SCCM Catalogs for Third-Party Software Updates

This post covers on SCCM catalogs for third party software updates. I will show you how to add or import SCCM custom catalog for example – Adobe Reader catalog into SCCM. I will also touch base on enabling third-party software updates in SCCM.

Starting with SCCM 1806 and above, to deploy third-party updates you can import a custom SCCM catalog SCCM. If the SCCM catalog is supplied by specific vendor, you can synchronize the catalog and get those updates in SCCM console. In addition to that you can deploy third-party software updates directly using SCCM.

Today many organizations prefer to patch third party applications. I agree that today there are multiple products available that facilitate the third-party application patching. However most of them aren’t free and you need to pay and import those third party catalogs in SCCM.

Using SCCM and Third-party Software Update Catalogs

As I mentioned earlier, it’s more important that you’re running the latest versions of the applications in your organization. As a result big organizations spend lot of money on these tools. Configuration Manager makes it very easy for IT admins to deploy updates to these third-party applications.

We also saw some new vendors in market facilitating the deployment of third-party updates. They provide their own catalogs with access to the latest version of applications. I am sure they first test the updates in their own setup and then release it to their customers. I will cover more information about these vendors in a separate post.

SCCM Third-Party Partner Catalogs vs Custom Catalogs

When you go to software update point and enable third-party software updates, only then you get the option to subscribe to third-party update catalogs. Furthermore you can publish these updates to WSUS and deploy it to clients.

There are two types of catalogs available – Partner catalogs and Custom catalogs :-

  • Partner catalogs – Partner catalogs are software vendor catalogs that have their information already registered with Microsoft. Hence you can subscribe to them without having to specify any additional information. For example Dell, HP, Lenovo offer partner catalogs.
  • Custom catalogs – As the name says these are the catalogs that you add manually to SCCM. You can always add a custom catalog from a third-party update vendor to Configuration Manager. Most of all remember that custom catalogs use HTTPS and the updates must be digitally signed. For example Adobe offers custom catalog.

If you would like to know some of the free SCCM Third-Party Software Update Catalogs, navigate to Software Library > Overview > Software Updates > Third-Party Software Update Catalogs.

Publisher Catalog Name Type
Adobe Adobe Reader Custom
Dell Dell Business Client Updates Catalog Partner
HP HP client updates catalog Partner
Lenovo Lenovo Updates Partner

Partner Catalogs vs Custom Catalogs

Enable SSL on Software Update Point

Since custom catalogs require HTTPS, you must enable SSL communication on the Software Update Point. Note that SSL must be enabled on the SUP when it’s remote. Go to Administration > Overview > Site Configuration > Servers and Site System Roles. Select the server and in the bottom pane, right click Software Update Point and click Properties.

Under WSUS configuration, enable “Require SSL Communication to the WSUS server“.

Enable SSL on Software Update Point

Enable SCCM third-party updates on Software Update Point

To enable third-party software updates on software update point :-

  • Launch Configuration Manager console.
  • Navigate to Administration > Overview > Site Configuration > Sites.
  • Select the site, right click and then select Configure Site Components > Software Update Point.
  • Click Third Party Updates tab and enable third-party software updates.

Enable third-party updates on the SUP

Configure WSUS signing certificate on Software Update Point

In the above step you enabled third party updates on SUP. The next step is to configure WSUS signing certificate. This is important because custom catalogs must use https and the updates must be digitally signed. Therefore let’s see how to configure it.

Under SUP Properties > Third party updates tab, you will find two options to configure WSUS signing certificate.

  • Configuration Manager manages the certificate
  • Manually manage the certificate

Both the above options are self-explanatory. Microsoft gives you two options to manage the WSUS signing certificate. You can tell Configuration Manager to automatically manage the third-party WSUS signing certificate using a self-signed certificate. If you need to manually configure the certificate, for example use a PKI certificate, you can do that using SCUP tool.

configure WSUS signing certificate

Enable third-party updates on the clients – Client Settings

To enable third party software updates under client settings

  • Launch Configuration Manage console.
  • Navigate to Administration > Overview > Client Settings.
  • Right click Default Client Settings and click Properties.
  • Click Software Updates on left pane. Select Yes to Enable software updates on clients.
  • Next, select Yes to Enable third party software updates. Click OK.

The setting sets the Windows Update agent policy for Allow signed updates for an intranet Microsoft update service location.

Enable third-party updates on the clients

SCCM Catalogs for Third-Party Software Updates – Adding Custom Catalog

In the above section I have already covered on Partner Catalogs vs Custom Catalogs. I will be adding a custom catalog (basically a Adobe SCUP catalog) which will enable us to deploy Adobe Reader updates using SCCM.

