SCCM Third-Party Updates Step by Step Troubleshooting Process Guide

Historically, SCCM and SCUP were used for third-party application patching. The good news is that the SCCM 1806 or later removed the dependency of SCUP for deploying third-party software updates. In this post, you will learn the process flow of SCCM third-party Software updates troubleshooting.

This post will be your companion guide to understand end to end process with log files and the complete guide for third-party Software Updates.

[Related Post SCCM Third-Party Software Updates Setup Step by Step Guide Post 1 & Free SCCM Catalog List – SCCM Third-Party Updates Post 2]

Patch My PC

SCCM Third-Party Software Updates Troubleshooting Process Guide

You will learn how SCCM third-party software updates troubleshooting system works in the background. You can perform troubleshooting activities based on SCCM log files. The following are the logs which I’m going to use in this post to walk through the third-party software updates in SCCM.

Log Files

  • Wsyncmgr.log
  • WCM.log (C:\Program Files\Microsoft Configuration Manager\Logs)
  • PatchDownloader.log (%temp%)

Enable SCCM Third-Party Updates

You can enable third-party software updates from SCCM console. Follow the steps to complete the 3rd party updates.

Click Configure Site Components from your top-level server (CAS or standalone primary server), and select Software Update Point. Switch to the Third-Party Updates tab. Select the checkbox option called Enable third-party software updates.

1E Nomad
SCCM third-party software updates troubleshooting
Enable Third Party Software Updates

The following entries in SMS_ISVUPDATES_SYNCAGENT.log.

Settings: Third party updates are not enabled, component is inactive.
Settings: Third-party updates are enabled.  SMS_ISVUPDATES_SYNCAGENT
Settings: DefaultWSUSServer changed to ''  SMS_ISVUPDATES_SYNCAGENT
ScheduledWorkMonitor: Scheduled item (PartnerCatalogListSyncTask:00000000-0000-0000-0000-000000000000) is due in 00:00:00.
ScheduledWorkMonitor: Synchronize partner catalogs list is now due and will be addded to the work queue.
Launcher : About to start work item: SyncPartnerCatalogs.
SyncPartnerCatalogs: Downloading partner catalogs list from ''…
SCCM third-party software updates troubleshooting
Third-party updates are enabled

In the WSYNCMGR.LOG, you can see third-party signing certificate validation process. I have not enabled Update Classification called “Security Updates &Upgrades”. SCCM third-party software updates troubleshooting process starts from here.

Requested categories: UpdateClassification=Security Updates, UpdateClassification=Upgrades
Checking WSUS for third-party signing certificate…
Getting signing certificate from WSUS server.
Inserting new signing certificate into database. Thumbprint: 8CFD91177DEEADBB56E3BDGG21E4B897F0FD96C8
Successfully downloaded and stored WSUS signing certificate with thumbprint 8CC091177CEEABBB56E3BDFF21E4B897F0FD96C8
Finished checking for third-party signing certificate.

NOTE! – You will see you need to have “Updates” classification also for SCCM third-party updates. Read-on to have more details.

In WCM.LOG, you can see WSUS update classification enabled are “Security Updates & Upgrades“.

Setting new configuration state to 4 (WSUS_CONFIG_SUBSCRIPTION_PENDING)
Subscribed Update Categories <?xml version="1.0" ?>~~<Categories>~~        <Category Id="UpdateClassification:0fa1201d-4330-4fa8-8ae9-b877473b6441"><![CDATA[Security Updates]]></Category>~~        <Category Id="UpdateClassification:3689bdc8-b205-4af4-8d4a-a63924c5e9d5"><![CDATA[Upgrades]]></Category>~~ </Categories>
Configuration successful. Will wait for 1 minute for any subscription or proxy changes 
Setting new configuration state to 2 (WSUS_CONFIG_SUCCESS)

Add Custom Catalog

You can add the custom catalogs from \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs node in the console.

You need to provide the following details in the Third Party Software Updates Custom Catalogs Wizard.

  • Download URL –
  • Publisher – Dell
  • Name – Dell Business Client Update
  • Description – You can provide any tesxt value. URLs are not allowed

NOTE! – You will be wondering how did I get the DOWNLOAD URL Details for Third-Party Updates? The following picture will give you a clue. I will explain to you this in a different blog post.

SCCM third-party software updates troubleshooting
SCUP – Partner Catalogs

Subscribe to Custom Catalog

You can subscribe to the added partner catalog by right-clicking on the catalog (DELL in this example) and select Subscribe to Catalog. SCCM third-party software updates troubleshooting steps mentioned below will be a help for you.

