Using SCUP to Create 3rd Party Updates: Publish a Scripted Update

This post is part of an ongoing series about using SCUP to publish 3rd party updates in MEMCM. Previous posts on SCUP and 3rd party updates:

• Using System Center Update Publisher to Create 3rd Party Updates: Intro
• Using SCUP to Create 3rd Party Updates: Publish an Update

With your workforce likely working from home under COVID-19 lockdown, it’s more important than ever to ensure that your patching is up-to-date, to include 3rd party updates. It’s not enough anymore to just ensure that Windows is patched.

This post will focus on a method to deploy updates that require a script or wrap. You may need to script the update’s install to remove a previous version, remove desktop shortcuts, or perform a post-installation configuration. This is not possible by default, as SCUP only accepts and deploys single-file EXE or MSI files. We will use 7zip to create a self-extracting archive and the sign tool from the Windows SDK.

The blog was put together using MEMCM 2002 and SCUP 6.0.394.0, available here: https://www.microsoft.com/en-us/download/details.aspx?id=55543.

Requirements

This can be complicated and will require a few things in addition to MEMCM and SCUP. To complete this process you will need to acquire the following items. We’re going to use

• Code-signing certificate. This can either be a code-signing certificate from a public CA (GoDaddy, etc.) or a code-signing certificate from a local CA. If you use a local CA, your clients will need to trust it (including the workstation/server running SCUP, ConfigMgr primary server, and SUP), either by importing it directly on clients, or ensuring that the proper root certificates are installed.
• SignTool.exe. You will need to download and install the Windows SDK, available here: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/. Signtool.exe is also installed with Visual Studio.

HINT: If you only want to install signtool.exe and not the entire SDK, you can mount the ISO, and run Windows SDK Signing Tools-x86_en-us.msi from the Installers directory.

• 7zip, available here: https://www.7-zip.org/.
• 7zSD.sfx. This is 7zip’s self-extractor. It is available here: https://www.7-zip.org/a/7z920_extra.7z. This will download a 7zip archive file; extract this archive and save the 7zSD.sfx file.

Create Self-Extracting Archive

Now that we have all of the tools we need, it’s time to make our archive. I’m going to use Adobe Reader as my example. I need to completely uninstall Reader before installing the new version, so this action must be scripted. The wrapper script can be either a bat file or PowerShell script.

1. Create and test your wrapper script. If you use a bat file as your wrapper, name it execute.bat and proceed to step 3.
2. If your wrapper script is a PowerShell script, then create a bat file called execute.bat. Paste this into the bat file (I would test it again, just for good measure):

@ECHO OFF
powershell.exe -noprofile -executionpolicy bypass -command "& '%~dp0<name of script>.ps1'"

3. Copy all source files, including installation files and the wrapper script, to a folder. In my example, I’ve named the folder source-files.
4. Right-click on the source-files folder, select 7-Zip, then Add to “source-files.7z”.

5. Copy the 7zSD.sfx file to the same directory as source-files.7z.
6. Create a text file in this directory called config.txt.

7. In this file, paste the following text.

;!@Install@!UTF-8!
RunProgram="execute.bat"
;!@InstallEnd@!

8. Open a cmd prompt and cd to your working directory.
9. Run this command to build the self-extracting archive: copy /b 7zSD.sfx + config.txt + source-files.7z < self-extracting exe name>.
10. CD to the directory where signtool.exe installed. By default, this directory is C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64.
11. Run this command to sign the EXE: signtool.exe sign /a /v <path to exe>\<exe>. If you have the code-signing certificate imported properly, signtool.exe will automatically select it and use it to sign the EXE.
12. Import the EXE into SCUP as described in Using SCUP to Create 3rd Party Updates: Publish an Update. There are no parameters for EXE.

Happy updating!

Disclaimer

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.