SCCM Catalogs for Third-Party Software Updates

This post covers on SCCM catalogs for third party software updates. I will show you how to add or import SCCM custom catalog for example – Adobe Reader catalog into SCCM. I will also touch base on enabling third-party software updates in SCCM.

Starting with SCCM 1806 and above, to deploy third-party updates you can import a custom SCCM catalog SCCM. If the SCCM catalog is supplied by specific vendor, you can synchronize the catalog and get those updates in SCCM console. In addition to that you can deploy third-party software updates directly using SCCM.

Today many organizations prefer to patch third party applications. I agree that today there are multiple products available that facilitate the third-party application patching. However most of them aren’t free and you need to pay and import those third party catalogs in SCCM.

Using SCCM and Third-party Software Update Catalogs

As I mentioned earlier, it’s more important that you’re running the latest versions of the applications in your organization. As a result big organizations spend lot of money on these tools. Configuration Manager makes it very easy for IT admins to deploy updates to these third-party applications.

We also saw some new vendors in market facilitating the deployment of third-party updates. They provide their own catalogs with access to the latest version of applications. I am sure they first test the updates in their own setup and then release it to their customers. I will cover more information about these vendors in a separate post.

SCCM Third-Party Partner Catalogs vs Custom Catalogs

When you go to software update point and enable third-party software updates, only then you get the option to subscribe to third-party update catalogs. Furthermore you can publish these updates to WSUS and deploy it to clients.

There are two types of catalogs available – Partner catalogs and Custom catalogs :-

  • Partner catalogs – Partner catalogs are software vendor catalogs that have their information already registered with Microsoft. Hence you can subscribe to them without having to specify any additional information. For example Dell, HP, Lenovo offer partner catalogs.
  • Custom catalogs – As the name says these are the catalogs that you add manually to SCCM. You can always add a custom catalog from a third-party update vendor to Configuration Manager. Most of all remember that custom catalogs use HTTPS and the updates must be digitally signed. For example Adobe offers custom catalog.

If you would like to know some of the free SCCM Third-Party Software Update Catalogs, navigate to Software Library > Overview > Software Updates > Third-Party Software Update Catalogs.

PublisherCatalog NameType
AdobeAdobe ReaderCustom
DellDell Business Client Updates CatalogPartner
HPHP client updates catalogPartner
LenovoLenovo UpdatesPartner

Partner Catalogs vs Custom Catalogs

Enable SSL on Software Update Point

Since custom catalogs require HTTPS, you must enable SSL communication on the Software Update Point. Note that SSL must be enabled on the SUP when it’s remote. Go to Administration > Overview > Site Configuration > Servers and Site System Roles. Select the server and in the bottom pane, right click Software Update Point and click Properties.

Under WSUS configuration, enable “Require SSL Communication to the WSUS server“.

Enable SSL on Software Update Point

Enable SCCM third-party updates on Software Update Point

To enable third-party software updates on software update point :-

  • Launch Configuration Manager console.
  • Navigate to Administration > Overview > Site Configuration > Sites.
  • Select the site, right click and then select Configure Site Components > Software Update Point.
  • Click Third Party Updates tab and enable third-party software updates.

Enable third-party updates on the SUP

Configure WSUS signing certificate on Software Update Point

In the above step you enabled third party updates on SUP. The next step is to configure WSUS signing certificate. This is important because custom catalogs must use https and the updates must be digitally signed. Therefore let’s see how to configure it.

Under SUP Properties > Third party updates tab, you will find two options to configure WSUS signing certificate.

  • Configuration Manager manages the certificate
  • Manually manage the certificate

Both the above options are self-explanatory. Microsoft gives you two options to manage the WSUS signing certificate. You can tell Configuration Manager to automatically manage the third-party WSUS signing certificate using a self-signed certificate. If you need to manually configure the certificate, for example use a PKI certificate, you can do that using SCUP tool.

configure WSUS signing certificate

Enable third-party updates on the clients – Client Settings

To enable third party software updates under client settings

  • Launch Configuration Manage console.
  • Navigate to Administration > Overview > Client Settings.
  • Right click Default Client Settings and click Properties.
  • Click Software Updates on left pane. Select Yes to Enable software updates on clients.
  • Next, select Yes to Enable third party software updates. Click OK.

