In this post I will show you how to install Dell and Lenovo third-party updates using SCCM. With proper configuration we can easily deploy the 3rd party updates which are available as partner catalog for Dell, Lenovo and HP. This is just not limited to these 3 vendors only, we can add custom catalog as well such as Adobe or any other.
Requirement for configuring third-party updates
Configuring of SSL is one of the most important steps on WSUS and SUP setting. Enabling of SSL on SUP is only required when it’s remote.
Configure SSL on WSUS One of the important configurations is to configured SSL on WSUS which is used as Software Update Point Site System role. Follow the link on how to configure WSUS / SUP to use SSL for communication which will show you how to configure it. This consists of creating Web Server certificate through internal certificate authority for WSUS and enabling few of the web services directory to use SSL.
Configure SSL on SUP : This is a straight forward setting by enabling the check box “Require SSL communication to the WSUS server”. This setting can be found by launching Configuration manager console and navigating to AdministrationOverviewSite ConfigurationServers and Site System Roles and select the Site System Role with SUP installed. Under bottom pane (Site System Roles), double click Software update point role to open properties. Just check the box under WSUS Configuration showing “Require SSL communication”.
Process to enable third-party updates
The process consists of several steps which publishes the third-party updates to Software update point (SUP) which can further be deployed to the clients. Belo mentioned process is valid for 3 kinds of partner catalogs such as:
- Dell
- Lenovo
- HP
Enable third-party updates on SUP
On Configuration Manager console, navigate to AdministrationOverviewSite ConfigurationSites, select the site and click on Configure Site Components > Software update point.
This will open Software Update Point Component Properties, click on Third Party Updates. Here you have to check the box “Enable third-party software updates”.
We also need to generate code signing certificate for WSUS signing certificate configuration. We have 2 options:
- Configuration Manager manages the certificate – Selecting this option automatically manages the WSUS signing certificate.
- Manually manage the certificate – You need to manually configure the certificate using PKI certificate or using System Center Updates Publisher (SCUP).
Let’s select Configuration Manager manages the certificate which will generate the certificate for you automatically.
Click on ok. Current WSUS signing certificate details will not be generated immediately.
You have to wait for next sync to happen or you can initiate it manually.
Once sync is completed, you will see certificate details got generated.
Generation of third-party signing certificate can be seen under wsyncmgr.log:
Successfully inserted new WSUS signing certificate with thumbprint
You can also verify this certificate under local computer store on SUP. Launch certlm.msc to open Certificates- Local computer. You will see newly created folder WSUS > Certificates. WSUS Publishers Self-signed certificate will be visible.
Enable third-party updates on Clients
Clients will not get third-party updates until unless it is not enabled in client settings. Navigate to AdministrationOverviewClient Settings, select existing Client settings. Under Software Updates:
Enable third party software updates, change the value to Yes.
Subscribe the Partner Catalog (Dell / Lenovo)
Once the sync is completed, partner catalog for Dell, HP and Lenovo will be created. Navigate to Software LibraryOverviewSoftware UpdatesThird-Party Software Update Catalogs, you will be able to see 3 Publisher Name:
- Dell : Dell Business Client Updates Catalog
- HP: HP Client Updates Catalog
- Lenovo: Lenovo Updates
These are the 3 partner’s catalog got enable with the options we selected previously. We can also add custom catalog by clicking on Add Custom Catalog for Adobe and others.
Subscribe to Catalog
Select Dell and click on Subscribe to Catalog.
This will launch Third-party Software Updates Wizard with Download URL for CAB file already listed (https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab), this happened automatically as this is Partner Catalog (not custom catalog), click Next.
Catalog will be downloaded, click Next.
Under Review and approve > Approval to subscribe, you can view the certificate for Dell. Click on “I have read and understood this message” and click Next.
Under Select Categories, we will have options to select update categories. I click on Select categories for Synchronization by selecting few devices only, click Next.
Under Stage update content, select Do not stage content, synchronize for scanning only (recommended) as we don’t want to download everything.
Under Set custom schedule, specify the synchronization schedule which will run weekly / daily based upon the settings specified, click Next.
Verify the Summary and click Next to initiate the process.
This will initiate the sync and after waiting for some time, we can see the Last sync status as “Success”.
You can view the synchronization of Dell updates through log file SMS_ISVUPDATES_SYNCAGENT.log located under <Microsoft configuration Manager Install location>logs with following info:
SyncUpdateCatalog: Starting download for catalog 'Dell Business Client Updates Catalog' from 'https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab' ...
SyncUpdateCatalog: Downloading file: 'https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab' to 'D:Program FilesMicrosoft Configuration ManagerISVTempkq30oqbe.mb1DellSDPCatalogPC.cab'.
SyncUpdateCatalog: Download from 'https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab' completed successfully.
SyncUpdateCatalog: SyncUpdateCatalog : 41a7ad54-9744-4779-acd8-bf596e11e12f - Completed.
Enable Dell Products under Software Update Point Component
As the first level of sync is completed for Dell, this would have created the catalog entry under All products. Navigate to AdministrationOverviewSite ConfigurationSites. Under Configure Site Components > Software Update Point > Products tab, we can see Dell category available, select the options and click on OK.
Initiate then sync by navigating to Software LibraryOverviewSoftware UpdatesAll Software Updates and click on Synchronize Software Updates.
Once the sync is completed, we can see all Dell drivers available under All Software Updates.
