System centre updates publisher in conjunction with ConfigMgr 2012 is a powerful tool. Using this I manage our in house application updates, using ConfigMgr I can report on versions, updates, missing updates, exactly the same as you can with Windows updates deployed thorough ConfigMgr.
Download SCUP from the above link – you don’t have to install it on your site server, it can be a workstation or another server. I installed it on my site server in this scenario. You need to run the installation as admin, if that does not work, run the installation from an elevated CMD prompt. I have seen some strange behaviour on some servers/workstations during installation! If using WSUS 3.0 install the hotfix as requested.
So once installed – run the program as admin go to the options tab:
Then hit enable publishing to an update server. I have selected local update server as it’s on the same server, connect to remote and supply the FQDN of the server and the port. Remember if you are using WSUS 4 the port is not 80 – 8530 or similar.
Test connection and you will get a warning about certificates. No problem, click create and follow through, this will create a self signed WSUS certificate for you. I’m only going to cover this route, but you can use an existing WSUS signing certificate.
Ok, before we go any further we need to deal with the generated certificate, open an MMC, add remove snap in – certificates, manage for the computer account, local computer. Browse to the WSUS part and you will see the certificate.
On all clients that you want to push updates to, this cert needs to be in Trusted Root and Trusted publisher, so we are going to deploy a ConfigMgr package to all of our machines with the cert. Export the certificate, then create a .bat file with the following:
certutil -addstore Root WSUS.cer
certutil -addstore TrustedPublisher WSUS.cer
Where WSUS.cer is the name of your certificate. Put both this and the certificate file you exported in a folder ready to create a package.
In your ConfigMgr console, create a package to install the certificate using the install.bat file and deploy to your clients.
Next you need to make sure that your domain is ready, open another mmc and add the group policy management snap in. Open your policy or create a new one, browse to Computer Configuration, Policies, Admin Templates, Windows Components, windows update. Configure the Allow signed updates form and intranet Microsoft update service location as below:
So now back to SCUP:
Click ConfigMgr Server and enable, fill in the details and test connection:
Go through the rest of the settings and configure as required. So that’s part 1, all installed and configured. In part 2 we will go though importing vendor catalogues and deploying updates. In part 3 we will go through creating your own software catalogue and deploying updates for in house applications.