SCCM 3rd Party Updates Don't Download With ADR
Enable third-party updates
Applies to: Configuration Manager (current branch)
The Third-Party Software Update Catalogs node in the Configuration Manager console allows you to subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients.
Note
In version 2006 and earlier, Configuration Manager doesn't enable this feature by default. Before using it, enable the optional feature Enable third party update support on clients. For more information, see Enable optional features from updates.
Prerequisites
- Sufficient disk space on the top-level software update point's WSUSContent directory to store the source binary content for third-party software updates.
  - The amount of required storage varies based on the vendor, types of updates, and specific updates that you publish for deployment.
  - If you need to move the WSUSContent directory to another drive with more free space, see the How to change the location where WSUS stores updates locally blog post.
- The third-party software update synchronization service requires internet access.
  - For the partner catalogs list, download.microsoft.com over HTTPS port 443 is needed.
  - Internet access to any third-party catalogs and update content files. Additional ports other than 443 may be needed.
  - Third-party updates use the same proxy settings as the SUP.
Additional requirements when the SUP is remote from the top-level site server
- SSL should be enabled on the SUP when it's remote. This requires a server authentication certificate generated from an internal certificate authority or via a public provider.
  - Configure SSL on WSUS
    - When you configure SSL on WSUS, note some of the web services and the virtual directories are always HTTP and not HTTPS.
    - Configuration Manager downloads third-party content for software update packages from your WSUS content directory over HTTP.
  - Configure SSL on the SUP
- When setting the third-party updates WSUS signing certificate configuration to Configuration Manager manages the certificate in the Software Update Point Component Properties, the following configurations are required to allow the creation of the self-signed WSUS signing certificate:
  - Remote registry should be enabled on the SUP server.
  - The WSUS server connection account should have remote registry permissions on the SUP/WSUS server.
- Create the following registry key on the Configuration Manager site server:
  - HKLM\Software\Microsoft\Update Services\Server\Setup, create a new DWORD named EnableSelfSignedCertificates with a value of 1.
- To enable installing the self-signed WSUS signing certificate to the Trusted Publishers and Trusted Root stores on the remote SUP server:
  - The WSUS server connection account should have remote administration permissions on the SUP server. If this item isn't possible, export the certificate from the local computer's WSUS store into the Trusted Publisher and Trusted Root stores.
Note
The WSUS server connection account can be identified by viewing the Proxy and Account Settings tab on the Site System role properties of the SUP. If an account is not specified, the site server's computer account is used.
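The remote registry and registry key requirements above can be checked from the site server in one pass. This is an added example, not part of the original page; the function name Test-RemoteSupPrereq and the server name in the usage comment are hypothetical, and it assumes WinRM is reachable on the SUP.

```powershell
# Added example, not from the original page. Run elevated on the site server.
# Assumes WinRM is reachable on the SUP (Get-CimInstance -ComputerName uses it).
function Test-RemoteSupPrereq {
    param(
        [Parameter(Mandatory)][string]$SupServer,
        [switch]$Fix   # create EnableSelfSignedCertificates = 1 when it is missing
    )
    $setupKey  = 'HKLM:\Software\Microsoft\Update Services\Server\Setup'
    $valueName = 'EnableSelfSignedCertificates'

    # Remote registry should be enabled on the SUP server.
    $svcQuery = @{
        ClassName    = 'Win32_Service'
        ComputerName = $SupServer
        Filter       = "Name='RemoteRegistry'"
        ErrorAction  = 'Stop'
    }
    $svc = Get-CimInstance @svcQuery

    # DWORD EnableSelfSignedCertificates = 1 on the site server (this machine).
    $current = (Get-ItemProperty -Path $setupKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -ne 1 -and $Fix) {
        if (-not (Test-Path $setupKey)) { New-Item -Path $setupKey -Force | Out-Null }
        New-ItemProperty -Path $setupKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        $current = (Get-ItemProperty -Path $setupKey -Name $valueName).$valueName
    }

    [pscustomobject]@{
        SupServer                    = $SupServer
        RemoteRegistryState          = $svc.State      # expect 'Running'
        RemoteRegistryStartMode      = $svc.StartMode  # 'Disabled' means it cannot start
        EnableSelfSignedCertificates = $current        # expect 1
    }
}

# Usage (placeholder host name): report only, then create the value if needed.
# Test-RemoteSupPrereq -SupServer 'sup01.contoso.example'
# Test-RemoteSupPrereq -SupServer 'sup01.contoso.example' -Fix
```

The check does not cover the account permissions listed above; those still have to be confirmed for the WSUS server connection account.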
Enable 3rd-party updates on the SUP
If you enable this option, you can subscribe to third-party update catalogs in the Configuration Manager console. You can then publish those updates to WSUS and deploy them to clients. The following steps should be run once per hierarchy to enable and set up the feature for use. The steps may need to be rerun if you ever replace the top-level SUP's WSUS server.
- In the Configuration Manager console, go to the Administration workspace. Expand Site Configuration, and select the Sites node.
- Select the top-level site in the hierarchy. In the ribbon, select Configure Site Components, and select Software Update Point.
- Switch to the Third-Party Updates tab. Select the option Enable third-party software updates.
Configure the WSUS signing certificate
You'll need to determine if you want Configuration Manager to automatically manage the third-party WSUS signing certificate using a self-signed certificate, or if you need to manually configure the certificate.
Automatically manage the WSUS signing certificate
If you don't have a requirement to use PKI certificates, you can choose to automatically manage the signing certificates for third-party updates. The WSUS certificate management is done as part of the sync cycle and gets logged in the wsyncmgr.log.
- In the Configuration Manager console, go to the Administration workspace. Expand Site Configuration, and select the Sites node.
- Select the top-level site in the hierarchy. In the ribbon, select Configure Site Components, and select Software Update Point.
- Switch to the Third-Party Updates tab. Select the option Configuration Manager manages the certificate.
- A new certificate of type Third-party WSUS Signing is created in the Certificates node under Security in the Administration workspace.
Manually manage the WSUS signing certificate
If you need to manually configure the certificate, such as needing to use a PKI certificate, you'll need to use either System Center Updates Publisher or another tool to do so.
- Configure the signing certificate using System Center Updates Publisher.
- In the Configuration Manager console, go to the Administration workspace. Expand Site Configuration, and select the Sites node.
- Select the top-level site in the hierarchy. In the ribbon, select Configure Site Components, and select Software Update Point.
- Switch to the Third-Party Updates tab. Select the option for Manually manage the certificate.
Enable third-party updates on the clients
Enable third-party updates on the clients in the client settings. The setting sets the Windows Update agent policy for Allow signed updates for an intranet Microsoft update service location. This client setting also installs the WSUS signing certificate to the Trusted Publisher store on the client. The certificate management logging is seen in updatesdeployment.log on the clients. Run these steps for each custom client setting you want to use for third-party updates. For more information, see the About client settings article.
- In the Configuration Manager console, go to the Administration workspace and select the Client Settings node.
- Select an existing custom client setting or create a new one.
- Select the Software Updates tab on the left-hand side. If you don't have this tab, make sure that the Software Updates box is enabled.
- Set Enable third-party software updates to Yes.
Add a custom catalog
Partner catalogs are software vendor catalogs that have their information already registered with Microsoft. With partner catalogs, you can subscribe to them without having to specify any additional information. Catalogs that you add are called custom catalogs. You can add a custom catalog from a third-party update vendor to Configuration Manager. Custom catalogs must use https and the updates must be digitally signed.
- Go to the Software Updates Library workspace, expand Software updates, and select the Third-Party Software Update Catalogs node.
- Select Add Custom Catalog in the ribbon.
- On the General page, specify the following items:
  - Download URL: A valid HTTPS address of the custom catalog.
  - Publisher: The name of the organization that publishes the catalog.
  - Name: The name of the catalog to display in the Configuration Manager Console.
  - Description: A description of the catalog.
  - Support URL (optional): A valid HTTPS address of a website to get help with the catalog.
  - Support Contact (optional): Contact information to get help with the catalog.
- Select Next to review the catalog summary and to proceed with completing the Third-party Software Updates Custom Catalog Wizard.
Subscribe to a third-party catalog and sync updates
When you subscribe to a third-party catalog in the Configuration Manager console, the metadata for every update in the catalog are synced into the WSUS servers for your SUPs. The sync of the metadata allows the clients to determine if any of the updates are applicable. Perform the following steps for each third-party catalog to which you want to subscribe:
- In the Configuration Manager console, go to the Software Library workspace. Expand Software Updates and select the Third-Party Software Update Catalogs node.
- Select the catalog to subscribe and then select Subscribe to Catalog in the ribbon.
- Review and approve the catalog certificate on the Review and approve page of the wizard.
Note
When you subscribe to a third-party software update catalog, the certificate that you review and approve in the wizard is added to the site. This certificate is of type Third-party Software Updates Catalog. You can manage it from the Certificates node under Security in the Administration workspace.
- If the third-party catalog is v3, you'll be offered pages to Select Categories and Stage Content. For more information about configuring these options, see the Third-party v3 catalog options section.
- Choose your options on the Schedule page:
  - Simple schedule: Choose the hour, day, or month interval. The default is a simple schedule that synchronizes every 7 days.
  - Custom schedule: Set a complex schedule.
- Review your settings on the Summary page and complete the wizard.
- After the catalog is downloaded, the product metadata needs to be synchronized from the WSUS database into the Configuration Manager database. Manually start the software updates synchronization to synchronize the product information.
- Once the product information is synchronized, Configure the SUP to synchronize the desired product into Configuration Manager.
- Manually start the software updates synchronization to synchronize the new product's updates into Configuration Manager.
- When the synchronization completes, you can see the third-party updates in the All Updates node. These updates are published as metadata-only updates until you choose to publish them.
  - The icon with the blue arrow represents a metadata-only software update.
Publish and deploy third-party software updates
Once the third-party updates are in the All Updates node, you can choose which updates should be published for deployment. When you publish an update, the binary files are downloaded from the vendor and placed into the WSUSContent directory on the top-level SUP.
- In the Configuration Manager console, go to the Software Library workspace. Expand Software Updates and select the All Software Updates node.
- Select Add Criteria to filter the list of updates. For example, add Vendor for HP. to view all updates from HP.
- Select the updates that are required by your organization. Select Publish Third-Party Software Update Content.
  - This action downloads the update binaries from the vendor then stores them in the WSUSContent directory on the top-level software update point.
- Manually start the software updates synchronization to change the state of the published updates from metadata-only to deployable updates with content.
Note
When you publish third-party software update content, any certificates used to sign the content are added to the site. These certificates are of type Third-party Software Updates Content. You can manage them from the Certificates node under Security in the Administration workspace.
- Review the progress in the SMS_ISVUPDATES_SYNCAGENT.log. The log is located on the top-level software update point in the site system Logs folder.
- Deploy the updates using the Deploy software updates process.
- On the Download Locations page of the Deploy Software Updates Wizard, select the default option to Download software updates from the internet. In this scenario, the content is already published to the software update point, which is used to download the content for the deployment package.
- Clients will need to run a scan and evaluate updates before you can see compliance results. You can manually trigger this cycle from the Configuration Manager control panel on a client by running the Software Updates Scan Cycle action.
Third-party v3 catalog options
V3 catalogs allow for categorized updates. When using catalogs that include categorized updates, you can configure synchronization to include only specific categories of updates to avoid synchronizing the entire catalog. With categorized catalogs, when you're confident you'll deploy a category, you can configure it to automatically download and publish to WSUS.
Important
This option is only available for v3 third-party update catalogs, which support categories for updates. These options are disabled for catalogs that aren't published in the v3 format.
- In the Configuration Manager console, go to the Software Library workspace. Expand Software Updates and select the Third-Party Software Update Catalogs node.
- Select the catalog to subscribe and select Subscribe to Catalog in the ribbon.
- Choose your options on the Select Categories page:
  - Synchronize all update categories (default)
    - Synchronizes all updates in the third-party update catalog into Configuration Manager.
  - Select categories for synchronization
    - Choose which categories and child categories to synchronize into Configuration Manager.
- Choose if you want to Stage update content for the catalog. When you stage the content, all updates in the selected categories are automatically downloaded to your top-level software update point, meaning you don't need to ensure they're already downloaded before deploying. You should only automatically stage content for updates you are likely to deploy, to avoid excessive bandwidth and storage requirements.
  - Do not stage content, synchronize for scanning only (recommended)
    - Don't download any content for updates in the third-party catalog
  - Stage the content for selected categories automatically
    - Choose the update categories that will automatically download content.
    - The content for updates in selected categories will be downloaded to the top-level software update point's WSUS content directory.
- Set your Schedule for catalog synchronization, and then complete the wizard.
Edit an existing subscription
You can edit an existing subscription by selecting Properties from the ribbon or the right-click menu.
Important
Some options are only available for v3 third-party update catalogs, which support categories for updates. These options are disabled for catalogs that aren't published in the v3 format.
- In the Third-Party Software Update Catalogs node, right-click on the catalog and select Properties or select Properties from the ribbon.
- You can update the following information from the General tab:
  - Download URL (not editable): The HTTPS address of the custom catalog.
  - Publisher: The name of the organization that publishes the catalog.
  - Name: The name of the catalog to display in the Configuration Manager Console.
  - Description: A description of the catalog.
  - Support URL (optional): A valid HTTPS address of a website to get help with the catalog.
  - Support Contact (optional): Contact information to get help with the catalog.
- Choose your options on the Select Categories tab.
  - Synchronize all update categories (default)
    - Synchronizes all updates in the third-party update catalog into Configuration Manager.
  - Select categories for synchronization
    - Choose which categories and child categories to synchronize into Configuration Manager.
- Choose your options for the Stage update content tab.
  - Do not stage content, synchronize for scanning only (recommended)
    - Don't download any content for updates in the third-party catalog
  - Stage the content for selected categories automatically
    - Choose the update categories that will automatically download content.
    - The content for updates in selected categories will be downloaded to the top-level software update point's WSUS content directory.
- Select how often to synchronize the catalog on the Schedule tab.
  - Simple schedule: Choose the hour, day, or month interval.
  - Custom schedule: Set a complex schedule.
Unsubscribe from catalog and delete custom catalogs
In the Third-Party Software Update Catalogs node, right-click on the catalog and select Unsubscribe to stop synchronizing the catalog. You can also use the Unsubscribe option from the ribbon. When you unsubscribe from a catalog, the approval for catalog signing and update content certificates are removed. Existing updates aren't removed, but you may not be able to deploy them. With custom catalogs, you also have the option of deleting it after you've unsubscribed. Select Delete Custom Catalog from either the ribbon or the right-click menu for the catalog. Deleting the custom catalog removes it from view in the Third-Party Software Update Catalogs node.
Monitoring progress of third-party software updates
Synchronization of third-party software updates is handled by the SMS_ISVUPDATES_SYNCAGENT component on the top-level default software update point. You can view status messages from this component, or see more detailed status in the SMS_ISVUPDATES_SYNCAGENT.log. This log is on the top-level software update point in the site system Logs folder. By default this path is C:\Program Files\Microsoft Configuration Manager\Logs. For more information on monitoring the general software update management process, see Monitor software updates.
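To pull only the warnings and errors out of SMS_ISVUPDATES_SYNCAGENT.log, the entries can be filtered on their severity field. This is an added example, not part of the original page: it assumes the usual Configuration Manager log entry layout (a LOG[...] message followed by time, date, component, context and type attributes, with type 2 for warnings and 3 for errors), the function name is hypothetical, and the sample entries are constructed.

```powershell
# Added example, not from the original page.
function Get-SyncAgentLogProblem {
    param(
        [Parameter(Mandatory)][string]$Text,    # raw log content
        [ValidateRange(1, 3)][int]$MinType = 2  # 1 = info, 2 = warning, 3 = error
    )
    $severity = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }
    # (?s) lets a message span several lines inside one LOG[...] entry.
    $rx = [regex]('(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!>' +
                  '<time="(?<time>[^"]+)" date="(?<date>[^"]+)" ' +
                  'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"')
    foreach ($m in $rx.Matches($Text)) {
        $type = [int]$m.Groups['type'].Value
        if ($type -lt $MinType) { continue }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Severity  = $severity[$type]
            Component = $m.Groups['comp'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries (not real log output).
$sample = @'
<![LOG[Sample: catalog synchronization started.]LOG]!><time="09:00:01.120+000" date="01-15-2024" component="SMS_ISVUPDATES_SYNCAGENT" context="" type="1" thread="4120" file="sample.cs:10">
<![LOG[Sample: catalog signing certificate is not approved.]LOG]!><time="09:00:03.480+000" date="01-15-2024" component="SMS_ISVUPDATES_SYNCAGENT" context="" type="3" thread="4120" file="sample.cs:20">
<![LOG[Sample: catalog has no content signing certificates.]LOG]!><time="09:00:04.002+000" date="01-15-2024" component="SMS_ISVUPDATES_SYNCAGENT" context="" type="2" thread="4120" file="sample.cs:30">
'@

# Returns the error and the warning entry, skipping the informational one.
Get-SyncAgentLogProblem -Text $sample | Format-Table Date, Time, Severity, Message -AutoSize

# Against the real file (default path given on the page):
# $log = 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_ISVUPDATES_SYNCAGENT.log'
# Get-SyncAgentLogProblem -Text (Get-Content -Path $log -Raw)
```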
List additional third-party updates catalogs
To help you find custom catalogs that you can import for third-party software updates, there's a documentation page with links to catalog providers. Starting in Configuration Manager 2107, you can also choose More Catalogs from the ribbon in the Third-party software update catalogs node. Right-clicking on Third-Party Software Update Catalogs node displays a More Catalogs menu item. Selecting More Catalogs opens a link to a documentation page containing a list of additional third-party software update catalog providers.
Known issues
- The machine where the console is running is used to download the updates from WSUS and add it to the updates package. The WSUS signing certificate must be trusted on the console machine. If it isn't, you may see issues with the signature check during the download of third-party updates.
- The third-party software update synchronization service can't publish content to metadata-only updates that were added to WSUS by another application, tool, or script, such as SCUP. The Publish third-party software update content action fails on these updates. If you need to deploy third-party updates that this feature doesn't yet support, use your existing process in full for deploying those updates.
- Configuration Manager has a new version for the catalog cab file format. The new version includes the certificates for the vendor's binary files. These certificates are added to the Certificates node under Security in the Administration workspace once you approve and trust the catalog.
  - You can still use the older catalog cab file version as long as the download URL is https and the updates are signed. The content will fail to publish because the certificates for the binaries aren't in the cab file and already approved. You can work around this issue by finding the certificate in the Certificates node, unblocking it, then publish the update again. If you're publishing multiple updates signed with different certificates, you'll need to unblock each certificate that is used.
  - For more information, see status messages 11523 and 11524 in the below status message table.
- When the third-party software update synchronization service on the top-level software update point requires a proxy server for internet access, digital signature checks may fail. To mitigate this issue, configure the WinHTTP proxy settings on the site system. For more information, see Netsh commands for WinHTTP.
- When using a CMG for content storage, the content for third-party updates won't download to clients if the Download delta content when available client setting is enabled.
- If the catalog provider has changed the catalog's signing certificate since you last approved it or subscribed, the catalog sync will fail until the certificate is approved in the Certificates node. For more information, see MessageID 11508 in status messages table.
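Several passages on this page depend on the WSUS signing certificate being trusted: the remote SUP export step, the client setting, and the first known issue above. The following added example (not part of the original page) reports that trust on whichever machine it runs on. The function name is hypothetical, and AcceptTrustedPublisherCerts is the registry value behind the Windows Update policy for signed intranet updates, which the page describes but does not name.

```powershell
# Added example, not from the original page. Run elevated on the machine to
# check: the console machine, the remote SUP, or a client.
function Test-WsusSigningCertTrust {
    param(
        # Thumbprint(s) of the WSUS signing certificate. When omitted, read them
        # from the local computer's WSUS store, which exists on a WSUS server.
        [string[]]$Thumbprint
    )
    if (-not $Thumbprint) {
        if (-not (Test-Path 'Cert:\LocalMachine\WSUS')) {
            throw 'No WSUS certificate store on this machine; pass -Thumbprint.'
        }
        $Thumbprint = @(Get-ChildItem 'Cert:\LocalMachine\WSUS').Thumbprint
    }

    # Windows Update agent policy that allows signed updates from an intranet
    # Microsoft update service location (value name is an addition, see lead-in).
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    foreach ($tp in $Thumbprint) {
        # Strip spaces and invisible characters that come along when a
        # thumbprint is copied out of the certificate dialog.
        $tp = ($tp -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if (-not $tp) { continue }
        $cert = Get-ChildItem "Cert:\LocalMachine\TrustedPublisher\$tp" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Thumbprint           = $tp
            InTrustedPublisher   = [bool]$cert
            # A self-signed certificate must also be a trusted root; a PKI
            # certificate chains to a root CA instead, so False is normal there.
            InTrustedRoot        = Test-Path "Cert:\LocalMachine\Root\$tp"
            Expired              = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            SignedUpdatesAllowed = ($policy -eq 1)
        }
    }
}

# Manual path from the page: export on the SUP, then import where trust is missing.
#   Export-Certificate -Cert (Get-Item Cert:\LocalMachine\WSUS\<thumbprint>) -FilePath .\wsus-signing.cer
#   Import-Certificate -FilePath .\wsus-signing.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
#   Import-Certificate -FilePath .\wsus-signing.cer -CertStoreLocation Cert:\LocalMachine\Root
```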
Status messages
MessageID | Severity | Description | Possible cause | Possible solution |
---|---|---|---|---|
11508 | Error | Failure when checking signature for catalog <catalog name> to WSUS. Make sure the catalog is subscribed and the catalog certificate <certificate> is not blocked. See SMS_ISVUPDATES_SYNCAGENT.log for further details. | The signing certificate on the catalog may have changed since it was originally subscribed or last approved. | Make sure to review and approve the certificate in the Certificates node to allow the catalog to synchronize. |
11516 | Error | Failed to publish content for update "Update ID" because the content is unsigned. Only content with valid signatures can be published. | Configuration Manager doesn't allow unsigned updates to be published. | Publish the update in an alternate way. See if a signed update is available from the vendor. |
11523 | Warning | Catalog "X" does not include content signing certificates, attempts to publish update content for updates from this catalog may be unsuccessful until content signing certificates are added and approved. | This message can occur when you import a catalog that is using an older version of the cab file format. | Contact the catalog provider to obtain an updated catalog that includes the content signing certificates. The certificates for the binaries aren't included in the cab file so the content will fail to publish. You can work around this issue by finding the certificate in the Certificates node, unblocking it, then publish the update again. If you're publishing multiple updates signed with different certificates, you'll need to unblock each certificate that is used. |
11524 | Error | Failed to publish update "ID" due to missing update metadata. | The update may have been synchronized to WSUS outside of Configuration Manager. | Synchronize the update with Configuration Manager before attempting to publish its content. If an external tool was used to publish the update as Metadata only, then use the same tool to publish the update content. |
PowerShell
You can use the following PowerShell cmdlets to automate the management of third-party updates in Configuration Manager:
- Get-CMThirdPartyUpdateCatalog
- New-CMThirdPartyUpdateCatalog
- Remove-CMThirdPartyUpdateCatalog
- Set-CMThirdPartyUpdateCatalog
- Publish-CMThirdPartySoftwareUpdateContent
- Get-CMThirdPartyUpdateCategory
- Set-CMThirdPartyUpdateCategory
Posted by: kellymajects.blogspot.com