This is something I’ve written about before a couple of times. The way I see it, I’ll probably be writing more about it as well. A few companies later, it’s come up again that we need to get all of our systems on the same patch level for consistency. So I wanted to do a write up about using Microsoft System Center Updates Publisher. This free tool integrates in with WSUS and SCCM so that you can push third-party applications through WSUS and SCCM a lot easier than before. Like my other two articles, there is some prep work needed to get this functional. I’ve broken this up into two parts. This part will walk you through setting up SCUP with WSUS and SCCM. The second part will go about creating custom updates. Let’s go!
First you’ll need to get SCUP from Microsoft. Install this on your WSUS server, ideally. However, you can install it on a technician machine. The install is pretty simple.
The requirements for installing SCUP are:
- Windows Server 2016 (Standard, Datacenter)
- Windows Server 2012 R2 (Standard, Datacenter)
- Windows 10 (Pro, Education, Pro Education, Enterprise)
- Windows 8.1 (Professional, Enterprise)
There’s no cumulative update or service pack required (so Windows 10 1511 and Windows 10 1603 will still work just fine).
If you install on a technician workstation, you will need to have RSAT tools installed. On a server, it will need to have WSUS console.
Generate your certificate
In order to distribute and successfully install the software that you push, you are going to need a code signing certificate.
Microsoft has an excellent guide available on TechNet here. However, there are a few modifications. You want this to be made available for the computer account, not the user account! If you get stuck, bookmark this article and I will update it with the correct steps using Windows Server 2012 R2 or Windows Server 2016.
[TODO: Walk though generating certificate]
Once you have the certificate generated, you need to export it and distribute it via Group Policy. When you generate the PFX, you will import this into SCUP.
Importing the certificate in SCUP
Now it’s time to connect to your update server. Go to the SCUP options:
And then select the Update Server tab. Tick the enable box, enter your WSUS server, and then import the certificate.
When you go to import the certificate, it will get a little confusing. When you browse for the PFX, you then have to click the Create button in order to actually apply it. If you skip this, you will not actually add the PFX!
Now, you can click on OK and you should get a confirmation about the certificate being added. Once this is done, it’s time to setup a catalog and publish updates.
There are a few vendors of update catalogs for SCUP and some third party ones. For example, Adobe publishes Adobe Reader and Adobe Acrobat catalogs for free.
The catalogs that are included in SCUP aren’t modern though. After some hunting, this appears to be the correct catalog: http://armmf.adobe.com/arm-manifests/win/SCUP/ReaderCatalog-DC.cab
To add this catalog, click on Catalogs Workspace and Add (not Add Catalogs like you would think).
In the window that opens, add the URL to the catalog (you don’t have to download it and I would strongly encourage you to use online catalogs whenever possible so you always have the latest updates). Add the Publisher name, the Catalog name, and a Description. These are used internally so you don’t have to get too creative with them if you don’t want to.
Once you click OK, you’ll see the catalog added. Now go to your Updates Workspace and click on Import. Check the Adobe Reader DC catalog and click on Next.
SCUP will then begin to process updates for the catalog.
Once it’s done, click on Close. In this example, I had previously used this catalog which is why it says there were skipped updates. If everything is successful, you’ll see these as being imported.
Now you’ll see the product and all updates for that product.
From here, you can find the updates you want to deploy and then view the update details to get full details about the update and if you want to deploy it. Of course, you can also deploy it and then deny it from WSUS or SCCM.
Highlight the update and click on Publish. The Publish Wizard will start. On the first page, publish Full Content and click Next.
Confirm the update or updates is/are selected that you want to publish.
It’s going to then connect to the update server and publish updates. Depending on the size of updates, this can take a few minutes.
Once the update is published, you’ll be notified. In this case, I have already published this update and it wasn’t modified so there was nothing to do. If there are issues publishing the update, this is where you’ll find those errors.
Enabling the content in WSUS
Alright, now that we published a package, in order to let our clients get that package, we have to enable it through WSUS. Open up your WSUS console and force a sync. Once the sync is done, go into Products and Classifications. You’ll see an option for Adobe and Adobe Reader. Tick those and press OK and sync again. You’ll see your Adobe update come in for approval.
Enabling the content in SCCM
In the Admin console, go to Administration > Site Configuration > Sites > Your site with the Software Update Point role > right click and Manage Software Update Point.
Under the Products tab, enable Adobe Systems and Local Publisher.
You’ll now start to see these packages come into SCCM for deployment.
Java, Firefox, Chrome Updates
If it’s got a MSI, it can be managed with SCUP. These third parties don’t have any catalogs however I am currently working on one that I’m planning to distribute for free so all you have to do is setup WSUS or SCCM, your code signing cert, and SCUP.
I want to do this for free as I actually enjoy this and I enjoy giving back to the community. I’m still doing some internal testing with my package catalog and when it’s ready I’ll announce it here. If you’re interested, let me know by contacting me and I’ll email you when I am ready for beta testers. Note: I’m only going to use your email to contact you regarding the beta program. When you contact me, just mention that you want to sign up for free managed updates.
Also, this environment takes a lot of compute resources which I simply don’t have. If you can donate any amount, become a pateron, or maybe even donate an old server or two I could use for the virtual environment for this, it would mean a lot and help me churn out some updates.
If you want to do this yourself, it’s easy as deploying the MSI file.