This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 42%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Errors below received when attempting to sync Dell third-Party Software Update Catalog. Dell updates such as BIOS are appearing under All Software Updates, but the sync will not show as successful. Already tried unsubscribing and re-subscribing.
SyncUpdateCatalog: Unexpected error during synchronization of catalog SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
SyncUpdateCatalog: ==================== Exception Detail Start ======================= SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
SyncUpdateCatalog: Exception type: WsusObjectNotFoundException SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
SyncUpdateCatalog: Exception HRESULT: -2146233088 SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
SyncUpdateCatalog: Exception Message: Cannot publish package, the following Prerequisites haven't been published yet.~~c85d3eef-07cd-4ee8-858d-7d2b1b9d7246, ff87fb86-3b4e-498b-946f-d162fb06e517, 45918db7-d45d-47d1-803c-74d4fef63688, c0ff1b23-3edb-4e85-9d11-3621b4e4393b SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
SyncUpdateCatalog: Exception source Microsoft.UpdateServices.BaseApi SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
SyncUpdateCatalog: Exception TargetSite Void VerifyPackageRulesAndState() SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
SyncUpdateCatalog: Stack at Microsoft.UpdateServices.Internal.BaseApi.Publisher.VerifyPackageRulesAndState()~~ at Microsoft.UpdateServices.Internal.BaseApi.Publisher.RevisePackage()~~ at Microsoft.UpdateServices.Internal.BaseApi.Update.ExpirePackage()~~ at Microsoft.ConfigurationManager.ISVUpdatesSyncAgent.WSUS.UpdateServicesWrapper.ExpireUpdate(ILogger logger, ISoftwareDistributionPackageWrapper updateSdp)~~ at Microsoft.ConfigurationManager.ISVUpdatesSyncAgent.SyncUpdateCatalog.PublishUpdate(PublishStateEvaluator wsusEvaluator, ISoftwareDistributionPackageWrapper updateSdp, PublishAction updatePublishAction, CategoryPublishOption categoryStatus, List1 successList, List1 failedList)~~ at Microsoft.ConfigurationManager.ISVUpdatesSyncAgent.SyncUpdateCatalog.PublishUpdates()~~ at System.Threading.Tasks.Task`1.InnerInvoke()~~ at System.Threading.Tasks.Task.Execute()~~--- End of stack trace from previous location where exception was thrown ---~~ at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()~~ at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)~~ at Microsoft.ConfigurationManager.ISVUpdatesSyncAgent.SyncUpdateCatalog.<DoWorkImplementation>d__19.MoveNext() SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
SyncUpdateCatalog: ===================== Exception Detail End ======================== SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_CATALOG_SYNC_FAILED). SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:36:33 AM 2068 (0x0814)
Errors below when attempting to publish a third party update from any third party vendor, not just Dell. Already confirmed the WSUS Code Signing Certificate is installed in the correct local computer certificate locations (Trusted Publishers and trusted root containers) on the site server, remote wsus server, remote SUSDB server, and MECM console client (also fails when syncing from site server). I also confirmed I can download the dell .cab directly. I already tried re-creating a new WSUS Code Signing Certificate with same results.
The EnableSelfSignedCertificates registry entry (HKLM\Software\Microsoft\Update Services\Server\Setup, DWORD named EnableSelfSignedCertificates with a value of 1) has also been added to the site server, remote wsus server, and remote SUSDB server. The WSUS Code Signing Certificate along with Dell certs are unblocked in the ConfigMgr console under Administration>Security>Certificates.
I'm wondering if having a SUSDB that is on a remote SQL server separate from the remote WSUS server is not supported for third party updates vs. having WSUS and the SUSB on the same server. I'm looking for clarification on this and a solution other than having to rebuild WSUS.
