SCCM Third-Party Updates Step by Step Troubleshooting Process Guide

5
SCCM Third-Party Software Updates - Home

Historically, SCCM and SCUP were used for third-party application patching. Good news is that the SCCM 1806 or later removed the dependency of SCUP for deploying third-party software updates. In this post, you will learn the process flow of SCCM third-party Software updates troubleshooting.

This post will be your companion guide to understand end to end process with log files and the complete guide for third-party Software Updates.

[Related Post SCCM Third-Party Software Updates Setup Step by Step Guide Post 1 & Free SCCM Catalog List – SCCM Third-Party Updates Post 2]

Contents

SCCM Third-Party Software Updates Troubleshooting Process Guide

You will learn how SCCM third-party software updates troubleshooting system works in the background. You can perform troubleshooting activities based on SCCM log files. The following are the logs which I’m going to use in this post to walk through the third-party software updates in SCCM.

Log Files

  • SMS_ISVUPDATES_SYNCAGENT.log
  • Wsyncmgr.log
  • WCM.log (C:\Program Files\Microsoft Configuration Manager\Logs)
  • PatchDownloader.log (%temp%)

Enable SCCM Third-Party Updates

You can enable third-party software updates from SCCM console. Follow the steps to complete the 3rd party updates.

Click Configure Site Components from your top-level server (CAS or standalone primary server), and select Software Update Point. Switch to the Third-Party Updates tab. Select the checkbox option called Enable third-party software updates.

SCCM third-party software updates troubleshooting
Enable Third Party Software Updates

The following entries in SMS_ISVUPDATES_SYNCAGENT.log.

Settings: Third party updates are not enabled, component is inactive.
.
.
Settings: Third-party updates are enabled.  SMS_ISVUPDATES_SYNCAGENT
Settings: DefaultWSUSServer changed to 'SCCM_Prod.Intune.com'  SMS_ISVUPDATES_SYNCAGENT
ScheduledWorkMonitor: Scheduled item (PartnerCatalogListSyncTask:00000000-0000-0000-0000-000000000000) is due in 00:00:00.
ScheduledWorkMonitor: Synchronize partner catalogs list is now due and will be addded to the work queue.
Launcher : About to start work item: SyncPartnerCatalogs.
SyncPartnerCatalogs: Downloading partner catalogs list from 'https://go.microsoft.com/fwlink/?linkid=874591'…
SCCM third-party software updates troubleshooting
Third-party updates are enabled

In the WSYNCMGR.LOG, you can see third-party signing certificate validation process. I have not enabled Update Classification called “Security Updates &Upgrades”. SCCM third-party software updates troubleshooting process starts from here.

Requested categories: UpdateClassification=Security Updates, UpdateClassification=Upgrades
Checking WSUS for third-party signing certificate…
Getting signing certificate from WSUS server.
Inserting new signing certificate into database. Thumbprint: 8CFD91177DEEADBB56E3BDGG21E4B897F0FD96C8
Successfully downloaded and stored WSUS signing certificate with thumbprint 8CC091177CEEABBB56E3BDFF21E4B897F0FD96C8
Finished checking for third-party signing certificate.

NOTE! – You will see you need to have “Updates” classification also for SCCM third-party updates. Read-on to have more details.

In WCM.LOG, you can see WSUS update classification enabled are “Security Updates & Upgrades“.

Setting new configuration state to 4 (WSUS_CONFIG_SUBSCRIPTION_PENDING)
Subscribed Update Categories <?xml version="1.0" ?>~~<Categories>~~        <Category Id="UpdateClassification:0fa1201d-4330-4fa8-8ae9-b877473b6441"><![CDATA[Security Updates]]></Category>~~        <Category Id="UpdateClassification:3689bdc8-b205-4af4-8d4a-a63924c5e9d5"><![CDATA[Upgrades]]></Category>~~ </Categories>
Configuration successful. Will wait for 1 minute for any subscription or proxy changes 
Setting new configuration state to 2 (WSUS_CONFIG_SUCCESS)

Add Custom Catalog

You can add the custom catalogs from \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs node in the console.

