SCCM Third-Party Software Update Support without SCUP ConfigMgr 3rd Party Application Patching

SCCM Third-party software update was one of the top-voted SCCM User Voice items (the item has since been removed because the feature is now included in the product). For the latest updates, see the SCCM Third-Party Software Updates Setup Step By Step Guide.


This User Voice proves that the SCCM Third-Party Software Update is the most tedious activity for SCCM admins.

The SCCM CB 1802 production release can create group policies on the client machine to enable third-party software updates/patching. These are the first steps toward third-party software update support.


Bit of History on SCCM Third-Party Software Update – 3rd Party Application Patching

I have a post that explains SCCM third-party (3rd) Software Update patching troubles for SCCM admins. Also, please find some SCUP and SCCM integration video tutorials for more details.

David James (Director of Engineering, ConfigMgr, Microsoft) promised us that the team would work on third-party software updates. He kept his promise, and we can see the improvements in the SCCM CB 1802 production release.

Phase One of these changes is in 1803 tp and 1802 production. We will continue to add more integration in the future, with a huge chunk coming for 1806 production.

  • Automatically import the WSUS signing certificate (which is used to sign SCCM third-party updates) into the SCCM database, and then push that certificate down to the client’s Trusted Publisher certificate store (if the admin enables this on the SUP top-level site components configuration).
  • Enable the “Allow signed updates from an intranet Microsoft update service location” group policy on clients, which tells Windows to allow them to install 3rd party signed updates during normal Software Updates sync/install (if the admin enables this in Software Updates client agent settings).

SCCM Third-Party Software Update – 3rd Party Application Patching and SCCM

We can now enable the configuration of SCCM clients for third-party software updates. When we select Enable third-party software updates in the SUP component properties, the SUP will download the signing certificate used by WSUS for third-party updates.

I recommend reading the Third-Party update via SCCM without SCUP from the following documentation.

Selecting Enable SCCM Third-Party Software Update in client settings does the following on the SCCM CB 1802 client machine:

  • It sets the Group Policy ‘Allow signed updates from an intranet Microsoft update service location.’
  • It installs the signing certificate to the Trusted Publisher store.

SCCM Third-Party Software Update Support without SCUP ConfigMgr 3rd Party Application Patching – Table 1
SCCM Third-Party Software Update Support without SCUP ConfigMgr 3rd Party Application Patching – Fig.1

Where is the SCCM Third-Party Software Update Option

This action should be done on the topmost site server in your hierarchy (CAS or Standalone Primary). On the top site, in the SCCM 1802 or later console, go to the Administration node, expand Site Configuration, then Sites.

SCCM Server Side

  • Right-click on your topmost site server and select Configure Site Components, then Software Update Point.
  • Click on the Third-Party Updates tab and check Enable third-party software updates.

SCCM Client Settings

  • Open Client Settings and go to the settings for Software Updates.
  • Find the setting that enables third-party software updates and set it to Yes.
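
To confirm on a client that both changes described above actually landed, the check below reads the policy value and inspects the Trusted Publisher store. It is an added example, not part of the original post or of Configuration Manager; the function name and the thumbprint placeholder are assumptions, and AcceptTrustedPublisherCerts is the registry value behind the "Allow signed updates from an intranet Microsoft update service location" policy.

```powershell
# Added example: verify what the "Enable third party software updates" client
# setting is described as doing. Run in an elevated PowerShell session on a client.

# Assumption: thumbprint of your WSUS signing certificate. Placeholder, replace it.
$ExpectedThumbprint = '<WSUS-SIGNING-CERT-THUMBPRINT>'

function Test-ThirdPartyUpdateTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Normalise a thumbprint pasted from the certificate UI (spaces, mixed case).
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

    # The group policy is stored as AcceptTrustedPublisherCerts = 1 under this key.
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts `
                   -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    # With the policy on, any certificate in this store can sign updates that the
    # client will accept from the intranet update service, so list all of them.
    $publishers = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher)
    $signing    = $publishers | Where-Object Thumbprint -eq $Thumbprint

    [pscustomobject]@{
        PolicyEnabled          = ($policy -eq 1)
        SigningCertPresent     = [bool]$signing
        SigningCertExpired     = if ($signing) { $signing.NotAfter -lt (Get-Date) } else { $null }
        OtherTrustedPublishers = @($publishers |
                                   Where-Object Thumbprint -ne $Thumbprint |
                                   Select-Object Subject, Thumbprint, NotAfter)
    }
}

Test-ThirdPartyUpdateTrust -Thumbprint $ExpectedThumbprint | Format-List
```

Review OtherTrustedPublishers as well: once the policy is enabled, every certificate in that store is a signer the client will accept for locally published updates.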

SCCM Third Party (3rd) Software Updates Patching

I’m excited about the future development of SCCM CB and third (3rd) party software update (application) patching. I expect the entire 3rd party patching process with SCUP, SCCM, and WSUS to become much easier.

Look out for new improvements in the SCCM CB 1803 preview and other preview versions of SCCM. I hope we will have a robust working solution for third (3rd) party software updates (patching) with the release of the SCCM CB 1806 production version.

Feedback on SCCM Third-Party Software Update and SUP HTTPS Required

Thank you to Steven M. Salter, who mentioned the following details on the SCCM Facebook Group: this feature needs the SUP/WSUS server to run in HTTPS.

If you have HTTP WSUS, you will see this mentioned in the wsyncmgr logs, but Microsoft does not mention this requirement, or this feature, in the release notes.

The log says:

“Synchronizing SMS with WSUS Server SCCM Warning: WSUS Connection is not HTTPS. This prevents software updates Point from getting the signing certificate for 3rd Party updates. Finished checking for 3rd party signing certificate.”
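
The messages quoted above can be checked for across a whole wsyncmgr.log, one result per synchronization run. This is an added example, not part of the original post; the function name, the sample lines (constructed from the messages quoted on this page) and the log path in the final comment are assumptions.

```powershell
# Added example: summarise, per sync run, whether the third-party signing
# certificate check in wsyncmgr.log hit the problems quoted on this page.
function Get-SigningCertCheckResult {
    param([Parameter(Mandatory)][string[]]$LogLine)

    $run = $null
    foreach ($line in $LogLine) {
        # A new run starts with the "Synchronizing SMS with WSUS Server <name>" line.
        if ($line -match 'Synchronizing SMS with WSUS Server\s+(?<server>[^\]\s]+)') {
            if ($run) { $run }   # emit the previous run before starting a new one
            $run = [pscustomobject]@{
                Server     = $Matches.server
                NotHttps   = $false   # SUP reached WSUS over HTTP
                SyncFailed = $false   # certificate retrieval threw an exception
                Completed  = $false   # the "Finished checking" line was logged
            }
        }
        if (-not $run) { continue }   # ignore lines before the first run marker
        if ($line -match 'WSUS Connection is not HTTPS')                        { $run.NotHttps   = $true }
        if ($line -match 'Failed to sync third party signing certificate')      { $run.SyncFailed = $true }
        if ($line -match 'Finished checking for 3rd party signing certificate') { $run.Completed  = $true }
    }
    if ($run) { $run }   # emit the last run in the input
}

# Constructed sample: two runs, the first over HTTP, the second clean.
$sample = @(
    'Synchronizing SMS with WSUS Server SCCM'
    'Warning: WSUS Connection is not HTTPS. This prevents software updates Point from getting the signing certificate for 3rd Party updates.'
    'Finished checking for 3rd party signing certificate.'
    'Synchronizing SMS with WSUS Server SCCM'
    'Finished checking for 3rd party signing certificate.'
)
Get-SigningCertCheckResult -LogLine $sample | Format-Table

# Against a real log (the path is an assumption; use your site server's Logs folder):
# Get-SigningCertCheckResult -LogLine (Get-Content '<ConfigMgr install dir>\Logs\wsyncmgr.log')
```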

SCCM Third-Party Software Update Support without SCUP ConfigMgr 3rd Party Application Patching – Video 1

SCCM Third-Party Software Update Patching – Learn How to Upgrade SCUP to the Latest Version

In this video, we will see how to upgrade the SCUP version to the latest one without removing the already installed SCUP. System Center Updates Publisher (SCUP) is a stand-alone tool that enables independent software vendors (third-party applications) or line-of-business application developers to manage custom updates.

SCCM Third-Party Software Update Support without SCUP ConfigMgr 3rd Party Application Patching – Video 2

SCCM SCUP 2017 Configuration Third-party patching Step-by-Step Video Guide

More details about 3rd party app patching: Step by Step Video Guide via SCUP 2017 https://www.anoopcnair.com/scup-2017-… Is SCUP still required? Not sure yet.

SCCM Third-Party Software Update Support without SCUP ConfigMgr 3rd Party Application Patching – Video 3


Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years, from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.

16 thoughts on “SCCM Third-Party Software Update Support without SCUP ConfigMgr 3rd Party Application Patching”

  1. Does this mean if I enabled third party software updates in SCCM client settings it will enable “Allow signed updates from an intranet Microsoft updates service location” in devices local policy?

  2. Hey. Do you know how to config it from HTTP to HTTPS?
    After I change it to HTTPS my clients can't scan for updates.
    There really needs to be a guide from MS:

  3. Great article Anoop. There is very little on this subject that has been documented so far. While most of the details will come by 1806 TP, have you heard of anyone using it in production/QA environments? What are the results looking like? Does it support enough packages to replace something like ManageEngine?

    • This is just a starting point for this feature, as I mentioned in the post. This helps to set up some group policies for 3rd party patching with this release. I would suggest testing the Technical Preview version to get a more updated version of this feature.

  4. Hi Anoop,

    I am getting the following errors in the wsyncmgr.log:

    Exception when attempting to get signing certificate from WSUS server: The system cannot find the file specified

    Failed to sync third party signing certificate from WSUS.

    Exception: System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified~~ at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWsusSigningCertificate(String& sThumbprint)~~ at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.DoSync()

    Do you have any information how to issue and install the required cert on the WSUS server? I can’t find anything online.

    Thanks,

    Ivailo

  5. Thank you for the great post. After we turned it on, we cannot download any Office 365 updates. Error 404. Is that a coincidence or related?

  6. Hello,
    The Content Information on the Software Update item is not always picked from the same server, same location, where is it coming from? Does a setting affect this location?
    Thanks,
    Dom

  7. Hello,
    So I was wondering if you have seen the “Third Party Updates” tab from the Software Update Point Component Properties missing before? I am on version 1806 console version:5.1806.1074.1500. I have tried to find some articles on the subject but so far nothing. Any input would be awesome, thank you

  8. Hello, if I have only 1 SUP site infrastructure and it is remote, I believe it will break the entire Software update on machines not part of the same domain (since they do not have a client cert for the PKI communication).

    Am I correct in this view?

    Thanks,
    Ajay

