This post covers on SCCM catalogs for third party software updates. I will show you how to add or import SCCM custom catalog for example – Adobe Reader catalog into SCCM. I will also touch base on enabling third-party software updates in SCCM.
Starting with SCCM 1806 and above, to deploy third-party updates, you can import a custom SCCM catalogs SCCM. If the SCCM catalog is supplied by specific vendor, you can synchronize the catalog and get those updates in SCCM console. In addition to that you can deploy third-party software updates directly using SCCM.
Today, many organizations prefer to patch third-party applications. I agree that today there are multiple products available that facilitate the third-party application patching. However, most of them aren’t free, and you need to pay and import those third-party catalogs in SCCM.
SCCM Catalogs for Third-Party Software Updates
- Using SCCM and Third-party Software Update Catalogs
- SCCM Third-Party Partner Catalogs vs Custom Catalogs
- Available third-party software update catalogs
- Enable SSL on Software Update Point
- Enable SCCM third-party updates on Software Update Point
- Configure WSUS signing certificate on Software Update Point
- Enable third-party updates on the clients – Client Settings
- Adding Custom Catalog in SCCM
- Subscribe to a SCCM third-party catalog
- Synchronize Third-Party Updates
- Publish and deploy third-party software updates
- SCCM Third-party software updates Log Files
Using SCCM and Third-party Software Update Catalogs
As I mentioned earlier, it’s more important that you’re running the latest versions of the applications in your organization. As a result, big organizations spend a lot of money on these tools. Configuration Manager makes it effortless for IT admins to deploy updates to these third-party applications.
We also saw some new vendors in market facilitating the deployment of third-party updates. They provide their catalogs with access to the latest version of applications. I am sure they first test the updates in their setup and then release it to their customers. I will cover more information about these vendors in a separate post.
SCCM Third-Party Partner Catalogs vs Custom Catalogs
When you go to software update point and enable third-party software updates, only then you get the option to subscribe to third-party update catalogs. Furthermore, you can publish these updates to WSUS and deploy it to clients.
There are two types of catalogs available – Partner catalogs and Custom catalogs :-
- Partner catalogs – Partner catalogs are software vendor catalogs that have their information already registered with Microsoft. Hence, you can subscribe to them without having to specify any additional information. For example, Dell, HP, Lenovo offer partner catalogs.
- Custom catalogs – As the name says, these are the SCCM catalogs that you add manually to SCCM. You can always add a custom catalog from a third-party update vendor to Configuration Manager. Most of all remember that custom catalogs use HTTPS and the updates must be digitally signed. For example, Adobe offers custom catalog.
If you would like to know some free SCCM Third-Party Software Update Catalogs, navigate to Software Library > Overview > Software Updates > Third-Party Software Update Catalogs.
|Dell||Dell Business Client Updates Catalog||Partner|
|HP||HP client updates catalog||Partner|
List of Available third-party software update catalogs
Microsoft recently published a list of supported software update catalogs for Configuration Manager. Some catalogs are freely available, and some catalogs have an additional cost associated with them. Microsoft recommends checking with the catalog provider for details including pricing, support, and if the catalog supports in-console third-party updates.
Enable SSL on Software Update Point
Since custom SCCM catalogs require HTTPS, you must enable SSL communication on the Software Update Point. Note that SSL must be enabled on the SUP when it’s remote. Go to Administration > Overview > Site Configuration > Servers and Site System Roles. Select the server and in the bottom pane, right click Software Update Point and click Properties.
Under WSUS configuration, enable “Require SSL Communication to the WSUS server“.
Enable SCCM third-party updates on Software Update Point
To enable third-party software updates on software update point :-
- Launch Configuration Manager console.
- Navigate to Administration > Overview > Site Configuration > Sites.
- Select the site, right click and then select Configure Site Components > Software Update Point.
- Click Third-Party Updates tab and enable third-party software updates.
Configure WSUS signing certificate on Software Update Point
In the above step you enabled third-party updates on SUP. The next step is to configure WSUS signing certificate. This is important because custom catalogs must use HTTPS and the updates must be digitally signed. Therefore, let’s see how to configure it.
