The Complete SCUP 2011 installation and configuration guide

The latest version of System Center Custom Updates Publisher 2011 is released and ready for download. SCUP 2011 is a freeware tool from Microsoft that can assist you in authoring and publishing 3rd. party updates to Configuration Manager and System Center Essentials.

To get you started you can download the complete SCUP 2011 installation and configuration guide here I hope the guide can save you a few hours of work and get you up and running with SCUP today.

In my guide I have references to two files used to deploy the needed certificates. Those are:

Certutil.exe and certadm.dll, both files are part of the Windows Server 2003 Administration Tools Pack.

Happy “Scuping”

By Kent Agerlund|2011-06-10T20:40:48+01:00juni 10th, 2011|Configuration Manager (SCCM)|29 Comments

Om forfatteren: Kent Agerlund

Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more. Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.

29 kommentarer

[SCCM] Publication d'un guide d'installation/configuration pour SCUP 2011 - Jean-Sébastien DUCHENE Blog's juni 12, 2011 af 15:59

[…] Pour plus d’informations et obtenir le guide, rendez-vous sur : http://blog.coretech.dk/kea/the-complete-scup-2011-installation-and-configuration-guide/ […]
The Complete SCUP 2011 installation and configuration guide - Chris Nackers Blog juni 13, 2011 af 20:39

[…] Read his original post here. […]
Ulrich Bernskov juli 26, 2011 af 20:16

Thanks for the guide.
Rashmika august 4, 2011 af 16:51

This PDF is exceptionally helpful and it allowed me to delpoy Java 1.6B26. However I did hit a snag with the 64 bit version of Java as it uses the same registry paths on a 64 os as the 32 bit version of Java on a 32 bit OS. The update would install, however the end result would always report a fail as the evaluation was conducted against the 64 bit version regsitry key as opposed to the 32 bit version of Java held under the SysWowNode key.

Naturalyl the 64 version registry key would not have changed… hence the Fail result.

In the end, I created three updates. 32 bit Java on 32 bit OS (checking key HKLMSoftwareJavasoftJava Runtime Environment1.6.0_26), 32 bit Java on 64 bit OS (checking HKLMSOFTWAREWow6432NodeJavaSoftJava Runtime Environment1.6.0_26) and 64 bit Java (checking HKLMSoftwareJavasoftJava Runtime Environment1.6.0_26). Each update also had an extra Installable Rule of either x86 or x64.
- Sandra marts 12, 2012 af 14:01
  
  Hello
  
  I have a 32 bit os and a 32 bit java, but it doesn’t work with Installable Rule (either x86 or x64) and Installed Rule (checking key HKLMSoftwareJavasoftJava Runtime Environment1.6.0_26). Does anybody have an idea why?
  - Rashmika april 26, 2012 af 18:01
    
    Hi Sandra. I was somewhat premature with my apparent success! I was still unable to get all three variants to work, the 32 bit version of Java on a 64 bit OS is just an utter pig.
    
    What I did in the end was to create a 32 bit Java update for 32 bit OS’s and a 64 bit Java update for 64 bit OS’s. I did hit another major snag, in that sometimes Java would fail to install and then wipe itself. It left a slight footprint in the registry though, so I adjusted the Applicability rule to check higher up the tree.
    
    This has now worked fine for the past 6 months 
    
    Applicability x86:
    Registry Key ‘HKLMSoftwareJavasoft’ exists.
    NOT: Registry key ‘HKLMSoftwareJavasoftJava Runtime Environment1.6.0_31’ exists.
    File: ‘C:windowssystem32ccmlogscas.log’ exists
    
    Installed x86:
    Registry key ‘HKLMSoftwareJava Runtime Environment1.6.0_31’ exists.
    - Mike februar 20, 2013 af 15:59
      
      Not sure if anyone is still having a problem with the Java rules for 32 bit and 64 bit but I have managed to come up with a working solution by creating 3 updates with rules, one for 32 bit Java on 32 bit machines, one for 64 bit Java on 64 bit machines and one for 32bit Java on 64 bit machines. This method also allows you to jump from version 6 to 7 as well if required. It might be possible to simplify this by combining the two 32 bit Java installs into one but I was just happy to get it working!
      
