Showing posts with label SCUP. Show all posts

07 May 2019

Modifying third party updates using System Center Updates Publisher


From time to time, I have a need to modify updates. In the following, I demonstrate both why and how.
I needed to update drivers for HP EliteBook 830 G5 and HP EliteBook 840 G5. One of the drivers, SP95496 “Intel I219LM/V Gigabit Ethernet Driver for Microsoft Windows [12.18.8.9.A1]”, failed on one of my test machines.




The error code 0x87D00668 means “Software update still detected as actionable after apply”. This can naturally happen for a number of reasons, so I decided to examine the update in SCUP.
An update in SCUP is just a snippet of XML that defines the update, and SCUP allows us to edit it. Since the problem is that the update is still applicable after the installation completed, we start by examining the Installed definition.


Going over the rules, I noticed that one of the rules is that the release of Windows 10 must be 1809. Since I tested on release 1803, the rule failed.
I then examined the Applicability/installable rules to see if there is anything related to release 1803.


As can be seen, the update is applicable for release 1803, so the installed rules are not correct. Let’s fix it.
Navigate back to the installed rules. Right-click the registry rule and select Delete.


Next, next, complete.
Next, we need to re-publish the update to get it into WSUS. Since we have changed only the definition of the update and not the binary, we only need to publish the metadata.

Right-click the update, select Publish, choose Metadata Only, then Next, Next, Close.
Synchronize your updates into Configuration Manager.

03 May 2019

Lenovo Third Party Catalog for Configuration Manager

Lenovo recently released a catalog containing a number of drivers, BIOS upgrades and other downloads for their ThinkPad and ThinkCentre lines. This was announced in this thread: https://forums.lenovo.com/t5/Enterprise-Client-Management/Third-Party-Software-Update-Catalog-in-SCCM-1806-and-Lenovo/td-p/4212821

The catalog allows Configuration Manager administrators to import Lenovo updates either directly into Configuration Manager using the Third Party node or using System Center Updates Publisher (see https://blogs.technet.microsoft.com/configurationmgr/2018/03/26/new-release-for-system-center-updates-publisher/).

It is my opinion that using SCUP is the better choice, because:

1. You decide which updates to publish with metadata. This reduces the bloat. Also, some vendors do not supersede updates, leaving old updates in the system.

2. You have the option of examining the updates from the catalog.

3. You can manipulate the updates prior to deploying them. I often change HP BIOS updates to include BIOS passwords.

The downside is that you need an additional tool and need to perform the syncs manually.

Lenovo has done some good things with their catalog:

1. Using the new V2 catalog format, which allows for much faster import where only changes are imported.

2. Adding information about security identifiers for software updates. Unfortunately, Configuration Manager does not preserve this, but it would be a huge benefit if all catalogs contained CVE information.

3. Superseded updates. Lenovo has done a good job here, but this naturally means that there are a number of old updates in the catalog.

But the catalog is currently lacking quite a bit:

It is only updated from time to time; currently (early May 2019) it has been a month since the last update. In my opinion it should be updated more often.

Coverage. It is hit or miss whether a given update can be found in the catalog. I found the most recent BIOS upgrade for ThinkPad X260 and deployed it with big success. However, the BIOS upgrades for X270 were quite old.

I hope Lenovo puts some real effort into expanding the coverage of models and prioritizes updates with security ratings.

01 December 2015

Error 80096004


Description: The signature of the certificate cannot be verified

Possible cause: This problem is often seen if the agent does not trust the certificate server used to issue the SCUP signing certificate. It is often seen with SCUP updates being applied during OSD, or if a manual distribution method (i.e. scripts) is used to deploy the certificate.

Error 800b0004


Description: The subject is not trusted for the specific action

Possible cause: The SCUP signing certificate is not in Trusted Publishers.
If you see the error returned from deploying a group of updates containing at least one SCUP update (Adobe Flash, HP), then check the certificate store on the affected system.

20 November 2015

Error 800B0109


Description - Windows: A certificate chain was processed but terminated in a root certificate which is not trusted by the trust provider.

This error can be seen when deploying software updates originating from System Center Updates Publisher (SCUP) if the client machine does not have both the root certificate of the CA issuing the code signing certificate used by SCUP and the actual code signing certificate. It can also be seen if the client does not have the "Allow signed content from intranet Microsoft update service location" policy enabled.

To correct the problem, verify that you have the root certificate of your CA and the signing certificate deployed, along with a GPO with "Allow signed content from intranet Microsoft update service location" enabled.
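
A client-side check covering the three certificate errors above (80096004, 800b0004 and 800B0109), added here as an example and not part of the original posts. The function name and the thumbprint parameter are hypothetical placeholders for your own signing certificate; `AcceptTrustedPublisherCerts` is the registry value that the intranet signed-content policy sets.

```powershell
# Added example: run elevated on an affected client.
# -Thumbprint is a placeholder for your own SCUP/WSUS code signing certificate.
function Test-ScupClientTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

    # 800b0004: the signing certificate must be in the machine's Trusted Publishers store.
    $signer = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1

    # 800B0109 / 80096004: the chain must build to a root the machine trusts.
    $chainOk = $false
    $chainStatus = 'signing certificate not found'
    $rootTrusted = $false
    if ($signer) {
        # $true = build the chain in machine context, as the update agent does.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
        $chain.ChainPolicy.RevocationMode = 'NoCheck'  # test trust only, not CRL reachability
        $chainOk = $chain.Build($signer)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $chainStatus) { $chainStatus = 'OK' }

        # Last chain element is the root (or the signer itself if self-signed).
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object Thumbprint -eq $root.Thumbprint)
    }

    # 800B0109 is also seen when the intranet signed-content policy is not enabled.
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
        -ErrorAction SilentlyContinue
    $policyOn = ($wu.AcceptTrustedPublisherCerts -eq 1)

    [pscustomobject]@{
        InTrustedPublishers   = [bool]$signer
        RootInTrustedRoots    = $rootTrusted
        ChainBuilds           = $chainOk
        ChainStatus           = $chainStatus
        SignedContentPolicyOn = $policyOn
    }
}

# Usage (placeholder thumbprint):
# Test-ScupClientTrust -Thumbprint '<SIGNING-CERT-THUMBPRINT>'
```

Any `False` in the output points at the matching cause described in the posts: a missing Trusted Publishers entry, a missing root certificate, or the policy not being applied.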