This post covers on SCCM catalogs for third-party software updates. I will show you how to add or import SCCM custom catalog for example – Adobe Reader catalog into SCCM. I will also touch base on enabling third-party software updates in SCCM.
Starting with SCCM 1806 and above, to deploy third-party updates, you can import a custom SCCM catalogs SCCM. If the SCCM catalog is supplied by specific vendor, you can synchronize the catalog and get those updates in SCCM console. In addition to that you can deploy third-party software updates directly using SCCM.
Today, many organizations prefer to patch third-party applications. I agree that today there are multiple products available that facilitate the third-party application patching. However, most of them aren’t free, and you need to pay and import those third-party catalogs in SCCM.
Table of Contents
Using SCCM and Third-party Software Update Catalogs
As I mentioned earlier, it’s more important that you’re running the latest versions of the applications in your organization. As a result, big organizations spend a lot of money on these tools. Configuration Manager makes it effortless for IT admins to deploy updates to these third-party applications.
We also saw some new vendors in market facilitating the deployment of third-party updates. They provide their catalogs with access to the latest version of applications. I am sure they first test the updates in their setup and then release it to their customers. I will cover more information about these vendors in a separate post.
SCCM Third-Party Partner Catalogs vs Custom Catalogs
When you go to software update point and enable third-party software updates, only then you get the option to subscribe to third-party update catalogs. Furthermore, you can publish these updates to WSUS and deploy it to clients.
There are two types of catalogs available – Partner catalogs and Custom catalogs :-
- Partner catalogs – Partner catalogs are software vendor catalogs that have their information already registered with Microsoft. Hence, you can subscribe to them without having to specify any additional information. For example, Dell, HP, Lenovo offer partner catalogs.
- Custom catalogs – As the name says, these are the SCCM catalogs that you add manually to SCCM. You can always add a custom catalog from a third-party update vendor to Configuration Manager. Most of all remember that custom catalogs use HTTPS and the updates must be digitally signed. For example, Adobe offers custom catalog.
If you would like to know some free SCCM Third-Party Software Update Catalogs, navigate to Software Library > Overview > Software Updates > Third-Party Software Update Catalogs.
| Publisher | Catalog Name | Type |
| Adobe | Adobe Reader | Custom |
| Dell | Dell Business Client Updates Catalog | Partner |
| HP | HP client updates catalog | Partner |
| Lenovo | Lenovo Updates | Partner |
List of Available third-party software update catalogs
Microsoft recently published a list of supported software update catalogs for Configuration Manager. Some catalogs are freely available, and some catalogs have an additional cost associated with them. Microsoft recommends checking with the catalog provider for details including pricing, support, and if the catalog supports in-console third-party updates.
Enable SSL on Software Update Point
Since custom SCCM catalogs require HTTPS, you must enable SSL communication on the Software Update Point. Note that SSL must be enabled on the SUP when it’s remote. Go to Administration > Overview > Site Configuration > Servers and Site System Roles. Select the server and in the bottom pane, right click Software Update Point and click Properties.
Under WSUS configuration, enable “Require SSL Communication to the WSUS server“.
Enable SCCM third-party updates on Software Update Point
To enable third-party software updates on software update point :-
- Launch Configuration Manager console.
- Navigate to Administration > Overview > Site Configuration > Sites.
- Select the site, right click and then select Configure Site Components > Software Update Point.
- Click Third-Party Updates tab and enable third-party software updates.
Configure WSUS signing certificate on Software Update Point
In the above step you enabled third-party updates on SUP. The next step is to configure WSUS signing certificate. This is important because custom catalogs must use HTTPS and the updates must be digitally signed. Therefore, let’s see how to configure it.
Under SUP Properties > Third-party updates tab, you will find two options to configure WSUS signing certificate.