You need to provide the following details in the Third Party Software Updates Custom Catalogs Wizard.

  • Download URL – https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab
  • Publisher – Dell
  • Name – Dell Business Client Update
  • Description – You can provide any tesxt value. URLs are not allowed

NOTE! – You will be wondering how did I get the DOWNLOAD URL Details for Third-Party Updates? The following picture will give you a clue. I will explain to you this in a different blog post.

SCCM third-party software updates troubleshooting
SCUP – Partner Catalogs

Subscribe to Custom Catalog

You can subscribe to the added partner catalog by right-clicking on the catalog (DELL in this example) and select Subscribe to Catalog. SCCM third-party software updates troubleshooting steps mentioned below will be a help for you.

You can click on Sync Now button from Software Updates\Third-Party Software Update Catalogs node to start syncing the metadata to the WSUS.

The above sync now action will initiate two (2) internal syncs. Details below:

  • Partner Catalogs Sync
  • Update Catalogs sync

The first sync is called partner catalogs sync. You can check patchdownloader.log to check the download of meta data from vendor site. This Sync Now action will try to sync all the subscribed third-party partner catalogs into WSUS.

SMS_ISVUPDATES_SYNCAGENT.log will have the following entries.

Launcher : About to start work item: SyncPartnerCatalogs.
SyncUpdateCatalog: SyncUpdateCatalog : f3bf16c2-3d49-41c8-ac37-42cb2a0a73df - Completed.
SyncPartnerCatalogs: Downloading partner catalogs list from 'https://go.microsoft.com/fwlink/?linkid=874591&pc=3rdPartyUpdates1806Production'...
SyncPartnerCatalogs: Download of partner catalogs list completed successfully.
SyncPartnerCatalogs: Extracted catalogs list.
SyncPartnerCatalogs: Parsing the partner catalogs list and updating the database.
SyncPartnerCatalogs: Catalog 'HP Client Updates Catalog' was not found, adding.
SyncPartnerCatalogs: Catalog 'Dell Business Client Updates Catalog' was not found, adding.
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_PARTNERS_SYNCED).
SyncPartnerCatalogs: Successfully updated the list of partner catalogs
SyncPartnerCatalogs: Completed update of catalogs list.
SyncPartnerCatalogs: Completed.
SCCM third-party software updates troubleshooting
Third-Party Software Updates Parent Catalog Sync

The second part of the sync is called Update Catalogs sync. This sync will check for all the updates available for a particular partner catalog and get the metadata synced with WSUS.

NOTE! – Make sure that the third-party partner(s) and custom catalog(s) certificates are UNBLOCK(ed) from SCCM console. Also, you can install the certificate on the primary server.

More details entries available in SMS_ISVUPDATES_SYNCAGENT.log.

Launcher : About to start work item: SyncUpdateCatalog.
SyncUpdateCatalog: Starting download for catalog 'Dell Business Client Updates Catalog' from 'https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab' …
SyncUpdateCatalog: Downloading file: 'https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\q0c0kepl.sh5\DellSDPCatalogPC.cab'.
ScheduledWorkMonitor: Synchronize updates from catalog '41a7ad54-9744-4779-acd8-bf596e11e12f' is due and will be added to the work queue.
SyncUpdateCatalog: Decompressing catalog files to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\gqixdh4l.r4p' for processing…
SyncUpdateCatalog: A catalog manifest was found for use during catalog processing.
SyncUpdateCatalog: Completed parsing of catalog 'Dell Business Client Updates Catalog'
SyncUpdateCatalog: Added certificate 01E17CEBB6EABA3DDF5932EA3298BAAAC7921DA6.

