SCUP 2011 install on Server 2012 with ConfigMgr 2012 Integration


Issue:

Got some third party updates you wish to publish and deploy to your environment with ConfigMgr 2012? A great way to do it is with SCUP 2011 integrated into ConfigMgr 2012.

With many people moving to Windows Server 2012, I wanted to do a write-up that covers what is needed to handle the installation and integration in a one-stop document.

Resolution:

Please note this guide assumes that you are familiar with ConfigMgr 2012, Windows Server 2012 and WSUS for Server 2012, and that you already have WSUS and ConfigMgr 2012 installed with a Software Update Point role.

References:

Download SCUP 2011: http://www.microsoft.com/en-us/download/details.aspx?id=11940

Server 2012 Create Self-signed Cert button workaround: http://blogs.technet.com/b/wsus/archive/2013/08/15/wsus-no-longer-issues-self-signed-certificates.aspx

Publishing Updates to WSUS on Windows 2012: https://technet.microsoft.com/en-us/library/hh134747.aspx#PublishToServer2012

Steps:

(If you already have SCUP 2011 installed and want to re-install, add these steps first):

1. Uninstall SCUP from the Server

2. Do a search on the server for all entries of "scupdb.sdf"

3. Delete all entries found for the "scupdb.sdf"

4. Reboot the server

 

Install:

1. Using the ConfigMgr 2012 Admin Account, login to the server

2. Open command prompt with Administrator Privileges (Right click and select Open as Admin), install SCUP 2011

3. Ensure the "scupdb.sdf" was created under the following path:

'C:\Users\<ConfigMgr 2012 Admin Account>\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000'

4. Open Regedit, Navigate to "HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\"

4.1 Create DWORD value: EnableSelfSignedCertificates = 1

5. Open Regedit, Navigate to "HKEY_CLASSES_ROOT\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B}"

5.1 Click Edit, click Permissions and then click Advanced

5.2 Click Change owner to, specify Administrators and then click OK

5.3 Specify Full Control permissions for Administrators and SYSTEM.

5.4 Close Regedit

5.5 Open command prompt with Administrator Privileges (Right click and select Open as Admin), type Dcomcnfg.exe and press ENTER

5.6 Expand Component Services, expand Computer, expand My Computer, expand DCOM Config, right click WSUSCertServer and click Properties

5.7 Select the Security Tab and configure the following permissions:

5.8 Launch and Activation: Select Allow for the Local Launch and Local Activation permissions

5.9 Access Permission: Select Allow for the Local Access permission

6. Restart the WSUSCertServer process:

6.1 Open command prompt with Administrator Privileges (Right click and select Open as Admin)

6.2 Type net stop wsuscertserver and press ENTER

6.3 Type net start wsuscertserver and press ENTER

 

Configure:

1. Using the ConfigMgr 2012 Admin Account, login to the server

2. Open the SCUP 2011 Console by right clicking and selecting Run As Administrator, choose "Options"

3. Click the Update Server Tab

3.1 Check Enable publishing to an update server

3.2 Select Connect to a local Update Server

3.3 Click the Signing Certificate Create button, complete the wizard

(This should work now due to the workaround done in the install steps)

3.4 Click the Test Connection button

3.5 You should now see the information for the issued certificate below the Create button

4. Click the ConfigMgr Server Tab

4.1 Check Enable Configuration Manager Integration

4.2 Choose local or remote ConfigMgr server accordingly

4.3 Click the Test Connection button

 

Get Certificate to distribute:

1. Using the ConfigMgr 2012 Admin Account, login to the server

2. Open the MMC

3. Click File, then Add \ Remove Snap-In

4. Click Certificates and then Add

5. Select Computer Account and then Next

6. Select Local Computer and then Finish

7. On the Add or Remove Snap-ins, click OK

8. Navigate to the WSUS Certificate Store, right click the certificate and choose All Tasks, then Export

8.1 On the Export Private Key, choose No, do not export the private key and then click Next

8.2 On the Export File Format, select DER encoded binary X.509 (.CER) and then click Next

8.3 On the File to Export, Type C:\wsuscert.cer and then click Next

8.4 Click Finish and then OK

 

Publish to TrustedPublisher and Root:

1. Using the ConfigMgr 2012 Admin Account, login to the server

2. Open command prompt with Administrator Privileges (Right click and select Open as Admin)

3. Type:

3.1 certutil.exe -addstore TrustedPublisher C:\wsuscert.cer (press ENTER)

3.2 certutil.exe -addstore root C:\wsuscert.cer (press ENTER)

4. Distribute the Cert out to all workstations in the environment via GPO as well.

Domain Policy Change:
To allow 3rd party updates to be installed when they are found on an intranet Microsoft Update Service (aka WSUS \ ConfigMgr), you need to make sure the following setting is enabled for all clients you intend to deploy the 3rd party updates to.

Ensure that the Policy has the “Allow Signed Updates from an Intranet Microsoft Update Service Location” setting enabled.

You find this setting under the group policy editor in the following path:
Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update
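
To confirm the end state of the steps above, the following read-only PowerShell check can be run from an elevated prompt. It is an added example, not part of the original guide or of SCUP: the function names are made up for illustration, the store name "WSUS" is the WSUS Certificate Store from the export step, and AcceptTrustedPublisherCerts is the registry value that backs the "Allow Signed Updates..." policy.

```powershell
# Added example: read-only verification, changes nothing on the machine.
# Requires PowerShell 3.0+ (ships with Server 2012). Run elevated.

function Get-RegDword {
    param([string]$Key, [string]$Name)
    # Returns the value, or $null when the key or value does not exist
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-ScupTrust {
    param(
        # File written in step 8.3 of "Get Certificate to distribute"
        [string]$CertPath = 'C:\wsuscert.cer'
    )

    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $checks = [ordered]@{}

    # The exported certificate must be the one WSUS signs with, and must be
    # present in both trust stores. The WSUS store exists on the server only,
    # so that row is expected to fail on a workstation.
    foreach ($store in 'WSUS', 'TrustedPublisher', 'Root') {
        $checks["Cert in LocalMachine\$store"] =
            Test-Path -Path "Cert:\LocalMachine\$store\$($cer.Thumbprint)"
    }

    # An expired signing certificate makes clients reject published updates
    $checks["Cert valid until $($cer.NotAfter.ToString('yyyy-MM-dd'))"] =
        $cer.NotAfter -gt (Get-Date)

    # Install step 4.1 (server only)
    $checks['EnableSelfSignedCertificates = 1'] =
        (Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' 'EnableSelfSignedCertificates') -eq 1

    # Domain policy change, as applied to this machine by GPO
    $checks['AcceptTrustedPublisherCerts = 1'] =
        (Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'AcceptTrustedPublisherCerts') -eq 1

    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
    }
}

Test-ScupTrust | Format-Table -AutoSize
```

On a workstation, copy the .cer file locally first; the two server-only rows will show False there, while the TrustedPublisher, Root and policy rows should all be True once the GPO has applied.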

Comments (1)

  1. This is excellent. Very thorough. Very clear. Thanks.