Let’s learn how to configure SCCM third-party software updates. This is a comprehensive guide to setting up 3rd party patching with SCCM.
SCUP helped many of us to deploy third-party software updates for many years. Now, SCCM doesn’t require SCUP to deploy third-party updates. Let’s dive into the SCCM third-party software update setup.
Microsoft applications are patched as part of the Microsoft Software Update patching process. However, the third-party applications (non-Microsoft) are NOT patched using Microsoft updates.
You should have a different process for 3rd party updates.
This post will teach you how to enable 3rd party patching using SCCM and WSUS without using SCUP. The patching of applications like Chrome, Java, etc… is not easy.
- SCCM Third-Party Software Updates Setup Step by Step Guide Post Video Guide
- Free SCCM Catalog List – SCCM Third-Party Updates Post 2
- Background Process flow with Logs – SCCM Third-Party Software Updates – Post 3
- Fix SCCM 3rd Party Patching Sync Failed Issue
Introduction
This post is a step-by-step SCCM third-party software updates setup guide for all SCCM admins.
First of all, you need to analyze and understand the business requirement of third-party updates. From my perspective, third-party patching is critical for the overall IT security landscape.
The following are some of the questions that will help you get ready for a third-party software update setup.
- What is the current process for patching third-party applications?
- Are you using the standard packaging process to perform third-party updates?
- How many application vendors are providing SCCM-friendly “Update Catalogs” for free?
- Do you need to spec up the SCCM server hardware before enabling third-party updates?
Prerequisites
You can enable third-party updates from SCCM (without SCUP integration) when you have 1806 or a later version.
The SCCM third-party software updates feature allows you to subscribe to partner and custom catalogs from the SCCM console and publish the updates to WSUS.
- Partner catalogs are software vendor catalogs partnered with Microsoft. The following are the two partner catalogs (DELL & HP) available with the SCCM 1902 release.
- Custom Catalogs are the third-party software catalogs that you can add manually to the SCCM console. You can find more detail in the below section.
NOTE! – There are only a few vendors that provide FREE custom catalogs. You can find more details in the blog post free List of Catalogs SCCM Third-Party Software Updates.
The following is the quick list of prerequisites that you want to ensure before enabling the update feature.
- WSUS and SUP should be configured and working fine.
- Updates Classification should be enabled from Software Update Point Component Properties.
- Valid business requirements and sponsorship from management.
- License cost – SCCM support is free, but if you want to use other third-party products to get more vendor application support (via Custom Catalog), you need to pay the extra licensing cost.
- SCCM Server Specs & Disk Space – Consider Upgrading Disk Space per your requirement.
- Adjust your proxy and firewall configurations – port 443 must be allowed, and you might need to whitelist all the third-party vendor URLs to download metadata, CAB files, and source files of updates.
- Check out Certificate requirements at the Server and client-side. Also, you might need to adjust the Group Policy setting on the client-side.
- SCCM Client Settings – Enable third-party software updates policies to YES.
- Additional requirements when the SUP is remote from the top-level site server
NOTE! – Some certificate details:
1. WSUS (Publishers Self Signed) – Code Signing – Only WSUS Server
2. Trusted Publishers – WSUS Server & Client
3. Trusted Root Certificate – WSUS Server & Client
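The certificate placement listed in the note above can be checked per machine with a short script. This is an added example, not part of the original post: the function name and the thumbprint are placeholders, and the registry value checked on clients assumes the Group Policy setting meant is "Allow signed updates from an intranet Microsoft update service location", which the post does not name.

```powershell
function Test-ThirdPartyUpdateCertTrust {
    [CmdletBinding()]
    param(
        # Thumbprint of the WSUS signing certificate (40 hex characters).
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]
        [string]$Thumbprint,

        # Set on the WSUS/SUP server to also check the WSUS store and the private key.
        [switch]$IsWsusServer
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage
    $stores = @('TrustedPublisher', 'Root')
    if ($IsWsusServer) { $stores = @('WSUS') + $stores }

    foreach ($store in $stores) {
        $path = "Cert:\LocalMachine\$store"
        $cert = $null
        if (Test-Path -Path $path) {
            $cert = Get-ChildItem -Path $path |
                Where-Object { $_.Thumbprint -eq $Thumbprint } |
                Select-Object -First 1
        }

        $ok = $false
        $detail = 'certificate not found'
        if ($cert) {
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $canSign = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
            $expired = $cert.NotAfter -lt (Get-Date)
            # Only the copy in the WSUS store needs the private key; it signs published content.
            $keyOk = ($store -ne 'WSUS') -or $cert.HasPrivateKey
            $ok = $canSign -and -not $expired -and $keyOk
            $detail = 'CodeSigning={0}; Expires={1:yyyy-MM-dd}; PrivateKey={2}' -f `
                $canSign, $cert.NotAfter, $cert.HasPrivateKey
        }
        [pscustomobject]@{ Check = "LocalMachine\$store"; Pass = $ok; Detail = $detail }
    }

    if (-not $IsWsusServer) {
        # Assumption: this is the value written by the client-side policy
        # "Allow signed updates from an intranet Microsoft update service location".
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $val = (Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts `
                -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
        [pscustomobject]@{ Check = 'AcceptTrustedPublisherCerts policy'; Pass = ($val -eq 1); Detail = "value=$val" }
    }
}

# Placeholder thumbprint; replace it with the one shown in the console's Certificates node.
# Test-ThirdPartyUpdateCertTrust -Thumbprint '0000000000000000000000000000000000000000' -IsWsusServer
```

Run it elevated on the WSUS server with `-IsWsusServer`, and without the switch on a sample client; any row with `Pass = False` points at the store or policy to fix before publishing.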
Enable SCCM Third-Party Software Updates
As I mentioned in the prerequisites, ensure that you have a working WSUS and SUP environment before enabling the third-party updates.
The following steps should be completed from the top-level site, either the SCCM CAS or the standalone primary server. The steps below will help you enable the SCCM third-party update feature.
- In the SCCM console, go to the Administration workspace. Expand Site Configuration, and select the Sites node.
- Select the top-level site in the hierarchy. Click Configure Site Components from the ribbon menu, and select Software Update Point.
- Click on the Third-Party Updates tab and select the option Enable third-party software updates from Software Update Point Component Properties.
- Select Configuration Manager manages the certificate (I selected this default option).
- I have not chosen this option – Manually manage the certificates. This option should be used when you have a requirement to use PKI certs.
NOTE! – I would recommend using the default options of the SCCM configuration wizard unless you have a specific reason to select another option. I have chosen the configuration manager-managed certificate option.
If you don’t have any PKI certificate requirements for SCCM third-party updates, you can use the default option as I mentioned above.
You might be able to see a new certificate type, “third-party WSUS Signing” (as I showed in the below picture), when you use the Configuration Manager manages the certificate option from the above wizard.
Navigate to – \Administration\Overview\Security\Certificates
Subscribe to Partner Catalog
In this section, you can subscribe to partner catalogs (out-of-box settings, as I mentioned above).
- Launch SCCM Console
- Navigate \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs node
- Click on the “Lenovo” partner catalog from the list on the right side
- Click on Subscribe
Add a Custom Catalog
The next step in setting up SCCM third-party software updates is to add the custom catalogs. In the console, you can add the custom catalogs from \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs.
You might already see the partner catalogs in the SCCM console. HP and Dell are the only two (2) partner catalogs available for the SCCM 1902 version.
You can follow the below steps to add a custom catalog to SCCM.
- Navigate to \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs.
- Click on Add Custom Catalog from the ribbon menu.
You must provide the following details in the Third-Party Software Updates Custom Catalogs Wizard. The next four (4) values are mandatory.
- Download URL – https://armmf.adobe.com/arm-manifests/win/SCUP/Reader11_Catalog.cab
- Publisher – Adobe
- Name – Adobe Reader 11
- Description – You can provide any text description.
NOTE! You will wonder how I got the DOWNLOAD URL Details for Adobe Reader 11 Third-Party Updates? I will explain this to you in a different blog post.
Subscribe to Custom Catalogs
Subscribing to the catalog is the next configuration step in the SCCM third-party software updates setup. The Third-Party Software Update Catalogs node allows you to subscribe to third-party custom and partner catalogs.
The subscription of partner and custom third-party catalogs helps SCCM environments to get regular updates (or patches) from third-party application vendors.
The following steps ensure that the SCCM environment is subscribed to the vendor’s product updates, similar to Microsoft Software updates.
- Navigate to the Software Updates Library workspace from the SCCM console.
- Expand Software updates, and select the Third-Party Software Update Catalogs node.
- Select the Custom Catalogs to which you want to subscribe:
- I selected Adobe Reader 11
- Click the NEXT button from Third-Party Software Updates Wizard
- On the Download page of the third-party software update wizard, SCCM will download the CAB file using the URL you provided while adding a custom catalog.
NOTE! – You need to have appropriate internet connections, as I mentioned in the prerequisites section above. If not, the download will fail, and you won’t be able to proceed with the third-party software update wizard. This wizard uses the same proxy connection you set up in the SUP configuration.
- Review and Approve the catalog certificate from the review and approve page of the Third-party updates wizard
- Click on the View Certificates box to view the certificate properties and review them.
NOTE! – I would recommend reviewing and installing the Certificate to the Local Machine (Default location) – If you don’t do this, the Publishing of third-party update content will fail in the later stage of this process. You can check the certificate details in the Certificates node of the SCCM console, as I mentioned in the above section.
- Click the OK button on certificate properties windows.
- Click on the Checkbox near “I have read and understood” to agree and proceed further.
- Click on the Next button to continue and finish the subscription process of the third-party catalog.
- Click on NEXT on Confirm Settings page.
- FINISH the wizard to start the metadata updates synchronization to WSUS.
- Click on Adobe Custom Catalog and initiate a Sync (Sync Now button from the ribbon) from the Third-Party Software Update Catalogs node.
- Make sure the Last Sync Status is SUCCESS.
The above sync will bring all the Adobe Reader 11 updates into the WSUS database. You can refer to the log file called SMS_ISVUPDATES_SYNCAGENT.log.
NOTE! – The above Sync (use Sync Now button from the ribbon) from \Software Library\Overview\Software Updates\Third-Party Software Update Catalogs won’t make the metadata of Adobe Reader 11 updates available in the SCCM console.
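The review-and-approve step above asks you to trust the certificate that signed the catalog CAB, and the same file can be inspected outside the wizard first. This is an added example, not part of the original post: the function name, the local file path and the list of approved thumbprints are hypothetical, and it relies only on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
function Get-CatalogCabSigner {
    [CmdletBinding()]
    param(
        # Local copy of the catalog CAB, downloaded separately from the wizard.
        [Parameter(Mandatory)][string]$Path,
        # Download URL as entered in the Add Custom Catalog wizard.
        [Parameter(Mandatory)][uri]$DownloadUrl,
        # Signer thumbprints that were already reviewed (hypothetical allowlist).
        [string[]]$ApprovedThumbprint = @()
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $known  = [bool]($signer -and ($ApprovedThumbprint -contains $signer.Thumbprint))

    # Turn the signature status into a decision for the approval page.
    $verdict = switch ($sig.Status) {
        'NotSigned'    { 'Reject: catalog is unsigned'; break }
        'HashMismatch' { 'Reject: file changed after it was signed'; break }
        'Valid' {
            if ($known) { 'Signer already reviewed' } else { 'Review signer before approving' }
            break
        }
        default        { "Investigate: signature status is $($sig.Status)" }
    }

    [pscustomobject]@{
        File             = (Resolve-Path -Path $Path).Path
        Sha256           = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        UrlIsHttps       = $DownloadUrl.Scheme -eq 'https'
        SignatureStatus  = $sig.Status
        SignerSubject    = if ($signer) { $signer.Subject } else { $null }
        SignerThumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        SignerExpires    = if ($signer) { $signer.NotAfter } else { $null }
        Timestamped      = [bool]$sig.TimeStamperCertificate
        Verdict          = $verdict
    }
}

# C:\Temp is a hypothetical location; the URL is the one used in this post.
# Get-CatalogCabSigner -Path 'C:\Temp\Reader11_Catalog.cab' `
#     -DownloadUrl 'https://armmf.adobe.com/arm-manifests/win/SCUP/Reader11_Catalog.cab'
```

Compare `SignerThumbprint` with the certificate shown by the View Certificates box before ticking the approval checkbox, and record the `Sha256` value with the change request.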
Products Selection
Now, you would be able to see the Adobe Reader underneath “All Products – Adobe Systems, Inc.” on the Software Update Point Component Properties window.
Select the product “Adobe Reader” as I showed in the below picture and click OK.
NOTE! – I have seen people complaining that some of the Adobe patches are missing from the SCCM console. It could be possible that Adobe changed the product name. So, it’s recommended to check whether any new products got added or not. You might need to enable those new products from software update point component properties.
Another Sync
It’s time for another Sync. But, this time, it’s not from the same place. You need to follow the below steps to make all Adobe Reader 11 updates (metadata) available in the SCCM console “All Software Updates” node.
- Navigate to \Software Library\Overview\Software Updates\All Software Updates.
- Click on the Synchronize Software Updates button from the ribbon menu.
- After finishing this sync successfully (WSYNCMGR.log to verify), you will be able to see all the Adobe Reader 11-related updates, as you can see in the following picture.
NOTE! – Check out the BLUE color icons for Adobe Reader 11 updates metadata (metadata-only updates = BLUE). More details about the change of Third-Party Software Updates icons are below.
Publish Third-Party Software Update Content
Once the third-party software updates are available in the console, you can publish those Adobe Updates to WSUS.
The following steps will help you publish Adobe Reader Third-Party Software Update content to WSUS.
- Navigate to \Software Library\Overview\Software Updates\All Software Updates node
- Select the Adobe Reader Updates you want to publish.
- Click on Publish Third-Party Software Update Content button from the ribbon menu.
- Check out SMS_ISVUPDATES_SYNCAGENT.log to monitor the progress.
- The update files (for Adobe, these were .MSP files) will get downloaded to a temporary folder under C:\Program Files\Microsoft Configuration Manager\ISVTemp (the folder name ends with .mrm or .mgm or some random name – that is nice).
NOTE! – When you publish third-party software update content, any certificates used to sign the content are added to the site. If you don’t install the certificates used to sign the third-party update content, publishing the content might fail.
You can also check whether the certificate status is BLOCKED or UNBLOCKED from the SCCM console (\Administration\Overview\Security\Certificates). If the certificate is blocked, there is a chance of failure in the publishing process.
- Once the publishing process is finished, you might need to perform another Sync (WSyncMGR.log) to make the software update available for SUP to deploy and change the icon from BLUE to GREEN.
Download and Deploy SCCM Third-Party Software Updates
Now, it’s time to download and deploy the SCCM third-party software updates to Windows devices.
Create Software Update Group
The following steps will help you create a Software Update Group, Download and Deploy the third-party updates.
- Navigate to \Software Library\Overview\Software Updates\All Software Updates node.
- Select the third-party software updates which you want to download and deploy.
- Click on Create Software Update Group.
- Enter the name of the software update group = Reader 11 0 23 (“.” is not allowed)
- Enter the description of the group.
- Click OK to finish the creation of Software Update Group.
Start Deploy Software Update Wizard
You have already created Software Update groups in the above section. Now, you can start the deployment wizard for third-party updates.
In this section, you can select the third-party update deployment name and device collection name.
- Navigate to \Software Library\Overview\Software Updates\Software Update Groups.
- Select the Reader 11 0 23 group created above, and click on the Deploy button from the ribbon menu.
- Follow through with the deployment wizard.
- Deployment Name = Adobe Systems, Inc. Third-Party Software Updates
- Select the collection of devices to which you want to deploy the third-party software update, and click Next.
Scheduling & Deployment Settings
This section helps to schedule the third-party software updates.
- Specify Deployment Settings for this deployment.
- Type of deployment = Required.
- Details level = Only Success and error messages.
- Click on the Next button.
- Configure Schedule Details for this Deployment.
- Schedule Evaluation – Time Based on: Client Local Time.
- Software Available Time – As soon as possible.
- Installation Deadline – Specific Time.
- Click on the Next button to continue…
User Experiences & Alerts
I selected all the default settings in the following two pages of User Experiences & Alerts.
- Specify the User Experience for this Deployment – User Visual Experience.
- User Notifications – Display in Software Center and show all notifications – Default option.
- Deadline Behavior – When the installation deadline is reached, allow the following activities to be performed outside maintenance windows:
- Software update installation
- System Restart (if necessary)
- Device Restart Behavior – Some software updates require a system restart to complete the installation process. You can suppress this restart on servers and workstations.
- Suppress the system restart on the following Devices:
- Servers
- Workstations
- Write filter handling for Windows Embedded devices
- Commit changes at the deadline or during a maintenance window (requires restarts) – Default option
- Specify Software Update Alert Options for this deployment
- Configuration Manager Alerts
- Operations Manager Alerts
Create Deployment Package – Third-Party Software Updates
The section will help you understand how to create a third-party software update package.
- Specify the Package to Use page
- Create a new deployment package:
- Name – Adobe Reader 11 0 15
- Package Source – UNC Path – \\SCCM_Prod\Sources\Third-Party Updates\Adobe\Reader 11 0 15
- Sending Priority – Medium
- Enable Binary Differential Replication (Not Mandatory – But Recommended settings)
- No Deployment package (NOT Mandatory Option)
- Clients download content from peers or Microsoft Cloud (NOT a Suitable option for Third-Party Updates).
- Click Next to go to the next page.
- Specify the Distribution point groups to host the content
- Add Distribution Point and click Next.
- Specify the source location for the Software Update that you will download
- Download software updates from the Internet
- Specify the Languages of the updates
- Product – There are two products, Windows Update and Office 365 Client Update – The language selected is English
- There is an Edit option to add another language if available from third-party software updates.
- Click NEXT
- Specify Download Settings of this Deployment
- Deployment Options
- Do not install software updates
- Download and Install Software Updates from the Distribution points in the site default boundary group
Conclusion
Now you have deployed the third-party software updates. You can check the content distribution status from the SCCM console, and confirm the deployment success with the third-party software updates compliance report from SSRS.
Resources
- SCCM Third-Party Software Updates Setup Step by Step Guide Post Video Guide
- Free SCCM Catalog List – SCCM Third-Party Updates Post 2
- How to Install, Configure and Integrate with SCUP 2017 with SCCM
- How to Publish 3rd Party Abode Acrobat Patches via SCCM SCUP 2017
Bonus Details
Subscribe to a custom catalog Wizard template:
Subscribe To Catalog
• Catalog Name: Adobe Reader 11
• Publisher: Adobe
• Description: More Details
• Support URL :
• Support Contact :
• Download URL: https://armmf.adobe.com/arm-manifests/win/SCUP/Reader11_Catalog.cab
Create, Download, and Deploy Third-Party Software Updates Package Template:
Updates Targeted:
• Reader 11.0.11 Update APSB15-10(Article ID)
General:
• Deployment Name: Adobe Systems, Inc. Software Updates
• Collection: Test Static Collection
Deployment Settings:
• Send wake-up packets: No
• Verbosity Level: Only success and error messages
Scheduling:
• Deployment schedules will be based on: Client’s local time
• Available to target computers: 13-04-2019 02:41:00
• Deadline for software update installation: 20-04-2019 00:07:00
• Delayed enforcement on deployment: No
User Experience:
• User Notifications: Display in Software Center and show all notifications
• Install software updates outside the maintenance window when the deadline is reached: No
• Restart system outside the maintenance window when the deadline is reached: Suppressed
• If a restart is required, it will be: Allowed
• Commit changes at the deadline or during a maintenance window (requires restarts): Yes
• If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart: No
Alerts:
• On software update installation error generate a Window Event: No
• Disable Window Event while software updates install: No
Package:
The software updates will be placed in a new package:
• Adobe Reader 11 0 15
Content (1):
• SCCM_PROD.INTUNE.COM
Software updates that will be downloaded from the internet
Reader 11.0.11 Update
Windows Update Language Selection:
English
Office 365 Client Update Language Selection:
English (United States)
Download Settings:
• Computers can retrieve content from remote distribution points: No
• Download and install software updates from the fallback content source location: Yes
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…