SCUP Integration with SCCM
What is SCUP 2011
SCUP 2011 is a free application for authoring and publishing updates. You can use it to download free catalogs from vendors like Adobe, HP and Dell. Furthermore, you can author your own updates and publish those to WSUS.
You can download SCUP 2011 from - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=083f45ca-1ede-4f7a-be74-77854c3a9b01&displaylang=en
SCUP requirements
· Supported Operating Systems
- Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2
· Windows Server Update Services (WSUS) 3.0 SP2
· .NET Framework 4.0
· Trusted Signing Certificate
System requirement for SCUP installation
Supported Operating Systems: Windows 7 Service Pack 1, Windows Server 2008 R2 SP1, Windows Server 2008 Service Pack 2, Windows Vista Service Pack 2
· Windows Server Update Services 3.0 (WSUS) Service Pack 2, full or Administrator Console installed
· Must install WSUS 3.0 SP2 hotfix
- Download and install the WSUS hotfix WSUS-KB2530678-x86 or WSUS-KB2530678-x64 from http://support.microsoft.com/?kbid=2530678
· Download and install .NET Framework 4.0 from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9cfb2d51-5ff4-4491-b0e5-b386f32c0992&displaylang=en
(Note: If SCUP, WSUS and SCCM are all on 3 different boxes, then the WSUS hotfix needs to be installed on all 3 systems.)
Installation of SCUP
Click Next
Setup will ask for the prerequisites to be installed first, including .NET Framework 4.0, before continuing the installation.
Click Next
Select the installation path and click OK
Click Next to start the installation
Click Finish
Configuration of SCUP
Start System Center Updates Publisher from the Start menu. From the Ribbon, click Options.
For installations with a local WSUS:
Select Connect to a local update server.
For installations with a remote WSUS:
Select Connect to a remote update server and type:
Name: SCCM4
Port: 8530
Click Test Connection and click OK in the dialog.
In Signing Certificate click Create and OK.
Only select this option if you do not have an existing WSUS signing certificate.
(Note: The moment you create the certificate, a new self-signed certificate is created on the WSUS server. You can verify it by looking in the WSUS certificate store for the certificate named: WSUS Publishers Self-signed)
Click ConfigMgr Server
For installations on the site server:
Select Connect to a remote Configuration Manager Server and type:
Click Test Connection and OK in the dialog.
For installations on a remote server or workstation:
Type: SCCM4
Requested client count threshold: 1
Package source size threshold: 30
Click OK to close the configuration.
Placing the self-signed certificate in the appropriate location
Next you'll need to import the certificate into Trusted Publishers and Trusted Root Certification Authorities.
Select Start, Run and type MMC
Press Ctrl+M and click Add to add a snap-in to the console. Select Certificates and click Add.
Select Computer account and click Next.
Click Finish
Click Add and Close to return to the MMC with Certificate snap-in
Select Certificates, WSUS, Certificates
Right click the WSUS Publishers Self-signed certificate, select Copy.
Select Certificates, Trusted Root Certification Authorities, Certificates. Right click and select Paste.
Select Certificates, Trusted Publishers, Certificates. Right click and select Paste.
Note: the certificate must also be imported on the Configuration Manager server. If the server is on a remote host, export the certificate and import it on the Configuration Manager server.
Next, export the certificate so it can be deployed using a ConfigMgr package. Right click the certificate, select All Tasks, Export.
Click Next.
The self-signed certificate needs to be copied to the Trusted Root CA and Trusted Publishers stores on each and every client system in your environment. This can be accomplished through any of the 3 steps mentioned below:
Step 1. Manually copy and paste the certificate on each and every system by accessing its Computer personal store (practically not feasible)
Step 2. Use Group Policy to add the certificate to the appropriate certificate stores on clients
Procedure:
Export the certificate
Click Next
Click Next.
Click Next.
Export the certificate by giving any name
Click Finish.
Step 3. Deploy certificate by SCCM Package
To import signing certificate to “Trusted Publishers” and “Trusted Root Certification Authorities”
Go to Console Root-> Certificates (Local Computer)-> (Trusted Publishers [and] Trusted Root Certification Authorities ) node-> Right Click-> All Tasks-> Import…-> enter path to exported certificate-> follow rest of defaults and complete wizard.
I know this can be a pretty manual task, but there are ways to automate it. One way that I know works is to use "CertUtil.exe" to deploy the certificates. In ConfigMgr 2007 you can create a package that contains CertUtil.exe (found in Windows Server 2003 Administration Tools Pack) and your exported certificate, with one program per command. You want to run both commands on each machine by advertising each program.
To place in "Trusted Root Certification Authorities" store call "certutil.exe -addstore ROOT <certname>.cer"
To place in "Trusted Publishers" store call "certutil.exe -addstore TrustedPublisher <certname>.cer"
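A scripted form of the two certutil calls above, shown as an added example that is not part of the original article. It refuses to trust the file unless its thumbprint matches the one read from the certificate on the WSUS server and the file carries no private key, then adds it to both machine stores and reports the result. The parameter names and the file name in the comment are hypothetical; the script is assumed to run elevated (for example as a ConfigMgr program).

```powershell
param(
    [Parameter(Mandatory = $true)][string]$CertPath,           # exported file, e.g. .\WSUSPublisher.cer (hypothetical name)
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint  # read from the certificate on the WSUS server
)
$ErrorActionPreference = 'Stop'

# Load the exported certificate from disk.
$path = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Thumbprints copied from the MMC dialog contain spaces and hidden characters; keep hex digits only.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Pin the certificate before it becomes a machine-wide trust anchor.
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}
# Clients need only the public certificate; the signing key stays on the WSUS server.
if ($cert.HasPrivateKey) {
    throw "File contains a private key; export the certificate without it"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}

# Same targets as 'certutil -addstore ROOT' and 'certutil -addstore TrustedPublisher'.
foreach ($name in 'Root', 'TrustedPublisher') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $already = @($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
        if (-not $already) { $store.Add($cert) }

        # Re-read the store to confirm the certificate is really there.
        $present = @($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
        New-Object PSObject -Property @{
            Store   = "LocalMachine\$name"
            Action  = $(if ($already) { 'AlreadyPresent' } else { 'Added' })
            Present = $present
        }
    }
    finally { $store.Close() }
}
```

Anything signed with the matching private key becomes trusted on every machine that runs this, so restrict access to that key on the WSUS server.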
Now that you have the signing certificate stored in all the right places, the last setup step is to tell the Windows Update Agent to accept updates signed by entities other than Microsoft.