Automated Application Management for SCCM

Simplify third-party application creation and patching in SCCM

Knowledge Base ArticlesDownload Trial

Update Publishing Fails When Proxy is in Use, and Timestamping is Enabled

The most common publishing failure we see is related to proxies and timestamping.

We will be reviewing in detail why this scenario can cause issues and how to fix it!

A Little Background

Within our publishing service, we always have timestamping enabled by default, as shown in the image below.

Time stamping Enabled Third-Party Updates

By enabling timestamping, it allows clients to trust updates published even after the code-signing certificate has expired. For example, the example below shows a WSUS Signing Certificate that expires on May 20, 2023. If timestamping is enabled, clients will trust updates even if they are installed after the expiration date.

Expiration Date of Code-Signing WSUS Cert

This is why we enable timestamping by default and generally don’t recommend disabling timestamping. If timestamping isn’t enabled, all updates would need to be republished after the expiration date.

In the PatchMyPC.log, you can also see the timestamping during the publishing attempt.

Publishing Third-Party Updates Timestamp PatchMyPC.Log

Why Publishing May Fail when Timestamping

One issue that can arise here is related to the way the WSUS publishing API performs the timestamping operation during the publishing. The WSUS API uses the Windows CryptoAPI to perform the timestamp on the updates CAB file.

The CryptoAPI uses the proxy defined at the SYSTEM level on the WSUS server. Because of this, the publishing operation with timestamping can often error out when a proxy is required for internet access.

So, even if the proxy is defined within our publishing service or on-site system in Configuration Manager, it will not be used during the publishing operating for timestamping.

Proxy Configured PatchMyPC SCCM

Workaround 1 – Set the SYSTEM Level Proxy Using PSEXEC and Internet Explorer

To resolve this issue, you will need to configure the proxy at the SYSTEM level on the server. The easiest method to change the proxy at the SYSTEM level is using PSEXEC.exe and Internet Explorer.

  1. Download PSEXEC.exe from https://live.sysinternals.com/
  2. Open command prompt as Administrator
  3. Launch Internet Explorer as SYSTEM using command line: psexec.exe -s -i “C:\Program Files\internet explorer\iexplore.exe”
  4. In Internet Explorer to Settings > Connections > LAN Settings > Enable “Use a proxy server for your LAN”, configure the IP Address and port, click OK, and close IE

Workaround 2 – Set the SYSTEM Level Proxy Using a Scheduled Task

If PSEXEC.exe is not allowed within your environment, you can also use a scheduled task as SYSTEM that runs a NetSH command.

  1. Create a one time scheduled task that runs under SYSTEM/COMPUTER account context
  2. Run the following command line: cmd.exe /c netsh winhttp set proxy http://myproxyserver.com:8080 (where the server name and port are set for your environment)

Workaround 3 – Disable Timestamping Within the Publishing Service

Although it’s probably not the best long-term solution, you can disable timestamping within the publishing service. Disabling timestamping can also be an excellent method to test if it’s the timestamping operation causing the updates to fail to publish.

If you are disabling timestamping for testing purposes, we recommend you only publish a single product such as 7-Zip. 

Here’s a List of Error Codes that Correspond to this Scenario

Error Codes:

An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2147954402

An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2147954429

An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2147954407

An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2148086027

Additional Details:

2147954402 = The operation timed out
2147954429 = A connection with the server could not be established
2147954407 = The server name or address could not be resolved
2148086027 = ASN1 bad tag value met.