The setting sets the Windows Update agent policy for Allow signed updates for an intranet Microsoft update service location.

Enable third-party updates on the clients

SCCM Catalogs for Third-Party Software Updates – Adding Custom Catalog

In the above section I have already covered on Partner Catalogs vs Custom Catalogs. I will be adding a custom catalog (basically a Adobe SCUP catalog) which will enable us to deploy Adobe Reader updates using SCCM.

Adobe company provides custom catalogs. If you are looking for a free SCCM catalog for Adobe products check this link. When you visit the link note that there is one catalog for Reader and one for Acrobat. So what’s the difference between them ?. The Acrobat updating always involves installing every MSP update in order. Reader updates may involve quarterly MSI files that don’t require installing previous updates.

I will be adding the Adobe catalog whose URL is https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab

To import custom catalog in SCCM

  • Go to Software Library > Software Updates > Third-Party Software Update Catalogs.
  • Right click Third-Party Software Update Catalogs and click Add Custom Catalog.

Add Third-Party Software Update Catalogs in SCCM

In the Third-Party Software Updates Custom Catalogs wizard, enter the Download URL. You must also enter the catalog description. Click Next.

Add Third-Party Software Update Catalogs in SCCM

On the Summary page, click Next.

Add Third-Party Software Update Catalogs in SCCM

Finally click Close on Completion page.

Add Third-Party Software Update Catalogs in SCCM

Subscribe to a SCCM third-party catalog

In the above step we successfully added the Adobe Reader SCUP catalog. We will now look at the steps to subscribe to this catalog.

Navigate to Software Library > Software Updates > Third-Party Software Update Catalogs. On the right pane select Adobe Reader catalog and click Subscribe to Catalog.

Subscribe to a third-party catalog

Notice that download URL is exactly the same that you provided while adding the catalog. Click Next.

Subscribe to a third-party catalog

The catalog download is successful. Click Next.

Subscribe to a third-party catalog

Before creating subscription to Adobe Reader SCUP catalog, you must review and approve the catalog signing certificate. Click View Certificate.

On the Certificate window, click Install Certificate. Ensure that you import the certificate and close the certificate import wizard.

Subscribe to a third-party catalog

Tick the box I have read and understood this message. Click Next.

Subscribe to a third-party catalog

On the Summary Page, click Next.

Subscribe to a third-party catalog

Click Close. That completes the steps to subscribe to a custom catalog.

Subscribe to a third-party catalog

Synchronize Third Party Updates

After you have successfully subscribed to the catalog, you must synchronize the catalog so that you see the updates contained in this catalog.

Right click the Adobe Reader catalog and click Sync now. At this point perform a manual software updates synchronization.

Synchronize the Updates

Publish and deploy third-party software updates

After you perform the software updates synchronization, go to Software Update Point component properties. Click Products tab and you should find Adobe as one of the product listed. Select Adobe Reader and click OK.

Publish and deploy third-party software updates

We still don’t see the updates yet until we run a software updates sync again. Under All Software updates you should see Adobe Reader Updates.

Wait for the Sync to complete and refresh the Software Updates. Now that you see the updates, you can easily deploy them using SCCM. Check this guide to deploy software updates using SCCM – https://www.prajwaldesai.com/deploy-software-updates-using-sccm-2012-r2/

Publish and deploy third-party software updates

SCCM Third-party software updates Log Files

It is important to monitor the log files during the software update synchronization. Out of all those SCCM log files, open wsyncmgr.log file to monitor the updates synchronization.

SCCM Third-party software updates LogSynchronization of third-party software updates is handled by the SMS_ISVUPDATES_SYNCAGENT component on the top-level default software update point.