      I used the registry folder Wow6432Node to know if it was a 32 or 64 bit machine and to know where to install the correct version. This is how I updated all our machines from various version 6 and 7 Java up to the latest Java 7 Update 13:
      
      32bit Java on 32bit Machines:
      Installable Rules:
      Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment’ exists.
      NOT Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment1.7.0_13’ exists.
      NOT Registry Key ‘HKLMSoftwareWow6432Node’ exists.
      Installed Rules:
      Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment1.7.0_13’ exists.
      
      64bit Java on 64bit Machines:
      Installable Rules:
      Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment’ exists.
      NOT Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment1.7.0_13’ exists.
      Registry Key ‘HKLMSoftwareWow6432Node’ exists.
      Installed Rules:
      Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment1.7.0_13’ exists.
      
      32bit Java on 64bit Machines:
      Installable Rules:
      Registry Key ‘HKLMSoftwareWow6432NodeJavasoftJava Runtime Environment’ exists.
      NOT Registry Key ‘HKLMSoftwareWow6432NodeJavasoftJava Runtime Environment1.7.0_13’ exists.
      Installed Rules:
      Registry Key ‘HKLMSoftwareWow6432NodeJavasoftJava Runtime Environment1.7.0_13’ exists.
      
      I hope this helps anyone that is still having a problem with getting Java to install across 32 and 64 bit machines.
      
      I am using WSUS 3.0 SP2, SCUP 2011 and Local Update Publisher in replace for SCCM which is just overcomplicated if you just want it for deploying updates.
      - Siddharth juli 19, 2013 af 12:54
        
        Hi Guys ,
        
        We have to deploy SCUP 2011 with our existing SCCM 07 Infrastructure, With all Primary Sites on Windows Server 2008 R2 .I have few queries regarding the implementation:
        1.The guide line that kent has provided is same for Windows Server 2008 R2 as well, as it is written “Certutil.exe and certadm.dll, both files are part of the Windows Server 2003 Administration Tools Pack.”
        so do we need any other settings to be configured apart from these mentioned in guide .
        Can any guide me on this it would be a great help…..thanks in advance
        Regards
        Siddharth Sharma
Ben november 28, 2011 af 6:51

Thanks Kent.

Your guides helped me a lot.

Regards,
Ben.
System Center Custom Updates Publisher 2011 « System Center PT december 28, 2011 af 13:04

[…] Coretch, que tem um guia excelente para a configuração, preparação e integração com SCUP com o ConfigMgr. […]
Lee marts 8, 2012 af 11:08

Kent, Im having problems to get SCUP to connect to remote ConfigMgr Site server to validate connection in SCUP setup wizard in Configuration Manager Integration section.

Error message says to verify that current user has REQUIRED access. Im not sure what that required access is. Is it on dB layer or should be added to some local group?

thanks for reply.
- Erik oktober 24, 2012 af 3:58
  
  Right click and run scup as admin.
MV september 13, 2012 af 23:22

Do I need Configuration Manager 2007 in order to run SCUP 2011?
Andrew januar 29, 2013 af 9:22

Is there any specific reason to use SCCM package to distribute WSUS publisher certificate? Isn’t it easier to just add it to the same GPO where we allow signed custom updates?
Kent januar 29, 2013 af 9:24

Andrew,
No, there is no specific reason except that I (as a consultant) often do not have access to AD and GPO’s.
Adobe Flash - SCCM 2012 Software updates februar 18, 2013 af 17:15

[…] […]
Haecki februar 26, 2013 af 9:58

Hi Kent,

first, thanks to this post.

In our company we want to update our HP Servers (HP ProLiant DL380 G6/G7/Gen8) with SCUP 2011.
But it seems that HP does not update their “proliant.cab” file (Download: ftp://ftp.hp.com/pub/softlib/software10/COL25555/sy-65640-1/ProLiant.cab).
The latest version is from 25/06/2012 which means since that date, all drivers and firmware are not included/available.
There is no statement from HP about that.

With this fact, it makes no sense to use this great tool.

Do you know, if HP is still “supporting/concerning” SCUP or is there another utility where we can reach my aim?