Adobe company provides custom catalogs. If you are looking for a free SCCM catalog for Adobe products check this link. When you visit the link note that there is one catalog for Reader and one for Acrobat. So what’s the difference between them ?. The Acrobat updating always involves installing every MSP update in order. Reader updates may involve quarterly MSI files that don’t require installing previous updates.

I will be adding the Adobe catalog whose URL is

To import custom catalog in SCCM

  • Go to Software Library > Software Updates > Third-Party Software Update Catalogs.
  • Right click Third-Party Software Update Catalogs and click Add Custom Catalog.

Add Third-Party Software Update Catalogs in SCCM

In the Third-Party Software Updates Custom Catalogs wizard, enter the Download URL. You must also enter the catalog description. Click Next.

Add Third-Party Software Update Catalogs in SCCM

On the Summary page, click Next.

Add Third-Party Software Update Catalogs in SCCM

Finally click Close on Completion page.

Add Third-Party Software Update Catalogs in SCCM

Subscribe to a SCCM third-party catalog

In the above step we successfully added the Adobe Reader SCUP catalog. We will now look at the steps to subscribe to this catalog.

Navigate to Software Library > Software Updates > Third-Party Software Update Catalogs. On the right pane select Adobe Reader catalog and click Subscribe to Catalog.

Subscribe to a third-party catalog

Notice that download URL is exactly the same that you provided while adding the catalog. Click Next.

Subscribe to a third-party catalog

The catalog download is successful. Click Next.

Subscribe to a third-party catalog

Before creating subscription to Adobe Reader SCUP catalog, you must review and approve the catalog signing certificate. Click View Certificate.

On the Certificate window, click Install Certificate. Ensure that you import the certificate and close the certificate import wizard.

Subscribe to a third-party catalog

Tick the box I have read and understood this message. Click Next.

Subscribe to a third-party catalog

On the Summary Page, click Next.

Subscribe to a third-party catalog

Click Close. That completes the steps to subscribe to a custom catalog.

Subscribe to a third-party catalog

Synchronize Third Party Updates

After you have successfully subscribed to the catalog, you must synchronize the catalog so that you see the updates contained in this catalog.

Right click the Adobe Reader catalog and click Sync now. At this point perform a manual software updates synchronization.

Synchronize the Updates

Publish and deploy third-party software updates

After you perform the software updates synchronization, go to Software Update Point component properties. Click Products tab and you should find Adobe as one of the product listed. Select Adobe Reader and click OK.

Publish and deploy third-party software updates

We still don’t see the updates yet until we run a software updates sync again. Under All Software updates you should see Adobe Reader Updates.

Wait for the Sync to complete and refresh the Software Updates. Now that you see the updates, you can easily deploy them using SCCM. Check this guide to deploy software updates using SCCM –

Publish and deploy third-party software updates

SCCM Third-party software updates Log Files

It is important to monitor the log files during the software update synchronization. Out of all those SCCM log files, open wsyncmgr.log file to monitor the updates synchronization.

SCCM Third-party software updates LogSynchronization of third-party software updates is handled by the SMS_ISVUPDATES_SYNCAGENT component on the top-level default software update point.

SCCM Third-party software updates LogFew lines of code from the SMS_ISVUPDATES_SYNCAGENT.log file.

SyncUpdateCatalog: Starting download for catalog 'Adobe Reader' from '' ...	SMS_ISVUPDATES_SYNCAGENT
SyncUpdateCatalog: Downloading file: '' to 'C:\Program Files\Microsoft Configuration Manager\ISVTemp\iydaylkb.q1m\'.
SyncUpdateCatalog: Download from '' completed successfully.

Prajwal Desai

Hi, I am Prajwal Desai. For last few years I have been working on multiple technologies such as SCCM / Configuration Manager, Intune, Azure, Security etc. I created this site so that I can share valuable information with everyone.

Related Articles


  1. Hi Prajwal,

    I have configured Third-Party Software Update Catalogs as per the article. I successfully added an Adobe custom catalog, however none of the standard catalogs show , HP , Dell etc. Is there a log I can check to see what is happening wit them?


  2. I had this functioning, then I rebuilt my WSUS server from scratch. I never turned off third party updates during the rebuild. I am now trying to re-do the third-party updates by unsubscribing and subscribing to the catalogs and it doesn’t seem to be doing anything. Choosing “sync now” doesn’t trigger anything. I can’t find the SMS_ISVUPDATES_SYNCAGENT.log log file either on the WSUS server nor on the primary server. I even did a dir /s <filename> from the root of C and nothing. I don’t know how to debug this.

