SCCM CB 1802 Enable Third Party Software Update Support

Third Party Software Update

Third-party patching is one of the top-voted SCCM/ConfigMgr UserVoice items, which says a lot about how tedious third-party application patching is for SCCM admins. The SCCM CB 1802 production release adds an option that configures the client-side policy needed for third-party software updates and distributes the signing certificate. This is the first step towards full third-party software update support.

I recommend reading more about the latest production version of SCCM CB 1802 and the step-by-step upgrade guide for more details. I also believe SCCM CB 1802 helps organisations keep their infrastructure neat and clean with the new Management Insights feature.

Bit of History on Third Party Software Update – 3rd Party Application Patching

I have a post that explains the third-party (3rd party) software update patching troubles SCCM admins face, along with some SCUP and SCCM integration video tutorials for more details.

David James (Director of Engineering, ConfigMgr, Microsoft) promised to work on third-party software updates. He kept his promise, and we can see the improvements in the SCCM CB 1802 production release.

Phase one of these changes is in 1803 TP, as well as 1802 production. We will continue to add more integration in the future, with a huge chunk coming for 1806 production.

Automatically importing the WSUS signing certificate (which is used to sign third-party updates) into the SCCM database; that certificate is then pushed down to the clients' Trusted Publisher certificate store (if the admin enables this in the SUP top-level site component configuration).

Enabling the “Allow signed updates from an intranet Microsoft update service location” group policy on clients, which tells Windows to allow them to install third-party signed updates during the normal software update sync/install (if the admin enables this in the Software Updates client agent settings).

Third Party Software Update – 3rd Party Application Patching and SCCM CB 1802

We can now configure SCCM clients for third-party software updates. When we enable third-party software updates in the SUP component properties, the SUP downloads the signing certificate that WSUS uses to sign third-party (locally published) updates, such as the WSUS Publishers Self-signed certificate created through SCUP, and stores it in the site database.

Selecting Enable third party software updates in client settings does the following on an SCCM CB 1802 client:

  • It sets the local policy ‘Allow signed updates from an intranet Microsoft update service location’ (the AcceptTrustedPublisherCerts value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate). Note that a domain GPO configuring the same setting takes precedence over this local policy.
  • It installs the signing certificate into the Trusted Publisher store of the local machine, so Windows Update will accept updates signed with it.


Where is the Third (3rd) Party Software Updates Option?

This must be done on the topmost site in your hierarchy (CAS or stand-alone primary). On the topmost site of an SCCM 1802 or later hierarchy, go to the Administration workspace, expand Site Configuration, then Sites.

SCCM Server Side

  • Right-click on your topmost site server and select Configure Site Components then Software Update Point.
  • Click on the Third Party Updates tab and check Enable third party software updates.

SCCM Client Settings

  • Open Client Settings and go to the settings for Software Updates.
  • Ensure Enable third party software updates is set to Yes.
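Once both switches are on, it is worth confirming what actually changed rather than trusting the console. The following PowerShell is an added example, not code from the original post or from Microsoft: the first function runs on the WSUS/SUP server and reads the certificate WSUS signs locally published updates with (WSUS keeps it in the machine's WSUS certificate store); the second runs on a managed client and checks the local policy value and the Trusted Publisher store that the client agent is supposed to populate. The function names are my own; the store paths and the AcceptTrustedPublisherCerts value are the ones Windows and WSUS use.

```powershell
# Added example (not from the original post or from Microsoft).
# Get-WsusSigningCertificate runs on the WSUS/SUP server; Test-ThirdPartyUpdateClient
# runs on a client and takes the thumbprint you got from the server.

function Get-WsusSigningCertificate {
    # WSUS stores the certificate it uses to sign locally published (third-party)
    # updates in the local machine "WSUS" store. If this store is empty, the SUP
    # has nothing to sync and wsyncmgr.log reports a failure to get the certificate.
    $certs = Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' -ErrorAction SilentlyContinue
    if (-not $certs) {
        Write-Warning 'No certificate in Cert:\LocalMachine\WSUS: WSUS has no signing certificate configured.'
        return $null
    }
    foreach ($c in $certs) {
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            Expired    = ($c.NotAfter -lt (Get-Date))
        }
    }
}

function Test-ThirdPartyUpdateClient {
    param(
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    # 1. The client agent writes "Allow signed updates from an intranet Microsoft
    #    update service location" as a local policy registry value (1 = enabled).
    #    A domain GPO that configures the same setting wins over this local value.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value = (Get-ItemProperty -Path $policyKey -Name 'AcceptTrustedPublisherCerts' `
                -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $policySet = ($value -eq 1)

    # 2. The WSUS signing certificate must be in the machine Trusted Publisher store,
    #    otherwise Windows Update rejects the third-party update as untrusted.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPublisher' |
        Where-Object { $_.Thumbprint -eq $ExpectedThumbprint } |
        Select-Object -First 1
    $certPresent = [bool]$cert
    $certExpired = if ($certPresent) { $cert.NotAfter -lt (Get-Date) } else { $null }

    [pscustomobject]@{
        PolicySet        = $policySet
        PolicyValue      = $value
        CertInTrustedPub = $certPresent
        CertExpired      = $certExpired
        Ready            = ($policySet -and $certPresent -and -not $certExpired)
    }
}

# Usage across the two hosts:
#   On the WSUS server:  $t = (Get-WsusSigningCertificate).Thumbprint
#   On a client:         Test-ThirdPartyUpdateClient -ExpectedThumbprint $t
```

If PolicySet is true but the certificate is missing on the client, the server-side sync of the certificate is the thing to check first (see the wsyncmgr.log discussion further down); if the certificate is present but the policy is not, look for a domain GPO that overrides the local policy.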

Third (3rd) Party Software Updates Patching & SCCM 1806

I’m excited about the future development of SCCM CB and third-party (3rd party) software update (application) patching. I expect the entire third-party patching process with SCUP, SCCM, and WSUS to become much easier.

Look out for new improvements in the SCCM CB 1803 preview and other preview versions of SCCM. I hope we will have a robust, working solution for third-party (3rd party) software updates (patching) with the release of the SCCM CB 1806 production version.

Feedback on SCCM 3rd party patching and SUP HTTPS Required

Thanks to Steven M. Salter on the SCCM Facebook Group for pointing out the following. This feature needs the SUP/WSUS server to be running over HTTPS in order to work. You will see this in wsyncmgr.log if your WSUS is HTTP-only, but Microsoft does not mention it in the release notes, nor is the feature itself mentioned in those notes. In practice that means configuring WSUS for SSL (default port 8531), enabling Require SSL communication to the WSUS server in the SUP properties, and making sure both the site server and the clients trust the certificate WSUS presents; otherwise clients lose the ability to scan, as one of the comments below describes.

The log says:

Done Synchronizing SMS with WSUS Server SCCM
Warning: WSUS Connection is not HTTPS. This prevents software updates Point from getting the signing certificate for 3rd Party updates.
Finished checking for 3rd party signing certificate.
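To check the HTTPS prerequisite from the site server side, the following PowerShell is an added example (not from the original post or from Microsoft). The first function scans wsyncmgr.log lines for the warning quoted above and for the signing-certificate sync failure quoted in the comments; the second makes a real TLS request to the WSUS client web service on the SSL port, which fails for the same reasons the SUP's certificate fetch does (no SSL binding, or a WSUS certificate the site server does not trust). The WSUS host name and the sample log lines are constructed for the example; 8531 is the WSUS default SSL port, and the log path is the default ConfigMgr installation path.

```powershell
# Added example (not from the original post or from Microsoft).

function Find-WsusSigningCertIssues {
    param([string[]] $LogLines)
    # Patterns taken from the wsyncmgr.log excerpts quoted on this page.
    $patterns = @(
        'WSUS Connection is not HTTPS',
        'Exception when attempting to get signing certificate from WSUS server',
        'Failed to sync third party signing certificate from WSUS'
    )
    foreach ($line in $LogLines) {
        foreach ($p in $patterns) {
            # CMTrace lines wrap the message in <![LOG[...]LOG]!>, so match on a substring.
            if ($line -like "*$p*") {
                [pscustomobject]@{ Pattern = $p; Line = $line }
                break
            }
        }
    }
}

function Test-WsusHttps {
    param(
        [Parameter(Mandatory)] [string] $WsusServer,
        [int] $Port = 8531
    )
    # A GET to client.asmx over HTTPS exercises the SSL binding and the trust chain
    # exactly as the SUP does. A certificate-trust error shows up in the Error field.
    $url = 'https://{0}:{1}/ClientWebService/client.asmx' -f $WsusServer, $Port
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $url; Https = $true;  StatusCode = $r.StatusCode; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $url; Https = $false; StatusCode = $null; Error = $_.Exception.Message }
    }
}

# Constructed sample in the shape of wsyncmgr.log (not a real capture):
$sample = @(
    'Done Synchronizing SMS with WSUS Server WSUS01.contoso.local',
    'Warning: WSUS Connection is not HTTPS. This prevents software updates Point from getting the signing certificate for 3rd Party updates.',
    'Finished checking for 3rd party signing certificate.'
)
Find-WsusSigningCertIssues -LogLines $sample   # reports the "not HTTPS" warning line

# Against a live SUP (default log path; adjust to your install):
# Find-WsusSigningCertIssues -LogLines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log')
# Test-WsusHttps -WsusServer 'WSUS01.contoso.local'
```

If Test-WsusHttps reports a trust error, fix the WSUS certificate chain on the site server before touching the SUP settings; if it reports a connection failure on 8531, WSUS is not bound to SSL yet and the SUP will keep logging the warning above.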

10 COMMENTS

  1. Does this mean that if I enable third party software updates in SCCM client settings, it will enable “Allow signed updates from an intranet Microsoft update service location” in the devices’ local policy?

  2. Hey. Do you know how to configure it from HTTP to HTTPS?
    After I changed it to HTTPS my clients can’t scan for updates.
    There really needs to be a guide from MS.

  3. Great article Anoop. There is very little on this subject that has been documented so far. While most of the details will come by 1806 TP, have you heard of anyone using it in production/QA environments? What are the results looking like? Does it support enough packages to replace something like ManageEngine?

    • This is just a starting point for this feature, as I mentioned in the post. This release helps to set up some group policies for 3rd party patching. I would suggest testing the Technical Preview version to get a more updated version of this feature.

  4. Hi Anoop,

    I am getting the following errors in the wsyncmgr.log:

    Exception when attempting to get signing certificate from WSUS server: The system cannot find the file specified

    Failed to sync third party signing certificate from WSUS.

    Exception: System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified~~ at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWsusSigningCertificate(String& sThumbprint)~~ at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.DoSync()

    Do you have any information how to issue and install the required cert on the WSUS server? I can’t find anything online.

    Thanks,

    Ivailo

  5. Thank you for the great post. After we turned it on, we cannot download any Office 365 updates, error 404. Is that a coincidence or related?
