10 sccm 2007- system center updates publisher v1.1

of 34

Mastering ConfigMgr System Center Configuration Manager

SCUP 4.5 Installation and Configuration Guide

Author:

Kent Agerlund

Create date: 22/09-2010 Change date: 21/01-2011 Document version no.: 1.1

10 SCCM 2007- System Center Updates Publisher V1.1.docx of 34

Document information

History

Date Author Version Reason for change

06/09-2010 Kent Agerlund 1.0 N/A

21/01-2011 Kent Agerlund 1.1 Minor changes

Proof readers

Name Version Date of approval


Table of contents

Document information .................................................................................................... 2 History ....................................................................................................................... 2 Proof readers .............................................................................................................. 2

Table of contents ........................................................................................................... 3 Installing SCUP .............................................................................................................. 4 Check that the installation went successfully ..................................................................... 6 Configure Certificates and Group Policies .......................................................................... 7 Deploy the WSUS self-signed certificate to clients ........................................................... 11 Importing the catalog into SCUP .................................................................................... 14 Creating Custom updates .............................................................................................. 15 Publish Updates ........................................................................................................... 22

Import new catalogues .............................................................................................. 24 Expire updates .......................................................................................................... 28

Install SCUP console remotely ....................................................................................... 29 Creating a Search Folder in SCCM with Custom updates .................................................. 32 Troubleshooting ........................................................................................................... 34


Installing SCUP

Run Setup.exe and click Next

Accept the license terms and click Next

Select Local Database and click Next

Click Next


Select the installation destination folder and click Next.

Click Next.

Click Finish.


Check that the installation went successfully

o PTBootstrappersetup.log: Contains information about whether the minimum requirements have been met during the initial phase of the Updates Publisher Setup. Verify that this phase of Setup was successful by looking at the last three lines of the log file, which should read MSI installation complete, MSI finished with success message, and Setup completed successfully.

o PTDatabase.log: Contains information about the creation of the Updates Publisher database during Setup. Verify that the database was created successfully by looking for DBCC execution completed in the log file.

o PublishingToolsetup.log: Contains information about the Updates Publisher Setup. Verify that Setup completed successfully by looking for Product: System Center Updates Publisher -- Installation operation completed successfully about ten lines from the end of the log file.

Above information is taken from the readme file.


Configure Certificates and Group Policies

Right click the System Center Updates Publisher top node and select Settings.

Select the Update Server tab.

Select Enable publishing to an Update Server and click Test Connection. If no signing certificate exists click OK


In Signing Certificate click Create

Click OK

Next you'll need to import the certificate into Trusted Publisher and Trusted Root Publishers. Select Start, Run and type MMC

Click Ctrl+M and click Add to add a snap-in to the console. Select Certificates and click Add.

Select Computer account and click Next.


Click Finish Click Add and Close to return to the MMC with Certificate snap-in

Select Certificates, WSUS, Certificates.

Right click the WSUS Publisher Self-signed certificate, select Copy.

Select Certificates, Trusted Root certification Authorities, Certificates. Right click and select Paste

Select Certificates, Trusted Publishers, Certificates. Right click and select Paste. Notice, the certificate must also be imported on the Configuration Manager 2007 server. If the server is on a remote host, export the certificate and import it on the Configuration Manager server.


Open Active Directory Users and Computers. Right click your Domain, select Properties.

Select Group Policy, create a New Group Policy or edit the Default Domain Policy.

Enable, Computer Configuration, Administrative Templates, Windows Components, Windows Update, Allow signed content from intranet Microsoft update service location


Deploy the WSUS self-signed certificate to clients

First export the exported certificate along with Certutil.exe and Certadm.dll files to the same directory. In this example the wsus certificate is called wsusscup.cer

Create a new package in Config Mgr. Select the folder containing the three files as the source folder.

Create two new programs with these command lines certutil.exe –addstore TrustedPublisher wsusSCUP.cer certutil.exe –addstore Root wsusSCUP.cer


In the second program configure Run another program first: and select the first program. You can also create a bat file or script to run both commands from a single program.

Configure the program to Run with administrative rights.


Create a new advertisement.


Importing the catalog into SCUP

Right click the System Center Updates Publisher top node and select Settings.

Select Import List Click Add to manually add a 3rd. party catalog. Click Find, to automatically discovery 3rd. party catalog files.

Select the Publisher and click Add click OK to close the dialog.


Creating Custom updates

Before you can create a custom update you need to have the source file. In this example Adobe Reader 9.1 will be made available for all computers with Adobe Reader 9.0 installed. Download the update from Adobe.com.

Open the System Center Custom Updates publisher console and navigate to the appropriate catalog folder. Click Create Update in the Actions pane.

Fill out the information about the Update. You can create your own Vendor and Product values by typing in the dropdown boxes. Notice: The WSUS/SUP must be configured to synchronize the selected classification. Click Next.


Fill out more information about the update. Only required field is More Info URL. Select the Impact and Reboot behavior values. Click Next.

