1 Reply Latest reply on Jan 17, 2020 4:13 PM by pmanson

    SCCM Version Support & Upgrade Certificate

    pmanson

      I have two questions, ahead of upgrading PM for the first time.  Reviewing the Upgrade Preflight Checklist, I find the "Run All Windows Updates" task.  Makes sense, but there is a note stating to "Generate a new 2048-bit publishing certificate" once the Windows Updates are applied.  It seems odd to me one would have anything to do with the other, and there is nothing later in the document detailing what to do with the new certificate.  In my environment, we ended up having to take the WSUS code certificate and deploy it in GPO to the clients to support the self signed updates.  So if I reissue it, I can only assume that I will have to deploy it again.  Has anyone had to follow this step and issue a new certificate during the Windows Update task?

       

      Second, has anyone had experience upgrading SCCM beyond the version supported in the release notes?  I am on 2.1.7 currently, but the SCCM team is looking to move to 1910, which is not supported on either 2.1.7 or 2019.4 (up to 1906).  Are people upgrading SCCM beyond the recommendation successfully?  Is anyone running SCCM 1910 with either 2.1.7 or 2019.4?  Thank you!

        • Re: SCCM Version Support & Upgrade Certificate
          pmanson

          Support answered my questions.  First the support statement is what is is for 1910, that it hasn't been certified yet, although there were no specific issues which could be described to me.  Second, there appears to be mis-information in the documentation.

           

          https://documentation.solarwinds.com/archive/pdf/patchman/SPM_Install_Guide.pdf

          Page: 47 (Upgrade Checklist)

           

          Run all Windows updates

          - "When you are finished, generate a new 2048-bit publishing certificate on your primary application server."

           

          Per support, this might be there as a good practice, to ensure you don't forget to keep the cert updated (mine was created for 5 years), but that doing this step will invalidate what you've done with the old cert.  This should only be done under a specific effort when the cert needs to be updated.