SCCM 1806 – Third Party Updates Error 13875

Recently when adding a catalog to the third party software update catalogs in SCCM Current Branch 1806 and trying to synchronize, I encountered the error “Unable to create the subscription. The console failed to download <product> from <URL> because of the error code 13875. For more information, see SmsAdminUI logfile.”

tpa01

The error code 13875 means “Invalid certificate signature“. For more troubleshooting I downloaded the cab file by opening up IE and pasting in the link. Once the cab file was downloaded, I right clicked on the file then properties, clicked Digital Signatures tab:

tpa02

Then here my issue was that the certificate in the signature could not be verified. I clicked on View Certificate to view more details.

tpa03

My issue was that on the client server, it was missing some Trusted Root certificates. After these were installed the third party updates could then be synchronized to SCCM Current Branch 1806 without issues.

tpa04

Advertisements

SCCM 1806 – Third Party Updates

This post will show how you can set up Third Party Updates in SCCM Current Branch 1806 using a catalog from Patch My PC. This is a fresh lab with no certificates or GPO’s configured. We will let SCCM create the Trusted Publisher certificate and take care of it on the clients by configuring the SCCM client settings, and also use the client settings to allow signed updates from an intranet location.

The below set up has the SUP installed on the same server as my Primary Site. My SUP is configured for HTTP mode. SSL must be enabled on the SUP if it is remote. See https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates for further details.

First thing is to enable third party updates, and then let SCCM manage the certificate.

TPA01

Once this is done, and you sync your software update point, it will then create and install the code signing certificate. You can see this in the wsyncmgr.log

TPA02

If you open up certlm.msc you can also see the WSUS Publishers Self-signed certificate in the WSUS store.

TPA03

You can also see this certificate in the Trusted Publishers store as well.

TPA04

Once the sync has completed, you can see there is now information about the certificate in the third party updates tab of the software update point properties.

TPA05

Next we will configure third party updates in the client settings. Open up the client settings and select the software updates section, then enable third party updates. This will add a local policy to the clients to allow signed updates from an intranet location, and also install the code signing certificate into the trusted publishers store. There is no need for a GPO to do this.

TPA06

If you open gpedit.msc on a machine that has received the new policy, and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update, you will see the “Allow signed updates from an intranet Microsoft update service location” is now enabled.

TPA07

If you doa gpresult /computer you can also see the local policy has set this as well.

TPA08

You can also see that the code signing certificate has been installed.

TPA09

Now we need to add our third party update catalogs. You will see in the SCCM console you can right click on Third Party Software Update Catalogs and add a new catalog. In my example I will be adding some Patch My PC catalogs and then syncing them.

TPA10

Click on View Certificate and then click OK.

TPA12

Once you have viewed the certificate you can click Next.

TPA13

Once you have added the required catalogs, you now have to subscribe to them (the catalogs will synchronize automatically every 7 days)

TPA11

Once the updates have been subscribed to, the catalog will then download. You need to do a sync to import the metadata from the WSUS database into the SCCM database.

TPA14

Once the sync has finished, go back into your SUP properties, click products, and add the product.

TPA15

Another SUP sync needs to be done for the metadata to appear.

TPA16

Once the metadata has appeared from the catalogs we have added, we need to publish them before we can deploy them. You will see the updates download in the SMS_ISVUPDATES_SYNCAGENT.log

TPA17

After the updates have been published and downloaded, we need to do another sync.

TPA18

You can see that the icon has changed from the blue metadata, to green, We can now deploy our third party updates to a collection as normal.

TPA19

On my test client, you can see that it needed some Adobe Acrobat Reader, Google Chrome, and an Oracle Java update.

TPA

The updates have installed correctly. We know that the trusted publisher certificate and the allow signed updates from the intranet settings worked successfully.

TPA21

SCCM Current Branch 1806 – Cloud Management Gateway Improvements

In the recently released version 1806 for SCCM Current Branch there have been a number of improvements to the Cloud Management Gateway (CMG). You might have noticed these in the Technical Previews. More information about  new features can be seen here https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1806

Some of the nice new features for the Cloud Management Gateway:

Download content from a CMG – You can now allow the cloud management gateway to function as a cloud distribution point. This is one less cloud service virtual machine running, which saves costs. You can now right click on your cloud management gateway, view the properties, click settings, and check the box “Allow CMG to function as a cloud distribution point and serve content from Azure storage”

cmg01

Or if you were to deploy a new CMG, you can view the checkbox below.

cmg02

Trusted root certificate isn’t required with Azure AD – In the screenshot above, you will notice that you aren’t required to provide a trusted client root certificate anymore. This isn’t required when you use Azure AD for authentication.