The sync status of Dell drivers can be verified through log file wsyncmgr.log
Requested categories: Company=Adobe, Company=Dell, Product=Windows 10 and later drivers, Product=Windows 10, version 1903 and later, Servicing Drivers, Product=Office 2016, Product=Microsoft 365 Apps/Office 2019/Office LTSC, Product=Windows 11, Product=Microsoft SQL Server 2019, Product=Windows 10, Product=Windows 10, version 1903 and later, Product=Windows 10, version 1903 and later, Upgrade & Servicing Drivers, Product=Windows 11 Client, version 22H2 and later, Upgrade & Servicing Drivers, UpdateClassification=Security Updates, UpdateClassification=Update Rollups, UpdateClassification=Upgrades, UpdateClassification=Updates, UpdateClassification=Definition Updates, UpdateClassification=Critical Updates
Synchronizing update 7aa07c64-b6a7-4e7f-a520-470796344cfc - Dell Command | Update Windows Universal Application,4.4.0,A00
Synchronizing update 0c3c779b-80a8-441a-b7a8-facd9123a162 - Dell OpenManage Inventory Agent(for Dell Business Client Systems), 3.7.4.0
Publish Third-party Software Update Content
The job is still not completed, though updates are available, we need to publish them. Before publishing the icon of the update is of Blue colour and Content information of the update is also blank.
Right click the specific update / updates you want to publish and select Publish Third-Party Software Update Content.
You can again verify the downloading of metadata in SMS_ISVUPDATES_SYNCAGENT.log. This has just downloaded the metadata but not the actual update.
One another sync is required for All software Updates, this can be checked through wsyncmgr.log which will eventually do the sync with 3rd party updates and make the metadata available in SCCM database.
Once this is done, you can see the icon changed to Green and Content information status of specific driver update is also visible. Another change we can see is: Metadata Only showing as No as it contains complete information of updates unlike other Dell updates which are still showing “Metadata Only” as “Yes”.
Download and Deploy Dell Driver updates
We are ready to download the drivers. It will take some time to show the count for Required updates as devices has to go through next Software Update Scan Cycle. Once this is done, you will be seeing few systems showing the update as required if they have old drivers.
Select the driver, right click and select Download.
Select “Create a new deployment package”, provide name and Package source location. Click Next.
On Distribution Points page, add DP and click Next.
On Distribution Settings, click on “Automatically download content when packages are assigned to distribution points” and click Next.
On Download Location, click on Download software updates from the Internet and click Next.
Verify the Summary and click Next to start downloading the update.
Once downloaded you will see the completion message info.
You may verify the downloading of driver updates through Patchdownloader.log with following info:
Contentsource = http://sccm01.manban.com:8530/Content/64/3A0BE110C6E03BD2F7215D97243D30B6C2EDDB64.cab .
Query to run: select f.FileName, c.ContentUniqueID from SMS_CIToContent c join SMS_CIContentFiles f on c.ContentID = f.ContentID where c.ContentID in (16787543) and f.FileHash = 'SHA1:3A0BE110C6E03BD2F7215D97243D30B6C2EDDB64'
File does not exist under current download destination.
Query to run: select f.FileName, ct.ContentSource from SMS_CIToContent c join SMS_CIContentFiles f on c.ContentID = f.ContentID join SMS_Content ct on c.ContentID = ct.ContentID where c.ContentDownloaded = 1 and f.FileHash = 'SHA1:3A0BE110C6E03BD2F7215D97243D30B6C2EDDB64' Checking machine config Created hard link: \localhostd$SourceSoftware UpdateDell R001c3c779b-80a8-441a-b7a8-facd9123a162.1ac4880f8-64ad-40f5-9a58-e88c6693b698_1.cab -> \localhostd$SourceSoftware UpdateDellc3c779b-80a8-441a-b7a8-facd9123a162ac4880f8-64ad-40f5-9a58-e88c6693b698_1.cab. Content already downloaded. Created link for ContentID = 16787543, FileName = ac4880f8-64ad-40f5-9a58-e88c6693b698_1.cab. Renaming \localhostd$SourceSoftware UpdateDell R001c3c779b-80a8-441a-b7a8-facd9123a162.1 to \localhostd$SourceSoftware UpdateDell R001c3c779b-80a8-441a-b7a8-facd9123a162 Successfully moved \localhostd$SourceSoftware UpdateDell R001c3c779b-80a8-441a-b7a8-facd9123a162.1 to \localhostd$SourceSoftware UpdateDell R001c3c779b-80a8-441a-b7a8-facd9123a162
Dell driver update patch is downloaded and ready to deployed further.
Conclusion
Deploying third-party updates looks like a complex process. But this is all about securing your WSUS with SSL and creating Code signing certificate. If we follow proper instructions (lots of Microsoft documentation also available), we can make this task easy. Rest other things on Configuration manager to enable third-party updates are pretty much easy to implement. Previously SCUP (System Center Update Publisher) was the only option available for deploying third-party updates but with new changes with configuration manager, this has now become possible.
The process remains the same for Lenovo and HP Partner Catalog. Though for Custom Catalog such as Adobe and others, it is not totally different for initial configuration, but for publishing the catalog you have to add custom catalog which is not published automatically as part of enabling third-party updates.
Important Links
Enable third-party updates – Configuration Manager | Microsoft Docs
Available third-party software update catalogs – Configuration Manager | Microsoft Docs
