07 May 2019

Modifying third party updates using System Center Updates Publisher


From time to time, I have a need to modify updates. In the following, I demonstrate both why and how.
I needed to update drivers for HP EliteBook 830 G5 and HP EliteBook 840 G5. One of the drivers, SP95496 “Intel I219LM/V Gigabit Ethernet Driver for Microsoft Windows [12.18.8.9.A1]”, failed on one of my test machines.




The error code 0x87D00668 means “Software update still detected as actionable after apply”. This can naturally happen for a number of reasons, so I decided to examine the update in SCUP.
An update in SCUP is just a snippet of XML that defines the update, and SCUP allows us to edit it. Since the problem is that the update is still applicable after the installation completed, we start by examining the Installed definition.


Going over the rules, I noticed that one of the rules is that the release of Windows 10 must be 1809. Since I tested on release 1803, the rule failed.
I then examined the Applicability/installable rules to see if there is anything related to release 1803.  


As can be seen, the update is applicable for Release 1803, and the installed rules are not correct. Let’s fix it.
Navigate back to the installed rules. Right-click the registry rule and select Delete.


Next, next, complete.
Next, we need to re-publish the update to get it into WSUS. Since we have changed only the definition of the update and not the binary, we only need to publish the metadata.

Right-click the update, select Publish, choose Metadata Only, then click Next, Next, Close.
Synchronize your updates into Configuration Manager.
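
The mismatch found above, as an added example that is not part of the original post: the script compares the releases the applicability rules accept with the release the installed rules require. The XML is a constructed, simplified stand-in; its element and attribute names, the placeholder namespaces and the `ReleaseId` registry value are assumptions, not an export from SCUP.

```python
import xml.etree.ElementTree as ET

def reg_release(data):
    """Constructed registry rule that tests the Windows 10 release."""
    return ('<bar:RegSz Key="HKEY_LOCAL_MACHINE" '
            r'Subkey="SOFTWARE\Microsoft\Windows NT\CurrentVersion" '
            f'Value="ReleaseId" Comparison="EqualTo" Data="{data}"/>')

def sample(pinned):
    """Constructed, simplified update XML; names and namespaces are assumptions."""
    pin = reg_release("1809") if pinned else ""
    return f"""<sdp:Package xmlns:sdp="urn:example:sdp"
        xmlns:bar="urn:example:bar" xmlns:lar="urn:example:lar">
      <sdp:IsInstallable><lar:Or>
        {reg_release('1803')}{reg_release('1809')}
      </lar:Or></sdp:IsInstallable>
      <sdp:IsInstalled><lar:And>
        <bar:FileVersion Path="example.sys" Comparison="GreaterThanOrEqualTo" Version="1.0.0.0"/>
        {pin}
      </lar:And></sdp:IsInstalled>
    </sdp:Package>"""

def local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # tag name without its namespace

def is_release_rule(elem):
    return (local(elem) == "RegSz" and elem.get("Value") == "ReleaseId"
            and elem.get("Comparison") == "EqualTo")

def accepted(section):
    """Every release named anywhere in the applicability rules."""
    return {e.get("Data") for e in section.iter() if is_release_rule(e)}

def required(node):
    """Releases that must match: rules reached through And groups only."""
    found = set()
    for child in node:
        if is_release_rule(child):
            found.add(child.get("Data"))
        elif local(child) == "And":
            found |= required(child)
    return found

def stuck_releases(xml_text):
    """Releases where the update applies but can never evaluate as installed."""
    root = ET.fromstring(xml_text)
    sections = {local(e): e for e in root}
    must = required(sections["IsInstalled"])
    return accepted(sections["IsInstallable"]) - must if must else set()
```

A non-empty result names the releases on which the update would still be detected as actionable after it installs; `sample(pinned=False)` models the definition after the registry rule is deleted.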

03 May 2019

Lenovo Third Party Catalog for Configuration Manager

Recently Lenovo has released a catalog containing a number of drivers, BIOS upgrades and other downloads for their ThinkPad and ThinkCentre lines. This has been announced in this thread: https://forums.lenovo.com/t5/Enterprise-Client-Management/Third-Party-Software-Update-Catalog-in-SCCM-1806-and-Lenovo/td-p/4212821

The catalog allows Configuration Manager administrators to import Lenovo updates either directly into Configuration Manager using the Third Party node or using System Center Updates Publisher (see https://blogs.technet.microsoft.com/configurationmgr/2018/03/26/new-release-for-system-center-updates-publisher/).

It is my opinion that using SCUP is the better choice, because:

1. You decide which updates to publish with metadata. This reduces the bloat. Also some vendors do not supersede updates leaving old updates in the system.

2. You have the option of examining the updates from the catalog

3. You can manipulate the updates prior to deploying them. I often change HP BIOS updates to include BIOS passwords.

The downside is that you need an additional tool and need to perform the syncs manually.

Lenovo has done some good things with their catalog:

1. Using the new V2 catalog format that allows for much faster import where only changes are imported

2. Adding information about security identifiers for software updates. Unfortunately Configuration Manager does not preserve this. But it would be a huge benefit if all catalogs contained CVE information.

3. Superseded updates. Lenovo has done a good job here. But this naturally means that there are a number of old updates in the catalog.

But the catalog is currently lacking quite a bit:

It is updated from time to time, and currently (early May 2019) it has been a month since the last update. In my opinion it should be updated more often.

Coverage. It is hit or miss whether a given update can be found in the catalog. I found the most recent BIOS upgrade for ThinkPad X260 and deployed it with big success. However, BIOS upgrades for X270 were quite old.

I hope Lenovo puts some real effort into expanding the coverage of models and prioritizes updates with security ratings.