NOTE! – The above “Sync Now” won’t make the SCCM third-party updates available in SCCM under All Software Updates node. Read on to get more details to get the third-party updates in SCCM console.

Third-Party Update Catalogs Sync Skipped?

I mentioned in the above section that I didn’t enable the classification called “Updates” and because that sync (SCCM Third-party Updates Catalog sync) skipped from adding the metadata to WSUS.

SCCM third-party software updates troubleshooting
Software Update Classification – “Updates” Enabled

SMS_ISVUPDATES_SYNCAGENT.log entries.

SyncUpdateCatalog: Skipping 'Dell Latitude 7290/7390/7490 System BIOS,1.8.0 (Update:'1126ad02-f993-449a-b2cf-e21604a6a5fe' Vendor:'Dell' Product:'Bios')' due to it's classification: 'Updates'.
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_SYNCED).
SyncUpdateCatalog: 0 updates were synchronized to WSUS succesfully, and 0 failed to publish
SCCM Third-Party Updates Step by Step Troubleshooting Process Guide 1
Skipping Third -Party Software Updates

Added the Updates classification into software update point properties. You can see the new classification category in WCM.log. This is one of the important step in SCCM third-party software updates troubleshooting process.

The WSUS will automatically detect the changes in the classifications without initiating the WSUS sync from SCCM console.

Third Party Update Catalogs Sync Completed

You need to re-initiate sync by clicking the “Sync Now” button from
Third-Party Software Update Catalogs node. This action will successfully update the third-party software updates metadata to WSUS.

You can check the SMS_ISVUPDATES_SYNCAGENT.log entries to confirm the successful sync.

SyncUpdateCatalog: WSUS synchronizing update: 'Broadcom 57XX Gigabit Integrated Controller Driver,12.8.0,A01 (Update:'c84906e1-010a-4269-bb55-b6011e1d8e1d' Vendor:'Dell' Product:'Drivers and Applications')'
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_PARTIAL_WARN).
SyncUpdateCatalog: 3062 updates were synchronized to WSUS succesfully, and 1 failed to publish.
Launcher : Work item SyncUpdateCatalog has completed queued time was 00:00:00.0729599 run time was 01:16:40.3197109
SyncUpdateCatalog: SyncUpdateCatalog : 41a7ad54-9744-4779-acd8-bf596e11e12f - Completed.
SCCM third-party software updates troubleshooting
SCCM Third-Party Updates – Catalog Update Success

New Product listing in Software Update Point Component Properties

Once you finish the above sync from third-party update node, you would be able to see the new third-party products under Products tab of software update point component properties.

The new products available in Software update point component properties. In this example, Dell products got available in my scenario below.

I selected Dell – BIOS to make all the Dell Bios related updates available in All Software Updates node.

SCCM third-party software updates troubleshooting
Products – SCCM third-party software updates troubleshooting

Another WSUS Sync

You might need to initiate WSUS Sync from All Updates node of SCCM console to make Third-Party updates available in SCCM console. This is another critical step of SCCM third-party software updates troubleshooting process.

You can find the following entries in WSYNCMGR.log

Full sync required due to changes in category subscriptions.
Synchronizing WSUS server SCCM_PROD …
sync: Starting WSUS synchronization
sync: WSUS synchronizing categories
Done synchronizing WSUS Server SCCM_PROD
Sleeping 120 more seconds for WSUS server sync results to become available
........
Collecting existing updates…
sync: SMS synchronizing categories
sync: SMS synchronizing categories, processed 0 out of 337 items (0%)
sync: SMS synchronizing categories, processed 337 out of 337 items (100%)
sync: SMS synchronizing updates
Collecting existing updates…
sync: SMS synchronizing updates, processed 0 out of 273 items (0%)
Synchronizing update 2337372b-fd44-45f2-b1de-3a76fd0da2f5 - Dell Latitude 3190 & 3190 2-in-1 System BIOS,1.5.0
Skipped update d3338d65-33bb-4961-bd7c-a88df159fe25 - LATITUDE E6510 SYSTEM BIOS,A09 because it was superseded.
sync: SMS synchronizing updates, processed 242 out of 273 items (88%), ETA in 00:00:31
sync: SMS synchronizing updates, processed 273 out of 273 items (100%)
Done synchronizing SMS with WSUS Server SCCM_PROD
Sync succeeded. Setting sync alert to canceled state on site PR3
SCCM third-party software updates troubleshooting
WSYNCMGR.log

