07 May 2019

Modifying third party updates using System Center Updates Publisher


From time to time, I have a need to modify updates. In the following, I demonstrate both why and how.
I needed to update drivers for HP EliteBook 830 G5 and HP EliteBook 840 G5. One of the drivers, SP95496 “Intel I219LM/V Gigabit Ethernet Driver for Microsoft Windows [12.18.8.9.A1]”, failed on one of my test machines.




The error code 0x87D00668 means “Software update still detected as actionable after apply”. This can naturally happen for a number of reasons, so I decided to examine the update in SCUP.
An update in SCUP is just a snippet of XML that defines the update, and SCUP allows us to edit it. Since the problem is that the update is still applicable after the installation completed, we start by examining the Installed definition.


Going over the rules, I noticed that one of the rules is that the release of Windows 10 must be 1809. Since I tested on release 1803, the rule failed.
I then examined the Applicability/Installable rules to see if there was anything related to release 1803.


As can be seen, the update is applicable for release 1803, so the Installed rules are not correct. Let’s fix it.
Navigate back to the Installed rules. Right-click the registry rule and select Delete.


Next, next, complete.
Next, we need to re-publish the update to get it into WSUS. Since we have changed only the definition of the update and not the binary, we only need to publish the metadata.

Right-click the update, select Publish, choose Metadata Only, then Next, Next, Close.
Synchronize your updates into Configuration Manager.

03 May 2019

Lenovo Third Party Catalog for Configuration Manager

Lenovo recently released a catalog containing a number of drivers, BIOS upgrades and other downloads for their ThinkPad and ThinkCentre lines. This was announced in this thread: https://forums.lenovo.com/t5/Enterprise-Client-Management/Third-Party-Software-Update-Catalog-in-SCCM-1806-and-Lenovo/td-p/4212821

The catalog allows Configuration Manager administrators to import Lenovo updates either directly into Configuration Manager using the Third Party node or using System Center Updates Publisher (see https://blogs.technet.microsoft.com/configurationmgr/2018/03/26/new-release-for-system-center-updates-publisher/).

It is my opinion that using SCUP is the better choice, because:

1. You decide which updates to publish with metadata. This reduces the bloat. Also some vendors do not supersede updates leaving old updates in the system.

2. You have the option of examining the updates from the catalog

3. You can manipulate the updates prior to deploying them. I often change HP BIOS updates to include BIOS passwords.

The downside is that you need an additional tool and need to perform the syncs manually.

Lenovo has done some good things with their catalog:

1. Using the new V2 catalog format that allows for much faster import where only changes are imported

2. Adding information about security identifiers for software updates. Unfortunately, Configuration Manager does not preserve this, but it would be a huge benefit if all catalogs contained CVE information.

3. Superseded updates. Lenovo has done a good job here, but this naturally means that there are a number of old updates in the catalog.

But the catalog is currently lacking quite a bit:

It is updated from time to time, and currently (early May 2019) it has been a month since the last update. In my opinion it should be updated more often.

Coverage. It is hit or miss whether a given update can be found in the catalog. I found the most recent BIOS upgrade for ThinkPad X260 and deployed it with big success. However, the BIOS upgrades for X270 were quite old.

I hope Lenovo puts some real effort into expanding the coverage of models and prioritizes updates with security ratings.

07 December 2015

Error: 80071A90


This error has been seen on Windows 8, 8.1 and Server 2012 R2. For any updates reporting this error, consider rebooting the machine and retrying the update.

The error is not seen very often, and because Configuration Manager normally retries updates periodically, it will often self-correct.

01 December 2015

Error 80096004


Description: The signature of the certificate cannot be verified

Possible cause: This problem is often seen if the agent does not trust the certificate server used to issue the SCUP signing certificate. It is often seen with SCUP updates being applied during OSD, or if a manual distribution method (i.e. scripts) is used to deploy the certificate.

Error 800b0004


Description: The subject is not trusted for the specific action

Possible cause: The SCUP signing certificate is not in Trusted Publishers.
If you see the error returned from deploying a group of updates containing at least one SCUP update (Adobe Flash, HP), then check the certificate store on the affected system.

20 November 2015

Error 80240440


Description: The connection to the service endpoint died.

Possible causes
I have seen this error with various firewalls and content inspection devices. Normally the problem is related to the fact that Windows Update Agent is trying to communicate using tcp/8530 or tcp/8531 to the Configuration Manager SUP. The content inspection system thinks that using HTTP or HTTPS against non-standard ports is suspect and blocks the connections.

Remember that even if you have configured WSUS to use HTTPS, some folders are still transmitted via HTTP.


Possible solutions
1. Modify the rule set on the inspection device/firewall
2. Add a new WSUS server using default ports (tcp/80 and tcp/443)
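
To tell a port block from an inspection device that interferes after the connection is up, the TCP connect and the HTTP(S) request can be tested separately. This is an added example, not part of the original post; the function name is hypothetical, and the probe of /ClientWebService/client.asmx assumes the standard WSUS client web service path answers a plain GET.

```powershell
# Added example: separate "port filtered" from "HTTP(S) blocked on a non-standard port".
# Runs in the logged-on user's context, so proxy settings may differ from the
# Windows Update Agent, which runs as SYSTEM.
function Test-SupPorts {
    param(
        # SUP/WSUS host name; defaults to the host in the WUServer policy value.
        [string]$Server,
        [int[]]$Ports = @(8530, 8531)
    )
    if (-not $Server) {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $wu  = (Get-ItemProperty -Path $key -Name WUServer -ErrorAction Stop).WUServer
        $Server = ([uri]$wu).Host
    }
    foreach ($port in $Ports) {
        $scheme = if ($port -in 8531, 443) { 'https' } else { 'http' }
        $uri = '{0}://{1}:{2}/ClientWebService/client.asmx' -f $scheme, $Server, $port

        # Step 1: plain TCP connect.
        $tcp = (Test-NetConnection -ComputerName $Server -Port $port `
                -WarningAction SilentlyContinue).TcpTestSucceeded

        # Step 2: real HTTP(S) request over the same port (assumed probe path).
        $status = $null
        $err = $null
        if ($tcp) {
            try {
                $status = (Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15).StatusCode
            } catch {
                $err = $_.Exception.Message
            }
        }

        $verdict = if (-not $tcp) {
            'TCP connect failed: port filtered or service down'
        } elseif ($err) {
            'TCP open, HTTP(S) request failed: check inspection device and TLS trust'
        } else {
            'Reachable'
        }
        [pscustomobject]@{
            Port = $port; Uri = $uri; TcpOpen = $tcp
            HttpStatus = $status; Error = $err; Verdict = $verdict
        }
    }
}
```

Run `Test-SupPorts | Format-List` on an affected client; testing both ports matters because some content is still fetched over HTTP even when WSUS is configured for HTTPS.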

Configuration Manager Technical Preview 4

Microsoft has released the last technical preview of Configuration Manager before delivering the GA bits later this year.

See http://blogs.technet.com/b/configmgrteam/archive/2015/11/19/now-available-system-center-configuration-manager-technical-preview-4.aspx for more details



Error 800B0109


Description - Windows: A certificate chain was processed but terminated in a root certificate which is not trusted by the trust provider.

This error can be seen when deploying software updates originating from System Center Updates Publisher (SCUP) if the client machine does not have both the root certificate of the CA issuing the code signing certificate used by SCUP and the actual code signing certificate. It can also be seen if the client does not have the "Allow signed content from intranet Microsoft update service location" policy enabled.

To correct the problem, verify that you have the root certificate of your CA and the signing certificate deployed, along with a GPO with "Allow signed content from intranet Microsoft update service location" enabled.
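
The three certificate errors above (80096004, 800b0004 and 800B0109) come down to the same client-side prerequisites, which can be checked in one pass. This is an added example, not part of the original posts; the function name is hypothetical, the thumbprint is a placeholder you supply, and AcceptTrustedPublisherCerts is the registry value behind the GPO setting named above.

```powershell
# Added example. Run elevated on an affected client.
function Test-ScupSigningTrust {
    param(
        # Thumbprint of your SCUP/WSUS signing certificate (placeholder, supply your own).
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $report = [ordered]@{
        InTrustedPublishers = $false   # false -> cause described for 800b0004
        ChainTrusted        = $false   # false -> causes described for 80096004 / 800B0109
        WithinValidity      = $false
        ChainStatus         = 'certificate not found'
        IntranetPolicyOn    = $false   # false -> second cause described for 800B0109
    }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if ($cert) {
        $report.InTrustedPublishers = $true
        $now = Get-Date
        $report.WithinValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

        # Machine context: the Windows Update Agent validates as SYSTEM, not as the user.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
        # Skip revocation so an unreachable CRL does not mask a missing root.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $report.ChainTrusted = $chain.Build($cert)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $report.ChainStatus = if ($status) { $status -join ', ' } else { 'NoError' }
    }

    # Registry value written by the GPO setting
    # "Allow signed content from intranet Microsoft update service location".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
    $report.IntranetPolicyOn = ($null -ne $policy) -and ($policy.AcceptTrustedPublisherCerts -eq 1)

    [pscustomobject]$report
}

# Usage (placeholder thumbprint):
# Test-ScupSigningTrust -Thumbprint '<thumbprint of your signing certificate>'
```

A ChainStatus of UntrustedRoot or PartialChain points at the missing root or issuing CA certificate, which is typical for machines built during OSD before the certificates are deployed.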

17 November 2015

Service Manager 2012 R2 RU8 released

Service Manager 2012 R2 RU8 has been released. Among the more interesting features is a new end-user portal to replace the old one.

For more information and download see

https://support.microsoft.com/en-us/kb/3096383

Configuration Manager 2012 R2 CU2 Updated

CU2 for Configuration Manager 2012 SP2 and R2 SP1 has been updated. More information can be found here: https://support.microsoft.com/en-us/kb/3100144

While I have not had many issues with CU1, a few of the updates contained in CU2 are worth highlighting:

3084586 Driver package size increases in System Center 2012 Configuration Manager

Applications will not install when you use them with a dynamic variable list in a task sequence if no SMB package share was defined for the content. This affects only installations that use a dynamic variable list. Other installation methods are unaffected. Errors that resemble the following are recorded in the Smsts.log file on the client:

The build number is now 5.00.8239.1301

10 November 2015

Error 8007000E


Out of memory
Source: Windows

Causes

Possible cause 1.
Windows Update Agent is running out of memory. This is often seen on 32-bit operating systems, where Windows Update Agent runs out of memory trying to scan the local machine for software updates. The consequence of running out of memory is that the machine will be seen as reporting an unknown state for all updates.

Fix 1: Clean up software updates. Reduce the size of the Windows Update catalog by declining superseded updates. You can do this manually or by running the PowerShell script described here: http://blogs.technet.com/b/configurationmgr/archive/2015/04/15/support-tip-configmgr-2012-update-scan-fails-and-causes-incorrect-compliance-status.aspx
It is always a good idea to clean up your updates to reduce the time it takes to scan your machines.

Fix 2: Install the update KB3050265 – see https://support.microsoft.com/en-us/kb/3050265


Workaround: Configure Windows Update Agent (WUA) to run in its own memory space on a 32-bit Windows OS. This can be done by running sc.exe config wuauserv type= own

06 November 2015

Error 87D00231

Error: 87D00231 - transient error

Source: System Center Configuration Manager

Causes

Possible cause 1.
The Configuration Manager Management Point is configured to use HTTPS but the client does not have a valid certificate. Check if the certificate is missing or expired.

You should see errors in ClientIDManagerStartup.log and notice in the console that the client is reporting software updates as being in an unknown state.

Fix: If the certificate is missing or expired you need to issue/request a new certificate.
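
The "missing or expired" check can be scripted against the computer's personal store. This is an added example, not part of the original post; the function name and the 30-day warning window are assumptions, and it only considers certificates carrying the Client Authentication EKU.

```powershell
# Added example: list client authentication certificates and flag unusable ones.
function Get-ClientAuthCertStatus {
    param([int]$WarnDays = 30)   # assumed warning window, adjust to taste

    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuth })

    if ($certs.Count -eq 0) {
        # The "missing" case from the post above.
        Write-Warning 'No certificate with the Client Authentication EKU in LocalMachine\My.'
        return
    }

    foreach ($c in $certs) {
        $daysLeft = [int]($c.NotAfter - $now).TotalDays
        $state = if ($now -lt $c.NotBefore) {
            'NotYetValid'
        } elseif ($now -gt $c.NotAfter) {
            'Expired'
        } elseif (-not $c.HasPrivateKey) {
            'NoPrivateKey'      # certificate present but cannot be used to authenticate
        } elseif ($daysLeft -le $WarnDays) {
            'ExpiresSoon'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            NotAfter      = $c.NotAfter
            DaysLeft      = $daysLeft
            HasPrivateKey = $c.HasPrivateKey
            State         = $state
        }
    }
}
```

If every row is Expired or NoPrivateKey, or the warning fires, the client has nothing valid to present to the HTTPS Management Point and a new certificate must be issued.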