Thanks for you support.
Kind regards Haecki
Chuck Roast marts 2, 2013 af 1:57

In the guide when you do the second Test Connection against the server does the same warning about the certificate appear? If so could you update your documentation to reflect this. It is important to know because I keep getting that error. If it doesn’t give you the error then I’ll re-re-re-review the information.
Gerd maj 29, 2013 af 11:55

Thank you very much for this helpful post.
One thing I would change is the “Deploy the WSUS self-signed certificate to clients”.
Instead of deploying it via SCCM I would recommend using GPOs. On one hand it is easier and faster on the other hand not everybody has a SCCM:

Use the exported certificate and import it to the newly generated WSUS-GPO:

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
-> Right-click on Trusted Root Certification Authorities and select Import
-> Right-click on Trusted Publishers and select Import
-> Certificate Services Client – Auto-Enrollment: Change the Configuration Model to Enabled (leave anything else default)
-> Certificate Path Validation Settings: checkmark “Define these policy settings” (leave anything else default)

Computer Configuration > Policies > Admin Templates > Windows Components > Windows Updates
-> Allow signed updates from intranet Microsoft update service: enabled
SHOKEY66 januar 23, 2014 af 4:39

Guys,
I am using SCCM2012 R2, SCUP 2011, Server 2012. CAS and WSUS is on same box using PKI Certificate from server 2012 Certificate Authority as server 2012 server and client windows 8. all is set up and updates show up in SCCM but cant not download them (download goes up to 90%) and error
download wizard in sccm error: Invalid certificate signature
patchdownloader error
Authentication of file appdatalocaltempCABEEED3.TMP failed
Installing Cumulative Updates in Configuration Manger using SCUP - Justin Chalfant's Blog - Site Home - TechNet Blogs marts 12, 2014 af 15:54

[…] This guide is also assuming you currently have SCUP 2011 setup and configured in your environment (If not MVP Kent Agerlund has a great guide here: http://blog.coretech.dk/kea/the-complete-scup-2011-installation-and-configuration-guide/). […]
Trent maj 21, 2014 af 17:46

I am running CM2012, SCUP 2011 on Server 2008 (same server). I setup and configured SCUP following Kent’s instructions but I am unable to download the Software Update Group. When I attempt to download I receive “Failed to download content id xyz. Error: Invalid certificate signature”. I see this same error in the PatchDownloader.log file. I have tried to delete the cert from the stores and recreate a new self signed cert but the end result is the same.

What did I miss? Anyone has any thoughts for me?
Thanks!
SCUP 2011 + WSUS + SCCM 2012 | loveitandhateit august 4, 2014 af 13:50

[…] this works fine no comments […]
SCCM: Updates published via SCUP fail with Error = 0x800b0109 | IT Consultant Everyday Notes oktober 7, 2014 af 20:18

[…] to deploy third-party updates via SCCM. SCUP implementation is well documented for example here by Kent […]
Brando oktober 31, 2014 af 18:13

Hello…does this product require SCCM? We currently deploy updates to our Labs using WSUS. Can these products integrate and work together?

Brando
Ales Rajh marts 24, 2015 af 9:23

Hello Kent

We are using SCCM 2012 + SCUP 2011 for update distribution. Last week we had Microsoft RAS workshop regarding PKI infrastructure. One remark marked as important was that we have SCUP signed certificate inside trusted root authorities. I have setup our SCUP two years ago based on your instruction. There you mentioned that certificate must be in Trusted Publisher and Trusted Root Publishers store. Trusted Root Publishers store is something that doesn’t exist. Later in the same manuals you have instructions: Right click the WSUS Publisher Self-signed certificate, select Copy. Select Certificates, Trusted Root certification Authorities, Certificates. Right click and select Paste Select Certificates, Trusted Publishers, Certificates. Right click and select Paste.
Is it really necessary to have certificate also inside Trusted Root certification Authorities?
Is this only because you have used self-signed cert in manuals and is this certificate untrusted if is not also in trusted root?
We use internal PKI and we have root cert from our root PKI in trusted root. Does that mean if we use internal PKI that signing cert issued by our infrastructure must be only in Trusted Publishers?
Thanks for answers in advance
Anonymous september 15, 2017 af 8:54

DEAD LINK, your guide is not available for read or download !
Sahil januar 23, 2018 af 9:06

Hi Kent, Seems like the link is not available for Download.

Please share the PDF
SegunB maj 28, 2018 af 0:31

Hello Kent,

Quite a number of the links in this current site still points to the old site which have become unavailable – could you update please.

Thank you.