SyncUpdate: 0c9dd6bc-56fe-4bfc-bf57-077feb52c56f - Download of is 96 percent completed. SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:24 AM 5336 (0x14D8)
SyncUpdate: 0c9dd6bc-56fe-4bfc-bf57-077feb52c56f - Successfully completed download of content from 'https://downloads.dell.com/FOLDER08416075M/1/OptiPlex_XXXX_1.11.0.exe' to 'E:\SMS\ISVTemp\lftf1ep1.dho\OptiPlex_XXXX_1.11.0.exe. SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:24 AM 1280 (0x0500)
SyncUpdate: File 'E:\SMS\ISVTemp\lftf1ep1.dho\OptiPlex_XXXX_1.11.0.exe' appears to be signed, retrieved certificate, checking signature... SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:24 AM 5176 (0x1438)
SyncUpdate: 0c9dd6bc-56fe-4bfc-bf57-077feb52c56f - Signature check on download binary has completed. SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:25 AM 5176 (0x1438)
SyncUpdate: 0c9dd6bc-56fe-4bfc-bf57-077feb52c56f - Calling WSUS to add content for 'Dell OptiPlex XXXX System BIOS,1.11.0,1.11.0' (Update:'0c9dd6bc-56fe-4bfc-bf57-077feb52c56f') Vendor 'Dell' Product:'Bios' SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:25 AM 8976 (0x2310)
SyncUpdate: InvalidException occurred in update server API Publish SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: ==================== Exception Detail Start ======================= SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: Exception type: InvalidOperationException SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: Exception HRESULT: -2146233079 SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: Exception Message: Failed to sign package; error was: 2148081670 SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: Exception source Microsoft.UpdateServices.BaseApi SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: Exception TargetSite Void SignPackageCab(Boolean, System.String) SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: Stack at Microsoft.UpdateServices.Internal.BaseApi.Publisher.SignPackageCab(Boolean dualSign, String httpTimeStamp)~~ at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String additionalSourcePath, String packageDirectoryName, Boolean dualSign, String httpTimeStamp)~~ at Microsoft.ConfigurationManager.ISVUpdatesSyncAgent.WSUS.UpdateServicesWrapper.AddContentForUpdate(ILogger logger, ISoftwareDistributionPackageWrapper updateSdp, String contentLocation, StatusMessageReporter statusMessageReporter) SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: ===================== Exception Detail End ======================== SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: Verify the WSUS signing certificate has been configured properly: SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: 1) The signing certificate must not be expired. SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: 2) The signing certificate must be in the Trusted Publishers container on the WSUS server. SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: 3) If using self-signed certificates, the certificate must also be in the trusted root container on the WSUS server. SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: 4) If using PKI certificates, the certificate must have been issued by a trusted CA. SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_PUBLISH_FAIL_CERTCONFIG). SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
SyncUpdate: 0c9dd6bc-56fe-4bfc-bf57-077feb52c56f - Failed to add content for 'Dell OptiPlex XXXX System BIOS,1.11.0,1.11.0' (Update:'0c9dd6bc-56fe-4bfc-bf57-077feb52c56f') Vendor 'Dell' Product:'Bios' to WSUS. SMS_ISVUPDATES_SYNCAGENT 6/7/2022 10:42:57 AM 8976 (0x2310)
I also verified the following:
Confirmed the WsusContent and UpdateServicesPackages folders on WSUS server have full control Share Permissions for NETWORK SERVICE, WSUS Administrators, and Administrators.
Confirmed NTFS permissions on the WsusContent and UpdateServicesPackages folders on WSUS server, full control is set for: SYSTEM, NETWORK SERVICE, WSUS Administrators, Administrators.
Validated the WSUS ContentDir in the Registry check: HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup: ContentDir has the same root folder (drive:\wsus) as the value in the SUSDB by running the following query in SQL: Select LocalContentCacheLocation from tbConfigurationB
Hi @Steve ,
As we mentioned, we have a SUSDB that is on a remote SQL server separate from the remote WSUS server is not supported for third party updates, does it mean that the WSUS server is separate from the site server? Once we install the SUP role, and SUP role is installed on the WSUS server, so there is additional requirements when the SUP is remote from the top-level site server:
-->1. SSL should be enabled on the SUP when it's remote. This requires a server authentication certificate generated from an internal certificate authority or via a public provider.
-->2. When setting the third-party updates WSUS signing certificate configuration to Configuration Manager manages the certificate in the Software Update Point Component Properties, the following configurations are required to allow the creation of the self-signed WSUS signing certificate:
Remote registry should be enabled on the SUP server.
The WSUS server connection account should have remote registry permissions on the SUP/WSUS server.
-->3. Create the following registry key on the Configuration Manager site server:
HKLM\Software\Microsoft\Update Services\Server\Setup, create a new DWORD named EnableSelfSignedCertificates with a value of 1.
-->4. To enable installing the self-signed WSUS signing certificate to the Trusted Publishers and Trusted Root stores on the remote SUP server:
The WSUS server connection account should have remote administration permissions on the SUP server.
If this item isn't possible, export the certificate from the local computer's WSUS store into the Trusted Publisher and Trusted Root stores.
Here is the detailed article about the management:
https://learn.microsoft.com/en-us/mem/configmgr/sum/deploy-use/third-party-software-updates
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
"As we mentioned, we have a SUSDB that is on a remote SQL server separate from the remote WSUS server is not supported for third party updates, does it mean that the WSUS server is separate from the site server? Once we install the SUP role, and SUP role is installed on the WSUS server, so there is additional requirements when the SUP is remote from the top-level site server:"
Just to clarify, the WSUS, site server, and SUSDB are all separate servers; SSL is configured. Are you saying third party updates will not work (sync/publish) unless WSUS and the SUSDB are on the same server?
Hi,
No, it does not. I mean at this situation, the SUP role is installed on WSUS server, not SUSDB, and WSUS server is separate from the site server, we could ensure these above configurations has been set, for example, Remote registry, WSUS server connection account.