You can click on Sync Now button from Software Updates\Third-Party Software Update Catalogs node to start syncing the metadata to the WSUS.

The above sync now action will initiate two (2) internal syncs. Details below:

  • Partner Catalogs Sync
  • Update Catalogs sync

The first sync is called partner catalogs sync. You can check patchdownloader.log to check the download of meta data from vendor site. This Sync Now action will try to sync all the subscribed third-party partner catalogs into WSUS.

SMS_ISVUPDATES_SYNCAGENT.log will have the following entries.

Launcher : About to start work item: SyncPartnerCatalogs.
SyncUpdateCatalog: SyncUpdateCatalog : f3bf16c2-3d49-41c8-ac37-42cb2a0a73df - Completed.
SyncPartnerCatalogs: Downloading partner catalogs list from ''...
SyncPartnerCatalogs: Download of partner catalogs list completed successfully.
SyncPartnerCatalogs: Extracted catalogs list.
SyncPartnerCatalogs: Parsing the partner catalogs list and updating the database.
SyncPartnerCatalogs: Catalog 'HP Client Updates Catalog' was not found, adding.
SyncPartnerCatalogs: Catalog 'Dell Business Client Updates Catalog' was not found, adding.
SyncPartnerCatalogs: Successfully updated the list of partner catalogs
SyncPartnerCatalogs: Completed update of catalogs list.
SyncPartnerCatalogs: Completed.
SCCM third-party software updates troubleshooting
Third-Party Software Updates Parent Catalog Sync

The second part of the sync is called Update Catalogs sync. This sync will check for all the updates available for a particular partner catalog and get the metadata synced with WSUS.

NOTE! – Make sure that the third-party partner(s) and custom catalog(s) certificates are UNBLOCK(ed) from SCCM console. Also, you can install the certificate on the primary server.

More details entries available in SMS_ISVUPDATES_SYNCAGENT.log.

Launcher : About to start work item: SyncUpdateCatalog.
SyncUpdateCatalog: Starting download for catalog 'Dell Business Client Updates Catalog' from '' …
SyncUpdateCatalog: Downloading file: '' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\q0c0kepl.sh5\'.
ScheduledWorkMonitor: Synchronize updates from catalog '41a7ad54-9744-4779-acd8-bf596e11e12f' is due and will be added to the work queue.
SyncUpdateCatalog: Decompressing catalog files to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\gqixdh4l.r4p' for processing…
SyncUpdateCatalog: A catalog manifest was found for use during catalog processing.
SyncUpdateCatalog: Completed parsing of catalog 'Dell Business Client Updates Catalog'
SyncUpdateCatalog: Added certificate 01E17CEBB6EABA3DDF5932EA3298BAAAC7921DA6.

NOTE! – The above “Sync Now” won’t make the SCCM third-party updates available in SCCM under All Software Updates node. Read on to get more details to get the third-party updates in SCCM console.

Third-Party Update Catalogs Sync Skipped?

I mentioned in the above section that I didn’t enable the classification called “Updates” and because that sync (SCCM Third-party Updates Catalog sync) skipped from adding the metadata to WSUS.

SCCM third-party software updates troubleshooting
Software Update Classification – “Updates” Enabled


SyncUpdateCatalog: Skipping 'Dell Latitude 7290/7390/7490 System BIOS,1.8.0 (Update:'1126ad02-f993-449a-b2cf-e21604a6a5fe' Vendor:'Dell' Product:'Bios')' due to it's classification: 'Updates'.
SyncUpdateCatalog: 0 updates were synchronized to WSUS succesfully, and 0 failed to publish
SCCM Third-Party Updates Step by Step Troubleshooting Process Guide 1
Skipping Third -Party Software Updates

Added the Updates classification into software update point properties. You can see the new classification category in WCM.log. This is one of the important step in SCCM third-party software updates troubleshooting process.

The WSUS will automatically detect the changes in the classifications without initiating the WSUS sync from SCCM console.

Third Party Update Catalogs Sync Completed

You need to re-initiate sync by clicking the “Sync Now” button from
Third-Party Software Update Catalogs node. This action will successfully update the third-party software updates metadata to WSUS.

You can check the SMS_ISVUPDATES_SYNCAGENT.log entries to confirm the successful sync.

