SCCM Third-party software update is one of the top-voted SCCM User voice items (this user voice item is removed now as the feature is included in the product). The latest updates from SCCM Third-Party Software Updates Setup Step By Step Guide 1.
[Related Posts – SCCM Third-Party Software Update Support without SCUP & How Tedious for SCCM Admins to Patch Third-Party Applications via SCUP]
This User Voice proves that the SCCM Third-Party Software Update is the most tedious activity for SCCM admins.
SCCM production release can create group policies on the client machine to enable third-party software updates/patching. These are the first steps to help third-party software update support.
Table of Contents
Bit of History on SCCM Third-Party Software Update – 3rd Party Application Patching
I have a post that explains SCCM third-party (3rd) Software Update patching troubles for SCCM admins. Also, please find some SCUP and SCCM integration video tutorials for more details.
David James (Director of Engineering, ConfigMgr, and Microsoft) promised us that we would work on third-party software updates. He kept his promise, and we could see the SCCM CB 1802 production release improvements.
Phase One of these changes is in 1803 tp and 1802 production. We will continue to add more integration in the future, with a huge chunk coming for 1806 production.
Automatically import the WSUS signing certificate (which is used to sign SCCM third-party updates) into the SCCM database, and then push that certificate down to the client’s Trusted Publisher certificate store (if the admin enables this on the SUP top-level site components configuration).
Enabling the “Allow signed updates from an intranet Microsoft updates service location” group policy on clients, which tells Windows to allow them to install 3rd party signed updates during normal Software Updates sync/install (if admin enables this in Software Updates client agent settings).
- SCCM Patch Management is Enough for Vulnerability Management
- SCCM 2403 New Key Features and Improvements
- New Features in SCCM Technical Preview 2401
- New Key Features of SCCM 2309 | Top Improvements
- Download SCCM 2309 Early Ring Version using PowerShell Script
- SCCM Versions Build Numbers Client Console Site
- End of Support Dates for SCCM CB Current Branch | ConfigMgr | SCCM End of Life
SCCM Third-Party Software Update – 3rd Party Application Patching and SCCM
We can now enable the configuration of SCCM clients for third-party software updates. When we Enable third-party software updates for the SUP component properties, the SUP will download the signing certificate used by WSUS for third-party updates.
I recommend reading the Third-Party update via SCCM without SCUP from the following documentation.
Selecting Enable SCCM Third-Party Software Update in client settings does the following on the SCCM CB 1802 client machine.
SCCM Third-Party Software Update |
---|
It sets the Group Policy to ‘Allow signed updates for an intranet Microsoft update service location.’ |
Installs the signing certificate to the Trusted Publisher store. |

Where is the SCCM Third-Party Software Update Option
This action should be done on the topmost site server in your hierarchy (CAS or Standalone Primary). On the top site in the SCCM 1802 or later scale, go to the Administration node, expand Site Configuration, then Sites.
SCCM Server Side
- Right-click on your topmost site server and select Configure Site Components, then Software Update Point.
- Click on the Third-Party Updates tab and check Enable third-party software updates.
SCCM Client Settings
- Open Client Settings and go to the settings for Software Updates.
- Ensure that third-party software updates are enabled and set it to Yes.
SCCM Third Party (3rd) Software Updates Patching
I’m excited about the future development of SCCM CB and third (3rd) party software update (application) patching. I expect a load of ease in the entire 3rd party patching process with SCUP, SCCM, and WSUS.
Look out for new improvements in the SCCM CB 1803 preview and other preview versions of SCCM. I hope we will have a robust working solution for third (3rd) party software updates (patching) with the release of the SCCM CB 1806 production version.
Feedback on SCCM Third-Party Software Update and SUP HTTPS Required
Thank you, Steven M. Salter. On the SCCM Facebook Group, mention the following details: This feature needs the SUP/WSUS server to run in HTTP.
If you have HTTP WSUS, you will see this mentioned in the wsyncmgr logs, but Microsoft does not mention this in the release notes or this feature in said notes.
The log says:
Synchronizing SMS with WSUS Server SCCM Warning: WSUS Connection is not HTTPS. This prevents software updates Point from getting the signing certificate for 3rd Party updates. Finished checking for 3rd party signing certificate.”
SCCM Third-Party Software Update Patching – Learn How to Upgrade SCUP to the Latest Version
In this video, we will see how to upgrade the SCUP version to the latest one without removing the already installed SCUP. System Center Updates Publisher (SCUP) is a stand-alone tool that enables independent software vendors (third-party applications) or line-of-business application developers to manage custom updates.
SCCM SCUP 2017 Configuration Third-party patching Step-by-Step Video Guide
More details about 3rd party app patching 3rd party patching Step by Step Video Guide via SCUP 2017 https://www.anoopcnair.com/scup-2017-… Is SCUP still required? Not sure yet.
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP from 2015 onwards for consecutive 10 years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career etc…
Does this means if I enabled third party software updates in SCCM client settings it will enable “Allow signed updates from an intranet Microsoft updates service location” in devices local policy?
Yes, that is what I think… But I need to test this again 🙁
After enabling the SUP and client settings, I’m not seeing this GPO become enabled, nor am I seeing the cert automatically install into Trusted Publishers. Did these work for anyone yet?
Hey. Do you know how to config it from a HTTP to HTTPS ?
After i change it to HTTPS my clients cant scan for updates.
There really needs to be a guide from MS:
Great article Anoop. There is very little on this subject that has been documented so far. While most of the details will come by 1806 TP, have you heard of anyone using it in production/QA environments? What are the results looking like? Does it support enough packages to replace something like ManageEngine?
This is just starting point for this feature. As I mentioned in the post. This helps to setup some group policies for 3rd party patching with this release. I would suggest to test Technical Preview version to get more updated version of this feature
Hi Anoop,
I am getting the following errors in the wsyncmgr.log:
Exception when attempting to get signing certificate from WSUS server: The system cannot find the file specified
Failed to sync third party signing certificate from WSUS.
Exception: System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified~~ at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWsusSigningCertificate(String& sThumbprint)~~ at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.DoSync()
Do you have any information how to issue and install the required cert on the WSUS server? I can’t find anything online.
Thanks,
Ivailo
I believe a code signing cert is needed.
Thank you for the that comment
thank you for the great post. After we turned it on, we canot download any office 365 updates. error 404. is that a coincidence or related?
Hello,
The Content Information on the Software Update item is not always picked from the same server, same location, where is it coming from? Does a setting affect this location?
Thanks,
Dom
Hello,
So I was wondering if you have seen the “Third Party Updates” tab from the Software Update Point Component Properties missing before? I am on version 1806 console version:5.1806.1074.1500. I have tried to find some articles on the subject but so far nothing. Any input would be awesome, thank you
Hi – Can you try this ? https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates
Aaron – I had the same issue. Go to Administration > Updates and Servicing > Features and turn on “Enable third party update support on clients.” After I did this and rebooted the tab appeared.
Hello, If I have only 1 SUP site infrastructure and it is remote, I believe it will break entire Software update on machines not part the same domain(since they do not have client cert for the PKI communication).
Am I correct in this view?
Thanks,
Ajay
Sorry what you mean by PKI communication… https communication is not mandatory for third party patching