SCCM Catalogs for Third-Party Software Updates

This post covers SCCM catalogs for third-party software updates. I will show you how to add (import) a custom catalog into SCCM, using the Adobe Reader catalog as the example. I will also cover enabling third-party software updates in SCCM.

Starting with SCCM 1806 and above, you can import custom catalogs into SCCM to deploy third-party updates. If a vendor supplies an SCCM catalog, you can synchronize the catalog and get those updates in the SCCM console. You can then deploy the third-party software updates directly using SCCM.

Today, many organizations prefer to patch third-party applications. I agree that today there are multiple products available that facilitate third-party application patching. However, most of them aren’t free, and you need to pay and import those third-party catalogs in SCCM.

Using SCCM and Third-party Software Update Catalogs

As I mentioned earlier, it’s important that you’re running the latest versions of the applications in your organization. As a result, big organizations spend a lot of money on these tools. Configuration Manager makes it effortless for IT admins to deploy updates to these third-party applications.

We also saw some new vendors in the market facilitating the deployment of third-party updates. They provide their catalogs with access to the latest versions of applications. I am sure they first test the updates in their setup and then release them to their customers. I will cover more information about these vendors in a separate post.

SCCM Third-Party Partner Catalogs vs Custom Catalogs

The option to subscribe to third-party update catalogs appears only after you enable third-party software updates on the software update point. Once subscribed, you can publish these updates to WSUS and deploy them to clients.

There are two types of catalogs available, partner catalogs and custom catalogs:

  • Partner catalogs – Partner catalogs are software vendor catalogs that have their information already registered with Microsoft. Hence, you can subscribe to them without having to specify any additional information. For example, Dell, HP, Lenovo offer partner catalogs.
  • Custom catalogs – As the name says, these are the SCCM catalogs that you add manually to SCCM. You can always add a custom catalog from a third-party update vendor to Configuration Manager. Remember that custom catalogs must use HTTPS and the updates must be digitally signed. For example, Adobe offers a custom catalog.

To see some free SCCM third-party software update catalogs, navigate to Software Library > Overview > Software Updates > Third-Party Software Update Catalogs.

| Publisher | Catalog Name | Type |
|---|---|---|
| Adobe | Adobe Reader | Custom |
| Dell | Dell Business Client Updates Catalog | Partner |
| HP | HP client updates catalog | Partner |
| Lenovo | Lenovo Updates | Partner |

Partner Catalogs vs Custom Catalogs

List of Available third-party software update catalogs

Microsoft recently published a list of supported software update catalogs for Configuration Manager. Some catalogs are freely available, and some catalogs have an additional cost associated with them. Microsoft recommends checking with the catalog provider for details including pricing, support, and if the catalog supports in-console third-party updates.

Enable SSL on Software Update Point

Since custom SCCM catalogs require HTTPS, you must enable SSL communication on the Software Update Point. Note that SSL must be enabled on the SUP when it’s remote. Go to Administration > Overview > Site Configuration > Servers and Site System Roles. Select the server and in the bottom pane, right click Software Update Point and click Properties.

Under WSUS configuration, enable “Require SSL Communication to the WSUS server”.

Enable SCCM third-party updates on Software Update Point

To enable third-party software updates on the software update point:

  • Launch Configuration Manager console.
  • Navigate to Administration > Overview > Site Configuration > Sites.
  • Select the site, right click and then select Configure Site Components > Software Update Point.
  • Click Third-Party Updates tab and enable third-party software updates.

Configure WSUS signing certificate on Software Update Point

In the above step you enabled third-party updates on the SUP. The next step is to configure the WSUS signing certificate. This is important because custom catalogs must use HTTPS and the updates must be digitally signed. Therefore, let’s see how to configure it.

Under SUP Properties > Third-party updates tab, you will find two options to configure the WSUS signing certificate.

  • Configuration Manager manages the certificate
  • Manually manage the certificate

Microsoft gives you two options to manage the WSUS signing certificate. You can tell Configuration Manager to automatically manage the third-party WSUS signing certificate using a self-signed certificate. If you need to manage the certificate manually, for example to use a PKI certificate, you can do that using the SCUP tool.

Enable third-party updates on the clients – Client Settings

To enable third-party software updates under client settings:

  • Launch Configuration Manager console.
  • Navigate to Administration > Overview > Client Settings.
  • Right click Default Client Settings and click Properties.
  • Click Software Updates on left pane. Select Yes to Enable software updates on clients.
  • Next, select Yes to Enable third-party software updates. Click OK.

The setting sets the Windows Update agent policy to allow signed updates for an intranet Microsoft update service location.

Adding Custom Catalog in SCCM

In the above section I have already covered partner catalogs vs custom catalogs. I will be adding a custom catalog (basically an Adobe SCUP catalog) which will enable us to deploy Adobe Reader updates using SCCM.

Adobe provides custom catalogs. If you are looking for a free SCCM catalog for Adobe products, check this link. When you visit the link, note that there is one catalog for Reader and one for Acrobat. So, what’s the difference between them? Acrobat updating always involves installing every MSP update in order. Reader updates may involve quarterly MSI files that don’t require installing previous updates.

I will be adding the Adobe catalog whose URL is https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab

To import a custom catalog in SCCM:

  • Go to Software Library > Software Updates > Third-Party Software Update Catalogs.
  • Right click Third-Party Software Update Catalogs and click Add Custom Catalog.

In the Third-Party Software Updates Custom Catalogs wizard, enter the Download URL. You must also enter the catalog description. Click Next.

On the Summary page, click Next.

Finally, click Close on the Completion page.

Subscribe to a SCCM third-party catalog

In the above step we successfully added the Adobe Reader SCUP catalog. We will now look at the steps to subscribe to this catalog.

Navigate to Software Library > Software Updates > Third-Party Software Update Catalogs. On the right pane select Adobe Reader catalog and click Subscribe to Catalog.

Notice that the download URL is exactly the same as the one you provided while adding the catalog. Click Next.

The catalog download is successful. Click Next.

Before creating the subscription to the Adobe Reader SCUP catalog, you must review and approve the catalog signing certificate. Click View Certificate.

On the Certificate window, click Install Certificate. Ensure that you import the certificate and close the certificate import wizard.

Tick the box I have read and understood this message. Click Next.

On the Summary Page, click Next.

Click Close. That completes the steps to subscribe to a custom catalog.
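
The certificate review in the subscribe wizard can be backed by a check outside the console. The PowerShell below is an added example, not part of the original post or of Configuration Manager: it downloads the catalog from the URL used above and reports the Authenticode signer of the CAB. The function name Test-CatalogSignature and its -ApprovedThumbprint parameter are hypothetical names chosen for this illustration.

```powershell
# Added example (not from the original post). Test-CatalogSignature and
# -ApprovedThumbprint are hypothetical names chosen for this illustration.
function Test-CatalogSignature {
    param(
        [Parameter(Mandatory)] [string] $CatalogUrl,
        # Thumbprint you approved earlier; leave empty on the first review.
        [string] $ApprovedThumbprint
    )

    # Custom catalogs must be served over HTTPS.
    $uri = [uri]$CatalogUrl
    if ($uri.Scheme -ne 'https') {
        throw "Catalog URL is not HTTPS: $CatalogUrl"
    }

    # Download the CAB to a temporary file.
    $cab = Join-Path $env:TEMP ([IO.Path]::GetFileName($uri.LocalPath))
    Invoke-WebRequest -Uri $uri -OutFile $cab -UseBasicParsing

    # Read the Authenticode signature embedded in the CAB.
    $sig    = Get-AuthenticodeSignature -FilePath $cab
    $signer = $sig.SignerCertificate

    # If a thumbprint was supplied, the signer must match it exactly.
    $pinOk = (-not $ApprovedThumbprint) -or
             ($signer -and $signer.Thumbprint -eq $ApprovedThumbprint)

    [pscustomobject]@{
        File       = $cab
        Sha256     = (Get-FileHash -Path $cab -Algorithm SHA256).Hash
        Status     = $sig.Status
        Subject    = $signer.Subject
        Issuer     = $signer.Issuer
        Thumbprint = $signer.Thumbprint
        NotAfter   = $signer.NotAfter
        Approved   = ($sig.Status -eq 'Valid') -and $pinOk
    }
}

# Catalog URL taken from this post.
Test-CatalogSignature -CatalogUrl 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab'
```

Status is Valid only when the signer chains to a root that the machine running the check trusts. Record the Thumbprint from the first review and pass it as -ApprovedThumbprint on later checks to notice a changed signer.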

Synchronize Third-Party Updates in SCCM

After you have successfully subscribed to the catalog, you must synchronize the catalog so that you see the updates contained in this catalog.

Right click the Adobe Reader catalog and click Sync now. At this point perform a manual software updates synchronization.

Publish and deploy third-party software updates

After you perform the software updates synchronization, go to Software Update Point component properties. Click the Products tab and you should find Adobe as one of the products listed. Select Adobe Reader and click OK.

We won’t see the updates until we run a software updates sync again. After that, under All Software Updates you should see the Adobe Reader updates.

Wait for the Sync to complete and refresh the Software Updates. Now that you see the updates, you can easily deploy them using SCCM. Check this guide to deploy software updates using SCCM – https://www.prajwaldesai.com/deploy-software-updates-using-sccm-2012-r2/

SCCM Third-party software updates Log Files

It is important to monitor the log files during the software update synchronization. Out of all those SCCM log files, open wsyncmgr.log file to monitor the updates synchronization.

Synchronization of third-party software updates is handled by the SMS_ISVUPDATES_SYNCAGENT component on the top-level default software update point.

A few lines from the SMS_ISVUPDATES_SYNCAGENT.log file:

SyncUpdateCatalog: Starting download for catalog 'Adobe Reader' from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' ...	SMS_ISVUPDATES_SYNCAGENT
SyncUpdateCatalog: Downloading file: 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\iydaylkb.q1m\ReaderCatalog-2017.cab'.
SyncUpdateCatalog: Download from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' completed successfully.
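
To audit where the sync agent fetched catalogs from, the "Starting download" lines can be compared against the hosts you approved. This PowerShell is an added example, not from the original post: Get-CatalogDownload and the $ApprovedHosts list are hypothetical, the first sample line is quoted from the log above and the second is constructed for illustration.

```powershell
# Added example (not from the original post). Get-CatalogDownload is a
# hypothetical helper; $ApprovedHosts is an assumption you maintain yourself.
$ApprovedHosts = @('armmf.adobe.com')

# Sample input: line 1 is quoted from the log above, line 2 is constructed.
$sample = @(
    "SyncUpdateCatalog: Starting download for catalog 'Adobe Reader' from 'https://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-2017.cab' ...",
    "SyncUpdateCatalog: Starting download for catalog 'Example Tools' from 'http://updates.example.test/catalog.cab' ..."
)

function Get-CatalogDownload {
    param(
        [string[]] $Line,
        [Parameter(Mandatory)] [string[]] $ApprovedHosts
    )
    # Catalog name and source URL are both single-quoted in the log message.
    $pattern = "Starting download for catalog '(?<name>[^']+)' from '(?<url>[^']+)'"
    foreach ($entry in $Line) {
        if ($entry -match $pattern) {
            $name     = $Matches['name']
            $uri      = [uri]$Matches['url']
            $https    = $uri.Scheme -eq 'https'
            $approved = $ApprovedHosts -contains $uri.Host
            $finding  = 'review'
            if ($https -and $approved) { $finding = 'ok' }

            [pscustomobject]@{
                Catalog      = $name
                Url          = $uri.AbsoluteUri
                Https        = $https
                ApprovedHost = $approved
                Finding      = $finding
            }
        }
    }
}

# The Adobe line reports 'ok'; the constructed HTTP line reports 'review'.
Get-CatalogDownload -Line $sample -ApprovedHosts $ApprovedHosts | Format-Table -AutoSize
```

To run it against the real log, pass the output of Get-Content on your SMS_ISVUPDATES_SYNCAGENT.log file as -Line; the pattern matches the message text wherever it appears in the line.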
