SCCM 1806 – Third Party Updates

This post will show how you can set up Third Party Updates in SCCM Current Branch 1806 using a catalog from Patch My PC. This is a fresh lab with no certificates or GPOs configured. We will let SCCM create the Trusted Publisher certificate and take care of it on the clients by configuring the SCCM client settings, and also use the client settings to allow signed updates from an intranet location.

The setup below has the SUP installed on the same server as my Primary Site. My SUP is configured for HTTP mode. SSL must be enabled on the SUP if it is remote. See https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates for further details.

The first thing to do is enable third party updates, and then let SCCM manage the certificate.


Once this is done and you sync your software update point, SCCM will create and install the code signing certificate. You can see this in wsyncmgr.log.


If you open up certlm.msc you can also see the WSUS Publishers Self-signed certificate in the WSUS store.


You can also see this certificate in the Trusted Publishers store.


Once the sync has completed, you can see there is now information about the certificate in the third party updates tab of the software update point properties.


Next we will configure third party updates in the client settings. Open up the client settings and select the software updates section, then enable third party updates. This will add a local policy to the clients to allow signed updates from an intranet location, and also install the code signing certificate into the trusted publishers store. There is no need for a GPO to do this.


If you open gpedit.msc on a machine that has received the new policy and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update, you will see that “Allow signed updates from an intranet Microsoft update service location” is now enabled.


If you do a gpresult /computer you can also see that the local policy has set this.


You can also see that the code signing certificate has been installed.

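The two client-side checks above (policy enabled, code signing certificate in Trusted Publishers) can also be scripted. The following is an added example, not part of the original post; it assumes the certificate subject contains "WSUS Publishers Self-signed" as shown earlier, and it reads `AcceptTrustedPublisherCerts`, the registry value that backs the "Allow signed updates from an intranet Microsoft update service location" policy (the post does not name this value).

```powershell
# Added verification example (not from the original post). Run elevated on a client.
# Assumption: the signing certificate's subject contains the name shown in certlm.msc.
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$SubjectPattern = '*WSUS Publishers Self-signed*'

function Test-IntranetSignedUpdatePolicy {
    # Returns $true only when the policy value exists and is set to 1.
    $prop = Get-ItemProperty -Path $PolicyKey -Name 'AcceptTrustedPublisherCerts' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.AcceptTrustedPublisherCerts -eq 1)
}

function Get-WsusSigningCert {
    # Lists matching certificates in a LocalMachine store, with validity flags.
    param([string]$StoreName = 'TrustedPublisher')
    $now = Get-Date
    Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $StoreName
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt $now)
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
}

$policyOk = Test-IntranetSignedUpdatePolicy
$certs    = @(Get-WsusSigningCert -StoreName 'TrustedPublisher')
$valid    = @($certs | Where-Object { -not $_.Expired })

$certs | Format-Table -AutoSize
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    PolicyEnabled = $policyOk
    CertsFound    = $certs.Count
    ValidCerts    = $valid.Count
    # More than one match usually means an old certificate was left behind.
    StaleCerts    = ($certs.Count -gt 1)
} | Format-List

# Non-zero exit code so the check can be used from a compliance baseline or script.
if (-not $policyOk -or $valid.Count -eq 0) { exit 1 }
```

Compare the thumbprint it reports with the one shown on the Third Party Updates tab of the software update point, so you know the client trusts the certificate your site is actually signing with.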

Now we need to add our third party update catalogs. In the SCCM console you can right-click Third Party Software Update Catalogs and add a new catalog. In my example I will be adding some Patch My PC catalogs and then syncing them.


Click on View Certificate and then click OK.


Once you have viewed the certificate you can click Next.


Once you have added the required catalogs, you now have to subscribe to them (the catalogs will synchronize automatically every 7 days).


Once the updates have been subscribed to, the catalog will then download. You need to do a sync to import the metadata from the WSUS database into the SCCM database.


Once the sync has finished, go back into your SUP properties, click Products, and add the product.


Another SUP sync needs to be done for the metadata to appear.


Once the metadata has appeared from the catalogs we have added, we need to publish the updates before we can deploy them. You will see the updates download in SMS_ISVUPDATES_SYNCAGENT.log.


After the updates have been published and downloaded, we need to do another sync.


You can see that the icon has changed from the blue metadata icon to green. We can now deploy our third party updates to a collection as normal.


On my test client, you can see that it needed Adobe Acrobat Reader, Google Chrome, and Oracle Java updates.


The updates have installed correctly. This confirms that the Trusted Publisher certificate and the “allow signed updates from an intranet location” setting worked successfully.

