How to install SCUP and configure

 How to install SCUP and configure

 

This will show the steps on how to install SCUP and also configure a third party catalogue, (EH Adobe Flash player) and deploy the clients reporting to SCCM server.

 

You can download the SCUP from the following link https://www.microsoft.com/downloads/en/details.aspx?FamilyID=0446cce9-94a4-4fb0-b335-e7516044063d&displaylang=en

 

On the SCCM server or on any other server you can install System Center Updates Publisher.

The perquisite is to have SQL server. You can use the express installation or use any other SQL server.

 

Updates Publisher is supported on the following operating systems:

  • ·       The Microsoft Windows® XP Professional operating system with Service Pack 2 (SP2)
  • ·       The Microsoft Windows® XP Professional x64 Edition operating system
  • ·       The 32-bit versions of the Microsoft Windows Server®°2003 operating systems with Service Pack 1 (SP1)
  • ·       The x64-based editions of the Microsoft Windows Server®°2003 operating systems
  • ·       The 32-bit versions of the Microsoft Windows Server®°2003 R2 operating systems
  • ·       The x64-based editions of the Microsoft Windows Server®°2003 R2 operating systems
  • ·       The Windows Vista™ operating systems
  • ·       The x64-based editions of the Windows Vista™ x64 Edition operating systems

Software Requirements

  • ·       Updates Publisher has the following software requirements:
  • ·       Microsoft Management Console 3.0 (MMC). MMC 3.0 must be installed prior to running the Updates Publisher Setup. You can download the MMC 3.0 from the Microsoft Download Center Web site (https://go.microsoft.com/fwlink/?linkid=21788).
  • ·       For Updates Publisher 4.5, WSUS 3.0 SP2SP1 Administration Console. If WSUS 3.0 SP2 is not already installed on the local computer, the WSUS 3.0 SP2 Administration Console must be installed prior to running the Updates Publisher Setup. You can download the WSUS 3.0 SP2 Administration Console from the Windows Server Update Services Web site
  • ·       Microsoft Internet Explorer 6 SP1 or later. A supported version of Internet Explorer must be installed prior to running the Updates Publisher Setup. You can download Internet Explorer 6 SP1 from the Microsoft Download Center Web site (https://go.microsoft.com/fwlink/?linkid=21788).
  • ·       Microsoft Windows Installer 3.1. The Updates Publisher Setup installs Windows Installer 3.1, if required.
  • ·       Microsoft .NET Framework 2.0. The Updates Publisher Setup installs .NET Framework 2.0, if required.
  • ·       Microsoft SQL Server 2005 SP1 or Microsoft SQL Server 2005 Express Edition SP2. The Updates Publisher Setup installs SQL Server 2005 Express Edition SP2, if required.

 

 

How to install SCUP

 

Double click the SystemCenterUpdatesPublisher45.exe.

 

 

Click next and it will ask to select local database or install SQL express edition. DO the same

 

Once clicked next it will install the perquisite and then will proceed the installation

 

Select The folder 

 

 Installation will proceed and will complete the installation

 

Once done complete the installation click on finish. 

 

 

How to configure SCUP

 

Once the installation is over open the console of SCUP.

 

 

Click on import updates from the right side. You can download the adobe flash player catalogue from the following link https://fpdownload.adobe.com/get/flashplayer/current/licensing/win/AdobeFlashPlayerCatalog_SCUP.cab

Click on Single Catalogue Import 

 

Point to the CAB file downloaded. 

 

IT will then start uploading  

 

 Click on Accept

 Once you have completed this you will find adobe flash player as shown below.

 

 Now the set the Publish flag. On the Adobe flash player select settings and then do the following configuration. Select the update server if locally installed the same one or you can select the remote in case you install SCUP.

 

First, you have to configure SCUP to sign patches with the WSSC.  To do that, select the settings option from the console screen

On the Update Server tab, select create to create the WSSC

Once complete, you should have a new WSSC as shown

This action creates the WSSC in the WSUS > Certificates note of the Certificates.msc as shown

So the certificate we need is now created, but we aren’t ready to go yet.  Next we have to make sure the WSSC cert is included in the Trusted Publishers > Certificates and the Trusted Root Certificate Authorities > Certificates store.Simple process to export the cert and import it to the other two stores.  To export the cert, just right click on it and select to export – take all the defaults and save the cert to a .cer file.  To import, just right click on the Trusted Publishers and Trusted Root Certificate Authorities nodes, respectively, and select to import and point to the file. 

One this is completed On the SCUP console please do the following. Click on Publish updates

 

  

Click on Accept

 

 

 Once successfully published run the Synchronization in the SCCM server

 

  Once the synchronization is completed the security update you would see the adobe flash layer

 

 Now on the SCCM server Download the update and then create a deployment

 

Select the DP

 

 

 

  Create a Deployment

 

 Now on the clients do the following settings

 

So now SCUP should be configured to sign updates with the WSSC and publish updates to the SCCM Software Update point and you can deploy them to clients. But, the clients aren’t ready to receive them and will reject the update if it arrives. To get the client ready to receive updates you need to transfer the WSSC to the clients certificate store as well. You can do this manually or even through software distribution using the certutil command.

To deploy the certificate with software distribution, do the following.

  1. Export the WSUS Publishers Self-signed certificate and public key to a directory on the local computer.
  2. Copy the Certutil.exe and Certadm.dll files to the same directory as the exported files. Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003 family and both files are installed in %windir%\system32, by default.
  3. Create a software distribution package containing the files from step 1 and step 2. For more information, see How to Create a Package (https://go.microsoft.com/fwlink/?LinkId=108444)
  4. Add a software distribution program that runs the following command-line: certutil.exe -addstore TrustedPublisher wsus.cer, where TrustedPublisher is the name of the certificate store and wsus.cer is the name of the exported certificate. For more information about creating a software distribution program, see How to Create a Program (https://go.microsoft.com/fwlink/?LinkId=108446). For more information about certutil.exe, see the Certutil Web site on TechNet (https://go.microsoft.com/fwlink/?LinkId=108447)
  5. Create an advertisement for distributing the package and program to the appropriate collection. For more information, see How to Create an Advertisement (https://go.microsoft.com/fwlink/?LinkId=108449).

You may also have to include the WSSC in the Trusted Root Certificate Authorities node as well, which can be done with easy adjustments to the package if needed. Be sure and test first to determine exactly what is needed for your environment.

Once you have the certificates deployed, now you just have to adjust local policy to allow signed cupdates from an intranet Microsoft update service location. You can find that setting as shown below. 

To test that everything is working, deploy a SCUP patch to a test client and review the WUAHandler.log. If all is configured properly, you should see the patch install if needed. If there are problems you will notice errors similar to the following in the log.

In the server the updatepublisher.log in %temp% on the SCUP installed machine also help to check the error.

 

Hope this information would be useful

 

 Sudheesh Narayanaswamy