Let’s understand how to fix the ConfigMgr third-party updates Last Sync Status Trust Failed issue. Recently, I have seen an issue with third-party software update syncs. Some of the syncs are getting failed with TRUST related errors. I tried to manually initiate sync without any success. Let’s find out how to fix this issue in this post.
The third-Party Software Updates setup is completed using the Step by Step guide. Most of the 3rd party software updates troubleshooting scenarios are covered in the Process Guide. You can get more details about logs files from the troubleshooting blog post.
In the test environment, I use only the default/out of the box third party update catalogs (a.k.a Partner catalogs) available in Configuration Manager (a.k.a SCCM). There are custom catalogs also available from different vendors and service providers. A list of free third-party catalogs is available in the Free SCCM Catalogs post.
Let’s analyze the Trust Failed error for Lenovo and Dell partner catalogs. HP catalog seems to sync successfully.
- To check whether you have the same problem – Navigate to \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs.
- Check the Last Sync Status Column.
As you can see in the following screen shot, the third party sync is failed for Dell and Lenovo catalogs.
The log file SMS_ISVUPDATES_SYNCAGENT.log is your friend here to analyze further issue SCCM third-party software update catalog sync issues. This log file is located in the default log location on the primary server or CAS server.
- Opened the SMS_ISVUPDATES_SYNCAGENT.log log file with CMTrace.
- Search with the Keyword DELL (because Dell catalog sync is failed).
- Error Messages are right there:
SyncUpdateCatalog: SyncUpdateCatalog : 41a7ad54-9744-4779-acd8-bf596e11e12f - No previous hash was found, catalog has not been synced previously or hash was reset. SyncUpdateCatalog: File 'F:\Program Files\Microsoft Configuration Manager\ISVTemp\plnn5z1u.jyu\DellSDPCatalogPC.cab' appears to be signed, retrieved certificate, checking signature… ScheduledWorkMonitor: Scheduled item (GroomJobsTask:00000000-0000-0000-0000-000000000000) is due in 03:48:11.6277400. SyncUpdateCatalog: Certificate '211D4485D4807F486E99D98E71' is not yet approved, try again after approval. STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_TRUST_FAILED). Launcher : Work item SyncUpdateCatalog has completed queued time was 00:00:00.3878648 run time was 00:00:01.3577095
- I could also see same errors for Lenovo Catalog updates as well.
SyncUpdateCatalog: SyncUpdateCatalog : 8fe44f76-98a1-484c-a34c-b4897a26990a - No previous hash was found, catalog has not been synced previously or hash was reset. SyncUpdateCatalog: File 'F:\Program Files\Microsoft Configuration Manager\ISVTemp\if2ycodc.v5l\LenovoUpdatesCatalog2v2.cab' appears to be signed, retrieved certificate, checking signature… SyncUpdateCatalog: Certificate 'B9D8C79DD172D23694B91' is not yet approved, try again after approval. STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_TRUST_FAILED).
So important notes from these log file snippets are given below:
- It seems there are new catalogs from Dell and Lenovo (?) – No previous hash was found, catalog has not been synced previously or hash was reset.
- Status Message – STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_TRUST_FAILED)
- The main Error – Certificate ‘XYZ’ is not yet approved, try again after approval.
From the above lines of log file, I got an indication that this is something to do with new certificates. Let’s go to resolution now.
Let’s try to fix the third-party catalog sync issue.
- Navigate to \Administration\Overview\Security\Certificates.
- sort the with Status column.
- Find out the Blocked certificates.
- Right-Click on Dell certificate.
- Select Unblock button.
- Go back to \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs.
- Right-click on Dell Catalog.
- Select Sync Now option.
- Select Yes from the Sync Catalog pop-up window.
- Check the log file SMS_ISVUPDATES_SYNCAGENT.log and as per the log the DELL third-party software update sync completed successfully.
SyncUpdateCatalog: Skipping 'NVIDIA Quadro Desktop Graphics Driver,126.96.36.19939,A00' (Update:'ce132397-bb6b-4985-bc14-1c4dd36d7f8c') Vendor 'Dell' Product:'Drivers and Applications' due to it's classification: 'Updates'. STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_SYNCED). SyncUpdateCatalog: 0 updates were synchronized to WSUS successfully, and 0 failed to publish. SyncUpdateCatalog: SyncUpdateCatalog : 8fe44f76-98a1-484c-a34c-b4897a26990a - Completed.
- To confirm the update catalogs sync – Navigate to \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs.
- Check Last Sync Status column in the console.
- Success is good sign!
- Free Catalog List – SCCM Third-Party Updates Post 2
- SCCM Third-Party Updates Step by Step Background Process Guide Post 3
- Monitor software updates
- Enable third-party updates SCCM 1902
- How to Install, Configure and Integrate with SCUP 2017 with SCCM
- How to Publish 3rd Party Abode Acrobat Patches via SCCM SCUP 2017