Using SCUP to Create 3rd Party Updates: Publish a Scripted Update

This post is part of an ongoing series about using SCUP to publish 3rd party updates in MEMCM. Previous posts on SCUP and 3rd party updates:

With your workforce likely working from home under COVID-19 lockdown, it’s more important than ever to ensure that your patching is up-to-date, to include 3rd party updates. It’s not enough anymore to just ensure that Windows is patched.

This post will focus on a method to deploy updates that require a script or wrap. You may need to script the update’s install to remove a previous version, remove desktop shortcuts, or perform a post-installation configuration. This is not possible by default, as SCUP only accepts and deploys single-file EXE or MSI files. We will use 7zip to create a self-extracting archive and the sign tool from the Windows SDK.

The blog was put together using MEMCM 2002 and SCUP 6.0.394.0, available here:


This can be complicated and will require a few things in addition to MEMCM and SCUP. To complete this process you will need to acquire the following items. We’re going to use

  • Code-signing certificate. This can either be a code-signing certificate from a public CA (GoDaddy, etc.) or a code-signing certificate from a local CA. If you use a local CA, your clients will need to trust it (including the workstation/server running SCUP, ConfigMgr primary server, and SUP), either by importing it directly on clients, or ensuring that the proper root certificates are installed.
  • SignTool.exe. You will need to download and install the Windows SDK, available here: Signtool.exe is also installed with Visual Studio.

HINT: If you only want to install signtool.exe and not the entire SDK, you can mount the ISO, and run Windows SDK Signing Tools-x86_en-us.msi from the Installers directory.

Create Self-Extracting Archive

Now that we have all of the tools we need, it’s time to make our archive. I’m going to use Adobe Reader as my example. I need to completely uninstall Reader before installing the new version, so this action must be scripted. The wrapper script can be either a bat file or PowerShell script.

  1. Create and test your wrapper script. If you use a bat file as your wrapper, name it execute.bat and proceed to step 3.
  2. If your wrapper script is a PowerShell script, then create a bat file called execute.bat. Paste this into the bat file (I would test it again, just for good measure):

powershell.exe -noprofile -executionpolicy bypass -command "& '%~dp0<name of script>.ps1'"

  1. Copy all source files, including installation files and the wrapper script, to a folder. In my example, I’ve named the folder source-files.
  2. Right-click on the source-files folder, select 7-Zip, then Add to “source-files.7z”.
  1. Copy the 7zSD.sfx file to the same directory as source-files.7z.
  2. Create a text file in this directory called config.txt.
  1. In this file, paste the following text.


  1. Open a cmd prompt and cd to your working directory.
  2. Run this command to build the self-extracting archive: copy /b 7zSD.sfx + config.txt + source-files.7z < self-extracting exe name>.
  3. CD to the directory where signtool.exe installed. By default, this directory is C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64.
  4. Run this command to sign the EXE: signtool.exe sign /a /v <path to exe>\<exe>. If you have the code-signing certificate imported properly, signtool.exe will automatically select it and use it to sign the EXE.
  5. Import the EXE into SCUP as described in Using SCUP to Create 3rd Party Updates: Publish an Update. There are no parameters for EXE.

Happy updating!


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.