Support Forum: Get Support for Patch My PC Products and Services

Topic started by: ThoDah on June 20, 2019, 02:54:19 AM

Title: Manual vs ADR download and client installation
Post by: ThoDah on June 20, 2019, 02:54:19 AM
I've tried searching the forum, but I've not found any hint resembling what I'm experiencing.
I've successfully subscribed to the "Patch my PC catalog", and used the publishing wizard to publish a number of updates with full content.
Now, if I set up an ADR, download fails with a certificate error.
If I manually download, the content successfully downloads, though installation fails on the clients I try to distribute them to.

During the install I switched from a self-signed WSUS signing certificate to an internal PKI-issued one, but when I look at the content manually downloaded to the package, I see it is still using the self-signed one. Both signing certificates are present in Trusted Root/Publishers on clients, SUP/WSUS and Primary.

Need some help here  :(
Title: Re: Manual vs ADR download and client installation
Post by: Support Team (Patch My PC) on June 20, 2019, 08:04:10 AM
Quote from: ThoDah on June 20, 2019, 02:54:19 AM
Now, if I set up an ADR, download fails with a certificate error.

Please send the patchdownloader.log. Collecting Log Files for Support - https://patchmypc.com/faq-scup-catalog#log-files

You probably didn't deploy the WSUS signing certificate to the site server, causing the ADR not to trust the update download.
Title: Re: Manual vs ADR download and client installation
Post by: ThoDah on June 21, 2019, 12:34:49 AM
Well, you're right: the self-signed WSUS certificate I initially used wasn't in my site server's certificate store, and putting it there helped the ADR to run, but why is it still using the self-signed certificate?
I changed the signing certificate to a PKI-issued one.
Title: Re: Manual vs ADR download and client installation
Post by: Support Team (Patch My PC) on June 21, 2019, 05:11:01 AM
The reason for that is that these are updates that were published in the past.

You could republish the updates.

When, Why, and How to Republish Update(s) - https://patchmypc.com/faq-scup-catalog#republishing-updates
Title: Re: Manual vs ADR download and client installation
Post by: solutions1313 on June 22, 2019, 01:55:24 AM
 ;)
Title: Re: Manual vs ADR download and client installation
Post by: ThoDah on June 24, 2019, 12:19:43 AM
So that fixed the certificate issue  :)
Unfortunately, all computers I've tried to deploy to return 0x87D00651 (-2016410031) (Post install scan failed).
Title: Re: Manual vs ADR download and client installation
Post by: Support Team (Patch My PC) on June 24, 2019, 07:27:17 AM
Can you email the CCM\Logs via https://patchmypc.com/technical-support
Title: Re: Manual vs ADR download and client installation
Post by: ThoDah on June 25, 2019, 06:05:07 AM
Yes, I will send them tomorrow, when I'm back at the office.
Title: Re: Manual vs ADR download and client installation
Post by: ThoDah on July 22, 2019, 04:26:42 AM
Hi again

So, I sorted out most of the issues, but I'm still unable to actually install the updates on clients; they return 0x800B0109 (-2146762487), which I know is a certificate chain error.
As previously stated, I'm using a signing certificate from my own PKI, and have added that certificate to Trusted Publishers and Trusted Root (even though that shouldn't be necessary as the PKI root certificate is already in here). What other certificates does it need?
Title: Re: Manual vs ADR download and client installation
Post by: Support Team (Patch My PC) on July 22, 2019, 07:57:05 AM
Did you enable the GPO to allow third-party updates? https://patchmypc.com/scupcatalog/documentation/PublishingServiceSetupGuide.pdf

Quote from: ThoDah on July 22, 2019, 04:26:42 AM
Hi again

So, I sorted out most of the issues, but I'm still unable to actually install the updates on clients; they return 0x800B0109 (-2146762487), which I know is a certificate chain error.
As previously stated, I'm using a signing certificate from my own PKI, and have added that certificate to Trusted Publishers and Trusted Root (even though that shouldn't be necessary as the PKI root certificate is already in here). What other certificates does it need?
Title: Re: Manual vs ADR download and client installation
Post by: ThoDah on July 23, 2019, 02:27:04 AM
Well no  ??? I'm on SCCM 1806 and have enabled third-party updates through client settings; I thought that was enough? I do however have a remote HTTPS SUP, so I might need the GPO?
Title: Re: Manual vs ADR download and client installation
Post by: Support Team (Patch My PC) on July 23, 2019, 09:33:16 AM
Yeah, if the SUP is remote it would need to be in HTTPS to manage the cert. More details here: https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates#additional-requirements-when-the-sup-is-remote-from-the-top-level-site-server

I assume the certificate details are missing in the third-party updates tab on the SUP. You can use GPO as a workaround to having SCCM manage the cert.
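
Added example, not part of the original thread or Patch My PC's own tooling: a client-side PowerShell check for the three conditions discussed above when an install returns 0x800B0109 (signing certificate in Trusted Publishers, chain building to a trusted root, and the GPO that allows third-party updates). Assumptions: the `.cer` path is a placeholder for an exported copy of your WSUS signing certificate, the function name is hypothetical, and the GPO is taken to be the Windows Update policy "Allow signed updates from an intranet Microsoft update service location" (registry value `AcceptTrustedPublisherCerts`), which the thread does not name explicitly.

```powershell
param(
    # Assumption: placeholder path to the exported (public) WSUS signing certificate
    [string]$SigningCertPath = 'C:\Temp\wsus-signing.cer'
)

function Test-WsusSigningTrust {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Is the signing certificate itself present in the machine stores?
    $inPublisher = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object Thumbprint -eq $cert.Thumbprint)
    $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $cert.Thumbprint)

    # Build the chain in machine context. Revocation is skipped so the check
    # also works offline; this tests trust anchoring only.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # GPO: "Allow signed updates from an intranet Microsoft update service location"
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = (Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts `
        -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    [pscustomobject]@{
        Thumbprint          = $cert.Thumbprint
        NotAfter            = $cert.NotAfter
        SelfSigned          = $selfSigned
        InTrustedPublishers = $inPublisher
        # Only a self-signed signing cert must itself sit in Trusted Root;
        # a PKI-issued one relies on its issuing chain instead.
        InTrustedRoot       = $inRoot
        ChainBuilds         = $chainOk
        ChainStatus         = $chainStatus
        ThirdPartyGpoOn     = ($policy -eq 1)
    }
}

Test-WsusSigningTrust -CertPath $SigningCertPath | Format-List
```

Run it elevated on an affected client. The thumbprint it reports must be the certificate the update content was actually signed with, which is why content published under an earlier signing certificate has to be republished.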