CMG Connection Analyzer – This was in an earlier technical preview release and will help a lot of people. The Connection Analyzer allows you to troubleshoot connecting to your CMG. In the example below I have signed in as an Azure AD user and tested the connection. This was useful after configuring “Use Configuration Manager-generated certificates for HTTP site systems” in the screenshot below. After checking that box, I was able to leave my management point in HTTP mode and allow CMG traffic, and run through the tests to confirm that everything is working fine.

cmg03

Use Configuration Manager-generated certificates for HTTP site systems – As mentioned above, this feature is awesome. After checking the box below on your site server, you can leave your management point in HTTP for cloud management gateway traffic, and not have to worry about installing PKI certificates.

cmg04

Once the checkbox above is enabled, you will see that you can enable CMG traffic on your management point in the screenshot below.

cmg05

If you also open IIS manager, you will see on the https binding that the SMS Role SSL Certificate is now selected. If you remove this certificate or change it, you will notice that the test in the Connection Analyzer above called Testing the CMG channel for management point will fail.

cmg06

You will also find a nice Cloud Management dashboard in the Monitoring node to find some stats.

cmg07

SCCM TP 1806 – Office Customization Tool integration

In the new Technical Preview version 1806 of SCCM, the Office Customization Tool is now integrated with the Office 365 installer. This gives a better admin experience than the previous Office 365 installer, and allows you to further customize your Office 365 ProPlus settings.

If you go to the Office 365 Client Management section and click on the Office 365 Installer, there is a new option to Go to Office Web Page.

O365-01

This is where we can start customizing Office 365 ProPlus including entering in your organisation name, selecting either 32 or 64bit, excluding certain products, and selecting your language.

O365-02

You can choose your update channel and a specific version. I have chosen semi-annual channel and the latest version.

O365-03

I have selected to automatically accept the EULA.

O365-04

This is one of the nice parts where you can further customize Office 365 ProPlus. I won’t go through all the settings but some of the settings I have configured are to disable the opt-in wizard at first run, and to disable the customer experience improvement, and to disable the first run movie.

O365-05

Once you’re done, click on Submit then close the webpage.

O365-06

You can continue on with the rest of the wizard as normal to download and deploy Office 365 ProPlus. It will create an application for you and the deployment types with requirement rules.

O365-07

At the end you can see that the wizard has created the Application with the configuration.xml with the settings specified in the Office Customization Tool.

O365-08

SCCM TP 1806 – Deploy updates without downloading them

In the recently released SCCM Technical Preview 1806, one of the new features is the ability to deploy software updates without downloading them to a deployment package. This post will quickly show how to deploy the updates without downloading them. My client is Windows 10 1803 which is Internet based and communicating with my Cloud Management Gateway. This means that I won’t need to distribute the updates to a Cloud Distribution Point and waste space.

When you go to deploy your software updates, on the deployment package section where previously you had to either select an existing deployment package or create a new one, you will see there is a new option called “No deployment package” and the text “Client will download content from peer cache or public cloud if available”

Updates01

I have gone and deployed this to a collection which my Internet based machine. I will click on Install and see what the logs say.

Updates02

As expected, you can see that the client is downloading updates from Microsoft..

Updates03

SCCM TP 1806 – Download content from a CMG

The Cloud Management Gateway keeps getting better and better. In recent release of the Technical Preview 1806, clients can now download content from the Cloud Management Gateway. This means you do not need to deploy a Cloud Distribution Point which will save costs of not needing additional Azure VM’s and certificates. It is also not mandatory now to use the trusted client root certificate. This is useful if you are only using Azure AD authentication. More information can be found Here.

Going through the new CMG wizard and signing in as normal and selecting to deploy the CMG in Azure Resource Manager.

CMG01

You can notice a few things different here. First I do not need to select the trusted client root certificate, before this was mandatory. And also there is a new checkbox “Allow CMG to function as a cloud distribution point and serve content from Azure storage

CMG02

Once the CMG has been deployed, I will use the Configuration Analyzer to make sure everything is OK.

CMG04

Now when you distribute content you can select your Cloud Management Gateway.

CMG03

After downloading an application from Software Center you can see that it connected to https://<cloudservicename>.blob.core.windows.net/

CMG05

 

 

SCCM TP 1805 – CMG Connection Analyzer

One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer to help you determine issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and a user authenticating with a client authentication certificate.

This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenario’s of me breaking my CMG and what the Connetion analyzer shows.

You will notice in the CMG section there is a new button called Connection analyzer.

CA01

You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.

CA02

Next we can see that its checking the configuration versions to make sure it matches between on-prem and Azure.

CA03

Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.

CA04

I have set my management point to allow CMG traffic, the test confirms this.

CA05

The Azure AD user can authenticate against my management point without any issues.

CA06

Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.

CA07

Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.

CA072

In this Tech Preview when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.

CA08

You can see below that it has the same steps as testing authenticating as an Azure AD user.

CA09

I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.

CA010_2

The same as below.

CA11

Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.

CA10

And again, you can see that it says that the certificate is not trusted by the CMG.

CA12

That is all the tests I have run so far. So far it is a good start. It seems quite a few customers have issues getting their CMG up and running, I think it is mostly to do with certificates. Hopefully in the future the descriptions can be improved with more details as to what could be wrong in the Connection analyzer to help customers troubleshoot more. The Cloud Management Gateway is an awesome feature.