Software Deployment Certificate Issue

  • Question

  • Hi All,

    We are working on our first software deployment using SCE.  Our first deployment was unsuccessful.  I found the following error in the client WindowsUpdate.log:

    Validating signature for C:\Windows\SoftwareDistribution\Download\519d83436ac6995c5d7d7258c0d37bee\6bb4347492ed8f1382d3d6631172e792016738b5:
    2011-08-09    10:05:46:959     884    bfc    Misc     Microsoft signed: No
    2011-08-09    10:05:46:959     884    bfc    Misc    WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\519d83436ac6995c5d7d7258c0d37bee\6bb4347492ed8f1382d3d6631172e792016738b5 are not trusted: Error 0x800b0109
    2011-08-09    10:05:46:974     884    bfc    DnldMgr    WARNING: File failed postprocessing, error = 800b0109
    2011-08-09    10:05:46:974     884    bfc    DnldMgr    Failed file: URL = 'http://empbedsce.empirix.com:8530/Content/B5/6BB4347492ED8F1382D3D6631172E792016738B5.cab', Local path = 'C:\Windows\SoftwareDistribution\Download\519d83436ac6995c5d7d7258c0d37bee\6bb4347492ed8f1382d3d6631172e792016738b5'
    2011-08-09    10:05:46:974     884    bfc    DnldMgr    Error 0x800b0109 occurred while downloading update; notifying dependent calls.

     

    Now, I know this is a result of the Code Signing cert not being trusted by the client, and therefore refusing the download of the software.  I have checked all the usual points that have been mentioned here in the forum:

    - GPO System Center Essentials All Computers Policy is established and has been applied to the client.

    - Certificates are appearing in the Certificates MMC console on the client..."Essentials Publishers Self-Signed" appears in Trusted Root Certification Authorities, Trusted Publishers, and Third-Party Root Certification Authorities.

    The test client I am using is a new Windows 7 VM spun up for this particular purpose.  The SCE health agent is reporting properly back to the server...

    I am not sure where else to look for the problem. It seems like everything is configured correctly, but obviously I am missing something.

    Can someone point me in the right direction to continue troubleshooting this?


    Thanks very much.

    Mike

    Thursday, August 11, 2011 3:15 PM

Answers

  •  

    Hi Mike,

    Thank you for your post.

    Based on my research, I would like to suggest the following:

    1.    Run “GPUPDATE /force” and try again.

    2.    Ensure the Group Policy settings of System Center Essentials 2010 have been applied:

          Local Policy vs. Group Policy in System Center Essentials 2010
          http://technet.microsoft.com/en-us/library/bb437395.aspx

    3.    Run GPRESULT on the client side, check the output and make sure the following policies have been applied with correct settings:

          - Configure automatic updates
          - Specify intranet Microsoft Update service location
          - Allow signed content from intranet Microsoft Update service locations
          - No auto-restart for scheduled Automatic Updates installations

          For more information about the Group Policy settings, please also see the following documents:

          Essentials Update Management Configuration
          http://technet.microsoft.com/en-us/library/ff603593.aspx

          How to Create Custom Update Settings for Client and Server Computers in Essentials
          http://technet.microsoft.com/en-us/library/ff621487.aspx

    4.    Check the related certificates:

          1) Ensure the WSUSCodeSigningCert.cer and WSUSSSLCert.cer exist in %programfiles%\system center essentials\certificates.

          2) Launch MMC and add the Certificates snap-in for the computer account of the local computer on the SCE server.

          3) Check if the WSUSCodeSigningCert.cer has been imported into the following nodes:

             a)     Trusted Root Certification Authorities
             b)     Trusted Publishers
             c)     Third-Party Root Certification Authorities

          Meanwhile, the certificate of these nodes matches WSUSCodeSigningCert.cer of %programfiles%\system center essentials\certificates.

    If the issue persists, please check the Event Log on the server and client; if there are any related errors, please let us know the details.

    Hope this helps.

    Thanks.

    Nicholas Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com.


    Nicholas Li - MSFT
    Friday, August 12, 2011 8:02 AM

All replies

  •  

    I just want to say hi and see how this is going. Please drop me a quick note at your convenience to let me know the current status of this issue. If you have any concerns, please do not hesitate to let me know.

     

    Thanks, and have a great day!

     

    Nicholas Li

    Nicholas Li - MSFT
    Tuesday, August 16, 2011 9:55 AM
  • Just to follow up...The reason the software deployment was not working was because of a GPO setting for the Windows Update policy.  I was unaware of the requirement or the link between the software deployment in SCE and the WSUS settings.

    Specifically, the "Allow signed content from intranet Microsoft Update service locations" policy was not set.  Once I modified this, the software deployed to our clients with no further issues.


    Thanks very much for the assistance!!!

    Friday, August 19, 2011 11:53 AM
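
The client-side checks from the answer above, including the policy that turned out to be missing, as a PowerShell script to run on the affected client. This is an added example, not part of the original thread; the certificate path is an assumption (a copy of the server's WSUSCodeSigningCert.cer), and the registry value names are the ones the Windows Update policy settings write under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.

```powershell
# Added example: checks a client for the trust prerequisites discussed in this thread.
# Assumption: $CertPath points to a copy of the server's WSUSCodeSigningCert.cer.
param([string]$CertPath = "$env:TEMP\WSUSCodeSigningCert.cer")

# Helper (hypothetical name) that builds one row of the report.
function New-Result($Check, $Value, $OK) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; OK = $OK }
}

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
$results = @()

# "Allow signed content from intranet Microsoft Update service locations"
# Without this value set to 1 the client rejects non-Microsoft signed content
# even when the signing certificate is in the trusted stores.
$results += New-Result 'AcceptTrustedPublisherCerts = 1' $wu.AcceptTrustedPublisherCerts `
    ($wu.AcceptTrustedPublisherCerts -eq 1)

# "Specify intranet Microsoft Update service location"
$results += New-Result 'WUServer set and UseWUServer = 1' $wu.WUServer `
    ([bool]$wu.WUServer -and $au.UseWUServer -eq 1)

if (Test-Path $CertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $results += New-Result 'Code-signing certificate not expired' $cert.NotAfter `
        ($cert.NotAfter -gt (Get-Date))

    # Root = Trusted Root Certification Authorities
    # TrustedPublisher = Trusted Publishers
    # AuthRoot = Third-Party Root Certification Authorities
    foreach ($store in 'Root', 'TrustedPublisher', 'AuthRoot') {
        # Compare by thumbprint so a same-named but different certificate does not pass.
        $found = @(Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
        $results += New-Result "Certificate present in LocalMachine\$store" $cert.Thumbprint $found
    }
} else {
    $results += New-Result 'Certificate file readable' $CertPath $false
}

$results | Select-Object Check, Value, OK | Format-Table -AutoSize -Wrap
```

A client in the state described in this thread would show the three certificate rows as OK and the `AcceptTrustedPublisherCerts` row as not OK, which is the combination that produces error 0x800b0109 in WindowsUpdate.log.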
  •  

    Hi,

     

    Thank you for your update.

     

    I am glad to know the information is helpful and the issue has been resolved. Your time and efforts are highly appreciated.

     

    In the future, if you experience any issues regarding our products or if you have any feedback, you are also welcome to post a new thread in our forum. It is always our pleasure to be of assistance.

     

    Thanks again! Have a nice day!

     

    Nicholas Li

    Nicholas Li - MSFT
    Monday, August 22, 2011 2:46 AM