Under SUP Properties > Third-party updates tab, you will find two options to configure WSUS signing certificate.
- Configuration Manager manages the certificate
- Manually manage the certificate
Both the above options are self-explanatory. Microsoft gives you two options to manage the WSUS signing certificate. You can tell Configuration Manager to automatically manage the third-party WSUS signing certificate using a self-signed certificate. If you need to manually configure the certificate, for example use a PKI certificate, you can do that using SCUP tool.
Enable third-party updates on the clients – Client Settings
To enable third-party software updates under client settings
- Launch Configuration Manage console.
- Navigate to Administration > Overview > Client Settings.
- Right click Default Client Settings and click Properties.
- Click Software Updates on left pane. Select Yes to Enable software updates on clients.
- Next, select Yes to Enable third-party software updates. Click OK.
The setting sets the Windows Update agent policy to allow signed updates for an intranet Microsoft update service location.
Adding Custom Catalog in SCCM
In the above section I have already covered on Partner Catalogs vs Custom Catalogs. I will be adding a custom catalog (basically an Adobe SCUP catalog) which will enable us to deploy Adobe Reader updates using SCCM.
Adobe company provides custom catalogs. If you are looking for a free SCCM catalog for Adobe products check this link. When you visit the link note that there is one catalog for Reader and one for Acrobat. So, what’s the difference between them? The Acrobat updating always involves installing every MSP update in order. Reader updates may involve quarterly MSI files that don’t require installing previous updates.
I will be adding the Adobe catalog whose URL is https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab
To import custom catalog in SCCM
- Go to Software Library > Software Updates > Third-Party Software Update Catalogs.
- Right click Third-Party Software Update Catalogs and click Add Custom Catalog.
In the Third-Party Software Updates Custom Catalogs wizard, enter the Download URL. You must also enter the catalog description. Click Next.
On the Summary page, click Next.
Finally click Close on Completion page.
Subscribe to a SCCM third-party catalog
In the above step we successfully added the Adobe Reader SCUP catalog. We will now look at the steps to subscribe to this catalog.
Navigate to Software Library > Software Updates > Third-Party Software Update Catalogs. On the right pane select Adobe Reader catalog and click Subscribe to Catalog.
Notice that download URL is exactly the same that you provided while adding the catalog. Click Next.
The catalog download is successful. Click Next.
Before creating subscription to Adobe Reader SCUP catalog, you must review and approve the catalog signing certificate. Click View Certificate.
On the Certificate window, click Install Certificate. Ensure that you import the certificate and close the certificate import wizard.
Tick the box I have read and understood this message. Click Next.
On the Summary Page, click Next.
Click Close. That completes the steps to subscribe to a custom catalog.
Synchronize Third-Party Updates in SCCM
After you have successfully subscribed to the catalog, you must synchronize the catalog so that you see the updates contained in this catalog.
Right click the Adobe Reader catalog and click Sync now. At this point perform a manual software updates synchronization.
Publish and deploy third-party software updates
After you perform the software updates synchronization, go to Software Update Point component properties. Click Products tab and you should find Adobe as one of the product listed. Select Adobe Reader and click OK.
We still don’t see the updates yet until we run a software updates sync again. Under All Software updates you should see Adobe Reader Updates.
Wait for the Sync to complete and refresh the Software Updates. Now that you see the updates, you can easily deploy them using SCCM. Check this guide to deploy software updates using SCCM – https://www.prajwaldesai.com/deploy-software-updates-using-sccm-2012-r2/
SCCM Third-party software updates Log Files
It is important to monitor the log files during the software update synchronization. Out of all those SCCM log files, open wsyncmgr.log file to monitor the updates synchronization.
Synchronization of third-party software updates is handled by the SMS_ISVUPDATES_SYNCAGENT component on the top-level default software update point.
Few lines of code from the SMS_ISVUPDATES_SYNCAGENT.log file.
SyncUpdateCatalog: Starting download for catalog 'Adobe Reader' from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' ... SMS_ISVUPDATES_SYNCAGENT SyncUpdateCatalog: Downloading file: 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\iydaylkb.q1m\ReaderCatalog-2017.cab'. SyncUpdateCatalog: Download from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' completed successfully.