As of Configuration Manager Current Branch 1806 it is now possibly to natively subscribe to third party software catalogs and deploy third party updates. There is no longer a need for System Center Updates Publisher (SCUP).
Currently there is one shortcoming in the feature: regular deployments of third-party updates are working fine, but when using the Install Software Updates step in an OSD Task Sequence the third-party updates are not installing. This may go unnoticed as the Task Sequence does not error out.
Initial investigation shows this is most likely because of the WSUS signing certificate only being installed on the client when Software Updates client policy lands after the task sequence has completed. This is logged in the UpdatesDeployment.log :
As a result the third-party updates cannot be installed during the task sequence.
From a security perspective most organizations will want their devices fully patched before they leave the deployment bench. Also from an end-user experience perspective the experience is suboptimal when booting your new device for the very first time … just to have it install new updates (and potentially reboot).
Hopefully we will see this fixed in an upcoming release of Configuration Manager – to help speed up the process and make sure this gets some attention, please make sure to vote up this entry on User Voice.
Thanks – and until next time.