- Configuration Manager manages the certificate
- Manually manage the certificate
Both the above options are self-explanatory. Microsoft gives you two options to manage the WSUS signing certificate. You can tell Configuration Manager to automatically manage the third-party WSUS signing certificate using a self-signed certificate. If you need to manually configure the certificate, for example use a PKI certificate, you can do that using SCUP tool.
Enable third-party updates on the clients – Client Settings
To enable third-party software updates under client settings
- Launch Configuration Manage console.
- Navigate to Administration > Overview > Client Settings.
- Right click Default Client Settings and click Properties.
- Click Software Updates on left pane. Select Yes to Enable software updates on clients.
- Next, select Yes to Enable third-party software updates. Click OK.
The setting sets the Windows Update agent policy to allow signed updates for an intranet Microsoft update service location.
Adding Custom Catalog in SCCM
In the above section I have already covered on Partner Catalogs vs Custom Catalogs. I will be adding a custom catalog (basically an Adobe SCUP catalog) which will enable us to deploy Adobe Reader updates using SCCM.
Adobe company provides custom catalogs. If you are looking for a free SCCM catalog for Adobe products, visit the Adobe link. When you visit the link note that there is one catalog for Reader and one for Acrobat. So, what’s the difference between them? The Acrobat updating always involves installing every MSP update in order. Reader updates may involve quarterly MSI files that don’t require installing previous updates.
I will be adding the Adobe catalog whose URL is https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab
To import custom catalog in SCCM
- Go to Software Library > Software Updates > Third-Party Software Update Catalogs.
- Right click Third-Party Software Update Catalogs and click Add Custom Catalog.
In the Third-Party Software Updates Custom Catalogs wizard, enter the Download URL. You must also enter the catalog description. Click Next.
On the Summary page, click Next.
Finally click Close on Completion page.
Subscribe to a SCCM third-party catalog
In the above step we successfully added the Adobe Reader SCUP catalog. We will now look at the steps to subscribe to this catalog.
Navigate to Software Library > Software Updates > Third-Party Software Update Catalogs. On the right pane select Adobe Reader catalog and click Subscribe to Catalog.
Notice that download URL is exactly the same that you provided while adding the catalog. Click Next.
The catalog download is successful. Click Next.
Before creating subscription to Adobe Reader SCUP catalog, you must review and approve the catalog signing certificate. Click View Certificate.
On the Certificate window, click Install Certificate. Ensure that you import the certificate and close the certificate import wizard.
Tick the box I have read and understood this message. Click Next.
On the Summary Page, click Next.
Click Close. That completes the steps to subscribe to a custom catalog.
Synchronize Third-Party Updates in SCCM
After you have successfully subscribed to the catalog, you must synchronize the catalog so that you see the updates contained in this catalog.
Right click the Adobe Reader catalog and click Sync now. At this point perform a manual software updates synchronization.
Publish and deploy third-party software updates
After you perform the software updates synchronization, go to Software Update Point component properties. Click Products tab and you should find Adobe as one of the product listed. Select Adobe Reader and click OK.
We still don’t see the updates yet until we run a software updates sync again. Under All Software updates you should see Adobe Reader Updates.
Wait for the Sync to complete and refresh the Software Updates. Now that you see the updates, you can easily deploy them using SCCM. Check this guide to deploy software updates using SCCM – https://www.prajwaldesai.com/deploy-software-updates-using-sccm-2012-r2/
SCCM Third-party software updates Log Files
It is important to monitor the log files during the software update synchronization. Out of all those SCCM log files, open wsyncmgr.log file to monitor the updates synchronization.
Synchronization of third-party software updates is handled by the SMS_ISVUPDATES_SYNCAGENT component on the top-level default software update point.
Few lines of code from the SMS_ISVUPDATES_SYNCAGENT.log file.
SyncUpdateCatalog: Starting download for catalog 'Adobe Reader' from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' ... SMS_ISVUPDATES_SYNCAGENT SyncUpdateCatalog: Downloading file: 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\iydaylkb.q1m\ReaderCatalog-2017.cab'. SyncUpdateCatalog: Download from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' completed successfully.
