It’s because the cert isn’t in Trusted Publishers and the "allow signed 
updates" setting isn’t enabled.

You are likely enabling these via GPO, and GPOs don’t apply until after the 
task sequence.

Thanks,

Justin Chalfant
Premier Field Engineer – Configuration Manager
Public Sector
Microsoft Services

Tel : (303) 846-2701
Email: [email protected]

If you have any feedback about my work, please let either myself or my manager 
Rusty Gray know at [email protected]

From: [email protected] [mailto:[email protected]] On 
Behalf Of Steve Whitcher
Sent: Tuesday, December 23, 2014 7:47 AM
To: [email protected]
Subject: [mssms] SCUP Certificate expired - How to republish old updates?

A couple of weeks ago, our OSD TS started failing.  In the logs, I found a few 
updates were failing to install.  All of the problem updates were for 3rd party 
software, published through SCUP.  When I tried republishing updates from SCUP, 
I found that the signing certificate had expired.  (I wouldn't expect that to 
have caused already published updates to fail to be deployed, especially since 
I do have the time-stamp option enabled in SCUP, but I can't find any other 
reason that these particular updates would be failing to deploy.)

I removed the affected updates from update groups so that they wouldn't be 
deployed anymore, and now the TS is completing successfully.  I've requested a 
new cert from our CA and installed it in SCUP.  I added the new cert to trusted 
publishers via group policy.  I added a handful of new updates to a 
publication in SCUP and tried to re-publish it.  The publish fails early on, 
with a failure to verify the signature on a package.  Looking at the logs, it 
appears that the package in question is an update that was published 
previously.  Since the package is the same and only metadata has changed, SCUP 
doesn't push the package again, but tries to update the metadata only.  I am 
guessing that the signature verification fails because the package was signed 
with the old certificate, which was valid at the time, but has since expired.

Does that make sense?

At this point, I removed all old updates from the publication in SCUP and 
published it successfully with only the new updates.  I believe I need to 
somehow get the old updates re-published though, so that they will have the 
updated metadata and the correct signature on the package, and can be added 
back into update groups for deployment.  How can I get these previously 
published updates to republish to SCCM?

Thanks,
Steve Whitcher
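
The two conditions named in the reply at the top of this thread, plus the time-stamp question raised in the original post, can be checked on a client while the task sequence is still running. The function below is an added example, not part of the thread or of any Microsoft tooling; the function name and the package path are hypothetical, and it assumes the "allow signed updates" setting is the Windows Update policy value AcceptTrustedPublisherCerts.

```powershell
# Added example (not from the thread). Run on the client, e.g. from a
# "Run Command Line" step, against a locally available signed update file.
function Test-SignedUpdateTrust {
    param(
        # Hypothetical parameter: path to an Authenticode-signed package file
        [Parameter(Mandatory)] [string] $PackagePath
    )

    $sig    = Get-AuthenticodeSignature -FilePath $PackagePath
    $signer = $sig.SignerCertificate

    # Condition 1: is the signing cert in the machine's Trusted Publishers store?
    $inStore    = $false
    $thumbprint = $null
    $notAfter   = $null
    if ($signer) {
        $thumbprint = $signer.Thumbprint
        $notAfter   = $signer.NotAfter
        $inStore    = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
                             Where-Object Thumbprint -eq $thumbprint)
    }

    # Condition 2: is the "allow signed updates" policy enabled?
    # Assumption: it is stored as AcceptTrustedPublisherCerts = 1 under this key.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = (Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts `
                   -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    # Time-stamp check: a countersignature is what lets a signature outlive
    # the signing certificate's expiry date.
    [pscustomobject]@{
        SignatureStatus     = $sig.Status
        SignerThumbprint    = $thumbprint
        SignerNotAfter      = $notAfter
        SignerExpired       = ($null -ne $notAfter -and $notAfter -lt (Get-Date))
        HasTimestamp        = [bool]$sig.TimeStamperCertificate
        InTrustedPublishers = $inStore
        AllowSignedUpdates  = ($policy -eq 1)
    }
}

# Usage (placeholder path):
# Test-SignedUpdateTrust -PackagePath 'C:\Temp\<package-file>'
```

If InTrustedPublishers or AllowSignedUpdates is False during the task sequence but True after the machine has processed group policy, the failure matches the explanation given in the reply.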