SyncUpdateCatalog: WSUS synchronizing update: 'Broadcom 57XX Gigabit Integrated Controller Driver,12.8.0,A01 (Update:'c84906e1-010a-4269-bb55-b6011e1d8e1d' Vendor:'Dell' Product:'Drivers and Applications')'
SyncUpdateCatalog: 3062 updates were synchronized to WSUS succesfully, and 1 failed to publish.
Launcher : Work item SyncUpdateCatalog has completed queued time was 00:00:00.0729599 run time was 01:16:40.3197109
SyncUpdateCatalog: SyncUpdateCatalog : 41a7ad54-9744-4779-acd8-bf596e11e12f - Completed.
SCCM third-party software updates troubleshooting
SCCM Third-Party Updates – Catalog Update Success

New Product listing in Software Update Point Component Properties

Once you finish the above sync from third-party update node, you would be able to see the new third-party products under Products tab of software update point component properties.

The new products available in Software update point component properties. In this example, Dell products got available in my scenario below.

I selected Dell – BIOS to make all the Dell Bios related updates available in All Software Updates node.

SCCM third-party software updates troubleshooting
Products – SCCM third-party software updates troubleshooting

Another WSUS Sync

You might need to initiate WSUS Sync from All Updates node of SCCM console to make Third-Party updates available in SCCM console. This is another critical step of SCCM third-party software updates troubleshooting process.

You can find the following entries in WSYNCMGR.log

Full sync required due to changes in category subscriptions.
Synchronizing WSUS server SCCM_PROD …
sync: Starting WSUS synchronization
sync: WSUS synchronizing categories
Done synchronizing WSUS Server SCCM_PROD
Sleeping 120 more seconds for WSUS server sync results to become available
Collecting existing updates…
sync: SMS synchronizing categories
sync: SMS synchronizing categories, processed 0 out of 337 items (0%)
sync: SMS synchronizing categories, processed 337 out of 337 items (100%)
sync: SMS synchronizing updates
Collecting existing updates…
sync: SMS synchronizing updates, processed 0 out of 273 items (0%)
Synchronizing update 2337372b-fd44-45f2-b1de-3a76fd0da2f5 - Dell Latitude 3190 & 3190 2-in-1 System BIOS,1.5.0
Skipped update d3338d65-33bb-4961-bd7c-a88df159fe25 - LATITUDE E6510 SYSTEM BIOS,A09 because it was superseded.
sync: SMS synchronizing updates, processed 242 out of 273 items (88%), ETA in 00:00:31
sync: SMS synchronizing updates, processed 273 out of 273 items (100%)
Done synchronizing SMS with WSUS Server SCCM_PROD
Sync succeeded. Setting sync alert to canceled state on site PR3
SCCM third-party software updates troubleshooting

You can see the third party software update metadata entries in SCCM console after a successful WSUS Sync with SCCM.

SCCM third-party software updates troubleshooting
The Third-Party updates are visible in Console

Publish Third-Party Software Update Content

Now, the metadata is available under “All Software Updates,” you can publish third-party software updates content available in SCCM. This action should be performed before downloading the SCCM third-party software updates.

As you can see in the below picture, there are four stages to publish third-party software update content to SCCM.

NOTE! – You should go to Certificates node and right click on the blocked third-party custom catalog (this is applicable only older version of catalog file) certificate and click on UNBLOCK. If you miss this step, you might get a failure message while publishing the third-party update content from WSUS to SCCM.

How to get to Certificates Node in SCCM Console - \Administration\Overview\Security 

You can find the following log entries after publishing third-party software update catalog content in SMS_ISVUPDATES_SYNCAGENT.log.

PollingWorkMonitor: There are 1 jobs that are pending in the jobs table.
PollingWorkMonitor: Starting job 72057594037927941 for subject 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.
Creating a new SyncUpdate work item for update 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0, jobid is 72057594037927941
Launcher : About to start work item: SyncUpdate.
SyncUpdate: 'Dell XPS L421X System BIOS,A18 (Update:'32d0d4e6-58e3-4321-a0d2-586a4b4dccf0' Vendor:'Dell' Product:'Bios')' is synchronized to WSUS without content, revision to add content is required.
SyncUpdate: Checking if certificate is registered for server SCCM_PROD
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Downloading file: '' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\tssug4tt.dc2\L421XA18W.exe'.
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Download of is 12 percent completed.
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Download of is 96 percent completed.
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Successfully completed download of content from '' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\tssug4tt.dc2\L421XA18W.exe.
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Completed.
SCCM Third-Party Updates Step by Step Troubleshooting Process Guide 4
SCCM Third-Party Updates – Content Download

