Saturday, October 24, 2015

Failed to download updates to the WUAgent datastore. Error = 0x800b0109



Symptoms

Updates publish without issue, but they fail to install on the client.
The following error is logged in C:\Windows\CCM\Logs\WUAHandler.log:


Failed to download updates to the WUAgent datastore. Error = 0x800b0109

Cause

The self-signed certificates are not in the local computer's Trusted Publishers and Trusted Root Certification Authorities stores. You will also need to enable "Allow signed updates from an intranet Microsoft update service location".

Solution

Import the WSUS self-signed certificate into the client computer's Trusted Publishers and Trusted Root Certification Authorities stores, and change this setting in a GPO.
Create a GPO which will import this certificate and enable Allow signed updates from an intranet 




To check this policy locally, open Run and type gpedit.msc.
Then navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.












If the issue is still present, add the following DWORD value to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts
Set its value to 1 (decimal).
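
The following PowerShell check is an added example, not part of the original post. It confirms on one client that the WSUS signing certificate is in both stores, that the registry value is set, and how often the error appears in the log. It assumes the exported certificate has been copied to the client as C:\wsuscert.cer; the function name is hypothetical.

```powershell
# Added example: checks one client for the conditions described above.
# Assumption: the exported WSUS signing certificate was copied to $CerPath.
function Test-WsusSigningTrust {
    param(
        [string]$CerPath = 'C:\wsuscert.cer',
        [string]$LogPath = 'C:\Windows\CCM\Logs\WUAHandler.log'
    )

    # The thumbprint identifies the certificate regardless of its file name.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $thumb = $cert.Thumbprint

    # Both machine stores must contain the certificate.
    $inPublisher = Test-Path -Path "Cert:\LocalMachine\TrustedPublisher\$thumb"
    $inRoot      = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"

    # Registry value named in the post; a missing key or value yields $null.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value = (Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    # Count how often the ConfigMgr client has logged the error.
    $hits = @(Select-String -Path $LogPath -Pattern '0x800b0109' -SimpleMatch -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        Thumbprint         = $thumb
        Expired            = $cert.NotAfter -lt (Get-Date)
        InTrustedPublisher = $inPublisher
        InRoot             = $inRoot
        PolicyEnabled      = ($value -eq 1)
        LogErrorCount      = $hits
    }
}

Test-WsusSigningTrust | Format-List
```

Any False in InTrustedPublisher, InRoot or PolicyEnabled, or True in Expired, points at the step that still needs to be applied to that client.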


SCUP 2011 Integrate with SCCM 2012 R2

Got some third-party updates you wish to publish and deploy to your environment with ConfigMgr 2012? A great way to do it is with SCUP 2011 integrated into ConfigMgr 2012.
A couple of days back I had some issues and was not able to resolve them, but after some troubleshooting I found the way to resolve them.
Resolution:
Please note this guide assumes that you are familiar with ConfigMgr 2012, Windows Server 2012 and WSUS for Server 2012, and already have WSUS and ConfigMgr 2012 installed with a Software Update Point role.
References:
Download SCUP 2011: http://www.microsoft.com/en-us/download/details.aspx?id=11940
Server 2012 Create Self-signed Cert button workaround: http://blogs.technet.com/b/wsus/archive/2013/08/15/wsus-no-longer-issues-self-signed-certificates.aspx
Publishing Updates to WSUS on Windows 2012: https://technet.microsoft.com/en-us/library/hh134747.aspx#PublishToServer2012
Steps:
(If you already have SCUP 2011 installed and want to re-install, add these steps):
1. Uninstall SCUP from the Server
2. Do a search on the server for all entries of "scupdb.sdf"
3. Delete all entries found for the "scupdb.sdf"
4. Reboot the server

Install:
1. Using the ConfigMgr 2012 Admin Account, login to the server
2. Open command prompt with Administrator Privileges (Right click and select Open as Admin), install SCUP 2011
3. Ensure the "scupdb.sdf" was created under the following path:
'C:\Users\<ConfigMgr 2012 Admin Account>\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000'
4. Open Regedit, Navigate to "HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\"
4.1 Create DWORD value: EnableSelfSignedCertificates = 1
5. Open Regedit, Navigate to "HKEY_CLASSES_ROOT\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B}"
5.1 Click Edit, click Permissions and then click Advanced
5.2 Click Change owner to, specify Administrators and then click OK
5.3 Specify Full Control permissions for Administrators and SYSTEM.
5.4 Close Regedit
5.5 Open command prompt with Administrator Privileges (Right click and select Open as Admin), type Dcomcnfg.exe and press ENTER
5.6 Expand Component Services, expand Computer, Expand My Computer, Expand DCOM Config, right click WSUSCertServer and click Properties
5.7 Select the Security Tab and configure the following permissions
5.8 Launch and Activation: Select Allow for the Local Launch and Local Activation permissions
5.9 Access Permission: Select Allow for the Local Access permission
6. Restart the WSUSCertServer process:
6.1 Open command prompt with Administrator Privileges (Right click and select Open as Admin)
6.2 net stop wsuscertserver and press ENTER
6.3 net start wsuscertserver and press ENTER

Configure:
1. Using the ConfigMgr 2012 Admin Account, login to the server
2. Open the SCUP 2011 Console by right clicking and selecting Run As Administrator, choose "Options"
3. Click the Update Server Tab
3.1 Check Enable publishing to an update server
3.2 Select the Connect to a local Update Server
3.3 Click the Signing Certificate Create button, complete the wizard
(This should work now due to the workaround done in the install steps)
3.4 Click the Test Connection button
3.5 You should now see the information for the issued certificate below the Create button
4. Click the ConfigMgr Server Tab
4.1 Check Enabled Configuration Manager Integration
4.2 Choose local or remote ConfigMgr server accordingly
4.3 Click the Test Connection button

Get Certificate to distribute:
1. Using the ConfigMgr 2012 Admin Account, login to the server
2. Open the MMC
3. Click File, then Add \ Remove Snap-In
4. Click Certificates and then Add
5. Select Computer Account and then Next
6. Select Local Computer and then Finish
7. On the Add or Remove Snap-ins, click OK
8. Navigate to WSUS Certificate Store, right click the certificate and choose all tasks, then export
8.1 On the Export Private Key, choose No, do not export the private key and then click Next
8.2 On the Export File Format, select DER encoded binary x.509 (.CER) and then click Next
8.3 On the File to Export, Type C:\wsuscert.cer and then click Next
8.4 Click Finish and then OK

Publish to TrustedPublisher and Root:
1. Using the ConfigMgr 2012 Admin Account, login to the server
2. Open command prompt with Administrator Privileges (Right click and select Open as Admin)
3. type:
3.1 certutil.exe -addstore TrustedPublisher C:\wsuscert.cer (press ENTER)
3.2 certutil.exe -addstore root C:\wsuscert.cer (press ENTER)
4. Distribute the Cert out to all workstations in the environment via GPO as well.
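
A PowerShell equivalent of the export and certutil steps above, added here as an example and not part of the original post. It assumes the WSUS store is reachable as Cert:\LocalMachine\WSUS and holds exactly one certificate, and that the PKI module cmdlets Export-Certificate and Import-Certificate are available (Windows Server 2012 and later); the function name is hypothetical.

```powershell
# Added example: export the WSUS signing certificate (public part only) and
# add it to the TrustedPublisher and Root machine stores on the server.
function Publish-WsusSigningCert {
    param([string]$OutFile = 'C:\wsuscert.cer')

    # Assumption: the store holds exactly one signing certificate.
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\WSUS)
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate in the WSUS store, found $($certs.Count)."
    }
    $cert = $certs[0]

    # -Type CERT writes a DER-encoded .cer file; the private key is not exported.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

    # Re-read the file and confirm it is the same certificate without a private key
    # before it is handed to a GPO for distribution.
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
    if ($exported.HasPrivateKey -or $exported.Thumbprint -ne $cert.Thumbprint) {
        throw "Exported file does not match the WSUS signing certificate."
    }

    # Same effect as: certutil.exe -addstore TrustedPublisher / root
    foreach ($store in 'TrustedPublisher', 'Root') {
        Import-Certificate -FilePath $OutFile -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    }

    # Report what was published so the thumbprint can be compared on clients.
    [pscustomobject]@{
        Thumbprint         = $exported.Thumbprint
        Subject            = $exported.Subject
        NotAfter           = $exported.NotAfter
        InTrustedPublisher = Test-Path -Path "Cert:\LocalMachine\TrustedPublisher\$($exported.Thumbprint)"
        InRoot             = Test-Path -Path "Cert:\LocalMachine\Root\$($exported.Thumbprint)"
    }
}

Publish-WsusSigningCert | Format-List
```

Run it from an elevated PowerShell session on the WSUS server; the reported thumbprint is the value to compare against what the GPO places on workstations.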
Domain Policy Change:
You need to make sure this is enabled for all clients you intend to deploy the 3rd party updates to, so that 3rd party updates can be installed when found on an intranet Microsoft Update Service, aka WSUS \ ConfigMgr.
Ensure that the policy also has “Allow Signed Updates from an Intranet Microsoft Update Service Location” enabled.
You can find this setting in the group policy editor under the following path:
Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update

Thanks to 

Charles Allen’s Blog

PXE Issue after SCCM CB 1806 upgrade

Recently I had upgraded my SCCM environment to 1806 and after the upgrade suddenly all PXE servers stopped working. While initiating the PXE ...