Running .bat with SCCM 2012. Failing on XP?

I just installed SCCM about a week and a half ago. At first I installed SCCM just for Endpoint Protection, but then I realized you can use it for update deployments. Eventually I want to go on to moving from my WDS to OS deployment through SCCM too, but for now I'm stuck on updates.

So here's what I'm trying to do:

Deploy my WSUS Certificate, Update Java, Update Adobe reader, Update Flash.

On my Windows 7 computers everything is working. I look in my software center and everything is installing correctly. I did notice that java doesn't install over itself (I don't mean whole versions, I mean V7U11 not installing over V7U7.... kinda weird) but that's beside the point. Adobe installs right.

I did enable intranet installations through GPO, otherwise this wouldn't work on my W7 computers. I run a gpresult on the XP computers and I can see the policies are being applied. Boundaries and boundary groups are set correctly - otherwise W7 wouldn't work either.

Here's some background info: Right now I'm working with one domain before I branch off. WSUS wasn't working at first so I made a boundary for my IP scope, "Default-First-Site-Name" and one for my domain. I realize that I only need the IP setting, but I don't know if deleting the other two will mess something up. I'm not prepared to test that now. I have one boundary group encompassing all three boundaries.

I would also like to note - I have five domains in my district. I will eventually branch out to all five - for this reason I have created folders for each domain. In my All Systems I only have one domain, though, because I've only discovered my one domain thus far. It will not be this way forever though. Once I discover my other domains I will have thousands of computers. For this reason I made a group in my domain's folder called All Computers. The limiting collection is All Devices and it simply queries my domain OUs (My All Computers OU and the "Computers" OU that computers default to in AD).

This Collection doesn't recognize any of my computers. None. I've searched for days on this (while doing everything else) and my queries are right. Boundaries are right... I have three more collections that do work correctly when querying an AD daughter OU of "All Computers" limiting it to All Devices. This may have something to do with it: When I create a query for OU containers I can only see "All Computers" and sub OUs of "All Computers". I should be able to see all of the sub OUs of my domain right? That's how it was at first.. I don't know how it changed. So I had to choose "domain\All Computers" then I had to write in "domain\Computers".

These are the small problems I'm having. I don't mean to have all of this done for me as I'm sure I'll figure it out, but it wouldn't be fair not to mention these as they may be the source of my more immediate update problem.

Thanks for your help!!

To reiterate my problems:

WSUS Certificate is a batch file  -   Working on W7, Not working on XP   Software Center Error: 0x1(1)

Java is a batch file   -   Working on W7, Haven't deployed to XP (Will by tomorrow to see if it works)

Adobe is NOT a batch file. It's a premade library in SCUP that I'm deploying through SCCM.   -   Working on W7, Not working on XP   Software Center Error: The software change returned error code 0x800B0109(-2146762487).




While doing some reading I found that UNC deployments are not ideal:

(Can't post the link)

My WSUS Certificate batch deployment is UNC.

certutil -addstore Root \\"server"\sources\cert\WSUS.cer
certutil -addstore TrustedPublisher \\"server"\sources\cert\WSUS.cer

where "server" is my server name. It worked on my W7 machines. Is UNC the problem for my XP machines? Once the WSUS certificate is installed I'm willing to bet Adobe will work... I do have the box checked (that's default) that says download then install.

I'll be waiting for an answer :)

  • Edited by Quincy R Monday, January 14, 2013 9:40 PM
January 14th, 2013 9:25pm

Hi,

For the OUs that you are seeing, in the result list you will only see OUs from where you have discovered computers. How have you configured the Active Directory System Discovery agent? This is where you control which OUs will be used for discovering computers.

Computers in AD is a container and not an OU, so that is why you don't see that in the result.

For the installation of the certificate, on XP certutil is not part of the operating system; you have to manually copy that, if that can be the issue. You can use the one from the Windows Server 2003 Administration Tools Pack.

regards,
Jrgen

January 14th, 2013 9:40pm

Hi,

To add, the error you are getting translates to

"A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Source: Windows
-----"

So I guess you have the certutil files there...

Have you imported the Root certificate is installed in the trusted root store?

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/b9c343f0-88d4-40e5-b32f-acd2d1d5214b/

Regards,
Jrgen

January 14th, 2013 9:44pm

Why aren't you using a GPO to deploy the WSUS cert?

Also, certutil is *not* universal meaning that the XP does not come with certutil and to my knowledge you cannot use certutil from Win7 for XP -- you need to get a copy from W2K3 resource kit if memory serves.

As for the UNC, it's technically OK as long as you configure the perms properly but it's bad practice IMO because it doesn't scale.

January 14th, 2013 9:45pm
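
Added example, not part of the thread: a version of the certificate batch file that addresses the two points raised in the replies above, the missing certutil on XP and the UNC path. It assumes WSUS.cer (and, for XP, a copy of certutil.exe obtained as the replies describe) sits in the package folder next to the script; that layout and the exit codes 10 to 13 are hypothetical choices.

```bat
@echo off
rem Added example: install the WSUS signing certificate from the package folder.
rem Assumed layout: WSUS.cer (and optionally certutil.exe) beside this script.
setlocal

rem %~dp0 is the folder this script runs from. With "download then install"
rem that is the local client cache, so no UNC path is involved.
set "CERT=%~dp0WSUS.cer"

rem Windows 7 ships certutil.exe; XP does not, so fall back to a packaged copy.
set "CERTUTIL=%SystemRoot%\System32\certutil.exe"
if not exist "%CERTUTIL%" set "CERTUTIL=%~dp0certutil.exe"

rem Distinct (hypothetical) exit codes so the code reported by Software Center
rem shows which step failed instead of a generic error.
if not exist "%CERTUTIL%" exit 10
if not exist "%CERT%" exit 11

rem Trusted root store: needed for the certificate chain to validate.
"%CERTUTIL%" -addstore Root "%CERT%" >nul
rem certutil can return negative values on failure, so compare against 0
rem rather than using "if errorlevel 1".
if %ERRORLEVEL% neq 0 exit 12

rem Trusted publisher store: needed for locally published updates to install.
"%CERTUTIL%" -addstore TrustedPublisher "%CERT%" >nul
if %ERRORLEVEL% neq 0 exit 13

exit 0
```

The script uses `exit` rather than `exit /b` so the code becomes the process exit code seen by the deployment; when testing by hand, run it with `cmd /c` so the console window stays open.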

Hi,

For the OUs that you are seeing, in the result list you will only see OUs from where you have discovered computers. How have you configured the Active Directory System Discovery agent? This is where you control which OUs will be used for discovering computers.

AD System Discovery:

LDAP://OU=All Computers
LDAP://CN=Computers

Ok great - I changed my Device Collection to say CN instead of OU for "Computers", but on my device collection I still included my "All Computers" OU and it recognized nothing.

I have updated membership on my Device Collection "All Computers" (Querying OU=All Computers and CN=Computers - this should include all computers on my campus) and still I have 0 member count.

The query of the Device Collection and AD System Discovery are the same. Is this a problem? If so I guess I can go recognize all of the other district. I don't really want to if I can't have a collection with just this domains computers.

----------------------------------------------------------------------

"For the installation of the certificate, on XP certutil is not part of the operating system; you have to manually copy that, if that can be the issue. You can use the one from the Windows Server 2003 Administration Tools Pack."

I downloaded the admin pack for Server 2003 tool pack. Can I just deploy that through SCCM by creating a package with the Server 2003 Tool Pack .EXE?

January 14th, 2013 9:56pm

Hi,

To add, the error you are getting translates to

"A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

This error was for Adobe, not for WSUS (CertUtil)

It's going to take me a while to see if the "Root certificate is installed in the trusted root store" as I don't know what that's talking about. Is that talking about the WSUS cert not being installed? Again, Adobe installs on Windows 7.

"Why aren't you using a GPO to deploy the WSUS cert?"

I guess I could have done that.. SCCM just happened to be right at my fingertips then. I figured I would try out deployment with something. Deploying with GPO would only take a second to do, but would it work since I'm using CertUtil? How would you deploy that to XP computers if you can't use Certutil? Deploy the admin pack first?

"As for the UNC, it's technically OK as long as you configure the perms properly but its bad practice IMO because it doesn't scale."

I'm going to go look up how to do it right - local from the server or what. I definitely want to run things right from the start.

Thanks for the help so far!



  • Edited by Quincy R Monday, January 14, 2013 10:10 PM
January 14th, 2013 10:08pm

Ok great - I changed my Device Collection to say CN instead of OU for "Computers", but on my device collection I still included my "All Computers" OU and it recognized nothing.

I have updated membership on my Device Collection "All Computers" (Querying OU=All Computers and CN=Computers - this should include all computers on my campus) and still I have 0 member count.

Well I guess I should have seen that. I created one query that had the conditions of All computers AND CN Computers. Obviously they're not going to be in both... I don't know why I didn't catch that :P   Now that part is working. So... we know that .. what... the boundary and discovery methods are ok? -_-

I guess the big question is - can you install any kind of update without the WSUS certificate on the client computer first?

I don't know if this matters to you guys, but since I'm testing this all with my computer lab I should probably mention this as well. I have 33 computers in the lab all in the "Computer Lab" device collection. Out of those 33 computers, 10 of them won't install the clients. The computers are on and everything looks good. I've tried installing the client many times and nothing. If this has nothing to do with updates then.. disregard this :)  I am updating the lab to Windows 7 in about a month so.. the updates should be resolved? However, still ~500 computers on this campus will be XP so I hope you can help me find an answer!


  • Edited by Quincy R Tuesday, January 15, 2013 4:02 PM
January 15th, 2013 3:59pm

Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem, if so what was the solution?

February 4th, 2015 12:58pm

Since no one has answered this post, I recommend opening a support case with Microsoft Customer Support Services (CSS) as they can work with you to solve this problem.

June 27th, 2015 10:18am

This topic is archived. No further replies will be accepted.