Next define any prerequisites for the update. In this example I will only allow it to run on Windows XP SP3 DK edition computers. Click the yellow plus sign to start creating the rules.

Select Create Basic rule. In Comparison: Select Equal to In rule type select Windows Version. For detailed information about the versions hit F1 and check the help file. Select Save your rule as and type Windows XP SP3 Click OK to save the rule


Click the yellow plus sign to create the next rule.

Click Create Basic rule. In Rule type: select Danish. Save the rule as: Danish and click OK

The operator will automatically default to Or. Change the value to And and click Next.


In installer type select: Command line installation (.exe) In Update Package source select: The source file. Download URL select: A location from where the SCUP can download the update once it is published. In Success Return Codes type: 0, 1234, 1235,

1236, 1237, 1238, 1239, 1240, 1241, 1242, 1243, 1244, 1245, 1246, 1247, 1248, 1249, 1

In Success Pending Reboot Codes type: 3010 In binary language select: Danish In command line type: /sAll /rs Click Next

Click the yellow plus sign to create the next rule.

Click Create Basic rule In Rule Type select: Registry Value Exists In Registry Path type:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\

Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1030-7B44-A90000000001}\DisplayVersion In Registry value type:9.0.0 In Registry value type select: REG_SZ Save the rule as: Adobe Reader 9.0 Click OK


Click Next

Click the yellow plus icon to create the rule that will check which computers already have the update installed.

Select Create MSI rule In Product Code type: AC76BA86-7AD7-1030-7B44-A91000000001 In Maximum version type: 9.9.9 In Minimum version type: 9.1.0 In language select: Danish Save the rule as Adobe Reader 9.1 min version Click OK


Click OK in the warning dialog.

Click Next

Click Next

Click Close


The update is now created in the console.


Publish Updates

Select the update(s) that should be published.

Right click the update and select Set Publish Flag, Full Content. Metadata only will only allow for scanning not for deployment of the update.

Once the update has a publish flag it’s ready to be published.

Click Publish Updates in the Actions pane.

Click Next.


In the Content Validation dialog box select: Always accept content from Adobe Systems, Incorporated and click Accept.

Click Close.

You can monitor the sync process between the WSUS and ConfigMgr site server in the wsyncmgr.log on the site server.


Import new catalogues

Open System Center Updates Publisher management console. Right click System Center Updates Publisher and select Import Update(s).

Select Single Catalog Import and click Next.

Navigate to the folder containing the latest cab files. Select the cab file and click Next. Notice: You need to run the wizard once for each cab file.


Click Next.

Importing a new catalog will overwrite existing updates. Click Yes to All.

Click Close.

After the new catalogues are imported you need to publish the updates to WSUS.


Go thru the catalog, right click the new updates, select Set Publish Flag, Full Content. Full content will force SCUP to download the content and make it available for deployment in Configuration Manager. Metadata should only be selected when monitoring of patch compliance is needed for the given update.

When all needed updates are marked for publishing click Publish Updates in the Actions pane. This will publish all updates to WSUS. Updates marked with Full Content will be downloaded during this process. The process might take a few minutes (5-10 minutes depending on the number of updates).

Click Next.

For each Vendor you will be prompted to accept their content. Select Always accept and click Accept.


The updates are now added to WSUS and will be available in Configuration Manager after the next Software Update synchronization process.


Expire updates

Right click the update in SCUP, select Set Expire Status, Expired.

Publish the changes by clicking Publish Updates.

Open the ConfigMgr. Console, navigate to Computer Management, Software Updates. Expiry information will be synchronized during full synchronization cycles only.

All expired updates will be shown with a Grey icon in ConfigMgr and the Expired status will change to Yes.


Install SCUP console remotely

Before installing the SCUP console you’ll need to install the WSUS 3.0 administrator console. Start the installation and click Next.

Select Administration Console only and click Next.

Accept the license terms and click Next.

Click Next.

Click Finish.

Start the SCUP installation and click Next.


Accept the license agreement.

Select Remote database and type Database Server: SCCM1 SQL Instance:

Click Install.

Click Next.

Click Next.

Click Next.


Click Finish.

Open System Center Update Publisher Management console from the Start menu. Right click System Center Updates Publisher and select Settings.

Select the Update Server tab. Click: Enable publishing to an update server Enable: Connect to a remote update server and type: SCCM1 on port 8530. Click OK.


Creating a Search Folder in SCCM with Custom updates

Open the Configuration Manager console, navigate to Computer Management, Software Updates, Update Repository, Search Folders.

Right click Search Folders and select New Search Folder.

Enable Search all folders under this feature. Select Vendor and click on the link <Items to find>

Select the vendors. Notice that only vendors with updates will be shown. You will need to update the Search folder after adding updates from new vendors in SCUP. Click OK twice to close the Search folder.


The Search folder.


Troubleshooting

Updatespublisher.log is stored in %temp% and it’s readable with SMS trace (trace32.exe). All information about SCUP publishing is recorded in this log file.

10 sccm 2007- system center updates publisher v1.1

Documents