Once all is working in terms of connectivity, it takes a full sync for this to appear, which is by default every 7 days.
At this point, if you see errors along the lines of “Unable to connect to site database” in the ISV sync log on WSUS and the partner catalogs not being populated, check the permissions for the SUP machine account on the SCCM database.
Check the SMS_ISVUPDATES_SYNCAGENT.log for similar entries as in the image above for a success. Make sure your site system can connect to this URL. The go. link in the log re-directs to this page. The component connects to using the proxy configured for your site system (in this case the WSUS). The synchronization of the partner catalogs is triggered by the WSUS via the SMS_ISVUPDATES_SYNCAGENT component.
Issue 1:- Cannot see the partner catalogs list in console.
For more information, see Netsh commands for WinHTTP. To mitigate this issue, configure the WinHTTP proxy settings on the site system.
When the third-party software update synchronization service on the top-level software update point requires a proxy server for internet access, digital signature checks may fail.
If it isn't, you may see issues with the signature check during the download/sync of third-party updates. The WSUS signing certificate must be trusted on the console machine.
If using a PKI issued cert, make sure that authority is trusted on all relevant systems, including the client.
The client will also get the cert added to its trusted root with the next MEM CM client policy update. If the WSUS server connection account has remote admin permissions on the WSUS, this will be done by the system itself, but make sure these certs exist. If you are using the self-signed cert, the cert needs to be in the Trusted Publishers store and the Trusted Root store on the CAS and the WSUS.
Under HKLM\Software\Microsoft\Update Services\Server\Setup, create a new DWORD named EnableSelfSignedCertificates with a value of 1.
The WSUS server connection account should have remote registry permissions on the SUP/WSUS server.
Remote registry should be enabled on the SUP server.
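The certificate, registry and Remote Registry prerequisites above can be verified in one pass on the SUP/WSUS server. This is an added example, not code from the original post or from Microsoft; it assumes the self-signed certificate option, that the signing certificate sits in the LocalMachine\WSUS store, and an elevated PowerShell session. It only reads state and changes nothing.

```powershell
# Added example: read-only pre-flight check, run elevated on the SUP/WSUS server.
# Registry path and value name come from the text above. The store names
# (WSUS, TrustedPublisher, Root) are assumed to be the LocalMachine stores in use.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail })
}

# 1. EnableSelfSignedCertificates must be 1 when the self-signed cert is used.
$key = 'HKLM:\Software\Microsoft\Update Services\Server\Setup'
$val = (Get-ItemProperty -Path $key -Name EnableSelfSignedCertificates `
        -ErrorAction SilentlyContinue).EnableSelfSignedCertificates
Add-Result 'EnableSelfSignedCertificates' ($val -eq 1) "value = '$val'"

# 2. Remote Registry must be running so the site server can reach this machine.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
Add-Result 'RemoteRegistry service' ($svc.Status -eq 'Running') `
    "status = '$($svc.Status)', start type = '$($svc.StartType)'"

# 3. Every signing cert must also be in Trusted Publishers and Trusted Root.
$signing = @(Get-ChildItem Cert:\LocalMachine\WSUS -ErrorAction SilentlyContinue)
if (-not $signing) {
    Add-Result 'WSUS signing certificate' $false 'no certificate in LocalMachine\WSUS'
}
foreach ($cert in $signing) {
    foreach ($store in 'TrustedPublisher', 'Root') {
        $found = Test-Path "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
        Add-Result "Signing cert in $store" $found `
            "$($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }
}

# 4. WinHTTP proxy as the system sees it (informational, compare with the SUP proxy).
$proxy = (netsh winhttp show proxy | Out-String).Trim()
Add-Result 'WinHTTP proxy (informational)' $true $proxy

$results | Format-Table -AutoSize -Wrap
```

With a PKI-issued code signing cert, the Root store check on the leaf certificate does not apply; confirm instead that the issuing authority is trusted.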
Choose between the Configuration Manager generated self-signed WSUS certificate for signing third party updates and for this to work or choose your own code signing cert issued by your organisation.
Configure SSL on WSUS/SUP (the assumption is that it is remote).
Third party updates use the same proxy settings as the SUP, and the proxy should allow the required URLs for the respective update catalog for the sync to work.
Additional Pre-Requisites on the SUP as the SUP is remote in this case.
This connection goes out from the SUP, and if the SUP can get to the above said URL, the next full sync of the SUP, which is typically every 7 days, will populate the catalog entries. Only if this is allowed will the HP, Dell and Lenovo entries appear in the console. For partner catalog list, over HTTPS port 443 is needed.
The third-party software update synchronization requires internet access.
In our case the top level is the CAS and the SUP on CAS is configured to store the content. Enough disk space on the top-level update point’s WSUS Content folder to store the source binary for third party updates.
I know most of it is duplicated from the Microsoft docs site, but I will call it out just so you have it for reference while reading this blog. Both are catalogs published by third parties, but there is a difference in the way the communication flows for each, and hence why I am calling it out. Partner Catalogs are currently HP, Dell and Lenovo. There are two types of Catalogs in the MEM CM third party patching, Partner Catalogs and Custom Catalogs.