Using SCUP to Create 3rd Party Updates: Publish an Update

This post is part of an ongoing series about using SCUP to publish 3rd party updates in MEMCM. For a post on installing and setting up SCUP, see Using System Center Update Publisher to Create 3rd Party Updates: Intro.

With your workforce likely working from home under COVID-19 lockdown, it’s more important than ever to ensure that your patching is up to date, including 3rd party updates. It’s no longer enough to just ensure that Windows is patched.

This post was put together using MEMCM 2002 and SCUP 6.0.394.0, available here: https://www.microsoft.com/en-us/download/details.aspx?id=55543.

Limitations/Gotchas

Deploying updates is not the most modern experience out there. There are several limitations and gotchas that you should be aware of to make sure that your deployment is successful.

First, the installation/upgrade installer that you use must be a single file. Wrapper scripts, transform files, configuration files, etc. cannot be used in a standard update. This is not like packages or applications in MEMCM, where MEMCM delivers a payload and runs it. This must be a single file. Come back for a future blog post on overcoming this limitation using a self-extracting EXE.

Next, the applicability and installation rules do not carry the same logic as MEMCM applications. We’ll address this a little later when we make an update, but you must first check if a registry key or file exists, then check its version. The version check does not count as the “file exists” check. I spent the better part of a day figuring this one out.

Finally, try to get everything right the first time when creating updates in SCUP. There are oddities that occur when trying to modify information about the update after the update is created. Also, I would recommend testing every update in a development MEMCM environment. Once an update is sync’d to MEMCM, it’s very difficult to get it out, so you could end up with a lot of superseded and expired updates in your console. Over time, these will degrade the performance of your environment.

Creating an Update

We’re going to use Firefox 75.0 for this example. You can download the Firefox installer as an MSI, which is what I recommend for updates. EXEs work fine, but MSIs are always more predictable.

I’ve downloaded Firefox 75 and copied it to a source directory on a network share where my development MEMCM primary server and Software Update Point (SUP) server have read/write access.

  1. Open the Updates Publisher console and navigate to the Updates Workspace.
  2. Click the Update button in the ribbon.
  3. After the Create Update wizard opens, click Browse and navigate to your source directory. Select the Firefox MSI file.
  4. Type (or copy) the path to this MSI file (including the file name) in the Download URL (or UNC) box.
  5. Provide any additional command line parameters in the Command Line box. I don’t want the Firefox installer to create a desktop shortcut, so I added the DESKTOP_SHORTCUT=false parameter. (NOTE: for MSI installers, /q and /norestart are assumed. Do not provide these, as the installation will fail.)
  6. Click Next.
  7. Fill out/select the Title, Description, Vendor, Product, and More info URL boxes and click Next.
  8. If you would like to fill out any of the information on the next screen, then do it and click Next. I would recommend specifying a Severity of Important for your regular monthly updates, and Critical if an update is released out-of-band.
  9. You can skip the Prerequisite and Supersedence screens. For future Firefox updates like Firefox 76, you can specify this update on the Supersedence screen.
  10. On the Applicability screen, you should already see a pre-populated rule for the MSI. We’re going to create two more rules.
  11. Click the Add button.
  12. The first rule is going to check to see if firefox.exe exists, so set the Common paths box to PROGRAM_FILES, the Path box to Mozilla Firefox, and the File name to firefox.exe.
  13. Click OK. The rule is created as part of an And statement.
  14. Now we need to do a file version check, because we wouldn’t want to install this version of Firefox over top of a newer version. So, to add a new rule, click the Add button again.
  15. Fill in the same information as the last rule.
  16. Click the radio button next to The file must satisfy the following rule on the target computer to indicate applicability.
  17. Change the Property to Version. Change Operator to Less Than.
  18. In the Value box, type in the exact file version of firefox.exe (this one happens to be 75.0.0.7398).
  19. Click OK.
  20. You should now have three rules, and it should look like this screenshot. Click Next.
  21. On the Installed screen of the wizard, repeat step 10 a-f to create the same file exists rule.
  22. Add a second rule by clicking the Add button.
  23. Fill out the Common paths, Path, and File name boxes exactly how we’ve been doing.
  24. Click the radio button next to The file must satisfy the following rule on the target computer to indicate applicability.
  25. Change the Property to Version. Leave Operator set to Equal To.
  26. In the Value box, type in the exact file version of firefox.exe (this one happens to be 75.0.0.7398).
  27. Check that you have three installed rules and click Next.
  28. Click Next through the Summary, Progress and Confirmation screens. Accept any certificate notifications.
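
To sanity-check the rule logic on a test machine before publishing, the following added example (not part of the original post) evaluates the same "file exists, then version" pair that the Applicability and Installed screens express. The function name `Test-FirefoxUpdateRules` is hypothetical, the script assumes the PROGRAM_FILES common path resolves to `$env:ProgramFiles`, and it does not evaluate the pre-populated MSI rule.

```powershell
# Added example: local evaluation of the two-part SCUP rule logic.
# Assumption: PROGRAM_FILES in SCUP corresponds to $env:ProgramFiles here.

function Test-FirefoxUpdateRules {   # hypothetical helper name
    param(
        # The value typed into the SCUP Value box
        [version]$TargetVersion = '75.0.0.7398',
        [string]$FilePath = (Join-Path $env:ProgramFiles 'Mozilla Firefox\firefox.exe')
    )

    # Rule 1: the file exists. This is evaluated on its own because the
    # version rule does not count as the "file exists" check.
    $exists = Test-Path -LiteralPath $FilePath -PathType Leaf

    $installedVersion = $null
    if ($exists) {
        $vi = (Get-Item -LiteralPath $FilePath).VersionInfo
        # Build a four-part version from the numeric fields so the
        # comparison is numeric rather than a string comparison.
        $installedVersion = [version]::new(
            $vi.FileMajorPart, $vi.FileMinorPart,
            $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    [pscustomobject]@{
        FilePath         = $FilePath
        FileExists       = $exists
        InstalledVersion = $installedVersion
        # Applicability screen: exists AND Version Less Than target
        IsApplicable     = $exists -and ($installedVersion -lt $TargetVersion)
        # Installed screen: exists AND Version Equal To target
        IsInstalled      = $exists -and ($installedVersion -eq $TargetVersion)
    }
}

Test-FirefoxUpdateRules | Format-List
```

The `InstalledVersion` field on a machine that already has the new build is also a quick way to read off the exact four-part value for the Value box.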

Publishing an Update

Now that we have an update ready, we need to publish it to WSUS.

  1. Click Publish in the SCUP ribbon.
  2. Click the Full Content radio button.
  3. Click Next through the rest of the wizard. Accept any certificate notifications.
  4. Once the update is published, sync the MEMCM SUP.
    1. Launch the MEMCM console. Go to the Software Library workspace, expand Software Updates, and click All Software Updates.
    2. Click Synchronize Software Updates in the ribbon.
    3. Wait for synchronization to complete.
  5. After the synchronization is done, add the update to an existing software update group (or create a new one) and deploy it.

Now you’ve created and deployed a 3rd party software update. Be sure to come back later in the week to see how to deploy a 3rd party software update that requires multiple files.

Disclaimer

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