Best regards,
Amanda
Does the SSL certificate need to be imported on the remote SUSDB server? I am able to connect in the WSUS Console from the site server to the SUP (WSUS) server over secure port 8531.
If so, in which certificate store(s) on the SUSDB server does the SSL cert need to be imported?
Does the SSL cert also need to be imported on the host (including site server) that is running the MECM console that is attempting to sync/publish third party updates? If so, in which certificate store(s)?
Is there a way to reset or delete the Dell third party update catalog (e.g. SQL command) vs rebuilding WSUS?
Hi,
Thanks for your reply.
We just enable SSL on the SUP, which located in WSUS server, it is not required to enable SSL on the site server and SUSDB server, so SSL certificate is not required.
Best regards,
Amanda
How do I get past the below exception message?
SyncUpdateCatalog: Exception Message: Cannot publish package, the following Prerequisites haven't been published yet.~~c85d3eef-07cd-4ee8-858d-7d2b1b9d7246, ff87fb86-3b4e-498b-946f-d162fb06e517, 45918db7-d45d-47d1-803c-74d4fef63688, c0ff1b23-3edb-4e85-9d11-3621b4e4393b SMS_ISVUPDATES_SYNCAGENT 6/14/2022 2:37:55 PM 10992 (0x2AF0)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 18%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECN%3C/text%3E%3C/svg%3E)
I too am having the same exact issue and warnings. I have also checked all the things that Steve-3491 has checked. Our configuration is as follows
WSUS and the WSUSDB are both installed on the Site server.
There are however 2 Distribution Points with the SUP role installed.
SSL is not configured for WSUS.
Do I need SSL configured with the SUP roles being installed on the remote Distribution Points? If so, will this effect my clients getting updates, they are using http, or is the SSL only used for communication between WSUS and the SUP's?
The solution for at least finally being able to sync Dell Third party updates was to update the ConfigMgrWebService Application Pool with the the correct AD service account under Identity, then the Dell drivers synced. Lesson learned was to avoid changing MEMCM service accounts. I'm still seeing an issue when trying to publish the update "The signing certificate must be in the Trusted Publishers container on the WSUS server. If using self-signed certificates, the certificate must also be in the trusted root container on the WSUS server. SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_PUBLISH_FAIL_CERTCONFIG" in SMS_ISVUPDATES_SYNCAGENT. Dell and WSUS signing certificates are unblocked in the MECM console under Security and the WSUS signing cert is located in Trusted Publishers and trusted root container on the WSUS server.
I was able to get past certificate errors but still running into missing prerequisites for the Dell third party driver sync. Regarding the below portion of the error message, are these considered Unique Update ID GUIDs in the MECM DB? If these prerequisites are third party updates, how can they be published without being able to sync first?
I can't seem to find the below GUIDs in the MECM SQL DB or by searching all updates, is there a SQL query or specific way to determine a more readable name for the below prerequisites?
I ran the below query, and it didn't find the below Unique Update ID GUIDs (CI_UniqueID column). The prerequisite missing GUIDs in the SMS_ISVUPDATES__SYNCAGENT.log log may change if selecting different Dell models to sync.
SELECT *
FROM v_UpdateInfo INNER JOIN v_CIAssignmentToCI ON
v_UpdateInfo.CI_ID = v_CIAssignmentToCI.CI_ID INNER JOIN v_CIAssignment ON
v_CIAssignmentToCI.AssignmentID = v_CIAssignment.AssignmentID
From SMS_ISVUPDATES__SYNCAGENT.log:
SyncUpdateCatalog: Exception Message: Cannot publish package, the following Prerequisites haven't been published yet.~~c85d3eef-07cd-4ee8-858d-7d2b1b9d7246, ff87fb86-3b4e-498b-946f-d162fb06e517, 45918db7-d45d-47d1-803c-74d4fef63688, c0ff1b23-3edb-4e85-9d11-3621b4e4393b
Making sure the Windows firewall service is running and unchecking 'Require SSL' on the upstream WSUS/SUP for the below IIS virtual directories allowed downloading of some of the Dell third-party updates in addition to Windows 11 feature updates, but still getting the below "Prerequisites haven't been published yet" errors; no Dell certificates are blocked in the console.
· ApiRemoting30
· ClientWebService
· DSSAuthWebService
· ServerSyncWebService
· SimpleAuthWebService
SyncUpdateCatalog: Exception Message: Cannot publish package, the following Prerequisites haven't been published yet.~~c85d3eef-07cd-4ee8-858d-7d2b1b9d7246, ff87fb86-3b4e-498b-946f-d162fb06e517, 45918db7-d45d-47d1-803c-74d4fef63688, c0ff1b23-3edb-4e85-9d11-3621b4e4393b