SCCM Third-party software upate is one of the top voted SCCM User voice item here (this user voice item is removed now as the feature is included in the product).
[Related Posts – SCCM Third Party Software Update Support without SCUP & How Tedious for SCCM Admins to Patch Third- Party Applications via SCUP]
This Uer Voice proves that the SCCM Third-Party Software Update is the most tedious activity for SCCM admins.
SCCM production release has an option to create group policies on the client machine to enable the 3rd party software update/patching. This first steps to enable third-party software update support.
Table of Contents
Bit of History on SCCM Third-Party Software Update – 3rd Party Application Patching
I have a post which explains about SCCM third party (3rd) Software Update patching troubles for SCCM admins. Also some SCUP and SCCM integration video tutorials to get more details.
David James (Director of Engineering, ConfigMgr, and Microsoft) promised us to work on 3rd party software updates. He kept his promises and we could see the improvements in SCCM CB 1802 production release.
Phase one of these changes is in 1803 tp, as well as 1802 production. We will continue to add more integration in the future with a huge chunk coming for 1806 production.
Automatically importing WSUS signing certificate (which is used to sign SCCM third party updates) into the SCCM database, and then that certificate is pushed down to clients Trusted Publisher certificate store. (If admin enables this on the SUP top level site components configuration).
Enabling “Allow signed updates from an intranet Microsoft updates service location” group policy on clients, which tells Windows to allow them to install 3rd party signed updates during normal Software Updates sync/install (if admin enables this in Software Updates client agent settings).
SCCM Third-Party Software Update – 3rd Party Application Patching and SCCM
We can now enable configuration of SCCM clients for third party software updates. When we Enable third party software updates for the SUP component properties, the SUP will download the signing certificate used by WSUS for third party updates.
I would recommend reading the Third-Party update via SCCM without SCUP from the following documentation.
Selecting Enable SCCM Third-Party Software Update in client settings does the following on the SCCM CB 1802 client machine:-
- It sets the Group Policy for ‘Allow signed updates for an intranet Microsoft update service location’.
- Installs the signing certificate to the Trusted Publisher store.
Where is SCCM Third-Party Software Update Option
This action should be done on the topmost site server in your hierarchy (CAS or Standalone Primary). On the topmost site in the SCCM 1802 or later hierarchy, go to the Administration node, expand Site Configuration, then Sites.
SCCM Server Side
- Right-click on your topmost site server and select Configure Site Components then Software Update Point.
- Click on the Third Party Updates tab and check Enable third party software updates.
SCCM Client Settings
- Open Client Settings and go to the settings for Software Updates.
- Ensure Enable third party software updates is set to Yes.
SCCM Third Party (3rd) Software Updates Patching
I’m excited about future development of SCCM CB and third (3rd) party software update (application) patching. I except a load of ease in the entire 3rd party patching process with SCUP, SCCM, and WSUS.
Lookout for new improvements in SCCM CB 1803 preview and other preview versions of SCCM. I hope we will have a robust working solution for third (3rd) party software updates (patching) with the release of SCCM CB 1806 production version.
Feedback on SCCM Third-Party Software Update and SUP HTTPS Required
Thank you Steven M. Salter on SCCM Facebook Group to mention the following details. This feature needs SUP/WSUS server to be running in https to work. You will see this mentioned in the wsyncmgr logs if you have http WSUS but nowhere does Microsoft mention this in release notes, nor did they even mention this feature at all in said notes.
The log says:
Done Synchronizing SMS with WSUS Server SCCM Warning: WSUS Connection is not HTTPS. This prevents software updates Point from getting the signing certificate for 3rd Party updates. Finished checking for 3rd party signing certificate.”
Does this means if I enabled third party software updates in SCCM client settings it will enable “Allow signed updates from an intranet Microsoft updates service location” in devices local policy?
Yes, that is what I think… But I need to test this again 🙁
After enabling the SUP and client settings, I’m not seeing this GPO become enabled, nor am I seeing the cert automatically install into Trusted Publishers. Did these work for anyone yet?
Hey. Do you know how to config it from a HTTP to HTTPS ?
After i change it to HTTPS my clients cant scan for updates.
There really needs to be a guide from MS:
Great article Anoop. There is very little on this subject that has been documented so far. While most of the details will come by 1806 TP, have you heard of anyone using it in production/QA environments? What are the results looking like? Does it support enough packages to replace something like ManageEngine?
This is just starting point for this feature. As I mentioned in the post. This helps to setup some group policies for 3rd party patching with this release. I would suggest to test Technical Preview version to get more updated version of this feature
Hi Anoop,
I am getting the following errors in the wsyncmgr.log:
Exception when attempting to get signing certificate from WSUS server: The system cannot find the file specified
Failed to sync third party signing certificate from WSUS.
Exception: System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified~~ at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWsusSigningCertificate(String& sThumbprint)~~ at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.DoSync()
Do you have any information how to issue and install the required cert on the WSUS server? I can’t find anything online.
Thanks,
Ivailo
I believe a code signing cert is needed.
Thank you for the that comment
thank you for the great post. After we turned it on, we canot download any office 365 updates. error 404. is that a coincidence or related?
Hello,
The Content Information on the Software Update item is not always picked from the same server, same location, where is it coming from? Does a setting affect this location?
Thanks,
Dom
Hello,
So I was wondering if you have seen the “Third Party Updates” tab from the Software Update Point Component Properties missing before? I am on version 1806 console version:5.1806.1074.1500. I have tried to find some articles on the subject but so far nothing. Any input would be awesome, thank you
Hi – Can you try this ? https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates
Aaron – I had the same issue. Go to Administration > Updates and Servicing > Features and turn on “Enable third party update support on clients.” After I did this and rebooted the tab appeared.
Hello, If I have only 1 SUP site infrastructure and it is remote, I believe it will break entire Software update on machines not part the same domain(since they do not have client cert for the PKI communication).
Am I correct in this view?
Thanks,
Ajay
Sorry what you mean by PKI communication… https communication is not mandatory for third party patching