2 Replies Latest reply on Oct 11, 2016 9:56 AM by kellytice

    Non domain computers cannot receive 3rd party patches

    kjstech

      I have a handful of PCs not joined to our domain.  These are Kiosk machines running Provisio's SiteKiosk software for people to be able to come into our building and browse the internet.  They are very locked down terminals but we still want to keep Windows, Adobe Acrobat and Flash updated.


      In the local computer group policy of the machine we configured Windows Update to use our WSUS server and we have the client side targeting set.  We imported our domain root certificate and in IE we can browse to our https://wsus server and not receive any certificate errors.  It seems Microsoft updates do install but the hang up is the Adobe updates.  We need to read PDFs from our website and small portions of Flash content, but these two highly sought after applications are always prone to issues so we want to keep them up to date.


      I found this when investigating some bandwidth issues between remote sites.  Narrowed down the heavy usage to these kiosk machines constantly trying to download these updates from our WSUS server.  In WindowsUpdate.log I see this:


      Validating signature for C:\Windows\SoftwareDistribution\Download\24baee1d295f092d9cdbce885ea27ee0\AdbeRdrUpd11016_MUI.cab with dwProvFlags 0x00000080:

      2016-10-04 09:54:24:204 472 14b0 Misc FATAL: Error: 0x800b0109 when verifying trust for C:\Windows\SoftwareDistribution\Download\24baee1d295f092d9cdbce885ea27ee0\AdbeRdrUpd11016_MUI.cab

      2016-10-04 09:54:24:204 472 14b0 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\24baee1d295f092d9cdbce885ea27ee0\AdbeRdrUpd11016_MUI.cab are not trusted: Error 0x800b0109

      2016-10-04 09:54:24:219 472 14b0 DnldMgr WARNING: File failed postprocessing, error = 800b0109


      How can we resolve this issue?

        • Re: Non domain computers cannot receive 3rd party patches
          kjstech

          I figured it out.


          On my PC which is domain joined, running mmc and adding the certificates snap-in for the local computer I saw a WSUS Publishing Certificate in Trusted Root Certification Authorities and also Trusted Publishers.  I exported these two and transferred them to the non-domain kiosk machines using Dameware MRC and imported the certificates.  Now everything is installing great.


          Also in the local policy of these kiosks I changed the BITS bandwidth to only use 100kb during business hours.

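          The fix above works because error 0x800b0109 (CERT_E_UNTRUSTEDROOT) means the signature on the .cab chains to a root the kiosk does not trust; the locally published Adobe packages are signed with the WSUS publishing certificate, which domain-joined machines receive through Group Policy but a workgroup kiosk never sees.  The script below is an added example, not code from this thread or from Patch Manager, that automates the manual steps on a standalone kiosk: it verifies the exported .cer against a thumbprint read on the WSUS server (so an arbitrary certificate cannot be slipped into the root store), imports it into both stores only if it is missing, and then re-checks the .cab that failed in WindowsUpdate.log.  The .cer path and the thumbprint are placeholders; the .cab path is the one from the log above.  Run it from an elevated PowerShell prompt on the kiosk.

```powershell
# Added example (not from the thread): repair WSUS publishing-certificate trust
# on a non-domain kiosk and confirm a staged third-party .cab now verifies.
# Assumed inputs:
#   $CerPath            - certificate exported from the WSUS server or a working domain PC
#   $ExpectedThumbprint - thumbprint read on the WSUS server itself (placeholder)
#   $CabPath            - the .cab that logged 0x800b0109 in WindowsUpdate.log

$CerPath            = 'C:\Temp\WSUSPublishersSelfSigned.cer'      # assumed path
$ExpectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_WSUS_SERVER'   # placeholder
$CabPath            = 'C:\Windows\SoftwareDistribution\Download\24baee1d295f092d9cdbce885ea27ee0\AdbeRdrUpd11016_MUI.cab'

# Load the exported certificate without touching any store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Check 1: compare against a thumbprint obtained out of band. Whatever is imported
# into LocalMachine\Root can sign anything Windows Update will install, so the
# file copied over MRC must be proven to be the real WSUS publishing certificate.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected WSUS publishing certificate; not importing"
}

# Check 2: import only where it is missing. Both stores are needed:
#   Root             -> chain terminates in a trusted root (clears 0x800b0109)
#   TrustedPublisher -> locally published content installs without a prompt
foreach ($store in 'Root', 'TrustedPublisher') {
    $storePath = "Cert:\LocalMachine\$store"
    $present = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) {
        Write-Host "$store already contains $($cert.Subject)"
    } else {
        Write-Host "Importing $($cert.Subject) into $storePath"
        Import-Certificate -FilePath $CerPath -CertStoreLocation $storePath | Out-Null
    }
}

# Check 3: re-verify the .cab that failed. Get-AuthenticodeSignature goes through
# the same WinVerifyTrust path that wrote the FATAL lines in WindowsUpdate.log,
# so a Status of 'Valid' here means the download manager will accept it too.
if (Test-Path $CabPath) {
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    "{0}: {1} ({2})" -f (Split-Path $CabPath -Leaf), $sig.Status, $sig.StatusMessage
    if ($sig.SignerCertificate) { "Signed by: $($sig.SignerCertificate.Subject)" }
} else {
    Write-Host "No staged .cab at $CabPath; trigger a detection (wuauclt /detectnow) and re-run"
}
```

          To obtain the thumbprint on the WSUS server, open the same certificates snap-in there (or list `Cert:\LocalMachine\Root` in PowerShell) and copy the thumbprint of the publishing certificate; on a default WSUS local-publishing setup its subject is the self-signed "WSUS Publishers" certificate, but confirm the name in your own console rather than assuming it.  On kiosks running an OS older than Windows 8 / Server 2012, where `Import-Certificate` is not available, the same two imports can be done with `certutil -addstore Root` and `certutil -addstore TrustedPublisher` against the .cer file.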
            • Re: Non domain computers cannot receive 3rd party patches
              kellytice

              As a side note, there is a task in Patch Manager under Administration and Reporting (or on the right-click menu if you browse to and select a machine) called "Client Certificates Management".  That task will attempt to read the cert from the WSUS server and then distribute it to the targeted machine(s) into the proper stores.  That task can be scoped to multiple machines if desired.


              The main 'gotcha' with it is that it will look into the Credential Ring to find the proper credential to use to initiate the task, so if your target is a standalone/workgroup machine, it may be the case that there is not a valid credential in the credential ring.  But if there is, this way of getting the cert out might be easier than using DameWare to do it.