Monthly Archives: August 2018

SCCM 1806 – Third Party Updates

This post will show how you can set up Third Party Updates in SCCM Current Branch 1806 using a catalog from Patch My PC. This is a fresh lab with no certificates or GPOs configured. We will let SCCM create the Trusted Publisher certificate and take care of it on the clients by configuring the SCCM client settings, and also use the client settings to allow signed updates from an intranet location.

The setup below has the SUP installed on the same server as my Primary Site. My SUP is configured for HTTP mode. SSL must be enabled on the SUP if it is remote. See https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates for further details.

First thing is to enable third party updates, and then let SCCM manage the certificate.

[Screenshot TPA01]

Once this is done, and you sync your software update point, it will then create and install the code signing certificate. You can see this in the wsyncmgr.log.

[Screenshot TPA02]

If you open up certlm.msc you can also see the WSUS Publishers Self-signed certificate in the WSUS store.

[Screenshot TPA03]

You can also see this certificate in the Trusted Publishers store as well.

[Screenshot TPA04]

Once the sync has completed, you can see there is now information about the certificate in the third party updates tab of the software update point properties.

[Screenshot TPA05]

Next we will configure third party updates in the client settings. Open up the client settings and select the software updates section, then enable third party updates. This will add a local policy to the clients to allow signed updates from an intranet location, and also install the code signing certificate into the trusted publishers store. There is no need for a GPO to do this.

[Screenshot TPA06]

If you open gpedit.msc on a machine that has received the new policy, and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update, you will see the “Allow signed updates from an intranet Microsoft update service location” is now enabled.

[Screenshot TPA07]

If you do a gpresult /computer you can also see that the local policy has set this as well.

[Screenshot TPA08]

You can also see that the code signing certificate has been installed.

[Screenshot TPA09]
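The checks above (gpedit.msc, gpresult, and the certificate store) can be done in one go from an elevated PowerShell session on the client. This is an added verification script, not part of the original post or of SCCM itself; it assumes the certificate keeps the default subject "WSUS Publishers Self-signed" shown in certlm.msc earlier, and that the GPO setting is backed by the AcceptTrustedPublisherCerts registry value, which is what the Windows Update policy writes.

```powershell
# Added verification script (not from the original post). Confirms that the SCCM client
# settings delivered both pieces needed for third-party updates on this client:
#   1. the local policy "Allow signed updates from an intranet Microsoft update service location"
#   2. the WSUS Publishers Self-signed certificate in the Trusted Publishers store
# It also lists everything else in Trusted Publishers, because any certificate in that store
# is trusted to sign content, so the store should contain only what you put there.
function Test-ThirdPartyUpdateClientConfig {
    param(
        # Assumption: default subject used by WSUS publishing for the self-signed certificate
        [string]$ExpectedSubject = 'CN=WSUS Publishers Self-signed',
        # Optional: thumbprint shown in the SUP properties, to confirm client and server agree
        [string]$ExpectedThumbprint
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $valueName = 'AcceptTrustedPublisherCerts'   # registry value behind the GPO setting

    $policy = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $policy) -and ($policy.$valueName -eq 1)

    $trustedPublishers = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher
    $wsusCert = $trustedPublishers | Where-Object { $_.Subject -eq $ExpectedSubject }

    $thumbprintMatches = $null
    if ($wsusCert -and $ExpectedThumbprint) {
        $thumbprintMatches = ($wsusCert.Thumbprint -eq $ExpectedThumbprint.ToUpper())
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        AllowSignedIntranetUpdates    = $policyEnabled
        TrustedPublisherCertPresent   = [bool]$wsusCert
        TrustedPublisherCertExpires   = if ($wsusCert) { $wsusCert.NotAfter } else { $null }
        # Flag a certificate that will stop validating updates within 30 days
        TrustedPublisherCertExpiring  = if ($wsusCert) { $wsusCert.NotAfter -lt (Get-Date).AddDays(30) } else { $null }
        TrustedPublisherThumbprint    = if ($wsusCert) { $wsusCert.Thumbprint } else { $null }
        ThumbprintMatchesServer       = $thumbprintMatches
        # Anything else in Trusted Publishers deserves a second look
        OtherTrustedPublishers        = @($trustedPublishers | Where-Object { $_.Subject -ne $ExpectedSubject } |
                                          Select-Object Subject, Thumbprint, NotAfter)
        Ready                         = $policyEnabled -and [bool]$wsusCert
    }
}

Test-ThirdPartyUpdateClientConfig | Format-List
```

Pass the thumbprint from the third party updates tab of the SUP properties as -ExpectedThumbprint to confirm the client holds the same certificate the server signs with.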

Now we need to add our third party update catalogs. You will see in the SCCM console you can right click on Third Party Software Update Catalogs and add a new catalog. In my example I will be adding some Patch My PC catalogs and then syncing them.

[Screenshot TPA10]

Click on View Certificate and then click OK.

[Screenshot TPA12]

Once you have viewed the certificate you can click Next.

[Screenshot TPA13]

Once you have added the required catalogs, you now have to subscribe to them (the catalogs will synchronize automatically every 7 days).

[Screenshot TPA11]

Once the updates have been subscribed to, the catalog will then download. You need to do a sync to import the metadata from the WSUS database into the SCCM database.

[Screenshot TPA14]

Once the sync has finished, go back into your SUP properties, click products, and add the product.

[Screenshot TPA15]

Another SUP sync needs to be done for the metadata to appear.

[Screenshot TPA16]

Once the metadata has appeared from the catalogs we have added, we need to publish the updates before we can deploy them. You will see the updates download in the SMS_ISVUPDATES_SYNCAGENT.log.

[Screenshot TPA17]

After the updates have been published and downloaded, we need to do another sync.

[Screenshot TPA18]

You can see that the icon has changed from the blue metadata-only icon to green. We can now deploy our third party updates to a collection as normal.

[Screenshot TPA19]

On my test client, you can see that it needed Adobe Acrobat Reader, Google Chrome, and Oracle Java updates.

[Screenshot TPA]

The updates have installed correctly. We know that the trusted publisher certificate and the "allow signed updates from an intranet location" setting worked successfully.

[Screenshot TPA21]


SCCM Current Branch 1806 – Cloud Management Gateway Improvements

In the recently released version 1806 of SCCM Current Branch there have been a number of improvements to the Cloud Management Gateway (CMG). You might have noticed these in the Technical Previews. More information about the new features can be seen here: https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1806

Some of the nice new features for the Cloud Management Gateway:

Download content from a CMG – You can now allow the cloud management gateway to function as a cloud distribution point. This is one less cloud service virtual machine running, which saves costs. You can now right click on your cloud management gateway, view the properties, click Settings, and check the box "Allow CMG to function as a cloud distribution point and serve content from Azure storage".

[Screenshot cmg01]

Or, if you were to deploy a new CMG, you can see the checkbox below.

[Screenshot cmg02]

Trusted root certificate isn’t required with Azure AD – In the screenshot above, you will notice that you aren’t required to provide a trusted client root certificate anymore. This isn’t required when you use Azure AD for authentication.

CMG Connection Analyzer – This was in an earlier technical preview release and will help a lot of people. The Connection Analyzer allows you to troubleshoot connecting to your CMG. In the example below I have signed in as an Azure AD user and tested the connection. This was useful after configuring "Use Configuration Manager-generated certificates for HTTP site systems" (shown further below). After checking that box, I was able to leave my management point in HTTP mode and allow CMG traffic, then run through the tests to confirm that everything is working fine.

[Screenshot cmg03]

Use Configuration Manager-generated certificates for HTTP site systems – As mentioned above, this feature is awesome. After checking the box below on your site server, you can leave your management point in HTTP mode for cloud management gateway traffic, and not have to worry about installing PKI certificates.

[Screenshot cmg04]

Once the checkbox above is enabled, you will see that you can enable CMG traffic on your management point in the screenshot below.

[Screenshot cmg05]

If you also open IIS Manager, you will see on the https binding that the SMS Role SSL Certificate is now selected. If you remove or change this certificate, you will notice that the Connection Analyzer test above called "Testing the CMG channel for management point" will fail.

[Screenshot cmg06]

You will also find a nice Cloud Management dashboard in the Monitoring node with some stats.

[Screenshot cmg07]