Click on Synchronize Software Updates button from All Software Updates node and check out WSYNCMGR.log file. SCCM third-party software updates troubleshooting process steps will help to secure your environment.

sync: Starting WSUS synchronization
sync: WSUS synchronizing categories
sync: WSUS synchronizing updates
Done synchronizing WSUS Server SCCM_PROD
sync: SMS synchronizing updates, processed 0 out of 1 items (0%)
Synchronizing update 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Dell XPS L421X System BIOS,A18
sync: SMS synchronizing updates, processed 1 out of 1 items (100%)
Done synchronizing SMS with WSUS Server SCCM_PROD
Set content version of update source {77756C2C-A568-4030-B8E4-5864C7E51302} for site PR3 to 2
  • Before publishing the content – Third-Party Software Update icon color is BLUE (#1 in the above picture)
  • After publishing the content and WSync (#2.5 in the above picture) – Third-Party Software Update icon color is GREEN (#3 in the above picture)

Download & Create Software Update Package

Quickly created a third party software update patch with one Dell BIOS update.

The following is the details of the software update package creation Wizard which I filled in. You can use my video tutorial to learn more about creating and deploying a software update package.

 The software updates will be placed in a new package:
•        Dell Bios
 Content (1):
 Distribution Settings
•        Priority: Medium
•        Enable for on-demand distribution: Disabled
•        Prestaged distribution point settings: Automatically download content when packages are assigned to distribution points

Now, you can track the download of software update package content via PatchDownloader.log. The following are some of the entries of PatchDownloader.log.

Download destination = \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.1\ .
Query to run: select f.FileName, ct.ContentSource from SMS_CIToContent c join SMS_CIContentFiles f on c.ContentID = f.ContentID join SMS_Content ct on c.ContentID = ct.ContentID where c.ContentDownloaded = 1 and f.FileHash = 'SHA1:531921E13A4FBB87E74FEEE702B61EBB518B6FC9'
Downloading content for ContentID = 16777309,  FileName =
Connecting - Adding file range by calling HttpAddRequestHeaders, range string = "Range: bytes=0-"
Download http://sccm_prod:8530/Content/C9/ in progress: 10 percent complete
Download http://sccm_prod:8530/Content/C9/ to C:\Users\anoop\AppData\Local\Temp\2\CAB15D.tmp returns 0
Download http://sccm_prod:8530/Content/C9/ to C:\Users\anoop\AppData\Local\Temp\2\CAB15D.tmp returns 0
Successfully moved C:\Users\anoop\AppData\Local\Temp\2\CAB15D.tmp to \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.1\
Renaming \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.1 to \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0
Successfully moved \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.1 to \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0


Successfully created the third-party Software update package in SCCM.

SCCM third-party software updates troubleshooting
SCCM Third-Party Updates Guide



Anoop is Microsoft MVP! He is a Solution Architect on enterprise client management with over 17 years of experience (calculation done in 2018). He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.…

21 thoughts on “SCCM Third-Party Updates Step by Step Troubleshooting Process Guide”

  1. Hey Anoop, is there any easy way to update a password protected BIOS and Bitlocker enabled system using Third party catalog. I’ve been trying a step in TS ” Install software Updates” to install the BIOS updates by making them available. I also add steps to remove BIOS password and suspend Bitlocker( with reboot count 1) in the TS prior running this step. But i’m afraid this method will still go uncontrolled as we don’t want BIOS to be flashed with bitlocker on.

    Do you have any suggestion that we can try?

    • Hey Shailesh – Yes Task Sequence is the best Option that I have seen in many scenarios. I don’t think third-party software updates can provide a method with TS granularity

  2. Wonderful Article Anoop. We have deployed drivers udaptes using 3rd party..however some anamolies on clients.. report show success but driver version still old on clent, reboot pending but we dont see what is upgraded… any clues on what logs to refer to on clients ? How do we troubleshoot failures, how do we confirm succesul driver update ?

    • I thought all the 3rd patching piece is handled similar to normal software update. Do you check the scanagent.log etc ? You didn’t see any traces of driver updates in there ?

  3. Thanks for promopt reply Anoop. Regular logs of not much help unfortunately. Even if they show succesful, in reality drivers hasnt upgrade, which makes us clueless. In normal udpates case, we refer to eventvwr or installed udpated in Control Panel, some more logs on %temp% etc… here with drivers, post SCCM, it makes us nowhere other than Device Manager :-).

