I was contacted by colleague that Configmgr is not showing the updates that were published day ago by SCUP . So i started checking the SCUP configuration (proxy) and the updates status if they are published or not using the date published and also verified SCUP logs.
From SCUP perspective,all looks good. Next to look at Configmgr ,in this ,i checked the SUP properties if the published products are selected or not , check the proxy details in site system role properties.
Next to look at proxy details that are configured in IE for system account for which ,you can use psexec tool to verify it.
How to open IE using system account or check the proxy details in cmd using pxecec ? run the cmd using administrator ,run psexec –i –s cmd.exe
Type netsh winhttp show proxy it must give you the proxy details if at all configured .Run the following command to open IE using system account
PsExec.exe -i -s "C:\Program Files\Internet Explorer\iexplore.exe"
set the proxy in IE ,once this is done ,come back to cmd prompt (system account) and run netsh winhttp import proxy source =ie to import the IE settings .
This also looks good to me .What else could go wrong for the updates not shown up in SCCM console ?
Now ,i move onto the SUP logs WCM.log and WSUSCtrl.log both looks good and the final log is sync log wsyncmgr.log which has some errors init.
Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS
we know that ,there are no changes to IIS or any configurations in the last few months with respect to SSL. I have tried the sync by providing the user name in site system role properties to use credentials to connect to proxy server but it failed with same error.
After searching in Google with above error ,found few blogs that refers to https://technet.microsoft.com/en-us/library/dn265983.aspx (configure trusted roots) but they do not apply to me .
https://the-d-spot.org/2011/05/17/sccm-sup-sync-failed-6703/
https://www.windows-noob.com/forums/topic/7559-sup-sync-issue/
After sometime ,got to know from another colleague that ,there were some changes made to the proxy server by NOC team which requires SSL authentication. What it means is ,software update sync happens using system account instead of user account which require SSL authentication and in this case, we need to get approval from security team to allow the SCCM site server computer account to bypass or added to exception list.
References and troubleshooting https://support.microsoft.com/en-us/help/10329/configuring-software-update-synchronization-in-system-center-configura
https://technet.microsoft.com/en-sg/library/bb892795.aspx
1 Comment
Your colleagues seem to be quite helpful.