IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: SCUP

SCCM: SCUP 2011 on Windows Server 2016

Found a nice post (http://www.slr-corp.fr/2017/02/tips-tricks-installing-system-center-updates-publisher-scup-2011-windows-server-2016/) describing how to install SCUP 2011 on Server 2016. Normally the installation fails due to the WSUS version check, but if you change the WSUS version to 6.3.9600.1777 in the registry (HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup, value VersionString) for the duration of the SCUP installation, you can apparently finish the installation. Of course, without any support from MS.

Or, as mentioned in the post comments, just run the SCUP .msi with the /qb switch.

Meanwhile people continue to vote for this feature for SCCM CB here: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/8803711-3rd-party-patching-scup-integration-with-sccm-co


SCCM: Updates published via SCUP fail with Error = 0x800b0109

System Center Update Publisher (SCUP) is a nice mechanism to deploy third-party updates via SCCM. SCUP implementation is well documented, for example here by Kent Agerlund.

One of the requirements is allowing the Update Client to install updates signed by a “Trusted Publisher”, in our case SCUP.

Without that, third-party update deployment will fail at the “Preparing for installation” step, and you can see the above-mentioned error in the “details” section of the error in the GUI and in WUAHandler.log.

 

For domain-joined machines it is pretty easy and can be done via GPO, as described by Microsoft here, but you cannot do that for workgroup/DMZ machines.

One workaround is to create a package that modifies the registry and deploy it. Alternatively, you can use Compliance Settings, introduced in SCCM 2012 (an improved Desired Configuration Management from SCCM 2007), to let SCCM remediate the setting if a machine is not compliant.

For that, first create the registry setting we plan to monitor on the SCCM server (if it is not present).

Next, create a new Configuration Item under the Compliance Settings node.

Leave the default for Supported Platforms and create a setting to monitor (use Browse to navigate to the registry setting we created earlier).

Under the Compliance Rules tab, add an additional rule and allow remediation for it.

You should end up with two rules.

Finish the new CI wizard, create a new Baseline and add the CI to it (alternatively, you can add the new CI to one of your existing CIs).

Finish the New Baseline wizard and deploy the Baseline to a collection (I use All Desktop and Server Clients).

Members of the collection should receive the new Baseline on the next Machine Policy refresh.

Test: on one of the clients, set the registry setting to 0.

Now, go to the SCCM Client on that machine and re-evaluate the baseline.

The client should find the non-compliance and remediate it (since remediation was allowed in the CI and the Deployment). Check the registry setting; it should be 1 now.

Third-party updates should be installed successfully now.
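The check-and-remediate logic that the baseline performs, written as an added PowerShell example for verifying a workgroup/DMZ client by hand; it is not part of the original post. It assumes the setting shown in the post's screenshots is the documented Windows Update policy value AcceptTrustedPublisherCerts under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and that the client log sits in the default %windir%\CCM\Logs folder; the `-Remediate` switch and the function name are illustrative.

```powershell
# Added example: audit (and optionally remediate) the Windows Update policy that
# lets the client install locally published updates signed by a Trusted Publisher.
# Assumption: this is the registry value the post's screenshots referred to.
[CmdletBinding()]
param([switch]$Remediate)   # without -Remediate the script only reports

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName = 'AcceptTrustedPublisherCerts'
$Expected  = 1

function Get-PolicyState {
    # Returns $null when the key or value is absent, otherwise the DWORD data.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current   = Get-PolicyState
$compliant = ($current -eq $Expected)

if (-not $compliant -and $Remediate) {
    # Writing under HKLM requires an elevated session.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -PropertyType DWord -Force | Out-Null
    $current   = Get-PolicyState
    $compliant = ($current -eq $Expected)
}

# Count occurrences of the trust error from the post in the client log (default path assumed).
$log  = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
$hits = @()
if (Test-Path $log) { $hits = @(Select-String -Path $log -Pattern '0x800b0109' -SimpleMatch) }

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Value      = if ($null -eq $current) { '<not set>' } else { $current }
    Compliant  = $compliant
    LogHits    = $hits.Count
    LastLogHit = if ($hits.Count) { $hits[-1].Line } else { $null }
}
```

Old log entries stay in WUAHandler.log after the value is corrected, so compare the timestamp of `LastLogHit` with the time of the fix before treating a non-zero `LogHits` as a current failure.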


SCCM 2012: SCUP cannot create self-signed certificate when installed on Windows Server 2012 R2

 

When you install System Center Update Publisher (SCUP) 2011 on Server 2012 R2, you cannot create a self-signed certificate. This is by design, since WSUS 4.1 shipped with Server 2012 R2 does not support issuing self-signed certificates. More on this subject is here.

Workaround: Generate a certificate from an internal certificate authority (CA) as described in “System Center Updates Publisher Signing Certificate Requirements & Step-by-Step Guide”.

The SCUP Support Statement update is here.

 

UPDATE: The WSUS team published a workaround describing how you can re-enable the old behaviour. There is a note, though, saying the self-signed API is considered obsolete and can be removed at any moment.