{"id":2207,"date":"2013-11-18T21:54:42","date_gmt":"2013-11-18T21:54:42","guid":{"rendered":"https:\/\/pipe2text.com\/?page_id=2207"},"modified":"2013-11-19T19:17:18","modified_gmt":"2013-11-19T19:17:18","slug":"configuring-software-configuration-updates-publisher-scup-2011","status":"publish","type":"page","link":"https:\/\/pipe2text.com\/?page_id=2207","title":{"rendered":"Configuring Software Configuration Updates Publisher (SCUP) 2011"},"content":{"rendered":"

Hi All,<\/p>\n

This article will cover the configuration of Systems Center Updates Publisher 2011 (SCUP). SCUP is a useful tool that lets you publish 3rd<\/sup> party updates to\u00a0the Systems Center Configuration Manager (SCCM) Site System which holds \u00a0Software Update\u00a0Point role for easy deployment. This article assumes that SCUP 2011 has already been installed and is on installed on the Site System holding the Software Update\u00a0Point role. It also assumes that you do not have a PKI infrastructure and will be using the certificate generated using SCUP. The lab I used to complete these steps was running on Windows Server 2012\u00a0 with SCCM 2012 SP1 installed. The following steps cover configuring SCUP and the clients that will receive the\u00a03rd<\/sup> party updates. Actual publishing and deployment of the 3rd<\/sup> party updates are outside the scope of this article.<\/p>\n

Log on to the server where SCUP is installed. Open the SCUP application making sure to run it as Administrator.<\/p>\n

Click \u201cConfigure WSUS and Signing Certificate\u201d under the \u201cGetting Started\u201d section.<\/p>\n

\"\"<\/p>\n

When the \u201cSystem Center Updates Publisher Options\u201d screen appears, check \u201cEnable publishing to an update server\u201d and click the \u201cTest Connection\u201d button. You will see test successful as shown below. Click \u201cOK\u201d. (In this example SCUP is installed on my SCCM Site Server with the \u201cSoftware Update Server\u201d role so I chose \u201cConnect to a local update server\u201d)<\/p>\n

\"\"<\/p>\n

Under the \u201cSigning Certificate\u201d section, click the “Create” button. A new certificate will be created and added to the \u201cWSUS\u201d certificate store on the server. You will receive success confirmation and instruction for what needs to be completed on client workstations. You will also notice the certificate issuer section is now populated as well (The certificate will be valid for 5 years from the date of creation). Click \u201cOK\u201d.<\/p>\n

\"\"<\/p>\n

Click the \u201cConfigMgr Server\u201d on the left pane. Check \u201cEnable Configuration Manager Integration\u201d. Click Test Connection. If successful, click \u201cOK\u201d.<\/p>\n

\"\"<\/p>\n

Now click “Advanced” on the right side pane as shown below. Check \u201cAdd timestamp when signing updates (Requires Internet Connectivity)\u201d to ensure the software updates will still be able to be used even after its signing certificate expires. (Providing they were stamped while the signing cert was valid). Select \u201cCheck for new catalog alerts on startup\u201d. Also, check \u201cUse a custom local source path\u201d and specify a path to search for source files. Click \u201cOK\u201d.<\/p>\n

\"\"<\/p>\n

Now that we have finished the configuration options within SCUP, it\u2019s time to Export the self-signed cert. To get into the certificate store on the machine where SCUP is installed complete the steps outline below:<\/p>\n

Open the\u00a0Start Menu and type \u201cMMC\u201d in the search box and press enter.<\/p>\n

When the console opens click \u201cFile\u201d and select \u201cAdd\/Remove Snapin\u201d.<\/p>\n

Select \u201cCertificates\u201d from available snap ins and click the \u201cAdd\u201d button to move to the \u201cSelected Snapins\u201d window and click \u201cOK\u201d.<\/p>\n

When the \u201cCertificate Snap-in\u201d windows appears, select the \u201cComputer Account\u201d radio button and click \u201cNext\u201d.<\/p>\n

On the \u201cSelect Computer\u201d window, select the \u201cLocal Computer\u201d radio button.<\/p>\n

You will now see that it has been added to the selected snap-ins.\u00a0 Click \u201cOK\u201d.<\/p>\n

Now that you have the local certificate MMC open you can start to Export the cert. Expand \u201cCertificates (Local Computer)\u201d then expand \u201cWSUS\u201d and highlight \u201cCertificates\u201d. Right click the certificate to be exported (in this case WSUS Publishers Self Signed), select \u201cAll Tasks\u201d then \u201cExport\u201d from the menu as shown below.<\/p>\n

\"\"<\/p>\n

The \u201cCertificate Export Wizard\u201d will appear, click \u201cNext\u201d on the \u201cWelcome to\u00a0the Certificate Export Wizard\u201d screen.\"\"<\/p>\n

On the \u201cExport Private Key\u201d screen select \u201cNo, do not export private key\u201d and click \u201cNext\u201d.<\/p>\n

\"\"<\/p>\n

On the \u201cExport File Format\u201d screen choose \u201cDER encoded binary X.509 (.CER)\u201d and click \u201cNext\u201d.<\/p>\n

\"\"<\/p>\n

On the \u201cFile to Export\u201d screen, Browse to the directory where you would like to export the certificate including the name of the file as shown below. Click \u201cNext\u201d.<\/p>\n

\"\"<\/p>\n

On the \u201cCompleting the Certificate Export Wizard\u201d screen review your settings and click \u201cFinish\u201d.<\/p>\n

\"\"<\/p>\n

When you receive confirmation that the export was successful, Click \u201cOK\u201d and \u201cFinish\u201d.<\/p>\n

