SCUP Integration with SCCM

What is SCUP 2011

SCUP 2011 is a free updates publishing and authoring application. You can benefit from this application by downloading free catalogs from vendors Like Adobe, HP and Dell. Furthermore you can author you own updates and publish those to WSUS.

You can download SCUP 2011 from - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=083f45ca-1ede-4f7a-be74-77854c3a9b01&displaylang=en

SCUP requirements Supported Operating Systems

- Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2

Windows Server Update Services (WSUS) 3.0 SP2 .NET Framework 4.0 Trusted Signing Certificate

System requirement for SCUP installation

Supported Operating Systems: Windows 7 Service Pack 1, Windows Server 2008 R2 SP1, Windows Server 2008 Service Pack 2, Windows Vista Service Pack 2

Windows Server Update Services 3.0 (WSUS) Service Pack 2 full or Administrator Console installed

Must install WSUS 3.0 SP2 hotfix Download and install the WSUS hotfix WSUS-KB2530678-x86 or WSUS-KB2530678-x64 from http://support.microsoft.com/?kbid=2530678

Download and install .Net Framework 4.0 from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9cfb2d51-5ff4-4491-b0e5-b386f32c0992&displaylang=en

(Note : If SCUP,WSUS & SCCM all are on 3 different boxes, then WSUS hotfix needs to be installed on all 3 systems)

Screenshots of installation of SCUP

Click Next

It will ask for the prerequisites to be installed first, it will also ask you to install .Net framework 4.0 to be installed before continuing the installation

Click Next

Select the installation path and click OK

Click Next to start the installation

Click Finish

Configuration of SCUPStart System Center Updates publisher from the start menu. From the Ribbon click Options.

For installations with a local WSUS: Select Connect to a local update server. For installations with a remote WSUS: Select Connect to a remote update server and type: Name: SCCM4 Port: 8530

Click Test Connection and click OK in the dialog.

In Signing Certificate click Create and OK. Only select this option if you do not have an existing WSUS signing certificate.

(Note: The moment you create the certificate, you will find a new self signed certificate created on WSUS server, you can verify that certificate while looking into WSUS certificate store with the name: WSUS Publishers Self-signed)

Click ConfigMgr Server

For installations on the site server: Select Connect to a remove Configuration Manager Server and type: Click Test Connection and OK in the dialog. For installations on a remote server or workstation: Type: SCCM4 Requested client count threshold: 1 Package source size threshold: 30 Click OK to close the configuration.

Placing the self signed certificate in appropriate location

Next you'll need to import the certificate into Trusted Publisher and Trusted Root Publishers.

Select Start, Run and type MMC

Click Ctrl+M and click Add to add a snap-in to the console. Select Certificates and click Add.

Select Computer account and click Next.

Click Finish Click Add and Close to return to the MMC with Certificate snap-in

Select Certificates, WSUS, Certificates

Right click the WSUS Publisher Self-signed certificate, select Copy.

Select Certificates, Trusted Root certification Authorities, Certificates. Right click and select Paste

Select Certificates, Trusted Root certification Authorities, Certificates. Right click and select Paste

Select Certificates, Trusted Publishers, Certificates. Right click and select Paste. Notice, the certificate must also be imported on the Configuration Manager server. If the server is on a remote host, export the certificate and import it on the Configuration Manager server.

Next export the certificate so it can be deployed using a ConfigMgr. Package. Right click the certificate, select All Tasks, Export.

Click Next.

Self signed certificate needs to be copied on each Trusted Root CA & Trusted publishers store for each and every client system in your environment. This can be accomplish through any 3 steps mentioned below:

Step 1. Perform the Manual Copy paste of the certificate on each and every system by accessing their Computer personal store(Practically not feasible)Step 2. Using Group Policy to add the certificate to clients appropriate certificate storeProcedure:

export the certificate

Click Next

Click Next.

Click Next.

Export the certificate by giving any name

Click Finish.

Step 3. Perform the Manual Copy paste of the certificate on each and every system by accessing their Computer personal store(Practically not feasible)

Deploy certificate by SCCM Package

To import signing certificate to “Trusted Publishers” and “Trusted Root Certification Authorities”Go to Console Root-> Certificates (Local Computer)-> (Trusted Publishers [and] Trusted Root Certification Authorities ) node-> Right Click-> All Tasks-> Import…-> enter path to exported certificate-> follow rest of defaults and complete wizard.

I know this can be a pretty manual task, but there are ways to automate it.  One way that I know works is to use "CertUtil.exe" to deploy the certificates.  In ConfigMgr 2007 you can create a program that contains CertUtil.exe (found in Windows Server 2003 Administration

Tools Pack) and your exported certificate.  You want to call run both commands on each machine by advertising each program.

To place in "Trusted Root Certification Authorities" store call "certutil.exe -addstore ROOT <certname>.cer"To place in "Trusted Publishers" store call "certutil.exe -addstore TrustedPublisher <certname>.cer"

Now that you have the signing certificate stored in all the right places the last setup step is to tell Windows Update agent to accept updates signed by entities other than Microsoft.