In %dayjob% I’m now starting to use Microsoft Endpoint Configuration Manager (nee System Center Configuration Manager, nee System Management Server) a lot more.
The area I’ve been looking at is Windows Updates. It’s not a sexy area (I’ll leave that to Leon and Ben) but it pays the mortgage. I’m cleaning things up as I go, getting rid of old Software Update Groups and moving to Automatic Deployment Rules. This has led me to blasting away old downloaded updates and starting again.
However, if you’ve had an install that has been upgraded many times, you might find that some of that old content won’t download again, and you disappear down a rabbit hole.
A couple of hours later I have the answer to why my ADR would never complete. Come with me on a journey!
First thing: my ADR includes EVERY update that has not been superseded for Windows Server 2012 R2 and Server 2016. This is because as new customers come on board we don’t know the state of their OS patching, so we want every update to be evaluated and pushed out to their servers.
Creating my ADR (and apologies, I have had to fabricate some of these screenshots as I didn’t have them while making the initial ADR). Selected updates for Server 2012 R2 and 2016.
Selected the classification of updates.
~~~~~~~~~~~~~~Wavy lines of time.~~~~~~~~~~~~~~
Come back to the ADR and…. Hmm…..
Strange, looks like a certificate thing…..
Hmm, okay, let’s try downloading the update from All Software Updates and putting it into the Deployment Package manually.
I go back to the logs and find the list of files that fail to download, then I go and download them manually:
- kb3172989
- kb3207296
- kb3198389
- kb3173423
- kb3172729
- kb3209498
Okay, how about I import it manually? Different error, but same problem in that it didn’t import.
Okay…. Let’s go and interrogate the files and see what’s the same between them all….. hmm, all are for Server 2016 Technical Preview.
| File | Update title |
|---|---|
| kb3172989 | Security Update for Adobe Flash Player for Windows Server 2016 Technical Preview 5 (for x64-based Systems) (KB3209498) |
| kb3207296 | Cumulative Update for Windows Server 2016 Technical Preview 5 for x64-based Systems (KB3207296) |
| kb3198389 | Security Update for Windows Server 2016 Technical Preview 5 (KB3198389) |
| kb3173423 | Update for Windows Server 2016 Technical Preview 5 (KB3173423) |
| kb3172729 | Security Update for Windows Server 2016 Technical Preview 5 (KB3172729) |
| kb3209498 | Security Update for Adobe Flash Player for Windows Server 2016 Technical Preview 5 (for x64-based Systems) (KB3209498) |
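Rather than opening each file’s properties by hand, the check below does the same interrogation in bulk. This is an added example, not from the original post or from ConfigMgr itself; the folder path is an assumption, and the algorithm shown is the signing certificate’s own signature algorithm (Get-AuthenticodeSignature only returns the primary signature, so it does not tell you whether a dual-signed file also carries a SHA-1 signature).

```powershell
# Added example: inspect the Authenticode signatures on a folder of manually
# downloaded update files and flag the ones whose signing certificate has
# expired or whose signature does not validate.
$UpdateFolder = 'C:\Temp\FailedUpdates'   # assumed location of the downloaded KB files

$results = Get-ChildItem -Path $UpdateFolder -Include *.msu, *.cab, *.exe -Recurse -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File          = $_.Name
            Status        = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer        = if ($cert) { $cert.Subject } else { $null }
            CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }  # e.g. sha1RSA / sha256RSA
            NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
            CertExpired   = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        }
    }

# Everything first, then only the files that are going to trip up the ADR.
$results | Format-Table -AutoSize
$results | Where-Object { $_.Status -ne 'Valid' -or $_.CertExpired } |
    Select-Object File, Status, CertAlgorithm, NotAfter |
    Format-Table -AutoSize
```

The second table is the list to compare against the download failures in the logs; anything with an expired certificate is a candidate for exclusion from the ADR.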
Ohhh, so the SHA256 cert on all of them has expired. And since August, SHA1 updates are no longer allowed:
https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus
My thought is that if I had done this work in July, the updates would have downloaded fine!
So….. how to get around it? I simply excluded these updates from the ADR.
And now my ADR is fully up to date!