IT Consultant Everyday Notes

Just some problems/solutions storage

SCCM: Updates published via SCUP fail with Error = 0x800b0109

System Center Update Publisher (SCUP) is a nice mechanism to deploy third-party updates via SCCM. SCUP implementation is well documented for example here by Kent Agerlund.

One of the requirements is allowing Update Client to install updates signed by “Trusted Publisher” in our case – SCUP.

Without that third-party update deployment will fail on “Preparing for installation step” and you can see above-mentioned error in “details” section of error in GUI and in WUAHandler.log

 

For Domain-joined machines it is pretty easy and can be done via GPO as described by Microsoft: here

but you cannot do that for workgroup/DMZ machines.

One of workarounds is creating a package with registry modifier and deploy it

or, you can use Compliance Settings introduced in SCCM 2012 (improved Desired Configuration Management from SCCM 2007) to let SCCM remediate the setting if machine is not compliant.

for that, first create the registry setting we plan to monitor on SCCM server (if it is not present)

SNAGHTML5ca352bda next, create a new Configuration item under Compliance Settings node:

image

leave default for Supported Platforms and create a setting to monitor (use Browse to navigate to the registry setting we created earlier)

image

Under Compliance Rule tab add an additional rule and allow remediation for it

image

You should have two in result:

image

finish new CI wizard, create a new Baseline and add the CI to it (alternatively you can add the new CI to one of your existing CIs)

image

Finish New Baseline wizard and deploy the Baseline to a collection (I use All Desktop and Server Clients)

image

Members of the collection should receive the new Baseline on next Machine Policy refresh

Test: on one of the Clients set registry setting to 0

SNAGHTML5caba991

Now, go to SCCM Client on that machine and re-evaluate the baseline

image

Client should find the non-compliancy and remediate it (since it was allowed in CI and Deployment). Check the registry settings – it should be 1 now:

SNAGHTML5cada88e

Third-party updates should be installed successfully now.

image

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: