the complete guide to system center updates publisher 2011 v1.01

Written by Kent Agerlund, Coretech A/S of 48

SCUP 2011 Installation and Configuration Guide

Author:

Kent Agerlund

Create date: 09/06-2011 Change date: 14/06-201 Document version no.: 1.1

The complete guide to System Center Updates Publisher 2011 V1.0.docx of 48

Document information

History

Date Author Version Reason for change

09/06-2011 Kent Agerlund 1.0 N/A

14/06-2011 Kent Agerlund 1.1 Minor changes in screendumps

Proof readers

Name Version Date of approval


Table of contens

Document information .................................................................................................... 2 History ....................................................................................................................... 2 Proof readers .............................................................................................................. 2

Table of contens ............................................................................................................ 3 What is SCUP 2011 ......................................................................................................... 4 SCUP requirements ......................................................................................................... 4 Installing and Configuring SCUP 2011 .............................................................................. 5

Installing SCUP 2011 ................................................................................................... 5 Installing SCUP 2011 on Windows 7.............................................................................. 8 Configure SCUP 2011 for publishing and ConfigMgr. integration .................................... 13 Export the Certificate ................................................................................................. 15

Create the Group Policy .......................................................................................... 19 Deploy the WSUS self-signed certificate to clients ........................................................ 21

Deploy using Configuration Manager 2007 ............................................................... 21 Deploy using Configuration Manager 2012 ............................................................... 23

Publish Updates ........................................................................................................... 31 Importing partner catalogs ........................................................................................ 31 Import custom catalogs ............................................................................................. 32 Publish Updates ........................................................................................................ 34

Working with Publications ....................................................................................... 34 Author updates ............................................................................................................ 38

Using Rules to author updates ................................................................................... 46


What is SCUP 2011

SCUP 2011 is a free updates publishing and authoring application. You can benefit from this application by downloading free catalogs from vendors Like Adobe, HP and Dell or subscribe to the SCUPdates catalog from Shavlik (not free). Furthermore you can author you own updates and publish those to WSUS. The benefit of using SCUP VS Application deployment in Configuration Manager and/or System Center essentials is the detection methods. As like any other Microsoft update, your updates will only be installed if the computer is requiring the update. That way, you do not have to build advanced collection queries or be afraid that updates are applied to non-applicable systems. This document can be used to install and configure the solution in both Configuration Manager 2012 and Configuration Manager 2007 environments. You can download SCUP 2011 from - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=083f45ca-1ede-4f7a-be74-77854c3a9b01&displaylang=en

SCUP requirements

Supported Operating Systems o Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2

Windows Server Update Services (WSUS) 3.0 SP2 .NET Framework 4.0

Trusted Signing Certificate

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=083f45ca-1ede-4f7a-be74-77854c3a9b01&displaylang=en

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=083f45ca-1ede-4f7a-be74-77854c3a9b01&displaylang=en


Installing and Configuring SCUP 2011

Installing SCUP 2011

Download and install the WSUS hotfix WSUS-KB2530678-x86 or WSUS-KB2530678-x64 from http://support.microsoft.com/?kbid=2530678

Run SystemCenterUpdatesPublisher.msi and click Next.

Click Next.

http://support.microsoft.com/?kbid=2530678



Click Next.

Accept the license agreement and click Next.

Select the installation path and click OK.


Click Next to start the installation.

Click Finish.


Installing SCUP 2011 on Windows 7

Install the WSUS 3.0 SP2 administrator console.

Select Administration Console only and click Next.

Accept the license terms and click Next.


Click Next.

Click Finish.

Download and install the WSUS hotfix WSUS-KB2530678-x86 or WSUS-KB2530678-x64 from http://support.microsoft.com/?kbid=2530678




Download and install .Net Framework 4.0 from http://www.microsoft.com/downloads/en/detai

ls.aspx?FamilyID=9cfb2d51-5ff4-4491-b0e5-b386f32c0992&displaylang=en

Type SystemCenterUpdatesPublisher.msi, and click Run.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9cfb2d51-5ff4-4491-b0e5-b386f32c0992&displaylang=en




Click Next.