You can see the third party software update metadata entries in SCCM console after a successful WSUS Sync with SCCM.

SCCM third-party software updates troubleshooting
The Third-Party updates are visible in Console

Publish Third-Party Software Update Content

Now, the metadata is available under “All Software Updates,” you can publish third-party software updates content available in SCCM. This action should be performed before downloading the SCCM third-party software updates.

As you can see in the below picture, there are four stages to publish third-party software update content to SCCM.

NOTE! – You should go to Certificates node and right click on the blocked third-party custom catalog (this is applicable only older version of catalog file) certificate and click on UNBLOCK. If you miss this step, you might get a failure message while publishing the third-party update content from WSUS to SCCM.

How to get to Certificates Node in SCCM Console - \Administration\Overview\Security 

You can find the following log entries after publishing third-party software update catalog content in SMS_ISVUPDATES_SYNCAGENT.log.

PollingWorkMonitor: There are 1 jobs that are pending in the jobs table.
PollingWorkMonitor: Starting job 72057594037927941 for subject 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.
Creating a new SyncUpdate work item for update 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0, jobid is 72057594037927941
Launcher : About to start work item: SyncUpdate.
SyncUpdate: 'Dell XPS L421X System BIOS,A18 (Update:'32d0d4e6-58e3-4321-a0d2-586a4b4dccf0' Vendor:'Dell' Product:'Bios')' is synchronized to WSUS without content, revision to add content is required.
SyncUpdate: Checking if certificate is registered for server SCCM_PROD
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Downloading file: 'http://downloads.dell.com/FOLDER04976362M/1/L421XA18W.exe' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\tssug4tt.dc2\L421XA18W.exe'.
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Download of is 12 percent completed.
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Download of is 96 percent completed.
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Successfully completed download of content from 'http://downloads.dell.com/FOLDER04976362M/1/L421XA18W.exe' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\tssug4tt.dc2\L421XA18W.exe.
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_SUCCESS).
SyncUpdate: 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Completed.
SCCM Third-Party Updates Step by Step Troubleshooting Process Guide 4
SCCM Third-Party Updates – Content Download

Click on Synchronize Software Updates button from All Software Updates node and check out WSYNCMGR.log file. SCCM third-party software updates troubleshooting process steps will help to secure your environment.

sync: Starting WSUS synchronization
sync: WSUS synchronizing categories
sync: WSUS synchronizing updates
Done synchronizing WSUS Server SCCM_PROD
sync: SMS synchronizing updates, processed 0 out of 1 items (0%)
Synchronizing update 32d0d4e6-58e3-4321-a0d2-586a4b4dccf0 - Dell XPS L421X System BIOS,A18
sync: SMS synchronizing updates, processed 1 out of 1 items (100%)
Done synchronizing SMS with WSUS Server SCCM_PROD
Set content version of update source {77756C2C-A568-4030-B8E4-5864C7E51302} for site PR3 to 2
  • Before publishing the content – Third-Party Software Update icon color is BLUE (#1 in the above picture)
  • After publishing the content and WSync (#2.5 in the above picture) – Third-Party Software Update icon color is GREEN (#3 in the above picture)

Download & Create Software Update Package

Quickly created a third party software update patch with one Dell BIOS update.

The following is the details of the software update package creation Wizard which I filled in. You can use my video tutorial to learn more about creating and deploying a software update package.

