Patch My Pc Third Party Updates
Elfreda Dasovich
The Third-Party Software Update Catalogs node in the Configuration Manager console allows you to subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients.
In version 2006 and earlier, Configuration Manager doesn't enable this feature by default. Before using it, enable the optional feature Enable third party update support on clients. For more information, see Enable optional features from updates.
When setting the third-party updates WSUS signing certificate configuration to Configuration Manager manages the certificate in the Software Update Point Component Properties, the following configurations are required to allow the creation of the self-signed WSUS signing certificate:
The WSUS server connection account can be identified by viewing the Proxy and Account Settings tab on the Site System role properties of the SUP. If an account is not specified, the site server's computer account is used.
If you enable this option, you can subscribe to third-party update catalogs in the Configuration Manager console. You can then publish those updates to WSUS and deploy them to clients. The following steps should be run once per hierarchy to enable and set up the feature for use. The steps may need to be rerun if you ever replace the top-level SUP's WSUS server.
You'll need to decide if you want Configuration Manager to automatically manage the third-party WSUS signing certificate using a self-signed certificate, or if you need to manually configure the certificate.
If you don't have a requirement to use PKI certificates, you can choose to automatically manage the signing certificates for third-party updates. The WSUS certificate management is done as part of the sync cycle and gets logged in the wsyncmgr.log.
Enable third-party updates on the clients in the client settings. The setting sets the Windows Update agent policy for Allow signed updates for an intranet Microsoft update service location. This client setting also installs the WSUS signing certificate to the Trusted Publisher store on the client. The certificate management logging is seen in updatesdeployment.log on the clients. Run these steps for each custom client setting you want to use for third-party updates. For more information, see the About client settings article.
Partner catalogs are software vendor catalogs that have their information already registered with Microsoft. With partner catalogs, you can subscribe to them without having to specify any additional information. Catalogs that you add are called custom catalogs. You can add a custom catalog from a third-party update vendor to Configuration Manager. Custom catalogs must use https and the updates must be digitally signed.
When you subscribe to a third-party catalog in the Configuration Manager console, the metadata for every update in the catalog are synced into the WSUS servers for your SUPs. The sync of the metadata allows the clients to determine if any of the updates are applicable. Perform the following steps for each third-party catalog to which you want to subscribe:
When you subscribe to a third-party software update catalog, the certificate that you review and approve in the wizard is added to the site. This certificate is of type Third-party Software Updates Catalog. You can manage it from the Certificates node under Security in the Administration workspace.
Once the third-party updates are in the All Updates node, you can choose which updates should be published for deployment. When you publish an update, the binary files are downloaded from the vendor and placed into the WSUSContent directory on the top-level SUP.
When you publish third-party software update content, any certificates used to sign the content are added to the site. These certificates are of type Third-party Software Updates Content. You can manage them from the Certificates node under Security in the Administration workspace.
On the Download Locations page of the Deploy Software Updates Wizard, select the default option to Download software updates from the internet. In this scenario, the content is already published to the software update point, which is used to download the content for the deployment package.
Clients will need to run a scan and evaluate updates before you can see compliance results. You can manually trigger this cycle from the Configuration Manager control panel on a client by running the Software Updates Scan Cycle action.
V3 catalogs allow for categorized updates. When using catalogs that include categorized updates, you can configure synchronization to include only specific categories of updates to avoid synchronizing the entire catalog. With categorized catalogs, when you're confident you'll deploy a category, you can configure it to automatically download and publish to WSUS.
In the Configuration Manager console, go to the Software Library workspace. Expand Software Updates and select the Third-Party Software Update Catalogs node.
Choose if you want to Stage update content for the catalog. When you stage the content, all updates in the selected categories are automatically downloaded to your top-level software update point meaning you don't need to ensure they're already downloaded before deploying. You should only automatically stage content for updates you are likely to deploy to avoid excessive bandwidth and storage requirements.
If you need to change any of the information here, you have to add a new custom catalog.
Provided the download URL is unchanged, the existing catalog must be removed before one with the same download URL can be added.
In the Third-Party Software Update Catalogs node, right-click on the catalog and select Unsubscribe to stop synchronizing the catalog.
You can also use the Unsubscribe option from the ribbon. When you unsubscribe from a catalog, the approval for catalog signing and update content certificates are removed. Existing updates aren't removed, but you may not be able to deploy them. With custom catalogs, you also have the option of deleting it after you've unsubscribed. Select Delete Custom Catalog from either the ribbon or the right-click menu for the catalog. Deleting the custom catalog removes it from view in the Third-Party Software Update Catalogs node.
Synchronization of third-party software updates is handled by the SMS_ISVUPDATES_SYNCAGENT component on the top-level default software update point. You can view status messages from this component, or see more detailed status in the SMS_ISVUPDATES_SYNCAGENT.log. This log is on the top-level software update point in the site system Logs folder. By default this path is C:\Program Files\Microsoft Configuration Manager\Logs. For more information on monitoring the general software update management process, see Monitor software updates.
To help you find custom catalogs that you can import for third-party software updates, there's a documentation page with links to catalog providers. Starting in Configuration Manager 2107, you can also choose More Catalogs from the ribbon in the Third-party software update catalogs node. Right-clicking on Third-Party Software Update Catalogs node displays a More Catalogs menu item. Selecting More Catalogs opens a link to a documentation page containing a list of additional third-party software update catalog providers.
The United States Cybersecurity and Infrastructure Security Agency recommends applying patches to protect against supply chain attacks and compromises, including in third-party software.
With our Power Bi and SSRS dashboards, you will be able to scan, identify, triage, and mitigate discovered vulnerabilities. Reporting and remediation are critical in requirements set forth by the National Institute of Standards and Technology (NIST).
Part of our company values is to create great experiences for our customers. As a result, we hire the best engineers in the industry to ensure that it will be a great experience if you ever need support.
Since the day we implemented 3rd party app patching through Patch My PC, we have achieved a more controlled but mainly fast way to update our clients. Our previous packaging process always took at least 1-2 weeks before an updated version of an app was available for deployment.
Our experience has been great! We used to use SCCM for Adobe and Java updates only, but now we are able to use it for all of our 3rd party software while still using SCCM. It has made our endpoints much more secure in an automatic way.
There's nothing like seeing our product live. During a live demo with an engineer we will showcase the product and answer any questions you may have. See for yourself how simple it is to use Patch My PC.
This article covers the steps to enable and configure third-party software updates using SCCM (ConfigMgr). You can use this SCCM third-party software updates deployment guide in your enterprise to setup 3rd party patching with SCCM.
The Third-Party Software Update Catalogs node in the Configuration Manager console allows you to subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients.
If you are planning to deploy third-party software updates using SCCM, there are a series of configurations that you require in place. I have covered the steps required to enable and configure SCCM Third-Party software updates. Refer to the guide on deploying software updates using SCCM.
d3342ee215