SCCM Third-Party Software Updates Setup Step by Step Guide Post 1


SCUP helped many of us to deploy third-party software updates for many years. Now, SCCM doesn’t require SCUP to deploy Third-party updates. Let’s dive into the SCCM third-party software updates setup.

***Updated 13th June 2019

Related Posts 1. SCCM Third-Party Software Updates Setup Step by Step Guide Post Video Guide, 2. Free SCCM Catalog List – SCCM Third-Party Updates Post 2 & 3. Background Process flow with Logs – SCCM Third-Party Software Updates – Post 3

Introduction

This post is a step by step SCCM third-party software updates setup guide for all SCCM admins.

First of all, you need to analyze and understand the business requirement for third-party updates. From my perspective, third-party patching is critical for the overall IT security landscape.

The following are some of the questions which will help you to get ready for third-party software update setup.

  • What is the current process for patching third-party applications?
  • Are you using the standard packaging process to perform third-party updates?
  • How many application vendors are providing SCCM friendly “Update Catalogs” for free?
  • Do you need to spec up the SCCM server hardware before enabling third-party updates?

Video Guide – SCCM Third-Party Software Updates Setup Step by Step Guide Post Video Guide

Prerequisites

You can enable third-party updates from SCCM (without SCUP integration) when you are running version 1806 or later.

The SCCM third-party software updates feature allows you to subscribe to partner and custom catalogs from SCCM console and publish the updates to WSUS.

  • Partner catalogs are software vendor catalogs partnered with Microsoft. The following are the two partner catalogs (DELL & HP) available with SCCM 1902 release.
  • Custom Catalogs are the third-party software catalogs which you can add manually to SCCM console. You can find more detail in the below section.

NOTE! – Only a few vendors provide FREE custom catalogs. You can find more details in the blog post Free List of Catalogs SCCM Third-Party Software Updates.

The following is a quick list of prerequisites to verify before enabling the update feature.

  • WSUS and SUP should be configured and working fine.
  • Updates Classification should be enabled from Software Update Point Component Properties.
  • Valid Business Requirement and find sponsorship from management.
  • License cost – SCCM support is free, but if you want to use other third-party products for getting the more vendor application support (via Custom Catalog), then you need to pay the extra licensing cost.
  • SCCM Server Specs & Disk Space – Consider Upgrading Disk Space as per your requirement.
  • Adjust your proxy and firewall configurations – port 443, and you might need to whitelist all the third-party vendor URLs to download metadata, CAB files, and source files of updates.
  • Check out Certificate requirements at the Server and client side. Also, you might need to adjust the Group Policy setting at the client side.
  • SCCM Client Settings – Enable third party software updates policies to YES.
  • Additional requirements when the SUP is remote from the top-level site server

NOTE! – Some Certificate Details:

  1. WSUS (Publishers Self Signed) – Code Signing – Only WSUS Server
  2. Trusted Publishers – WSUS Server & Client
  3. Trusted Root Certificate – WSUS Server & Client
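
The certificate placement listed above can be checked on a WSUS server or a client with the following PowerShell, which is an added example and not part of the original post. It assumes the WSUS signing certificate lives in the local-machine `WSUS` store on the WSUS server and that the client-side Group Policy setting is the `AcceptTrustedPublisherCerts` registry value; `Test-ThirdPartyUpdateTrust` is a hypothetical helper name.

```powershell
# Added example (not from the original post). Run in an elevated session.
# Test-ThirdPartyUpdateTrust is a hypothetical helper name.
function Test-ThirdPartyUpdateTrust {
    [CmdletBinding()]
    param(
        # Thumbprint of the WSUS signing certificate. On the WSUS server it can
        # be omitted and is read from the WSUS store; clients have no such store.
        [string]$Thumbprint
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

    if (-not $Thumbprint) {
        # Item 1 of the list: the signing certificate exists only on the WSUS server.
        $signing = Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' -ErrorAction SilentlyContinue |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid } |
            Sort-Object -Property NotAfter -Descending |
            Select-Object -First 1
        if (-not $signing) {
            throw 'No code-signing certificate in Cert:\LocalMachine\WSUS. On a client, pass -Thumbprint.'
        }
        $Thumbprint = $signing.Thumbprint
    }
    # Thumbprints copied from a certificate dialog often contain spaces.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $report = [ordered]@{
        Computer   = $env:COMPUTERNAME
        Thumbprint = $Thumbprint
    }

    # Items 2 and 3 of the list: a self-signed signing certificate must be in
    # both Trusted Publishers and Trusted Root Certification Authorities.
    # For a PKI-issued certificate, Root holds the issuing CA instead, so
    # InRoot is expected to be False in that case.
    foreach ($store in 'TrustedPublisher', 'Root') {
        $match = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            Select-Object -First 1
        $report["In$store"] = [bool]$match
        if ($match) {
            $report['Subject'] = $match.Subject
            $report['Expired'] = $match.NotAfter -lt (Get-Date)
        }
    }

    # Group Policy "Allow signed updates from an intranet Microsoft update
    # service location" is stored as this registry value (1 = enabled).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $policyKey -Name 'AcceptTrustedPublisherCerts' -ErrorAction SilentlyContinue
    $report['AcceptTrustedPublisherCerts'] = ($null -ne $policy) -and ($policy.AcceptTrustedPublisherCerts -eq 1)

    [pscustomobject]$report
}

# WSUS server:  Test-ThirdPartyUpdateTrust | Format-List
# Client:       Test-ThirdPartyUpdateTrust -Thumbprint '<thumbprint placeholder>' | Format-List
```

A client that reports `InTrustedPublisher` or `AcceptTrustedPublisherCerts` as False will not accept locally published updates, so collect this output before troubleshooting scan or install failures.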

Enable SCCM Third-Party Software Updates

As I mentioned in the prerequisites, make sure that you have a working WSUS and SUP environment before enabling the third-party updates.

The following steps should be completed from the top-level site, either the SCCM CAS or a standalone primary server. The steps below will help you enable the SCCM third-party update feature.

  • In the SCCM console, go to the Administration workspace. Expand Site Configuration, and select the Sites node.
  • Select the top-level site in the hierarchy. Click Configure Site Components from the ribbon menu, and select Software Update Point.
  • Click on the Third-Party Updates tab and Select the option Enable third-party software updates from Software Update Point Component Properties.
    • Select Configuration Manager manages the certificate (I selected this default option).
    • I have not chosen this option – Manually manage the certificates. More details available here. This option should be used when you have a requirement to use PKI certs.

NOTE! – I would recommend using the default options of the SCCM configuration wizard unless you have a specific reason to select another option. I have chosen the Configuration Manager manages the certificate option.

When you don’t have any PKI certificate requirements for SCCM third-party updates, then you can use the default option as I mentioned above.

You might be able to see a new certificate type “third-party WSUS Signing” (as I showed in the below picture) when you use Configuration Manager manages the certificate option from the above wizard.

Navigate to – \Administration\Overview\Security\Certificates

Subscribe to Partner Catalog

In this section, you can subscribe to partner catalogs (out-of-box settings as I mentioned above).

  • Launch SCCM Console
  • Navigate \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs node
  • Click on “Lenovo” partner catalog from the list on right side
  • Click on Subscribe and then follow the steps explained here.

Add a Custom Catalog

The next step in setting up SCCM third-party software updates is to add the custom catalogs. You can add the custom catalogs from the \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs node in the console.

You might already see the partner catalogs in SCCM console. HP and Dell are the only two(2) partner catalogs available for SCCM 1902 version.

You can follow the below steps to add custom catalog into SCCM.

  • Navigate to \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs.
  • Click on Add Custom Catalog from the ribbon menu.

You have to provide the following details in the Third Party Software Updates Custom Catalogs Wizard. The following four(4) values are mandatory.

NOTE! – You may be wondering how I got the DOWNLOAD URL details for Adobe Reader 11 Third-Party Updates. I will explain this in a different blog post.

Subscribe to Custom Catalogs

The Subscribe to Catalog step is the next configuration for enabling SCCM Third-Party Software Updates setup. Third-Party Software Update Catalogs node allows you to subscribe to third-party custom and partner catalogs.

The subscription of partner and custom third-party catalogs helps SCCM environments to get the regular updates (or patches) from third-party application vendors.

The following steps make sure that the SCCM environment is subscribed to the vendor’s product updates similar to Microsoft Software updates.

  • Navigate to the Software Updates Library workspace from SCCM console.
  • Expand Software updates, and select the Third-Party Software Update Catalogs node.
  • Select the Custom Catalogs which you want to subscribe to:
    • I selected Adobe Reader 11
  • Click NEXT button from Third-Party Software Updates Wizard
  • On the Download page of third-party software update wizard, SCCM will download the CAB file using the URL which you provided while adding a custom catalog.

NOTE! – You need to have appropriate internet connections as I mentioned in the prerequisites section above. If not, the download will fail, and you won’t be able to proceed with the third-party software update wizard. I think this wizard uses the same proxy connection which you set up in the SUP configuration.

  • Review and Approve the catalog certificate from review and approve page of Third-party updates wizard
  • Click on View Certificates box to view the certificate properties and review it.

NOTE! – I would recommend reviewing and installing the certificate to Local Machine (default location). If you don’t do this, publishing the third-party update content will fail at a later stage of this process. You can check the certificate details in the Certificates node of the SCCM console as I mentioned in the above section.

  • Click the OK button on certificate properties windows.
  • Click on the Checkbox near to “I have read and understood” to agree and proceed further.
  • Click on Next button to continue and Finish the subscription process of the third-party catalog.
  • Click on NEXT on Confirm Settings page.
  • FINISH the wizard to start the metadata updates synchronization on to WSUS.
  • Click on Adobe Custom Catalog and initiate a Sync (Sync Now button from the ribbon) from Third-Party Software Update Catalogs node.
  • Make sure the Last Sync Status is SUCCESS.

The above sync will bring all the Adobe Reader 11 updates into the WSUS database. You can refer to the log file called SMS_ISVUPDATES_SYNCAGENT.log.

NOTE! – The above sync (using the Sync Now button from the ribbon) from \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs won’t make the metadata of Adobe Reader 11 updates available in the SCCM console.

Products Selection

Now, you would be able to see the Adobe Reader underneath “All Products – Adobe Systems. Inc.” on Software Update Point Component Properties window.

Select the product “Adobe Reader” as I showed in the below picture and click OK.

NOTE! – I have seen people complaining that some of the Adobe patches are missing from the SCCM console. It is possible that Adobe changed the product name. So, it’s recommended to check whether any new products were added. You might need to enable those new products from the Software Update Point Component Properties.

Another Sync

It’s time for another sync. But this time it’s not from the same place. You need to follow the steps below to make all Adobe Reader 11 updates (metadata) available in the SCCM console “All Software Updates” node.

  • Navigate to \Software Library\Overview\Software Updates\All Software Updates.
  • Click on the Synchronize Software Updates button from the ribbon menu.
  • After finishing this sync successfully (WSYNCMGR.log to verify), you would be able to see all the Adobe Reader 11 related updates as you can see in the following picture.

NOTE! – Check out the BLUE color icons for Adobe Reader 11 updates metadata (metadata-only updates = BLUE). More details about the change of Third-Party Software Updates icons in the below section.

Publish Third-Party Software Update Content

Once the third-party software updates are available in the console, you can go ahead and publish those Adobe Updates to WSUS.

The following steps will help you to publish Adobe Reader Third-Party Software Update content to WSUS.

  • Navigate to \Software Library\Overview\Software Updates\All Software Updates node
  • Select the Adobe Reader Updates you want to publish.
  • Click on Publish Third-Party Software Update Content button from ribbon menu.
  • Check out SMS_ISVUPDATES_SYNCAGENT.log to monitor the progress.
  • The update files (for Adobe it was .MSP files) will get downloaded to a temporary folder called C:\Program Files\Microsoft Configuration Manager\ISVTemp. (the folder name ends with .mrm or .mgm or some random name – that is nice)

NOTE! – When you publish third-party software update content, any certificates used to sign the content are added to the site. I have seen that if you don’t install the certificates used to sign the third-party update content, then publishing the content might fail.

You can also check whether the certificate status is BLOCKED or UNBLOCKED from the SCCM console (\Administration\Overview\Security\Certificates). If the certificate is blocked, then there is a chance of failure in the publishing process.

  • Once the publishing process is finished, you might need to perform another Sync (WSyncMGR.log) to make the software update available for SUP to deploy and to change the icon from BLUE to GREEN.

Download and Deploy SCCM Third-Party Software Updates

Now, it’s the time to download and deploy the SCCM third-party software updates to Windows devices.

Create Software Update Group

The following steps will help you create a Software Update group, Download, and Deploy the third-party updates.

  • Navigate to \Software Library\Overview\Software Updates\All Software Updates node.
  • Select the third-party software updates which you want to download and deploy.
  • Click on Create Software Update Group.
    • Enter the name of the software update group = Reader 11 0 23 (“.” is not allowed)
    • Enter the description of the group.
  • Click OK to finish the creation of Software Update Group.

Start Deploy Software Update Wizard

You have already created Software Update groups in the above section. Now, you can go ahead and start the deployment wizard for third-party updates.

In this section, you can select the third-party update deployment name and the device collection.

  • Navigate to \Software Library\Overview\Software Updates\Software Update Groups.
  • Select the Reader 11 0 23 group which is created above and click on Deploy button from the ribbon button.
  • Follow through the deployment wizard
    • Deployment Name = Adobe Systems, Inc. Third-Party Software Updates
    • Select the Collection of devices which you want to deploy Third-Party Software update and Click Next.

Scheduling & Deployment Settings

This section helps to schedule the third-party software updates.

  • Specify Deployment Settings for this deployment.
    • Type of deployment = Required.
    • Details level = Only Success and error messages.
  • Click on Next button.
  • Configure Schedule Details for this Deployment.
    • Schedule Evaluation – Time Based on: Client Local Time.
    • Software Available Time – As soon as possible.
    • Installation Deadline – Specific Time.
  • Click on Next button to continue….

User Experiences & Alerts

I selected all the default settings in the following two pages of User Experiences & Alerts.

  • Specify the User Experience for this Deployment – User Visual Experience.
    • User Notifications – Display in Software Center and show all notifications – Default option.
    • Deadline Behavior – When the installation deadline is reached, allow the following activities to be performed outside maintenance windows:
      • Software update installation
      • System Restart (if necessary)
    • Device Restart Behavior – Some software updates require a system restart to complete the installation process. You can suppress this restart on servers and workstations.
      • Suppress the system restart on the following Devices:
        • Servers
        • Workstations
    • Write filter handling for Windows Embedded devices
      • Commit changes at deadline or during a maintenance window (requires restarts) – Default option
  • Specify Software Update Alert Options for this deployment
    • Configuration Manager Alerts
    • Operations Manager Alerts

Create Deployment Package Third-Party Software Updates

The section will help you to understand how to create third-party software updates package.

  • Specify the Package to Use page
    • Create a new deployment package:
      • Name – Adobe Reader 11 0 15
      • Package Source UNC Path – \SCCM_Prod\Sources\Third-Party Updates\Adobe\Reader 11 0 15
      • Sending Priority – Medium
      • Enable Binary Differential Replication (Not Mandatory – But Recommended settings)
      • No Deployment package (NOT Mandatory Option)
        • Clients download content from peers or Microsoft Cloud (NOT Suitable option for Third-Party Updates).
        • Click Next to go next page
    • Specify the Distribution point groups to host the content
      • Add Distribution Point and click Next
    • Specify the source location for the Software Update that you will download
      • Download software updates from the Internet
  • Specify the Languages of the updates
    • Product – There are two products – Windows Update and Office 365 Client Update – The language selected is English
    • There is an Edit option to add another language if available from third-party software updates
    • Click NEXT
  • Specify Download Settings of this Deployment
    • Deployment Options
      • Do not install software updates
    • Deployment Options
      • Download and Install Software Updates from the Distribution points in site default boundary group

Conclusion

Now you have deployed the third-party software updates. You can check the content distribution status from the SCCM console. You can verify deployment success with the third-party software updates compliance report from SSRS.

Bonus Details

Subscribe to a custom catalog Wizard template:

Subscribe To Catalog
• Catalog Name : Adobe Reader 11
• Publisher : Adobe
• Description : More Details
• Support URL :
• Support Contact :
• Download URL : https://armmf.adobe.com/arm-manifests/win/SCUP/Reader11_Catalog.cab

Create, Download, and Deploy Third-Party Software Updates Package Template:

Updates Targeted:
• Reader 11.0.11 Update APSB15-10(Article ID)
General:
• Deployment Name: Adobe Systems, Inc. Software Updates
• Collection: Test Static Collection
Deployment Settings:
• Send wake-up packets: No
• Verbosity Level: Only success and error messages
Scheduling:
• Deployment schedules will be based on: Client local time
• Available to target computers: 13-04-2019 02:41:00
• Deadline for software update installation: 20-04-2019 00:07:00
• Delayed enforcement on deployment: No
User Experience:
• User Notifications: Display in Software Center and show all notifications
• Install software updates outside the maintenance window when deadline is reached: No
• Restart system outside the maintenance window when deadline is reached: Suppressed
• If a restart is required it will be: Allowed
• Commit changes at deadline or during a maintenance window (requires restarts): Yes
• If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart: No
Alerts:
• On software update installation error generate a Window Event: No
• Disable Window Event while software updates install: No
Package:
The software updates will be placed in a new package:
• Adobe Reader 11 0 15
Content (1):
• SCCM_PROD.INTUNE.COM
Software updates that will be downloaded from the internet
Reader 11.0.11 Update
Windows Update Language Selection:
English
Office 365 Client Update Language Selection:
English (United States)
Download Settings:
• Computers can retrieve content from remote distribution points: No
• Download and install software updates from the fallback content source location: Yes

34 COMMENTS

  1. Hello,
    I’ve followed your step by step but I’ve a strange behavior.
    I’ve tried with the “Adobe Flash Player Plugin” Update (version 32.0.0.171).
    I have deployed it to a test computer with an older version installer (32.0.0.141).
    The update isn’t seen from the computer and from the report it says: ALREADY COMPLIANT.
    Also the required column is 0, and also the column already installed is 0.

  2. Hello Anoop,
    Cert is installed (although if there was a problem with the certificate, I would have problem with the installation, not the detection).
    Policy is set to allow third party (also via CM Client Policy; and checked regkey it’s present and configured).
    I’ve checked the client side troubleshooting section and unfortunately no clue in the logs.

    • Unfortunately, I don’t have any other suggestion because I don’t have any clue what is happening. I might need to test and re-pro the issue later whenever I get time.
      I would still think there would some hints like whether the policy is received by client or is it evaluated by client etc … that would help you further troubleshooting

      • Solved 😆
        my bad … this Adobe Flash update nomenclature is getting me crazy. On SCCM you have PPAPI & Plugin … I needed the Plugin one and not the PPAPI…
        I will test out also Reader & Pro just to make sure it works.
        Thank you in advance and sorry 😆

  3. Thanks for the guide Anoop! It was helpful.

    I am trying to deploy an Adobe Reader 2015 Classic Track update using your instructions.

    The SMS_ISVUPDATES_SYNCAGENT log gives me this error when I try to publish third-party software update content:

    Failed to publish update “07c4ec0f-71cd-49f7-94f3-aa3da81fb72b” due to missing update metadata.

    Possible cause: The update may have been synchronized to WSUS outside of Configuration Manager.
    Solution: Synchronize the update with Configuration Manager before attempting to publish it’s content. If an external tool was used to publish the update metadata then use the same tool to publish the update content.

    I followed your instructions exactly. I did not use an external tool like the message indicates. Do you know where I might look to solve the problem?

    Thanks for any insight you may have.

  4. How does this work with machine updates? I installed the Lenovo.cab and it downloaded a bunch of drivers, which was my intention. I’m learning how to use SCCM to image our machines. Can I use this method for Driver Packages? If so, how would I go about doing that?

  5. Hello,
    Again great article.
    I still have a problem with the 3rd party updates.
    For Adobe Reader DC & Adobe Acrobat DC – I can sync updates but under “REQUIRED” I have 0 for every available update.

  6. Hello,
    Again Great article.
    I can get the adobe reader & adobe acrobat updates to work.
    The updates are synced successfully but show that aren’t required on any machine (which obviously isn’t true).

    I then checked the Report: Compliance 2 – Specific software update and break it down to my computer to see what it was showing.
    I then selected “Update Class” and … I can see only Adobe Flash player as a result of “indexed” updates – no trace of a Adobe Reader or Adobe Acrobat update.

    So my guess is now, is it possible that the hw inventory in some way doesn’t report back to the update point the whole software list?

  7. Hi,

    Thanks for your great post.
    I’ve subscribed to Dell catalog, and I notice that I’ve no Dell drivers which are required by my clients (1500 Dell machines).
    Which is quite strange..

    Do you think I need to enable additional hardware inventory classes in Client Settings? Or is there any reasons?

    Thanks in advance

    • Hi, I never a heard about updating hardware inventory to cater the requirement of driver updates.
      Have you checked the Dell machines and checked the requirement of driver update ?

      What I’m trying to say is “are those machines require a driver update” ? Or the drivers installed on those machines are not there in the dell catalog

  8. Hi Anoop

    This is a very helpful post to configure the third party updates. Please help to share how we can clean up the older updates metadata and contents from SCCM site server and systems as well as content from source location. So that we can maintain our SCCM environment.

  9. Hello!

    Great article! As far as the update package creation is concerned, what is the source of the files? I don’t have \SCCM_Prod\Sources\Third-Party Updates and checking the content tab of one of the Adobe updates shows another UNC path that I can’t seem to locate on my server.

    Any help is appreciated!

  10. Hi Anoop

    After Turning on the SSL on update point, all the clients were stopped getting any updates. WuHandler showed error:

    OnSearchComplete – Failed to end search job. Error = 0x80240440. WUAHandler 8/10/2019 2:32:10 PM 4552 (0x11C8)
    Scan failed with error = 0x80240440. WUAHandler 8/10/2019 2:32:10 PM 4552 (0x11C8)
    Its a WSUS Update Source type ({D3FC19DE-264D-4295-A309-0C42523AAF3E}), adding it. WUAHandler 8/10/2019 2:32:21 PM 4552 (0x11C8)
    This device is not enrolled into Intune. WUAHandler 8/10/2019 2:32:21 PM 6748 (0x1A5C)
    Device is not MDM enrolled yet. All workloads are managed by SCCM. WUAHandler 8/10/2019 2:32:21 PM 6748 (0x1A5C)
    SourceManager::GetIsWUfBEnabled – There is no Windows Update for Business settings assignment. Windows Update for Business is not enabled through ConfigMgr WUAHandler 8/10/2019 2:32:21 PM 6748 (0x1A5C)
    Existing WUA Managed server was already set (https:SERVERNAME:8531), skipping Group Policy registration. WUAHandler 8/10/2019 2:32:21 PM 4552 (0x11C8)
    Added Update Source ({D3FC19DE-264D-4295-A309-0C42523AAF3E}) of content type: 2 WUAHandler 8/10/2019 2:32:21 PM 4552 (0x11C8)
    Scan results will include superseded updates only when they are superseded by service packs and definition updates. WUAHandler 8/10/2019 2:32:21 PM 4552 (0x11C8)
    Search Criteria is (DeploymentAction=* AND Type=’Software’) OR (DeploymentAction=* AND Type=’Driver’) WUAHandler 8/10/2019 2:32:21 PM 4552 (0x11C8)
    Async searching of updates using WUAgent started. WUAHandler 8/10/2019 2:32:21 PM 4552 (0x11C8)
    Async searching completed. WUAHandler 8/10/2019 2:32:25 PM 2824 (0x0B08)
    OnSearchComplete – Failed to end search job. Error = 0x80240440. WUAHandler 8/10/2019 2:32:25 PM 4552 (0x11C8)
    Scan failed with error = 0x80240440. WUAHandler 8/10/2019 2:32:25 PM 4552 (0x11C8)

    Restarted the server and client machines and still the same issue. And as soon as I turned off the SSL, all started working again. Is there something I am missing?
