Configuring ConfigMgr for 3rd Party Updates

Scope: Easy2Patch (All Versions)

3rd Party settings on ConfigMgr

In the Administration\Overview\Site Configuration\Servers and Site System Roles node, right-click the Software Update Point role and open its Properties screen, then select the "Require SSL communication to the WSUS server" check box and click OK.

To require SSL communication to the WSUS server for SCCM 3rd party updates, you can follow these steps:

  1. Open the Configuration Manager console and go to Administration > Site Configuration > Servers and Site System Roles.

  2. Select the server that contains the Software Update Point role.

  3. In the Site System Roles pane, select the Software Update Point role and click Properties in the right-click menu.

  4. Select the site that you want to configure, and click on "Configure Site Components" in the ribbon.

  5. Go to the "General" tab.

  6. Check the box that says "Require SSL communication to the WSUS server".

  7. Click "OK" to save the changes.

To configure other settings for 3rd party updates in SCCM, you can follow these additional steps:

  1. Open the Configuration Manager console and go to Administration > Site Configuration > Sites.

  2. Select the site that you want to configure, and click on "Configure Site Components" in the ribbon.

  3. Click on "Software Update Point" and go to the "Third Party Updates" tab.

  4. Check the box that says "Enable third party updates".

  5. In the same screen, select the "Manually manage the certificate" option.

  6. Click "OK" to save the changes.

You can also configure additional settings for individual third-party update sources by selecting the "Third-Party Update Catalogs" node in the Configuration Manager console and then selecting the catalog that you want to configure. From there, you can configure settings such as proxy server settings, download location, and update categories.

Client Settings

Finally, enable 3rd party updates on clients. To do this, go to the "Client settings" node in the Administration pane.

  1. On the client settings screen, right-click "Default Client Settings" or the appropriate client update policy and open the properties screen.

  2. The Software Updates screen is displayed. On this screen, set "Enable third party software updates" to "Yes".

  3. Click OK to save the settings.

Security

User accounts with different authorizations may be needed to run and use the Easy2Patch software. User type and privileges will vary for each scenario.

Easy2Patch Application

To run and use the application, the logged-in user account must belong to the local Administrators group.

Easy2PatchSvc Service

The Easy2PatchSvc (Easy2Patch Service) service runs under the "Local System" account. It can be set to use a user account from the SCCM/WSUS settings screen.

SCCM Connection Account

SCCM jobs such as publishing updates and triggering synchronization require a user account created in Active Directory. This user account needs the following SCCM privileges.

  • Application: Read, Modify, Delete, Set Security Scope, Create, Move Object, Modify Folder

  • Software Updates: Read, Modify

  • Distribution Point: Read, Copy to Distribution Point

  • Distribution Point Group: Read, Copy to Distribution Point Group

  • Folder Class: Read, Modify, Create

  • Security Scopes: Read

  • Site: Read

SQL Connection Account

In order to view the number of systems on which the software is installed, a connection to the SCCM Server database system is required. The minimum permission required to make this connection can be given with the following SQL script. This SQL script is run on the SCCM database. The "CM_E2P" name and user account must be changed to suit your environment.

givePermSQL.sql
-- Replace the DB name that says E2P with the appropriate name in your environment
USE [CM_E2P]
GO

-- {Domain\Username | Domain\ServerName$} replace it with the appropriate user account
DECLARE @UserName nvarchar(128) = 'Domain\Username'
--DECLARE @UserName nvarchar(128) = 'Domain\ServerName$'
  
DECLARE @cmDBUserAccount nvarchar(128) = QUOTENAME(@UserName);

-- Create the Windows login at server level if it does not exist yet
IF NOT EXISTS(SELECT principal_id FROM sys.server_principals WHERE name = @UserName) BEGIN
    DECLARE @SQLLoginAccount as nvarchar(max);
    SET @SQLLoginAccount = N'CREATE LOGIN ' + @cmDBUserAccount + N' FROM WINDOWS';
    EXEC (@SQLLoginAccount);
END

-- Create the database user mapped to that login if it does not exist yet
IF NOT EXISTS(SELECT principal_id FROM sys.database_principals WHERE name = @UserName) BEGIN
    DECLARE @UserSQL as nvarchar(max);
    SET @UserSQL = N'CREATE USER ' + @cmDBUserAccount + N' FOR LOGIN ' + @cmDBUserAccount;
    EXEC (@UserSQL);
END

-- Grant read-only access to the views used for installation counts.
-- nvarchar(max) is used because a varchar(500) buffer silently truncates
-- the batch when the quoted account name is long, and loses Unicode names.
DECLARE @GivePermSQL as nvarchar(max);
SET @GivePermSQL = N'GRANT SELECT ON [dbo].[v_FullCollectionMembership] TO ' + @cmDBUserAccount +
    N' GRANT SELECT ON [dbo].[v_GS_ADD_REMOVE_PROGRAMS] TO ' + @cmDBUserAccount +
    N' GRANT SELECT ON [dbo].[v_Collection] TO ' + @cmDBUserAccount +
    N' GRANT SELECT ON [dbo].[v_GS_ADD_REMOVE_PROGRAMS_64] TO ' + @cmDBUserAccount +
    N' GRANT SELECT ON [dbo].[v_Add_Remove_Programs] TO ' + @cmDBUserAccount +
    N' GRANT SELECT ON [dbo].[v_R_System] TO ' + @cmDBUserAccount +
    N' GRANT SELECT ON [dbo].[v_GS_INSTALLED_SOFTWARE] TO ' + @cmDBUserAccount;
EXEC (@GivePermSQL);
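
The check below is an added example, not part of the vendor's script: it compares the rights the SQL connection account actually holds in the ConfigMgr database with the seven SELECT grants in givePermSQL.sql and reports anything missing or beyond that minimum. It reuses the page's placeholder database and account names; the finding labels (MISSING, UNEXPECTED, ROLE MEMBER) are choices made for this example.

```sql
-- Added example, not vendor code: audit what the account can actually do.
USE [CM_E2P];  -- placeholder database name, as in givePermSQL.sql
GO

DECLARE @UserName sysname = N'Domain\Username';  -- placeholder account, as above

-- The seven views givePermSQL.sql grants SELECT on (all in schema dbo).
DECLARE @Expected TABLE (ViewName sysname PRIMARY KEY);
INSERT INTO @Expected (ViewName) VALUES
    (N'v_FullCollectionMembership'), (N'v_GS_ADD_REMOVE_PROGRAMS'),
    (N'v_Collection'), (N'v_GS_ADD_REMOVE_PROGRAMS_64'),
    (N'v_Add_Remove_Programs'), (N'v_R_System'), (N'v_GS_INSTALLED_SOFTWARE');

-- Explicit permission rows for the account; COLLATE avoids catalog-collation clashes.
WITH Actual AS (
    SELECT p.class, p.state,
           p.permission_name COLLATE DATABASE_DEFAULT AS PermissionName,
           p.state_desc COLLATE DATABASE_DEFAULT AS StateDesc,
           CASE WHEN p.class = 1   -- 1 = object or column, 0 = database
                THEN OBJECT_SCHEMA_NAME(p.major_id) + N'.' + OBJECT_NAME(p.major_id)
                ELSE p.class_desc COLLATE DATABASE_DEFAULT END AS Target
    FROM sys.database_permissions AS p
    JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
    WHERE u.name = @UserName
)
SELECT N'MISSING' AS Finding, N'SELECT' AS Detail, N'dbo.' + e.ViewName AS Target
FROM @Expected AS e
WHERE NOT EXISTS (SELECT 1 FROM Actual AS a
                  WHERE a.class = 1 AND a.state IN ('G', 'W')
                    AND a.PermissionName = N'SELECT' AND a.Target = N'dbo.' + e.ViewName)
UNION ALL
SELECT N'UNEXPECTED', a.StateDesc + N' ' + a.PermissionName, a.Target
FROM Actual AS a
WHERE NOT (a.class = 0 AND a.PermissionName = N'CONNECT')  -- added by CREATE USER
  AND NOT (a.class = 1 AND a.state = 'G' AND a.PermissionName = N'SELECT'
           AND EXISTS (SELECT 1 FROM @Expected AS e WHERE N'dbo.' + e.ViewName = a.Target))
UNION ALL
SELECT N'ROLE MEMBER', r.name COLLATE DATABASE_DEFAULT, N'(database role)'
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @UserName;
```

An empty result means the account holds exactly the seven grants plus CONNECT. Rights inherited through Windows group logins or server roles do not appear in these catalog views and need a separate review.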