SCCM Third-party software updates LogFew lines of code from the SMS_ISVUPDATES_SYNCAGENT.log file.

SyncUpdateCatalog: Starting download for catalog 'Adobe Reader' from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' ...	SMS_ISVUPDATES_SYNCAGENT
SyncUpdateCatalog: Downloading file: 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\iydaylkb.q1m\ReaderCatalog-2017.cab'.
SyncUpdateCatalog: Download from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' completed successfully.
Related Posts

14
Leave a Reply

avatar
8 Comment threads
6 Thread replies
1 Followers
 
Most reacted comment
Hottest comment thread
newest oldest most voted
Steve
Guest
Steve

So I have this all setup, and working, but only for Dell and Adobe. When I enable the ‘built-in’ HP and Lenovo catalogs, I get the following error when trying to sync software updates:

Sync failed: The operation has timed out. Source: Microsoft.UpdateServices.Internal.DatabaseAccess.ApiRemotingCompressionProxy.GetWebResponse

I have no proxies set anywhere, and we don’t use one.

If I disable either HP or Lenovo under the “Products” tab on the SUP, then it works fine. No certs for Lenovo or HP are blocked, so not sure where else to look since Dell and Adobe work fine.

Steve
Guest
Steve

I was able to get some updates from HP and Lenovo to come down. The Lenovo LUC Agent (which is expired) and HP Firmware and software. If I select Drivers for HP, or Lenovo Updates then it errors out.

Ralf
Guest
Ralf

Great post! We’re making use of Third-party updates (HP catalog only) for over an year now without any issues. But, 3 days after the update to ConfigMgr 1906 (3rd of October 2019) we’re facing issues with HP Drivers/Software deployment. Device applicable drivers/software are visible in Software Center, but when installing the driver/software it returns an error (0x80240017). The error code is telling me that the driver/software is not applicable for the device. It sounds like a faulty detection method in the HP Catalog file, but not founding other topics on the Internet related to the issue we have. Do you… Read more »

Robert Stein
Guest
Robert Stein

What would be the reason for needing to use a PKI certificate? Is there a case where the self-signed certificate will not work?
For example, we are going to be using SolarWinds Patch Manager to supply the updates but SCCM to distribute them.

Valavan
Guest
Valavan

If my SUP and WSUS lies in same machine, should i still need to configure SSL?

Randy Warrick
Guest
Randy Warrick

Prajwal, thanks for another excellent set of instructions. Is it necessary to click “Install Certificate”? I set up the Lenovo catalog subscription and all of the updates are in the console, ready to deploy. However, I only clicked OK on the certificate window, instead of Install. Is it necessary? How do I locate the cert so it can be installed?

Ralf
Guest
Ralf

As far as I know it’s not needed to install the Certificate. I never did that and it was working fine until the beginning of this month. Now, I’m trying to solve the issue by installing the certificate.

You have to re-subscribe to install the certificate.

Shiraz
Guest
Shiraz

Hello Prajwal, Unable to find the certificate details after enabling Configuration Manager manages the certificate?

Bill Lesler
Guest
Bill Lesler

I am running 1902 but I do not see a Third Party Updates tab in the Software Update Point Component Properties, am i missing something?

Sara T
Guest
Sara T

Under Administration –> Updates and Servicing –> Features, ensure “Enable third party update support on clients” is ON. The tab should then be available in the Software Update Point Component Properties.

Irfan Fakih
Guest
Irfan Fakih

Hi Prajwal, Thank you for this post. I noticed in the above blog “How to Add Third-Party Software Update Catalogs in SCCM” (very well written), you mentioned to check the checkbox that says “Required SSL Communication to the WSUS Server” under your listed topic “Enable SSL on Software Update Point” to get custom catalogs. As FYI, this is not required now in CB of 1806, 1810 or 1902 versions. Maybe, it was required when this functionality was in Technical Preview version (Since I only work with production versions of SCCM). All my customer SCCM production environments with WSUS/SUP are running… Read more »

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More