Third party patching is one of the top voted SCCM User voice item here (this user voice item is removed now as the feature is included in the product). This UV proves that the 3rd party application patching is the most tedious activity for SCCM admins.
SCCM production release has an option to create group policies on the client machine to enable the 3rd party software update/patching. This first steps to enable third-party software update support.
Bit of History on Third Party Software Update – 3rd Party Application Patching
David James (Director of Engineering, ConfigMgr, and Microsoft) promised us to work on 3rd party software updates. He kept his promises and we could see the improvements in SCCM CB 1802 production release.
Phase one of these changes is in 1803 tp, as well as 1802 production. We will continue to add more integration in the future with a huge chunk coming for 1806 production.
Automatically importing WSUS signing certificate (which is used to sign third party updates) into the SCCM database, and then that certificate is pushed down to clients Trusted Publisher certificate store. (If admin enables this on the SUP top level site components configuration).
Enabling “Allow signed updates from an intranet Microsoft updates service location” group policy on clients, which tells Windows to allow them to install 3rd party signed updates during normal Software Updates sync/install (if admin enables this in Software Updates client agent settings).
Third Party Software Update – 3rd Party Application Patching and SCCM
We can now enable configuration of SCCM clients for third party software updates. When we Enable third party software updates for the SUP component properties, the SUP will download the signing certificate used by WSUS for third party updates.
I would recommend reading the Third-Party update via SCCM without SCUP from the following documentation.
Selecting Enable third party software updates in client settings does the following on the SCCM CB 1802 client machine:-
- It sets the Group Policy for ‘Allow signed updates for an intranet Microsoft update service location’.
- Installs the signing certificate to the Trusted Publisher store.
Where is Third (3rd) Party Software Updates Option
This action should be done on the topmost site server in your hierarchy (CAS or Standalone Primary). On the topmost site in the SCCM 1802 or later hierarchy, go to the Administration node, expand Site Configuration, then Sites.
SCCM Server Side
- Right-click on your topmost site server and select Configure Site Components then Software Update Point.
- Click on the Third Party Updates tab and check Enable third party software updates.
SCCM Client Settings
- Open Client Settings and go to the settings for Software Updates.
- Ensure Enable third party software updates is set to Yes.
Third (3rd) Party Software Updates Patching & SCCM 1806
I’m excited about future development of SCCM CB and third (3rd) party software update (application) patching. I except a load of ease in the entire 3rd party patching process with SCUP, SCCM, and WSUS.
Lookout for new improvements in SCCM CB 1803 preview and other preview versions of SCCM. I hope we will have a robust working solution for third (3rd) party software updates (patching) with the release of SCCM CB 1806 production version.
Feedback on SCCM 3rd party patching and SUP HTTPS Required
Thank you Steven M. Salter on SCCM Facebook Group to mention the following details. This feature needs SUP/WSUS server to be running in https to work. You will see this mentioned in the wsyncmgr logs if you have http WSUS but nowhere does Microsoft mention this in release notes, nor did they even mention this feature at all in said notes.
The log says:
Done Synchronizing SMS with WSUS Server SCCM Warning: WSUS Connection is not HTTPS. This prevents software updates Point from getting the signing certificate for 3rd Party updates. Finished checking for 3rd party signing certificate.”