System Center Update Publisher (SCUP) is a nice mechanism to deploy third-party updates via SCCM. SCUP implementation is well documented for example here by Kent Agerlund.
One of the requirements is allowing Update Client to install updates signed by “Trusted Publisher” in our case – SCUP.
Without that third-party update deployment will fail on “Preparing for installation step” and you can see above-mentioned error in “details” section of error in GUI and in WUAHandler.log
For Domain-joined machines it is pretty easy and can be done via GPO as described by Microsoft: here
but you cannot do that for workgroup/DMZ machines.
One of workarounds is creating a package with registry modifier and deploy it
or, you can use Compliance Settings introduced in SCCM 2012 (improved Desired Configuration Management from SCCM 2007) to let SCCM remediate the setting if machine is not compliant.
for that, first create the registry setting we plan to monitor on SCCM server (if it is not present)
a next, create a new Configuration item under Compliance Settings node:
leave default for Supported Platforms and create a setting to monitor (use Browse to navigate to the registry setting we created earlier)
Under Compliance Rule tab add an additional rule and allow remediation for it
You should have two in result:
finish new CI wizard, create a new Baseline and add the CI to it (alternatively you can add the new CI to one of your existing CIs)
Finish New Baseline wizard and deploy the Baseline to a collection (I use All Desktop and Server Clients)
Members of the collection should receive the new Baseline on next Machine Policy refresh
Test: on one of the Clients set registry setting to 0
Now, go to SCCM Client on that machine and re-evaluate the baseline
Client should find the non-compliancy and remediate it (since it was allowed in CI and Deployment). Check the registry settings – it should be 1 now:
Third-party updates should be installed successfully now.