This post will show how you can set up Third Party Updates in SCCM Current Branch 1806 using a catalog from Patch My PC. This is a fresh lab with no certificates or GPOs configured. We will let SCCM create the Trusted Publisher certificate and take care of it on the clients by configuring the SCCM client settings, and also use the client settings to allow signed updates from an intranet location.
The setup below has the SUP installed on the same server as my Primary Site. My SUP is configured for HTTP mode. SSL must be enabled on the SUP if it is remote. See https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates for further details.
The first thing to do is enable third party updates, and then let SCCM manage the certificate.
Once this is done and you sync your software update point, it will create and install the code signing certificate. You can see this in the wsyncmgr.log.
If you open up certlm.msc you can also see the WSUS Publishers Self-signed certificate in the WSUS store.
You can also see this certificate in the Trusted Publishers store as well.
Once the sync has completed, you can see there is now information about the certificate in the third party updates tab of the software update point properties.
Next we will configure third party updates in the client settings. Open up the client settings and select the software updates section, then enable third party updates. This will add a local policy to the clients to allow signed updates from an intranet location, and also install the code signing certificate into the trusted publishers store. There is no need for a GPO to do this.
If you open gpedit.msc on a machine that has received the new policy, and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update, you will see the “Allow signed updates from an intranet Microsoft update service location” is now enabled.
If you run gpresult /computer you can also see that the local policy has set this as well.
You can also see that the code signing certificate has been installed.
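As an added example (not part of the original post), the following PowerShell script performs the same two client-side checks that gpedit.msc, gpresult and certlm.msc show above, so you can verify a client without clicking through the consoles. It assumes the policy is backed by the AcceptTrustedPublisherCerts value under the WindowsUpdate policy key and that the certificate subject contains "WSUS Publishers Self-signed", as seen in certlm.msc.

```powershell
# Added verification script, not from the original post or from Microsoft/Patch My PC.
# Checks that the ConfigMgr client settings delivered both pieces needed for signed
# third-party updates:
#   1. the local policy "Allow signed updates from an intranet Microsoft update service
#      location", stored as AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key;
#   2. the WSUS Publishers Self-signed code signing certificate in Trusted Publishers.
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$subjectFilter = 'WSUS Publishers Self-signed'   # assumption: subject as shown in certlm.msc

function Test-ThirdPartyUpdatePolicy {
    $value = Get-ItemProperty -Path $policyKey -Name 'AcceptTrustedPublisherCerts' -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        Write-Warning 'AcceptTrustedPublisherCerts is not set; the client has not received the policy yet.'
        return $false
    }
    if ($value.AcceptTrustedPublisherCerts -ne 1) {
        Write-Warning ('AcceptTrustedPublisherCerts is {0}, expected 1.' -f $value.AcceptTrustedPublisherCerts)
        return $false
    }
    Write-Host 'Policy OK: AcceptTrustedPublisherCerts = 1'
    return $true
}

function Test-TrustedPublisherCert {
    # Only certificates in the machine Trusted Publishers store are honoured for signed updates.
    $certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPublisher' |
               Where-Object { $_.Subject -like "*$subjectFilter*" })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate matching '$subjectFilter' found in Trusted Publishers."
        return $false
    }
    foreach ($cert in $certs) {
        # Compare the thumbprint with the one shown on the SUP's Third Party Updates tab;
        # a stale or unexpected publisher certificate here is worth investigating.
        $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        Write-Host ('Found: {0} thumbprint {1} expires {2} ({3})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $state)
    }
    return (@($certs | Where-Object { $_.NotAfter -ge (Get-Date) })).Count -gt 0
}

$policyOk = Test-ThirdPartyUpdatePolicy
$certOk   = Test-TrustedPublisherCert
if ($policyOk -and $certOk) {
    Write-Host 'Client is ready to accept signed third-party updates from the SUP.'
} else {
    Write-Host 'Client is NOT ready; check that the client settings with third party updates enabled are deployed to it.'
}
```

Run it in an elevated PowerShell session on the client, since the policy key and the machine certificate store require administrator rights to read reliably.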
Now we need to add our third party update catalogs. You will see in the SCCM console you can right click on Third Party Software Update Catalogs and add a new catalog. In my example I will be adding some Patch My PC catalogs and then syncing them.
Click on View Certificate and then click OK.
Once you have viewed the certificate you can click Next.
Once you have added the required catalogs, you now have to subscribe to them (the catalogs will synchronize automatically every 7 days).
Once the catalogs have been subscribed to, the catalog will then download. You need to do a sync to import the metadata from the WSUS database into the SCCM database.
Once the sync has finished, go back into your SUP properties, click products, and add the product.
Another SUP sync needs to be done for the metadata to appear.
Once the metadata has appeared from the catalogs we have added, we need to publish the updates before we can deploy them. You will see the updates download in the SMS_ISVUPDATES_SYNCAGENT.log.
After the updates have been published and downloaded, we need to do another sync.
You can see that the icon has changed from the blue metadata icon to green. We can now deploy our third party updates to a collection as normal.
On my test client, you can see that it needed Adobe Acrobat Reader, Google Chrome, and Oracle Java updates.
The updates have installed correctly. We know that the trusted publisher certificate and the allow signed updates from the intranet settings worked successfully.