Hello Prajwal,
Do you have the most recent Adobe Reader catalog list?
I attempted to subscribe to the above reader catalogs but received the following error.
SyncUpdateCatalog: **** Warning: Catalog is an old format, no content certificates are included and updates will not be deployable until certificates are trusted. ****
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_V1_WARN).
Nope, I always download the catalog list from Adobe site. Are you downloading the latest one?.
SyncUpdateCatalog: WebException status : ‘ConnectFailure
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_DOWNLOAD_FAILED).
SyncUpdateCatalog: Download of catalog Adobe Reader failed, unable to continue processing this catalog.
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_SYNC_FAILED).
Hello Prajawal,
I have checked all the steps and have done it successfully….. But everytime I get below error…. though Im able to download them with the same links manually from the same server
Error :
SyncUpdateCatalog: WebException status : ‘ConnectFailure
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_DOWNLOAD_FAILED).
SyncUpdateCatalog: Download of catalog Adobe Reader failed, unable to continue processing this catalog.
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_SYNC_FAILED).
Hi Prajwal,
I have configured Third-Party Software Update Catalogs as per the article. I successfully added an Adobe custom catalog, however none of the standard catalogs show , HP , Dell etc. Is there a log I can check to see what is happening wit them?
Thanks,
Paul
Can you confirm if you have enabled the third-party updates under SUP properties ?. Close the console and check again.
hi Prajwal,
i have configured third party update and its sync successfully but while downloading getting below error.
“All software updates in this selection expired or metadata only and cannot be downloaded”
Are all the updates failing ?. Did you synchronize Software Updates after publishing?
Hi Prajwal
I have created Third party update catalog for Adobe Reader with the link “ReaderCatalog-2020.cab” & Sync is successful.
Here, I did not enable the SSL for WSUS Server connection as both SUP & WSUS configured locally in the server.
I am getting same error “All software updates in this selection expired or metadata only and cannot be downloaded”.
Please advise.
Hello, Have you found any solution? I’m in the same case, and when i try to publish updates, “Verification of file signature failed”…
I had this functioning, then I rebuilt my WSUS server from scratch. I never turned off third party updates during the rebuild. I am now trying to re-do the third-party updates by unsubscribing and subscribing to the catalogs and it doesn’t seem to be doing anything. Choosing “sync now” doesn’t trigger anything. I can’t find the SMS_ISVUPDATES_SYNCAGENT.log log file either on the WSUS server nor on the primary server. I even did a dir /s <filename> from the root of C and nothing. I don’t know how to debug this.
Hey Thomas,
The SMS_ISVUPDATES_SYNCAGENT component is located in the console under monitoring/System Status/Component Status
Hello Prajwal,
We are using Adobe Acrobat reader DC in our environment and we want to installed update for adobe acrobat reader using third party update. Can we use the downlaod link “https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab” for or will it be different link
Hi –
We installed Third-Party Updates from Dell, Adobe, Foxit and HP, we have a lot of Problems with it. So we want start over without Third-Party Updates. After reinstall WSUS and SUP all Updates from Dell, etc. appears automatically. Is there any way to clean up all Third-Party Products.
You can delete the custom catalogs from the console. And under SUP properties > Products, uncheck the ones that you don’t require.
Can this feature work in an isolated network? For example, could I manually import the catalogs from the vendors?
Prajwal my man,
Is there anyway to automate the publish process for these third party updates? It would be great if there was a way for this to work seamlessly with ADR’s and I was thinking you might have a workaround, cheers.
I have successfully set up the Dell third Party updates. I have the BIOS Downloaded and deployed. However the computer is not updating the BIOS. What step am i missing?
I’m still new-ish to SCCM, but normally a BIOS has to be updated manually. Have you tried going to one of the machines that should be receiving the update and checked Software Center to try installing the update from there?
