Microsoft

System Center Configuration Manager Feedback

Suggestion box powered by UserVoice

How can we improve Configuration Manager?

3rd Party Patching - SCUP Integration with SCCM Console

Integrate the SCUP tool on to SCCM Admin Console. This will give a single pane of glass view for all patching activities (including importing 3rd party patches).

3,792 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Prasanna K Jayapal [Microsoft ConfigMgr Product Team] shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
    started  ·  Admindjam (Admin, System Center Configuration Manager) responded  · 

    Phase one of these changes are in 1803 tp, as well as 1802 production. We will continue to add more integration in the future with a huge chunk coming for 1806 production.

    Updating to note the improvements went in to 1802:

    Automatically importing WSUS signing certificate (which is used to sign third party updates) into the SCCM database, and then that certificate is pushed down to clients Trusted Publisher certificate store. (If admin enables this on the SUP top level site components configuration).

    Enabling “Allow signed updates from an intranet Microsoft updates service location” group policy on clients, which tells Windows to allow them to install 3rd party signed updates during normal Software Updates sync/install (if admin enables this in Software Updates client agent settings).

    86 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • Jeremy Cooper commented  ·   ·  Flag as inappropriate

        I would also love to see this functionality work within the OSD. As an example if you are completing an OSD you need to manually add the certs to the correct stores, and set the reg key to enable the SCUP updates to install. We do this now with a GPO, but doesn't apply during OSD for obvious reasons.

      • Anonymous commented  ·   ·  Flag as inappropriate

        So this just enables something that anyone who's already using SCUP already has enabled?

      • Steven commented  ·   ·  Flag as inappropriate

        This feature request was written almost 3 years ago; since then you just simplified the cert deployment and the GPO setting. Hilarious. We've had these features on lock in other means a CA for the cert deployment and GPO for the enablement of 3rd party updates already. What is coming for 1806 so we don't get 'teased' again. Please share your thoughts!

      • Andres Pae commented  ·   ·  Flag as inappropriate

        Its a good start, but I feels it is to late. Problem is that only some of 3rd party publishes are publishing his product updates in catalog. It is something that MS cant provide or request to do. Maybe there is to less "momentum" for going catalog way for 3praty vendors. It is to complex, less used. For God sake - even MS Skype is not patched via MS updates catalog. To be honest - this technology was avail many-many years, yes, it is inconvenient, but works. But no CONTENT ( ie patches to version, or upgrades to new version). If this is resolved - then - big applause!

      • bdam commented  ·   ·  Flag as inappropriate

        Great to see this started. I'd like to suggest that 'integration' needs to be more than skin-deep. Just getting SCUP's GUI into the ConfigMan console would be a good start but I'd argue that true integration into the update workflow is much more important. The goal should be total automation where third party updates function no differently then first party. The sync (manual or scheduled) brings in newly released updates from the catalog and ADRs can deploy them.

        Bonus points for allowing the automation of modifications to the command lines used based on vendor/product. Thinking of apps like Java and flash where different companies will want different parameters used to prevent auto-updating, desktop icons, and the like.

      • Richard Archer commented  ·   ·  Flag as inappropriate

        @Troy, according to the SCUP Preview announcement (https://cloudblogs.microsoft.com/enterprisemobility/2017/07/03/system-center-updates-publisher-june-2017-preview-is-now-available/) they're unrelated:

        "This preview is to enable SCUP 2011 features on our newest OSes and is not directly related to work that is planned for Configuration Manager Console Integration. For the latest news about that, please see the UserVoice item here."

      • Troy commented  ·   ·  Flag as inappropriate

        Some update on this would be great. Wondering if it got cancelled since the SCUP Preview got released?

      • Andrew T commented  ·   ·  Flag as inappropriate

        One thing to add - I had a problem with one of the major PC vendors who offers SCUP catalogs. Once the update metadata contained a circular reference, so when it was imported into WSUS on my SUPs all software update functionality basically broke - Ken has a good blog post of the issue here - https://blogs.technet.microsoft.com/ken_brumfield/2014/08/24/whoa-wuau-what-the-heck-is-with-the-circular-references-0x8024000f/

        It would be cool if part of these improvements to 3rd party patching, extra checks could be added to "protect" WSUS/SCCM from bugs like this in the 3rd party updates

      • Benoit Machiavello commented  ·   ·  Flag as inappropriate

        Come on MS please tell us more. It would be a massive improvement to be able to patch 3rd party software easily in SCCM

      • JS commented  ·   ·  Flag as inappropriate

        It would be great if Microsoft will provide a little bit more information on when we can expect this in a technical preview.

      • Aaron Buckley commented  ·   ·  Flag as inappropriate

        How're we looking on this, SCCM team? Just came from Ignite 2017 and I don't think I saw an announcement on this!

      • Michael McAlpine commented  ·   ·  Flag as inappropriate

        I'd love to see this feature, even if it's just for a few applications. I know I can manually audit for Java versions & deprecate old versions, but something closer to the way Ninite works would be amazing.

      ← Previous 1 3 4 5

      Feedback and Knowledge Base