\"\"<\/p>\n

Now that the Export is complete, let\u2019s Import the cert to the \u201cTrusted Root Certificate Authorities\u201d and \u201cTrusted Publishers\u201d stores on the SCUP machine. You should still have the \u201cCertificates MMC\u201d open. Expand \u201cCertificates (Local Computer)\u201d then expand \u201cTrusted Root Certification Authorities\u201d and highlight \u201cCertificates\u201d. Right click the \u201cCertificates\u201d container\u201d, select \u201cAll Tasks\u201d then \u201cImport\u201d from the menu as shown below.<\/p>\n

\"\"<\/p>\n

When the \u201cCertificate Import Wizard\u201d appears, click \u201cNext\u201d on the \u201cWelcome to Certificate the Import Wizard\u201d screen.<\/p>\n

\"\"<\/p>\n

On the \u201cFile to Import\u201d screen, browse to the directory where you previously saved the certificate file and click \u201cNext\u201d.<\/p>\n

\"\"<\/p>\n

On the \u201cCertificate Store\u201d screen, the \u201cPlace all certificates in the following store\u201d should be selected with \u201cTrusted Root Certification Authorities\u201d as the \u201cCertificate Store\u201d.<\/p>\n

\"\"<\/p>\n

On the \u201cCompleting the Certificate Import Wizard\u201d screen, click \u201cFinish\u201d. \"\"<\/p>\n

Click \u201cOK\u2019 on the confirmation that it was successful.<\/p>\n

\"\"<\/p>\n

You will now see the <\/strong>certificate listed as shown below. Now r<\/strong>epeat the same steps that we used to Import the certificate to the \u201c<\/strong>Trusted Root Certification<\/strong> Authorities\u201d above to import the cert to the \u201cTrusted Publishers\u201d certificate store as well<\/strong> <\/strong>(The only difference is you will right click \u201cCertificates\u201d under \u201cTrusted Publishers\u201d at the beginning of the steps)<\/strong>. <\/strong><\/p>\n

\"\"<\/p>\n

Configuring Group Policy<\/span><\/strong><\/span><\/strong><\/p>\n

Next you will need to configure Group Policy so that the client machines that will be receiving the updates trust the Signing Certificate. To do this, we will need to push the certificate we exported earlier to the \u201cTrusted Root Certification Authorities\u201d and the \u201cTrusted Publishers\u201d certificate stores on all client machines. If you don\u2019t have one already, create a GPO and link it to the link it to the proper location in Active Directory so that it will apply the machines you would like to target.<\/p>\n

Edit the Group Policy and navigate to \u201cComputer Configuration\/Windows Settings\/Public Key Policies\/Trusted Root Certification Authorities\u201d. Right click and select \u201cImport\u201d as shown below.<\/p>\n

\"\"<\/p>\n

Click \u201cNext\u201d on the \u201cWelcome to Certificate the Import Wizard\u201d screen.<\/p>\n

\"\"<\/p>\n

On the \u201cFile to Import\u201d screen, browse to the directory where you saved the cert previously and click \u201cNext\u201d.<\/p>\n

\"\"<\/p>\n

On the \u201cCertificate Store\u201d screen, the \u201cPlace all certificates in the following store\u201d should be selected with \u201cTrusted Root Certification Authorities\u201d as the \u201cCertificate Store\u201d.<\/p>\n

\"\"<\/p>\n

On the \u201cCompleting the Certificate Import Wizard\u201d screen, Click \u201cFinish\u201d.<\/p>\n

\"\"<\/p>\n

Click \u201cOK\u2019 on the confirmation that it was successful.<\/p>\n

\"\"<\/p>\n

Now you will need to do the same for \u201cTrusted Publishers\u201d store by Navigating <\/strong>to <\/strong>\u201c<\/strong>Computer<\/strong> Configuration\/Windows Settings\/Public Key Policies\/Trusted Publishers<\/strong>\u201d<\/strong> and repeating all the Import steps above.<\/strong><\/p>\n

After you have configured the \u201cTrusted Root Certification Authorities\u201d and the \u201cTrusted Publishers\u201d certificate stores, navigate to \u201cComputer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Update\u201d and enable \u201cAllow Signed updates from an Intranet Microsoft Update service location\u201d. Click Apply and \u201cOK\u201d<\/p>\n

\"\"<\/p>\n

You are now finished configuring the Group Policy and can close the Group Policy Editor. When the Group Policy updates on the client machines you will see the certificate you imported into the policy in the \u201cTrusted Root Certification Authorities\u201d and the \u201cTrusted Publishers\u201d certificate stores.<\/p>\n

SCUP is now configured and your SCCM clients are now ready to receive 3rd<\/sup> party updates using SCUP. As mentioned earlier, publishing and deploying the updates is out of the scope of this article. In the near future I will be writing about those topics and will add the links to this page when I do. I hope this helps. If you have any questions or feedback, please leave a comment.<\/p>\n","protected":false},"excerpt":{"rendered":"

Hi All, This article will cover the configuration of Systems Center Updates Publisher 2011 (SCUP). SCUP is a useful tool that lets you publish 3rd party updates to\u00a0the Systems Center Configuration Manager (SCCM) Site System which holds \u00a0Software Update\u00a0Point role … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"class_list":["post-2207","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/pipe2text.com\/index.php?rest_route=\/wp\/v2\/pages\/2207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pipe2text.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/pipe2text.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/pipe2text.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/pipe2text.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2207"}],"version-history":[{"count":21,"href":"https:\/\/pipe2text.com\/index.php?rest_route=\/wp\/v2\/pages\/2207\/revisions"}],"predecessor-version":[{"id":2246,"href":"https:\/\/pipe2text.com\/index.php?rest_route=\/wp\/v2\/pages\/2207\/revisions\/2246"}],"wp:attachment":[{"href":"https:\/\/pipe2text.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}