RESOLVED!!!!  Yay!

Yes, I screwed around with the certs the other day.  The newer cert was in both 
places, but the version of Flash I was installing, was published to SCCM with 
the original cert.  Today, I put the original certs back in place, and voila!  
The install worked on my 3 test machines.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 1:00 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Flash Player and SCUP

"I’m pretty sure that the latest version of Flash was synced to SCUP with the 
cert it has now."
so the update in CM is using a newer cert, which you defined in SCUP and signed 
that update with.
on the CLIENT (not CM), is that newer cert in both Trusted Publisher and 
Trusted Root, on that client?  You might want to visually verify that looking 
at the mmc, certificates for the machine.
The Client has to trust the code-signing certificate used to sign that update.  
It also needs to have that regkey about trusting those certs when used with 
Windows Update.
HKLM\Software\Policies\Microsoft\windowsUpdate\AcceptTrustedPublisherCerts, 
regdword=1.  That one is also usually delivered via GPO.

All of those things have to be there, for the client to install an update which 
did not originate from a known trusted source (in Microsoft's world, that's 
Microsoft alone).  If you want a client to trust something else--like something 
you signed in SCUP that  you got from who-knows-where (in this case, Adobe, not 
Microsoft); the whole chain of trust and signing has to be there from beginning 
to end.

On Thu, Jan 12, 2017 at 12:52 PM, Heaton, Joseph@Wildlife 
<joseph.hea...@wildlife.ca.gov> wrote:
Hmm, actually, I did change the cert just the other day, after downloading in 
SCUP, and pushing over to SCCM.

I’ll delete the updates from SCCM, and try again.  I’m pretty sure that the 
latest version of Flash was synced to SCUP with the cert it has now.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 10:22 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Flash Player and SCUP

https://support.microsoft.com/en-us/kb/2477936
for cm2007; but might still apply.

Are you SURE you have the certificate you used to sign the update in scup, on 
that client's Trusted Publisher and Trusted Root?  What does it say in 
windowsupdate.log?  Did you add that cert to your GPO so that clients get it 
automatically?  (there's other ways to get a code-signing cert to be trusted by 
your clients; but that's what many people do--whatever cert they used to sign 
their updates, is what they deliver to their clients via GPO--and that cert has 
to be in both trusted root and trusted publisher)

On Thu, Jan 12, 2017 at 10:09 AM, Heaton, Joseph@Wildlife 
<joseph.hea...@wildlife.ca.gov> wrote:
Sorry for the confusion.  I used SCUP, and pushed it over to SCCM so it shows 
up under All Software Updates.  I then “downloaded” it there, into a deployment 
package, created a SUG, and I’m working with the SUG, deploying it to my 3 test 
machines.

I think I am making progress, but I’m still not there.  I did the GP changes 
that were pointed out yesterday.  I manually installed Flash Player 23.0.0.185 
on one of my test machines, the NPAPI, and Active X.  I then redeployed the SUG 
this morning, telling it to show in Software Center, so I can follow, and at 
least see if it’s even trying to send the content to my test machine.  Both 
updates showed up, tried to install and failed.  This is the error message:


I did a quick Bing search, and came up empty.  I’m not seeing anything in Event 
Viewer, either.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 5:48 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Flash Player and SCUP

One thing about your setup, Joseph; that I might be confused on.  You stated 
earlier "packaged up into an updates deployment package,"  Do you mean that you 
downloaded the msi separately, went through a packaging process, and created  
your own, made-it-up-yourself rules in the SCUP console, which just so happened 
to be flashplayer; or did you import the rule from Adobe as a catalog, and 
downloaded the payload from Adobe, via that catalog?

If you created your own package and rules, then we'll have to take a step back 
and look at what your package does, and what you put into the SCUP 
customization for "what means applicable", "what means compliant".

On Wed, Jan 11, 2017 at 3:55 PM, Brad DeHart <br...@khs-net.com> wrote:
SCUP packages are updates.  You still need a base version deployed before you 
can install an update on top of it.  Depending on your settings, SCCM will take 
a while to discover changes.  For testing, you’ll end up manually running 
detections quite a bit.




Thank you,

Brad DeHart
Kern Health Systems
Senior Network Systems Administrator
Phone: 661-664-5068
Fax: 661-664-5410
br...@khs-net.com
www.kernfamilyhealthcare.com


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, January 11, 2017 10:59 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Flash Player and SCUP

I did not, so I did enable that setting.  I then created a new deployment in 
SCCM for this.  Now, one machine is already showing as Compliant, with no 
folder in CCMCache, and no Flash Player installed.  This machine did have Flash 
Player installed yesterday, 23.0.0.207.  The package I’m testing with is 
deploying 24.0.0.186.  During testing yesterday, I did uninstall 23.0.0.207 
from the one test machine that is currently showing as Compliant.

This brings up a question of expected behavior of deploying this through 
SCUP/SCCM.  If a machine does NOT have Flash Player installed, will this 
deployment install it?  Or does it require Flash Player to be installed in 
order for the deployment to install the new version?

From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Duncan McAlynn
Sent: Tuesday, January 10, 2017 6:24 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Flash Player and SCUP

Do you have the GPO enabled to accept signed content from an intranet server?

Enable allowance of signed updates.
a) From the tree on the left inside the Group Policy Management Editor dialog, expand to Computer Configuration > Policies > Administrative Templates... > Windows Components > Windows Update.
b) From the main pane, double-click Allow signed updates from an intranet Microsoft update service location.
Note: This option may be called Allow signed content from an intranet Microsoft update service location on different older supported operating systems.
c) Select Enabled and click OK.

Duncan McAlynn, Solutions Director, Americas
HEAT Software
M: +1.512.391.9111 | duncan.mcal...@heatsoftware.com
HEAT Software |  490 N McCarthy Blvd. Suite 100 | Milpitas, CA 95035

From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] 
On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 10, 2017 16:15
To: 'mssms@lists.myitforum.com' <mssms@lists.myitforum.com>
Subject: [mssms] Flash Player and SCUP

I’ve got my SCUP installed, the certs are done and on my test machines.  I’ve 
been able to get Flash Player updates into SCCM, packaged up into an updates 
deployment package, and into a SUG.  I’ve deployed this SUG to a test 
collection, holding my 3 machines that have the certs installed.  The 
deployment now says 100% compliant, and none of the machines have Flash player 
installed.

Ideas on what I may have messed up?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
SaveOurWater.com · Drought.CA.gov








--
Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, 
http://www.smguru.org
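
The client-side prerequisites discussed in this thread (the signing certificate present in both Trusted Publisher and Trusted Root, plus the AcceptTrustedPublisherCerts policy value) can be checked in one pass on a test machine. The PowerShell below is an added example, not code from any poster; the function name `Test-ScupClientTrust` and its parameters are hypothetical, and it follows the thread's requirement that the same certificate sits in both stores.

```powershell
# Added example: run in an elevated PowerShell session on the CLIENT, not the site server.
function Test-ScupClientTrust {
    [CmdletBinding()]
    param(
        # A file signed when the update was published (hypothetical input, e.g. the
        # update's .cab from the downloaded content). Its signer is what the client must trust.
        [Parameter(Mandatory, ParameterSetName = 'File')]
        [string]$SignedFile,

        # Alternatively, the thumbprint of the certificate the update was signed with.
        [Parameter(Mandatory, ParameterSetName = 'Thumb')]
        [string]$Thumbprint
    )

    if ($PSCmdlet.ParameterSetName -eq 'File') {
        # Read the signer from the content itself, so an update published under an
        # older certificate is compared against that certificate, not the current one.
        $sig = Get-AuthenticodeSignature -FilePath $SignedFile
        if (-not $sig.SignerCertificate) { throw "No Authenticode signer found on $SignedFile" }
        $Thumbprint = $sig.SignerCertificate.Thumbprint
    }

    # Strip spaces or hidden characters picked up when copying from the certificate dialog.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $result = [ordered]@{ Thumbprint = $Thumbprint }

    # Machine stores only: the Windows Update agent does not use per-user stores.
    foreach ($store in 'TrustedPublisher', 'Root') {
        $result["In$store"] = Test-Path -Path "Cert:\LocalMachine\$store\$Thumbprint"
    }

    # Policy value written by the "Allow signed updates from an intranet
    # Microsoft update service location" Group Policy setting.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value = (Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts `
                               -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $result.AcceptTrustedPublisherCerts = ($value -eq 1)

    $result.AllPrerequisitesMet = $result.InTrustedPublisher -and
                                  $result.InRoot -and
                                  $result.AcceptTrustedPublisherCerts
    [pscustomobject]$result
}
```

Passing `-SignedFile` rather than `-Thumbprint` catches the situation resolved at the top of this thread, where the update had been published under a different certificate than the one deployed to clients.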