Package:
 The software updates will be placed in a new package:
•        Dell Bios
 Content (1):
•        SCCM_PROD.INTUNE.COM
 Distribution Settings
•        Priority: Medium
•        Enable for on-demand distribution: Disabled
•        Prestaged distribution point settings: Automatically download content when packages are assigned to distribution points

Now, you can track the download of software update package content via PatchDownloader.log. The following are some of the entries of PatchDownloader.log.

Download destination = \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.1\552219ed-9943-4a13-a4f9-a44ad26b98d7_1.cab .
Query to run: select f.FileName, ct.ContentSource from SMS_CIToContent c join SMS_CIContentFiles f on c.ContentID = f.ContentID join SMS_Content ct on c.ContentID = ct.ContentID where c.ContentDownloaded = 1 and f.FileHash = 'SHA1:531921E13A4FBB87E74FEEE702B61EBB518B6FC9'
Downloading content for ContentID = 16777309,  FileName = 552219ed-9943-4a13-a4f9-a44ad26b98d7_1.cab.
Connecting - Adding file range by calling HttpAddRequestHeaders, range string = "Range: bytes=0-"
Download http://sccm_prod:8530/Content/C9/531921E13A4FBB87E74FEEE702B61EBB518B6FC9.cab in progress: 10 percent complete
Download http://sccm_prod:8530/Content/C9/531921E13A4FBB87E74FEEE702B61EBB518B6FC9.cab to C:\Users\anoop\AppData\Local\Temp\2\CAB15D.tmp returns 0
Download http://sccm_prod:8530/Content/C9/531921E13A4FBB87E74FEEE702B61EBB518B6FC9.cab to C:\Users\anoop\AppData\Local\Temp\2\CAB15D.tmp returns 0
Successfully moved C:\Users\anoop\AppData\Local\Temp\2\CAB15D.tmp to \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.1\552219ed-9943-4a13-a4f9-a44ad26b98d7_1.cab
Renaming \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.1 to \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0
Successfully moved \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0.1 to \\SCCM_Prod\Sources\Third-Party Updates\Dell\32d0d4e6-58e3-4321-a0d2-586a4b4dccf0

Conclusion

Successfully created the third-party Software update package in SCCM.

SCCM third-party software updates troubleshooting
SCCM Third-Party Updates Guide

Resources

5 COMMENTS

  1. Hey Anoop, is there any easy way to update a password protected BIOS and Bitlocker enabled system using Third party catalog. I’ve been trying a step in TS ” Install software Updates” to install the BIOS updates by making them available. I also add steps to remove BIOS password and suspend Bitlocker( with reboot count 1) in the TS prior running this step. But i’m afraid this method will still go uncontrolled as we don’t want BIOS to be flashed with bitlocker on.

    Do you have any suggestion that we can try?

    • Hey Shailesh – Yes Task Sequence is the best Option that I have seen in many scenarios. I don’t think third-party software updates can provide a method with TS granularity

  2. Wonderful Article Anoop. We have deployed drivers udaptes using 3rd party..however some anamolies on clients.. report show success but driver version still old on clent, reboot pending but we dont see what is upgraded… any clues on what logs to refer to on clients ? How do we troubleshoot failures, how do we confirm succesul driver update ?

    • I thought all the 3rd patching piece is handled similar to normal software update. Do you check the scanagent.log etc ? You didn’t see any traces of driver updates in there ?

  3. Thanks for promopt reply Anoop. Regular logs of not much help unfortunately. Even if they show succesful, in reality drivers hasnt upgrade, which makes us clueless. In normal udpates case, we refer to eventvwr or installed udpated in Control Panel, some more logs on %temp% etc… here with drivers, post SCCM, it makes us nowhere other than Device Manager :-).

    Next big challenge is what logic it uses to check if a Wifi/LAN/Display on a client etc is needing an udpate versus showing it a compliant… as we see anamolies here, knowing the logic helps to troubbleshoot well

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.