    1. Hey Thomas,
      The SMS_ISVUPDATES_SYNCAGENT component is located in the console under monitoring/System Status/Component Status

  3. Hello Prajwal,

    We are using Adobe Acrobat reader DC in our environment and we want to installed update for adobe acrobat reader using third party update. Can we use the downlaod link “” for or will it be different link

  4. Hi –

    We installed Third-Party Updates from Dell, Adobe, Foxit and HP, we have a lot of Problems with it. So we want start over without Third-Party Updates. After reinstall WSUS and SUP all Updates from Dell, etc. appears automatically. Is there any way to clean up all Third-Party Products.

  5. Can this feature work in an isolated network? For example, could I manually import the catalogs from the vendors?

  6. Prajwal my man,
    Is there anyway to automate the publish process for these third party updates? It would be great if there was a way for this to work seamlessly with ADR’s and I was thinking you might have a workaround, cheers.

  7. I have successfully set up the Dell third Party updates. I have the BIOS Downloaded and deployed. However the computer is not updating the BIOS. What step am i missing?

    1. I’m still new-ish to SCCM, but normally a BIOS has to be updated manually. Have you tried going to one of the machines that should be receiving the update and checked Software Center to try installing the update from there?

  8. So I have this all setup, and working, but only for Dell and Adobe. When I enable the ‘built-in’ HP and Lenovo catalogs, I get the following error when trying to sync software updates:

    Sync failed: The operation has timed out. Source: Microsoft.UpdateServices.Internal.DatabaseAccess.ApiRemotingCompressionProxy.GetWebResponse

    I have no proxies set anywhere, and we don’t use one.

    If I disable either HP or Lenovo under the “Products” tab on the SUP, then it works fine. No certs for Lenovo or HP are blocked, so not sure where else to look since Dell and Adobe work fine.

    1. I was able to get some updates from HP and Lenovo to come down. The Lenovo LUC Agent (which is expired) and HP Firmware and software. If I select Drivers for HP, or Lenovo Updates then it errors out.

    2. Having this same problem and freaking out how to fix it? Once I turned Lenovo on I get an error when syncing updates and the the sync fails. How do I fix this without having to rebuild the wsus

  9. Great post! We’re making use of Third-party updates (HP catalog only) for over an year now without any issues. But, 3 days after the update to ConfigMgr 1906 (3rd of October 2019) we’re facing issues with HP Drivers/Software deployment. Device applicable drivers/software are visible in Software Center, but when installing the driver/software it returns an error (0x80240017). The error code is telling me that the driver/software is not applicable for the device. It sounds like a faulty detection method in the HP Catalog file, but not founding other topics on the Internet related to the issue we have. Do you know anything about this behavior? Thank you.

    Kind regards,

  10. What would be the reason for needing to use a PKI certificate? Is there a case where the self-signed certificate will not work?
    For example, we are going to be using SolarWinds Patch Manager to supply the updates but SCCM to distribute them.

  11. Prajwal, thanks for another excellent set of instructions. Is it necessary to click “Install Certificate”? I set up the Lenovo catalog subscription and all of the updates are in the console, ready to deploy. However, I only clicked OK on the certificate window, instead of Install. Is it necessary? How do I locate the cert so it can be installed?

    1. As far as I know it’s not needed to install the Certificate. I never did that and it was working fine until the beginning of this month. Now, I’m trying to solve the issue by installing the certificate.

      You have to re-subscribe to install the certificate.

    2. Every how-to on the internet seems to give the same advise about install the certificate. But that’s only half the information. When you click “Install Certificate” it asks you were you would like to install it. But…which store do you save it to?

  12. I am running 1902 but I do not see a Third Party Updates tab in the Software Update Point Component Properties, am i missing something?

    1. Under Administration –> Updates and Servicing –> Features, ensure “Enable third party update support on clients” is ON. The tab should then be available in the Software Update Point Component Properties.

  13. Hi Prajwal, Thank you for this post. I noticed in the above blog “How to Add Third-Party Software Update Catalogs in SCCM” (very well written), you mentioned to check the checkbox that says “Required SSL Communication to the WSUS Server” under your listed topic “Enable SSL on Software Update Point” to get custom catalogs. As FYI, this is not required now in CB of 1806, 1810 or 1902 versions. Maybe, it was required when this functionality was in Technical Preview version (Since I only work with production versions of SCCM). All my customer SCCM production environments with WSUS/SUP are running only with HTTP and I am using Third-Party custom catalogs extensively. I thought, I will mention over here, so you can do the correction and hopefully, it will not be confusing to others.

      1. Maybe you should separate both cases : Where SUP is local to primary or SUP is remote, so there is no mistake about this mandatory requirement and why you go with the SSL communication in the first place 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button