"I’m pretty sure that the latest version of Flash was synced to SCUP with the cert it has now." so the update in CM is using a newer cert, which you defined in SCUP and signed that update with. on the CLIENT (not CM), is that newer cert in both Trusted Publisher and Trusted Root, on that client? You might want to visually verify that looking at the mmc, certificates for the machine. The Client has to trust the code-signing certificate used to sign that update. It also needs to have that regkey about trusting those certs when used with Windows Update. HKLM\Software\Policies\Microsoft\windowsUpdate\AcceptTrustedPublisherCerts, regdword=1. That one is also usually delivered via GPO.
All of those things have to be there, for the client to install an update which did not originate from a known trusted source (in Microsoft's world, that's Microsoft alone). If you want a client to trust something else--like something you signed in SCUP that you got from who-knows-where (in this case, Adobe, not Microsoft); the whole chain of trust and signing has to be there from beginning to end. On Thu, Jan 12, 2017 at 12:52 PM, Heaton, Joseph@Wildlife < [email protected]> wrote: > Hmm, actually, I did change the cert just the other day, after downloading > in SCUP, and pushing over to SCCM. > > > > I’ll delete the updates from SCCM, and try again. I’m pretty sure that > the latest version of Flash was synced to SCUP with the cert it has now. > > > > *From:* [email protected] [mailto:listsadmin@lists. > myitforum.com] *On Behalf Of *Sherry Kissinger > *Sent:* Thursday, January 12, 2017 10:22 AM > *To:* [email protected] > *Subject:* Re: [mssms] RE: Flash Player and SCUP > > > > https://support.microsoft.com/en-us/kb/2477936 > > for cm2007; but might still apply. > > > > Are you SURE you have the certificate you used to sign the update in scup, > on that client's Trusted Publisher and Trusted Root? What does it say in > windowsupdate.log? Did you add that cert to your GPO so that clients get > it automatically? (there's other ways to get a code-signing cert to be > trusted by your clients; but that's what many people do--whatever cert they > used to sign their updates, is what they deliver to their cilents via > GPO--and that cert has to be in both trusted root and trusted publisher) > > > > On Thu, Jan 12, 2017 at 10:09 AM, Heaton, Joseph@Wildlife < > [email protected]> wrote: > > Sorry for the confusion. I used SCUP, and pushed it over to SCCM so it > shows up under All Software Updates. I then “downloaded” it there, into a > deployment package, created a SUG, and I’m working with the SUG, deploying > it to my 3 test machines. > > > > I think I am making progress, but I’m still not there. I did the GP > changes that were pointed out yesterday. I manually installed Flash Player > 23.0.0.185 on one of my test machines, the NPAPI, and Active X. I then > redeployed the SUG this morning, telling it to show in Software Center, so > I can follow, and at least see if it’s even trying to send the content to > my test machine. Both updates showed up, tried to install and failed. > This is the error message: > > > > > > I did a quick Bing search, and came up empty. I’m not seeing anything in > Event Viewer, either. > > > > *From:* [email protected] [mailto:listsadmin@lists. > myitforum.com] *On Behalf Of *Sherry Kissinger > *Sent:* Thursday, January 12, 2017 5:48 AM > *To:* [email protected] > *Subject:* Re: [mssms] RE: Flash Player and SCUP > > > > One thing about your setup, Joseph; that I might be confused on. You > stated earlier "packaged up into an updates deployment package," Do you > mean that you downloaded the msi separately, went through a packaging > process, and created your own, made-it-up-yourself rules in the SCUP > console, which just so happened to be flashplayer; or did you import the > rule from Adobe as a catalog, and downloaded the payload from Adobe, via > that catalog? > > > > If you created your own package and rules, then we'll have to take a step > back and look at what your package does, and what you put into the SCUP > customization for "what means applicable", "what means compliant". > > > > On Wed, Jan 11, 2017 at 3:55 PM, Brad DeHart <[email protected]> wrote: > > SCUP packages are updates. You still need a base version deployed before > you can install an update on top of it. Depending on your settings, SCCM > will take a while to discover changes. For testing, you’ll end up manually > running detections quite a bit. > > > > > > Thank you, > > Brad DeHart > Kern Health Systems > Senior Network Systems Administrator > Phone: 661-664-5068 <(661)%20664-5068> > Fax: 661-664-5410 <(661)%20664-5410> > [email protected] > www.kernfamilyhealthcare.com > > > > *From:* *[email protected] <[email protected]>* > [mailto:*[email protected] <http://myitforum.com>*] *On > Behalf Of *Heaton, Joseph@Wildlife > > > *Sent:* Wednesday, January 11, 2017 10:59 AM > > > *To:* *[email protected] <[email protected]>* > *Subject:* [mssms] RE: Flash Player and SCUP > > > > I did not, so I did enable that setting. I then created a new deployment > in SCCM for this. Now, one machine is already showing as Compliant, with > no folder in CCMCache, and no Flash Player installed. This machine did > have Flash Player installed yesterday, 23.0.0.207. The package I’m testing > with is deploying 24.0.0.186. During testing yesterday, I did uninstall > 23.0.0.207 from the one test machine that is currently showing as > Compliant. > > > > This brings up a question of expected behavior of deploying this through > SCUP/SCCM. If a machine does NOT have Flash Player installed, will this > deployment install it? Or does it require Flash Player to be installed in > order for the deployment to install the new version? > > > > *From:* *[email protected] <[email protected]>* > [*mailto:listsadmin@lists <listsadmin@lists>.myitforum.com > <http://myitforum.com>*] *On Behalf Of *Duncan McAlynn > *Sent:* Tuesday, January 10, 2017 6:24 PM > *To:* *[email protected] <[email protected]>* > *Subject:* [mssms] RE: Flash Player and SCUP > > > > Do you have the GPO enabled to accept signed content from an intranet > server? > > > > Enable allowance of signed updates. > > a) From the tree on the left inside the *Group Policy Management > Editor*dialog, > expand > > to *Computer Configuration *> *Policies *> *Administrative Templates... *> > *Windows* > > *Components *> *Windows Update*. > > b) From the main pane, double-click *Allow signed updates from an > intranet Microsoft update* > > *service location*. > > *Note: *This option may be called *Allow signed content from an intranet > Microsoft update* > > *service location *on different operating older supported operating > systems. > > c) Select *Enabled *and click *OK*. > > > > *Duncan McAlynn*, Solutions Director, Americas > *HEAT Software* > M: *+1.512.391.9111 <(512)%20391-9111>* | *[email protected] > <[email protected]>* > HEAT Software | 490 N McCarthy Blvd. Suite 100 | Milpitas, CA 95035 > > > > *From:* *[email protected] <[email protected]>* > [*mailto:listsadmin@lists <listsadmin@lists>.myitforum.com > <http://myitforum.com>*] *On Behalf Of *Heaton, Joseph@Wildlife > *Sent:* Tuesday, January 10, 2017 16:15 > *To:* '*[email protected] <[email protected]>*' > <*[email protected] > <[email protected]>*> > *Subject:* [mssms] Flash Player and SCUP > > > > I’ve got my SCUP installed, the certs are done and on my test machines. > I’ve been able to get Flash Player updates into SCCM, packaged up into an > updates deployment package, and into a SUG. I’ve deployed this SUG to a > test collection, holding my 3 machines that have the certs installed. The > deployment now says 100% compliant, and none of the machines have Flash > player installed. > > > > Ideas on what I may have messed up? > > > > Thanks, > > > > Joe Heaton > > Information Technology Operations Branch > > Data and Technology Division > > CA Department of Fish and Wildlife > > 1700 9th Street, 3rd Floor > > Sacramento, CA 95811 > > Desk: *(916) 323-1284 <(916)%20323-1284>* > > > > Every Californian should conserve water. Find out how at: > > *SaveOurWater.com* · *Drought.CA.gov <http://Drought.CA.gov>* > > > > > > > > > ------------------------------ > > > Kern Health Systems Confidentiality Statement: > > This email and any attachments are legally privileged and can contain > business proprietary and/or confidential information intended for a > specific individual and purpose. This information is intended only for the > use of the individual or entity named above. The authorized recipient of > this information is prohibited from disclosing this information to any > other party unless required to do so by law or regulation and is required > to destroy the information after its stated need has been fulfilled. > > If you are not the intended recipient, you are hereby notified that any > disclosure, copying, distribution, or action taken in reliance on the > contents of these documents is strictly prohibited. If you have received > this information in error, please notify the sender immediately and arrange > for the return or destruction of these documents. > > > > > > > -- > > Thank you, > > Sherry Kissinger > > > My Parameters: Standardize. Simplify. Automate > Blogs: *http://www.mofmaster.com <http://www.mofmaster.com>*, > *http://mnscug.org/blogs/ > <http://mnscug.org/blogs/>sherry-kissinger*, *http://www.smguru.org > <http://www.smguru.org>* > > <http://www.kernfamilyhealthcare.com> > > > > > > > -- > > Thank you, > > Sherry Kissinger > > > My Parameters: Standardize. Simplify. Automate > Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, > http://www.smguru.org > > > > -- Thank you, Sherry Kissinger My Parameters: Standardize. Simplify. Automate Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, http://www.smguru.org