Click Next.

Accept the license agreement and click Next.


Select the installation path and click OK.

Click Next to start the installation.

Click Finish.


Configure SCUP 2011 for publishing and ConfigMgr. integration

Start System Center Updates publisher from the start menu. From the Ribbon click Options.

For installations with a local WSUS: Select Connect to a local update server. For installations with a remote WSUS: Select Connect to a remote update server and type: Name: SCCM4 Port: 8530

Click Test Connection and click OK in the dialog.

In Signing Certificate click Create and OK. Only select this option if you do not have an existing WSUS signing certificate.


Click ConfigMgr Server

For installations on the site server: Select Connect to a remove Configuration Manager Server and type: Click Test Connection and OK in the dialog. For installations on a remote server or workstation: Type: SCCM4 Requested client count threshold: 1 Package source size threshold: 30 Click OK to close the configuration.


Export the Certificate

Different certificate solutions are supported with SCUP. Use of a public certificate is explained here http://blogs.msdn.com/b/steverac/archive/2009/03/31/using-third-party-certificate-with-scup.aspx In my example I’ll use the certificate created by SCUP.

Next you'll need to import the certificate into Trusted Publisher and Trusted Root Publishers. Select Start, Run and type MMC

Click Ctrl+M and click Add to add a snap-in to the console. Select Certificates and click Add.

Select Computer account and click Next.

Click Finish Click Add and Close to return to the MMC with Certificate snap-in

http://blogs.msdn.com/b/steverac/archive/2009/03/31/using-third-party-certificate-with-scup.aspx

http://blogs.msdn.com/b/steverac/archive/2009/03/31/using-third-party-certificate-with-scup.aspx


Select Certificates, WSUS, Certificates.

Right click the WSUS Publisher Self-signed certificate, select Copy.

Select Certificates, Trusted Root certification Authorities, Certificates. Right click and select Paste

Select Certificates, Trusted Publishers, Certificates. Right click and select Paste. Notice, the certificate must also be imported on the Configuration Manager server. If the server is on a remote host, export the certificate and import it on the Configuration Manager server.

Next export the certificate so it can be deployed using a ConfigMgr. Package. Right click the certificate, select All Tasks, Export.


Click Next.

Click Next.

Click Next.


I export the certificate to a folder containing Certutil.exe and Certadm.dll. In this example the WSUS certificate is called wsus2011.cer For more information about certutil.exe check http://technet.microsoft.com/en-us/library/cc732443(WS.10).aspx Click Next.

Click Finish.

http://technet.microsoft.com/en-us/library/cc732443(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc732443(WS.10).aspx


Create the Group Policy

In this example I create a new group policy at the domain level. Open Group Policy Management console.

Right click the Domain and select Create a GPO in this domain, and link it here

Type WSUS as the name and click OK.

Right click the WSUS policy and select Edit.


Navigate to Computer Configuration, Administrative Templates, Windows Components, Windows Update

Right click Allow signed content from intranet Microsoft update service location and select Properties.

Select Enabled, click OK and close the group policy.


Deploy the WSUS self-signed certificate to clients

Deploy using Configuration Manager 2007

Open the Configuration Manager 2007 administrator console. Navigate to Computer Management, Software Distribution, Packages.

Create a new package in Config Mgr. Select the folder containing the three files as the source folder.


Create two new programs with these command lines certutil.exe -addstore Root wsus2011.cer certutil.exe -addstore TrustedPublisher wsus2011.cer Remember to suppress program notifications on both programs.

In the second program configure the first program to run first. You can also create a bat file or script to run both commands from a single program.


Configure the program to run with administrative rights and create a new mandatory advertisement.

Deploy using Configuration Manager 2012

Open the Configuration Manager console and navigate to the Software Library workspace.

Select Application Management, Packages and click Create Package on the Ribbon.


Create a new package with these settings and click Next Name: SCUP 2011 Certificate Source Files: \\sccm4\sccm_sources$\Software\SCUP ConfigMgr package

Select program for computers and click Next

Create a program with these settings and click Next. Name: Import WSUS certificate into root Commandline: certutil.exe –addstore Root wsus2011.cer Program can run: Whether or not a user is logged on


Click Next and finish the creation.

Select the WSUS Signing Certificate package and click Create Program in the Ribbon

Select Program for computers and click Next.


Create a new program with these settings and click Next. Name: Import WSUS certificate into Trusted Commandline: certutil.exe –addstore TrustedPublisher wsus2011.cer Program can run: Whether or not a user is logged on

Select Run another program first and select the WSUS Signing Certificate package and the Import WSUS certificate into root program. Click Next.

Finish the wizard.


Open the properties for both programs (one at the time), select the Advanced tab and enable Suppress program notifications.

Select the WSUS Signing Certificate package and click Distribute Content on the Ribbon.

Click Next.


Click Add and select the Content target. In my example I use a Distribution Point Group called EMEA. Finish the wizard.

Select the WSUS Signing Certificate package and click Deploy on the Ribbon.

Select the Import WSUS Certificate into Trusted program and deploy that to the All Desktop and Server Clients collection. Click Next.


Configure the deployment purpose to Required and click Next.

Schedule the application to be available now and configure the assignment to be mandatory As soon as possible

Click Next.


Click Next and finish the wizard.


Publish Updates

Importing partner catalogs

Select the Catalog workspace.

Select Add Catalogs. SCUP will now detect any free partner catalogs that are not already added.

Select the Updates workspace and click Import. Select the catalogs and click Next. During the import process, SCUP will prompt to accept the Certificate for each vendor.


Import custom catalogs

Select the Catalog workspace and click Add.

Fill in the catalog information and click OK.

Alerts will automatically be raised whenever there is a change in one or more of the catalogs.


Click Import and select the newly updated catalogs.


Publish Updates

Updates can be published with three different flags:

Full Content, this will download the binaries and make them available for a deployment in Configuration Manager.

Metadata only, will only download metadata and is suitable when you only want to track compliance.

Automatic, will only download metadata but might download the complete set of binaries if any Configuration Manager clients are requesting the update. This setting requires that you have configured the ConfigMgr. Integration. This method will force SCUP to query Configuration Manager for clients requesting the updates. If none are requesting an update only metadata will be published otherwise it will be full content. The automatic rules works very well together with publications.

Working with Publications

Publications are a new feature in SCUP 2011. It allows you to logically group published updates. Publications can be created based on Vendors, periods or what-ever make sense in your environment. The main benefit of working with Publications is overview. You can easily see which updates you have published. In my example I will add all needed updates to a Publication and finally publish that. I will create a Publication based on Quarters (that make sense in my environment).

Open SCUP 2011, select the Updates workspace. Find the update(s) you want to publish and click Assign.


Select the publication type, in this example I’m using Full Content. Type a name for the Publication and click OK. In my example I’m typing 2011-Q2. Click OK. You can add multiple updates into the same publication.

Navigate to the Publication workspace, select the publication and click Publish.

Click Next.


Click Next.

Click Close.

The updates will now be published to WSUS. You can monitor the activity by reading the scup.log file found in the %temp% folder.


Updates will become available in Configuration Manager next time ConfigMgr. Synchronizes content with WSUS. In this example I have created an Update Group in Configuration Manager 2012 with updates that are now ready for deployment.


Author updates

Before you start author any update you will need to do some detective work. You need to figure out:

A way to download patch, either vendor site or local file server A method to detect whether a given update is required or not. A method to detect that you successfully deployed the update. Figure out the command line to do a silent installation Find the vendor website that contains information about the update.

