Lars Norman Søndergaard|Technology
07 May 2019
Modifying third party updates using System Center Updates Publisher
03 May 2019
Lenovo Third Party Catalog for Configuration Manager
Recently Lenovo has released a catalog containing a number of drivers, BIOS upgrades and other downloads for their ThinkPad and ThinkCenter lines. This has been announced in this thread: https://forums.lenovo.com/t5/Enterprise-Client-Management/Third-Party-Software-Update-Catalog-in-SCCM-1806-and-Lenovo/td-p/4212821
The catalog allows Configuration Manager Administrators to import Lenovo updates either directly into Configuration Manager using the Third Party node or using System Center Updates Publisher (see https://blogs.technet.microsoft.com/configurationmgr/2018/03/26/new-release-for-system-center-updates-publisher/)
It is my opinion that using SCUP is the better choice. Because
1. You decide which updates to publish with metadata. This reduces the bloat. Also some vendors do not supersede updates leaving old updates in the system.
2. You have the option of examining the updates from the catalog
3. You can manipulate the updates prior to deploying them. I often change HP BIOS updates to include BIOS passwords.
The downside is that you need an additional tool and need to perform the syncs manually.
Lenovo has done some good things with their catalog:
1. Using the new V2 catalog format that allows for much faster import where only changes are imported
2. Adding information about security identifies for software updates. Unfortunately Configuration Manager does not preserve this. But it would be a huge benefit if all catalogs contained CVE information.
3. Superseded updates. Lenovo has done a good job here. But this naturally means that there is a number of old updates in the catalog.
But the catalog is currently lacking quite a bit:
It is updated from time-to-time and currently (early May 2019 it has been a month since the last update). In my opinion it should be updated more often.
Coverage. It is hit or miss if a given update can be found in the catalog. I found the most recent BIOS upgrade for ThinkPad X260 and deployed it with big success. However BIOS upgrades for X270 was quite old.
I hope Lenovo puts some real effort into expanding the coverage of models and prioritize updates with security ratings.
07 December 2015
Error: 80071A90
This error has been seen on Windows 8, 8.1 and Server 2012 R2. For any updates reporting this error consider trying to reboot the machine and retry the update.
The error is not seen very often and due to the fact that Configuration Manager will normally retry updates periodically it will often self correct.
01 December 2015
Error 80096004
Description: The signature of the certificate cannot be verified
Possible cause: This problem is often seen if the agent does not trust the certificate server used to issue the SCUP signing certificate. Often seen with SCUP updates being applied during OSD or if a manual distribution method (ie. scripts) are used to deploy certificate.
Error 800b0004
Description: The subject is not trusted for the specific action
Possible cause: SCUP Signing Certificate is not in trusted publishers
If you see the error returned from deploying a group of updates containing a least one SCUP update (Adobe Flash, HP) then check the certificate store on the affected system.
20 November 2015
Error 80240440
Description: The connection to the service endpoint died.
Possible causes
I have seen this error with various firewalls and content inspection devices. Normally the problem is related to the fact that Windows Update Agent is trying to communicate using tcp/8530 or tcp/8531 to the Configuration Manager SUP. The content inspection system thinks that using http or https against non-standard ports is suspect and blocks the connections.
Remember that even if you have configured WSUS to use https some folders is still transmitted via http.
Possible solutions
1. Modify the rule set on the inspection device/firewall
2. Add a new WSUS server using default ports (tcp/80 and tcp/443)
Configuration Manager Techincal Preview 4
See http://blogs.technet.com/b/configmgrteam/archive/2015/11/19/now-available-system-center-configuration-manager-technical-preview-4.aspx for more details
Error 800B0109
Description - Windows: A certificate chain was processed but terminated in a root certificate which is not trusted by the trust provider.
This error can been found deploying software updates originating from System Center Updates Publisher (SCUP) if the client machine does not have both the root certificate of the CA issuing the code signing certificate used by SCUP and the actual code signing certificate. It can also be seen if the client does not have the "Allow signed content from intranet Microsoft update service location" policy enabled.
To correct the problem verify that you have the root certificate of your CA and the signing certificate deployed along with a GPO with "Allow signed content from intranet Microsoft update service location" enabled
17 November 2015
Service Manager 2012 R2 RU8 released
For more information and download see
https://support.microsoft.com/en-us/kb/3096383
Configuration Manager 2012 R2 CU2 Updated
While I have not had many issues with CU1 a few of the updates contained in CU2 is worth highlighting:
3084586 Driver package size increases in System Center 2012 Configuration Manager
Applications will not install when you use them with a dynamic variable list in a task sequence if no SMB package share was defined for the content. This affects only installations that use a dynamic variable list. Other installation methods are unaffected. Errors that resemble the following are recorded in the Smsts.log file on the client:
The build number is now 5.00.8239.1301
10 November 2015
Error 8007000E
06 November 2015
Error 87D00231
Source: Source: System Center Configuration Manager
Causes
Possible cause 1.
Configuration Manager Management Point is configured to use https but the client does not have a valid certificate. Check if the certificate is missing or expired.
You should see errors in ClientIDManagerStartup.log and notice in the console that the client is reporting software updates as being in a unknown state.
Fix: If the certificate is missing or expired you need to issue/request a new certificate.