So I have this all setup, and working, but only for Dell and Adobe. When I enable the ‘built-in’ HP and Lenovo catalogs, I get the following error when trying to sync software updates:
Sync failed: The operation has timed out. Source: Microsoft.UpdateServices.Internal.DatabaseAccess.ApiRemotingCompressionProxy.GetWebResponse
I have no proxies set anywhere, and we don’t use one.
If I disable either HP or Lenovo under the “Products” tab on the SUP, then it works fine. No certs for Lenovo or HP are blocked, so not sure where else to look since Dell and Adobe work fine.
I was able to get some updates from HP and Lenovo to come down. The Lenovo LUC Agent (which is expired) and HP Firmware and software. If I select Drivers for HP, or Lenovo Updates then it errors out.
Having this same problem and freaking out how to fix it? Once I turned Lenovo on I get an error when syncing updates and the the sync fails. How do I fix this without having to rebuild the wsus
Great post! We’re making use of Third-party updates (HP catalog only) for over an year now without any issues. But, 3 days after the update to ConfigMgr 1906 (3rd of October 2019) we’re facing issues with HP Drivers/Software deployment. Device applicable drivers/software are visible in Software Center, but when installing the driver/software it returns an error (0x80240017). The error code is telling me that the driver/software is not applicable for the device. It sounds like a faulty detection method in the HP Catalog file, but not founding other topics on the Internet related to the issue we have. Do you know anything about this behavior? Thank you.
Kind regards,
Ralf
What would be the reason for needing to use a PKI certificate? Is there a case where the self-signed certificate will not work?
For example, we are going to be using SolarWinds Patch Manager to supply the updates but SCCM to distribute them.
If my SUP and WSUS lies in same machine, should i still need to configure SSL?
Prajwal, thanks for another excellent set of instructions. Is it necessary to click “Install Certificate”? I set up the Lenovo catalog subscription and all of the updates are in the console, ready to deploy. However, I only clicked OK on the certificate window, instead of Install. Is it necessary? How do I locate the cert so it can be installed?
As far as I know it’s not needed to install the Certificate. I never did that and it was working fine until the beginning of this month. Now, I’m trying to solve the issue by installing the certificate.
You have to re-subscribe to install the certificate.
I had to go Administration > Security > Certificates > Unblock the Lenovo Certificate.
Every how-to on the internet seems to give the same advise about install the certificate. But that’s only half the information. When you click “Install Certificate” it asks you were you would like to install it. But…which store do you save it to?
Hello Prajwal, Unable to find the certificate details after enabling Configuration Manager manages the certificate?
I am running 1902 but I do not see a Third Party Updates tab in the Software Update Point Component Properties, am i missing something?
Under Administration –> Updates and Servicing –> Features, ensure “Enable third party update support on clients” is ON. The tab should then be available in the Software Update Point Component Properties.
Hi Prajwal, Thank you for this post. I noticed in the above blog “How to Add Third-Party Software Update Catalogs in SCCM” (very well written), you mentioned to check the checkbox that says “Required SSL Communication to the WSUS Server” under your listed topic “Enable SSL on Software Update Point” to get custom catalogs. As FYI, this is not required now in CB of 1806, 1810 or 1902 versions. Maybe, it was required when this functionality was in Technical Preview version (Since I only work with production versions of SCCM). All my customer SCCM production environments with WSUS/SUP are running only with HTTP and I am using Third-Party custom catalogs extensively. I thought, I will mention over here, so you can do the correction and hopefully, it will not be confusing to others.
Thanks Irfan, you may be right. As per MS documentation SSL must be enabled on the SUP when it’s remote.
Maybe you should separate both cases : Where SUP is local to primary or SUP is remote, so there is no mistake about this mandatory requirement and why you go with the SSL communication in the first place 🙂
You are correct. Initially i assumed the SSL is a must on SUP local but i was wrong. I will update the post now.