This will be part 1 in an ongoing series about using System Center Updates Publisher (SCUP) to deploy 3rd party updates. This part will be discussing how to set up your environment to handle 3rd party updates.
With your workforce likely working from home under COVID-19 lockdown, it’s more important than ever to ensure that your patching is up-to-date, to include 3rd party updates. It’s not enough anymore to just ensure that Windows is patched.
There are whole solutions out there to help you with 3rd party updates. If you have the need for one of those, then use one of them. They work really well and can save you some time when putting these updates together. If you can’t afford one of those solutions, or only a few apps to update, then this series might be for you.
The blog was put together using MEMCM 2002 and SCUP 6.0.394.0, available here: https://www.microsoft.com/en-us/download/details.aspx?id=55543.
SCUP vs. Update Catalogs
MEMCM introduced 3rd party update catalogs in several versions ago. This allows administrators to directly import update catalogs into the MEMCM console. Several vendors, including Adobe, Dell, HP, and Lenovo support this method and this method completely bypasses SCUP. I chose not to use this functionality and continue to use SCUP for one reason: control. I have unique situations in my environment that require special rules to get right, so I still needed to manually set up my 3rd party updates.
I do, however, import these catalogs into SCUP so that I can see how the software vendors patch their own product. These catalogs will tell the cmd line used to install the update and the applicability rules they use, which can be very valuable information. I do not, however, deploy these updates in MEMCM. I might copy them and deploy the copies, but I never deploy them outright. We’ll see why in next week’s post.
You need to ensure a few things before starting. These items will make sure that your environment can deploy 3rd party updates.
First, your Software Update Point must be using HTTPS. If it’s using HTTP, you cannot publish 3rd party updates. There are several guides online about switching to HTTPS – it’s fairly straightforward.
Next, you need to enable 3rd party updates in MEMCM.
- Open the MEMCM console and go to the Administration workspace.
- Expand Site Configuration and select your site.
- In the ribbon, expand Configure Site Components, and select Software Update Point.
- Click the Third Party Updates tab.
- Check the box for Enable third-party software updates and click Apply. Leave this screen open – we’ll need it in the next section.
Next, you need a WSUS signing certificate. You can either use one you already have (or generate one), or just let MEMCM manage it, which is what I recommend. To let MEMCM manage the certificate, do this:
- From the same screen as step five, click the button next to Configuration Manager manages the certificate.
After clicking this button and clicking Apply, the Current WSUS signing certificate details box should populate.
Next, you need to make sure that you’ve enabled 3rd party updates in client settings.
- From the Administration workspace in the MEMCM console, select Client Settings.
- Select the client settings where you need to enable 3rd party updates and click Properties in the ribbon.
- Click Software Updates in the left pane.
- Find the Enable third party software updates configuration and set it to Yes.
- Click OK.
After enabling 3rd party updates for your site and configuring clients to receive them, the MEMCM-managed WSUS signing certificate will start deploying to your systems as they refresh their client policy.
Installing and Configuring SCUP
Installing SCUP is really easy. It’s a simple installer. Configuring it can be a little harder, especially if you have a hierarchy with a lot of servers.
I run SCUP from my primary site server. It’s probably not best practice, but I found it much easier to use and it was more straightforward setting it up. My Software Update Point is NOT on my primary site server. I also know that my primary site server is fairly stable, which you’ll want after a few rounds updates. SCUP stores all of it’s information in an internal database, and it’s a database you’ll want to move around with you as you rebuild computers.
After you have SCUP installed, it needs to be configured.
- Launch the Updates Publisher application.
- Click the blue rectangle in the upper-left corner and click Options.
- Check the Enable publishing to an update server checkbox.
- If you’re running SCUP on the server that is running WSUS and your SUP, then select Connect to a local update server. If you’re running SCUP from a different computer, then select Connect to a remote update server and supply the server name.
- Finally, in the Signing Certificate box, just click Create. It’s fine to have the update server generate this certificate.
- Next, move to the ConfigMgr Server tab and check the Enable Configuration Manager integration checkbox.
- If you’re running SCUP on the MEMCM primary server, then select Connect to a local Configuration Manager server. If you’re running SCUP on a different computer, then select Connect to a remote Configuration Manager server and provide the server name.
- Next, move to the Authoring tab and check the Enable authoring mode checkbox.
- Click OK to close the configuration wizard.
Now you’re all set up. You should be able to start authoring updates. Come back soon for a post on authoring your first update where we’ll go over some of the intricacies of using SCUP to author updates and moving them to MEMCM, then we’ll have a post on using a script to install an update.
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.