Tag Archives: SCUP

Office 2013 and KB3101488

This is a bit of a retrospective post rant.

In November we were well into the swing of a migration from Office 2010 to Office 2013. The vast majority of the update alpha test group were running Office 2010. The vast majority of the beta test group were Office 2013.

As part of the November 2015 monthly release, I deployed KB3101488. It went through the alpha testing and no issues were recorded… but as noted above, we were light on the ground for Office 2013 :-/

Worryingly, it sailed through beta testing.

Continue reading


Windows Update Agent woe Part II

Following on from my blog here, I applied the server-side WSUS update, KB2938066. I then ran the server clean up wizard and was quite surprised at the numbers:



It does make me wonder if the server clean up wizard alone is enough. it’s something I need to look into… I would not have considered there to be so many deletions for a database that is cleaned up once a month. However I digress.

Continue reading

SCUP and a PKI Certificate – SCUP Headache NUmber 2!

Following on from the WSUS/SUP rebuild I blogged about here, I noticed that all SCUP updates in Config Manager were flagged up with a grey cross. All except the most recent Adobe reader/ acrobat/flash which were in the monthly test cycle.

I downloaded all the updates and everything seemed to be fine.

However reports started to float in for reader/acrobat/flash failing to install, with error code  0x80091007. The failures were only limited to the very latest updates, which were now live. The older SCUP updates installed fine.

Uh oh… too much of a coincidence here.

I tried removing the affected updates from the SUGs and deleting them from the package; I published and resigned the updates but this had no affect. I then deleted the updates from SCUP and removed the catalogue; next I imported the library from Adobe but interestingly the updates were now marked as expired. I duplicated them and tagged as MKII. and published into the WSUS catalogue.

This now worked… the affected updates, or rather the MKII versions, now installed without any errors. Strangely the original updates are flagged as not expired but if I attempted to publish them, it would error stating they are expired.



The root cause? I’m not sure but I am going to suggest that having them in multiple SUGs as part of the monthly testing and rollout ended up with them being stuck in our WSUS catalogue signed with the old self-signed certificate. It is very odd how it only affected these three… Maybe I missed the initial clear out but it’s strange that from the word go they had a green icon instead of the grey cross like other SCUP updates.

Anyway, prodigious use of duplicate and “MKII” saved the day 😛

SCUP and a PKI Certificate

As I am dabbling (drowning?) with a PKI and HTTPS. I thought it would be a jolly good idea to use a PKI generated certificate instead of the SCUP self-signed certificate. How wrong I was.

I created my template the usual way. I won’t reinvent the wheel here. If you need a guide on creating a template, I used this blog.

One thing I would add here, is that I did not give Authenticated Users Enrol. Quite why you would want every Tom, Dick and Harry with access to a Certificate that can be exported along with its full private key is beyond me, but then I do admit I am no expert.

Personally I feel this is elevating attack profiles… I gave Enrol to one user account, the account I would be requesting the certificate with.

This leads me to my next niggle. The certificate is a User Based certificate; as such it cannot be requested under the machine account context. This is important as it caused an issue for me later!

The final niggle is the way the certificate is displayed. Being user based, I had to request it with my user account. The certificate was entered into my Personal Store, stamped with my UPN. When exported, it seemed to retain to information. When I deployed the certificate to another PC and a different logon, yup, it appeared in the Trusted Publishers store using my original name.


I already have the stigma of being “the updates man” or perhaps more affectionately, “the man who breaks things with his updates every month”. I really do not want to further reinforce the association between myself and Software Updates.

It appears I was almost alone in my OCDesque compulsion, but I did find this TechNet post. Whilst I applaud the inventiveness, no effing way am I doing that dirty hack (lol). So I had a think… and as ever, the simplest solution came to me whilst I was anally interfacing with a toilet seat.

Create a user account with the desired name. Well herp derp, kinda obvious huh? So I ended up with this .CER in the Trusted Publisher store:


Just like the Ting Tings, that's not my name.

Just like the Ting Tings, that’s not my name.


Great! Well not actually. I made the mistake of adding the certificates manually to the User’s Trusted Publisher, so all the SCUP updates failed to apply. After beating my head against a wall of “it’s a certificate issue”, I suddenly it was a certificate issue but just not quite the one(s) everyone else was getting. Presumably because everyone else wasn’t being one hundred percent dick and adding the certificate to the wrong context.

I popped the certificate into Trusted Publishers under the computer account context, and bizarrely it worked fine. Funny that.

I deployed the .CER via GPO to all domain PCs and manually added it to my WSUS servers; bear in mind that as this is a PKI certificate, it doesn’t need to be added to the Trusted Root Authority a la the self-signed certificate.

Don’t forget to add the .PFX file to SCUP.

One final note. I did come across some “better SCUP guides”, such as this one or this one where they advise to remove the Application Policies from the Certificate Template. These do seem to be older guides, and whilst they may have been appropriate for Config Manager 2007, you do not need to do this for Config Manager 2012. Needless to say, the thought of having an unlimited certificate, available to all authenticated users to be exported with a full private key seems like career suicide.

Leave the Application Policies alone – they help limit what the certificate can be used for 🙂

SCUP and Adobe – headache Number 1

Windows 8 rolled into our office a couple of years ago now. I came across a problem with Flash not installing on the Windows 8 PCs.

I’ve been deploying Flash via Config Manager as a Software Update since I managed to get System Centre Updates Publisher (SCUP) working. I had not previously encountered a problem with it… however it steadfastly refused to install, and constantly reported a failure in the Software Centre.

I wondered if it was some kind of certificate issue with Windows 8 or perhaps something to do with Windows 8 already having Flash installed.

…but no, it was a typical, er expected?, Adobe cock up.

I must admit I ignored this problem for as long as I could (several months).

This isn't the issue you're looking for. /MovealongMovealong

This isn’t the issue you’re looking for. /Movealong

We didn’t support Windows 8 at that point, and quite frankly I am getting sick of the attitude where people can do what the hell they like and expect I.T. to run around after them picking the pieces.

*ahem* Anyway!

I took a look at this age old pain, and noticed something which had passed everyone, myself included, by. The Flash update failing to install wasn’t the monthly release, it was failing to install version I dug into this and found that Adobe had released this version of Flash with a set of Installable or Installed rules that did not work with Windows 8. In effect, the update was not applicable for Windows 8, but due to how the rules were set, the client would never realise this and was always erroneously marked as required.

Amusingly the machines were actually installing the monthly release of Flash, where required.

I expired the update in SCUP, published it, synced the Config Manager SUP and the problem went away.

Quite why Adobe couldn’t maintain their catalogue correctly is another question, as this is a known issue.

The TechNet forum post I found deserves a mention; once I realised it was version, this post clarified for me what was happening.