In this example I will deploy Java 6 update 25 x86. I have already downloaded the update to a local file share “\\sccm4\sccm_sources$\Software\JavaUpd25\jre-6u25-windows-i586.exe” To detect if a previous version of Java is installed I will query these registry keys:

Must exist: HKLM\Software\Javasoft\Java Runtime Environment\1.6 Must not exist: HKLM\Software\Javasoft\Java Runtime Environment\1.6.0_25

To verify that the installation was successful I will query this registry key

Must exist: HKLM\Software\Javasoft\Java Runtime Environment\1.6.0_25

Open the SCUP 2011 console and navigate to the Updates workspace. Create folder by using the Ribbon. In this example my folder is called Oracle

Click Create, Software Update on the Ribbon


In Package Source click Browse and navigate to: jre-6u25-windows-i586.exe. In download URL (or UNC) type the UNC path to the file: \\sccm4\sccm_sources$\Software\JavaUpd25\jre-6u25-windows-i586.exe Binary language (in my example is English) English Command line: /s "IEXPLORER=1 MOZILLA=1" /quiet Click Next.

In Language select: English In Title type: SUN Java 6 Update 25 In Description type something meaningful like what are being fixed by this update. In Classification select: Security In Vendor type: Oracle In Product type: SUN Java More Info URL type: http://www.oracle.com/technetwork/java/javase/6u25releasenotes-356444.html Click Next.

http://www.oracle.com/technetwork/java/javase/6u25releasenotes-356444.html




On the Optional information page you can type the official Update information, is none is provided I suggest you invent a naming standard for the different vendors. Bulletin ID: SUNJAVA6UPD25 Article ID QSUNJAVA6UPD25 Support URL: http://www.oracle.com/technetwork/java/javase/overview/index.html Severity: None Specified Impact: Normal Restart Behavior: Can request reboot Click Next

On the prerequisites page click Next.

On the Supersedence page you can select any older version that is being superseded with this update. It requires that the older update is also present in the catalog. In my example, this is the first Java update in the catalog, click Next.


On the Installable rules page you will type in whatever information you have to detect a previous installed version. Click the Yellow star icon.

Rule Type select: Registry Subkey type: Software\Javasoft\Java Runtime Environment\1.6 This registry key is for a 32 bit application on a 64-bit system: Enabled Click OK


Click the Yellow icon and create a new rule Rule Type select: Registry Subkey type: Software\Javasoft\Java Runtime Environment\1.6.0_25 This registry key is for a 32 bit application on a 64-bit system: Enabled Click OK

Highlight the last rule and press Alt+G or click the Not icon. Click Next.


On the Installed rules page you will type in whatever information you have to detect that this new update is successfully installed. Click the Yellow icon to create a new rule. Rule Type select: Registry Subkey type: Software\Javasoft\Java Runtime Environment\1.6.0_25 This registry key is for a 32 bit application on a 64-bit system: Enabled Click OK

Click Next.

Click Next.


Click Close

Click Publish on the Ribbon, select Full Content and click Next.

Click Next.

Click Close. The update will now become available in System Center Essentials or Configuration Manager after the next software update synchronization process.


The installation progress, preparing – installing – installed.

Java 6 update 25 is installed.


Using Rules to author updates

Rules are like templates, objects you create to ensure consistency and because you’re a mix of being smart and lazy In this example I will create a rule that I can use every time I need to create a new Java Update 1.6.XX

Open the SCUP 2011 console and navigate to the Rules workspace. Click Create on the Ribbon and assign a name like SUN Java 1.6 X86

Click the Yellow star icon and create a new rule. Rule Type select: Registry Subkey type: Software\Javasoft\Java Runtime Environment\1.6 This registry key is for a 32 bit application on a 64-bit system: Enabled Click OK


Click the Yellow icon and create a new rule Rule Type select: Registry Subkey type: Software\Javasoft\Java Runtime Environment\1.6.0_XX This registry key is for a 32 bit application on a 64-bit system: Enabled Click OK

Highlight the last rule and press Alt+G or click the Not icon. Click Next.

You can now use the rule in when authoring any update. In the rule editor you can select Rule type: Saved Rule. Select the rule and click OK.


You can edit the rules, in this example I will change the Not rule from Software\Javasoft\Java Runtime Environment\1.6.0_XX To Software\Javasoft\Java Runtime Environment\1.6.0_26 By doing so, I have in a few easy steps, created a rule that can be used when installing the SUN Java Update 26

the complete guide to system center updates publisher 2011 v1.01

Documents