    Next big challenge is what logic it uses to check if a Wifi/LAN/Display on a client etc is needing an udpate versus showing it a compliant… as we see anamolies here, knowing the logic helps to troubbleshoot well

  4. Hi Anoop,
    Another great post.

    We have BIOS passwords configured in our environment. Do you think we can use the Software update process somehow to update BIOS?

    Thanks in advance!

    Best Regards,

    • The obvious obstacles updating a BIOS as software update is the presence of password in BIOS. From what we’ve tested BIOS password need to be removed first before any BIOS specific update can be applied or else it will fail. Also beware the update may also mess up your Bitlocker startup keys (if present) during the process so you may wanna suspend Bitlocker as well before installing the update.

      For us we dealt mostly with Dell systems, so we made use of Cctk to remove\re-enable bios password and Task sequence to deploy the update and handle the reboots. But ofcourse that would be by using the update file as packages.

      For the moment scconfigmgr modern bios management tool does a fairly good job when it comes to updating the bios also it integrates with your OSD task sequence, so you may wanna give it a try.

  5. Thanks for the article. We have our SUP on a remote server and I am having issues implementing Third Party Updates. I have successfully been able to sync, download and deploy and setup the SSL communication according to

    However when the update gets deployed it gets stuck on “Deploying Updates” until it times out. It looks like a permissions issue but the permissions are setup properly. Third-Party Updates work fine in my lab but it’s co-located all on one server.

    Do you know if there are extra steps that I’m possibly missing when it comes to the SUP being on a remote server? Especially share or folder permissions.

  6. Hi Anoop –

    We have the Dell Third-Party Software Update Catalog synching and we see about 3800 Dell drivers, BIOS, etc. in our console. However, we are hesitant to deploy them. Unlike our other 3rd party patching product, Patch MY PC, which declines superseded/expired updates and eventually flushes them out, the Dell updates don’t appear to do this – they are all just in there. So, when we go to deploy Intel RST, for example, a client machine gets 4 different versions of the product. Any suggestions on automatically declining the unused updates?

  7. Hi Anoop –

    We installed Third-Party Updates from Dell, Adobe, Foxit and HP, we have a lot of Problems with it. So we want start over without Third-Party Updates. After reinstall WSUS and SUP all Updates from Dell, etc. appears automatically. Is there any way to clean up all Third-Party Products.

  8. Hi Anoop,
    We have this implemented in our Environment however there is some problem with scheduled synchronization of catalogs. Id did not happen as planned. in the SMS_ISVUPDATES_SYNCAGENT.log I can see a lot lot of this entries “PollingWorkMonitor: Local WSUS is busy synchronizing updates.”
    Manual sync works fine, same as driver publishing. Do you have any idea what might be wrong?

    • Hello Luka – Do you think the normal software update sync and third party update sync are getting triggered on the same time ? We can have more discussion in

  9. This was great information! Question: is there a way to force a system to be non-compliant for the third-party updates? Or a way to view/adjust the compliance logic? For example, all our systems are showing compliant for a Dell BIOS update even though the systems are most definitely running an older version.


  10. Anoop, or anyone else.
    I’m interested in configuring our SCCM/MECM environment to utilize the 3rd party updates feature directly to the console. Though I need a good reason or few reasons that I can tell my manager why this would be better than our current SCUP configuration. Any help would be appreciated. Also, does anyone know why Adobe url’s to the 3rd party catalog downloads are always changing and where can I find them?

    • If you ask me I will go with any of the third-party paid catalog vendors. They do all the difficult works for you like –
      Tracking the updates for all 3rd party apps
      Customization of updates (repackaging)
      Native integration with console

  11. Great article Anoop, having the log screenshots really help us. I have successfully setup the catalog for Dell Business Client Updates Catalog and started doing some testing. The problem I am having is the clients are not showing the updates as required, for example pushing the latest Dell Command | Update version. Do you have some suggestions on how to troubleshoot that?

    • I believe you first have to deploy the Dell Openmanage Agent to the clients so that the required/installed status column gets updated. That seemed to make the difference for us.

      What I don’t understand is why do we see so many different versions of each driver for even 1 single laptop model! Clearly most of them are not the latest version of the driver so why are the older ones even listed? You have to check each one carefully before publishing it and deploying it to make sure you’re not pushing out an old driver that has since been replaced with a newer one. It’s just nuts!

      Anyone know how to remove all of the Dell updates metadata from the “All Software Updates” console view?


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.