The Complete SCUP 2011 installation and configuration guide


The latest version of System Center Custom Updates Publisher 2011 is released and ready for download. SCUP 2011 is a freeware tool from Microsoft that can assist you in authoring and publishing 3rd. party updates to Configuration Manager and System Center Essentials.

To get you started you can download the complete SCUP 2011 installation and configuration guide here I hope the guide can save you a few hours of work and get you up and running with SCUP today.

In my guide I have references to two files used to deploy the needed certificates. Those are:

Certutil.exe and certadm.dll, both files are part of the Windows Server 2003 Administration Tools Pack.


Happy “Scuping”

By | 2011-06-10T20:40:48+00:00 June 10th, 2011|Configuration Manager (SCCM)|29 Comments

About the Author:

Kent Agerlund
Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more. Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.


  1. […] Read his original post here. […]

  2. Ulrich Bernskov July 26, 2011 at 20:16 - Reply

    Thanks for the guide.

  3. Rashmika August 4, 2011 at 16:51 - Reply

    This PDF is exceptionally helpful and it allowed me to delpoy Java 1.6B26. However I did hit a snag with the 64 bit version of Java as it uses the same registry paths on a 64 os as the 32 bit version of Java on a 32 bit OS. The update would install, however the end result would always report a fail as the evaluation was conducted against the 64 bit version regsitry key as opposed to the 32 bit version of Java held under the SysWowNode key.

    Naturalyl the 64 version registry key would not have changed… hence the Fail result.

    In the end, I created three updates. 32 bit Java on 32 bit OS (checking key HKLMSoftwareJavasoftJava Runtime Environment1.6.0_26), 32 bit Java on 64 bit OS (checking HKLMSOFTWAREWow6432NodeJavaSoftJava Runtime Environment1.6.0_26) and 64 bit Java (checking HKLMSoftwareJavasoftJava Runtime Environment1.6.0_26). Each update also had an extra Installable Rule of either x86 or x64.

    • Sandra March 12, 2012 at 14:01 - Reply


      I have a 32 bit os and a 32 bit java, but it doesn’t work with Installable Rule (either x86 or x64) and Installed Rule (checking key HKLMSoftwareJavasoftJava Runtime Environment1.6.0_26). Does anybody have an idea why?

      • Rashmika April 26, 2012 at 18:01 - Reply

        Hi Sandra. I was somewhat premature with my apparent success! I was still unable to get all three variants to work, the 32 bit version of Java on a 64 bit OS is just an utter pig.

        What I did in the end was to create a 32 bit Java update for 32 bit OS’s and a 64 bit Java update for 64 bit OS’s. I did hit another major snag, in that sometimes Java would fail to install and then wipe itself. It left a slight footprint in the registry though, so I adjusted the Applicability rule to check higher up the tree.

        This has now worked fine for the past 6 months 

        Applicability x86:
        Registry Key ‘HKLMSoftwareJavasoft’ exists.
        NOT: Registry key ‘HKLMSoftwareJavasoftJava Runtime Environment1.6.0_31’ exists.
        File: ‘C:windowssystem32ccmlogscas.log’ exists

        Installed x86:
        Registry key ‘HKLMSoftwareJava Runtime Environment1.6.0_31’ exists.

        • Mike February 20, 2013 at 15:59 - Reply

          Not sure if anyone is still having a problem with the Java rules for 32 bit and 64 bit but I have managed to come up with a working solution by creating 3 updates with rules, one for 32 bit Java on 32 bit machines, one for 64 bit Java on 64 bit machines and one for 32bit Java on 64 bit machines. This method also allows you to jump from version 6 to 7 as well if required. It might be possible to simplify this by combining the two 32 bit Java installs into one but I was just happy to get it working!

          I used the registry folder Wow6432Node to know if it was a 32 or 64 bit machine and to know where to install the correct version. This is how I updated all our machines from various version 6 and 7 Java up to the latest Java 7 Update 13:

          32bit Java on 32bit Machines:
          Installable Rules:
          Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment’ exists.
          NOT Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment1.7.0_13’ exists.
          NOT Registry Key ‘HKLMSoftwareWow6432Node’ exists.
          Installed Rules:
          Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment1.7.0_13’ exists.

          64bit Java on 64bit Machines:
          Installable Rules:
          Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment’ exists.
          NOT Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment1.7.0_13’ exists.
          Registry Key ‘HKLMSoftwareWow6432Node’ exists.
          Installed Rules:
          Registry Key ‘HKLMSoftwareJavasoftJava Runtime Environment1.7.0_13’ exists.

          32bit Java on 64bit Machines:
          Installable Rules:
          Registry Key ‘HKLMSoftwareWow6432NodeJavasoftJava Runtime Environment’ exists.
          NOT Registry Key ‘HKLMSoftwareWow6432NodeJavasoftJava Runtime Environment1.7.0_13’ exists.
          Installed Rules:
          Registry Key ‘HKLMSoftwareWow6432NodeJavasoftJava Runtime Environment1.7.0_13’ exists.

          I hope this helps anyone that is still having a problem with getting Java to install across 32 and 64 bit machines.

          I am using WSUS 3.0 SP2, SCUP 2011 and Local Update Publisher in replace for SCCM which is just overcomplicated if you just want it for deploying updates.

          • Siddharth July 19, 2013 at 12:54

            Hi Guys ,

            We have to deploy SCUP 2011 with our existing SCCM 07 Infrastructure, With all Primary Sites on Windows Server 2008 R2 .I have few queries regarding the implementation:
            1.The guide line that kent has provided is same for Windows Server 2008 R2 as well, as it is written “Certutil.exe and certadm.dll, both files are part of the Windows Server 2003 Administration Tools Pack.”
            so do we need any other settings to be configured apart from these mentioned in guide .
            Can any guide me on this it would be a great help…..thanks in advance
            Siddharth Sharma

  4. Ben November 28, 2011 at 6:51 - Reply

    Thanks Kent.

    Your guides helped me a lot.


  5. […] Coretch, que tem um guia excelente para a configuração, preparação e integração com SCUP com o ConfigMgr. […]

  6. Lee March 8, 2012 at 11:08 - Reply

    Kent, Im having problems to get SCUP to connect to remote ConfigMgr Site server to validate connection in SCUP setup wizard in Configuration Manager Integration section.

    Error message says to verify that current user has REQUIRED access. Im not sure what that required access is. Is it on dB layer or should be added to some local group?

    thanks for reply.

    • Erik October 24, 2012 at 3:58 - Reply

      Right click and run scup as admin.

  7. MV September 13, 2012 at 23:22 - Reply

    Do I need Configuration Manager 2007 in order to run SCUP 2011?

  8. Andrew January 29, 2013 at 9:22 - Reply

    Is there any specific reason to use SCCM package to distribute WSUS publisher certificate? Isn’t it easier to just add it to the same GPO where we allow signed custom updates?

  9. Kent January 29, 2013 at 9:24 - Reply

    No, there is no specific reason except that I (as a consultant) often do not have access to AD and GPO’s.

  10. […] […]

  11. Haecki February 26, 2013 at 9:58 - Reply

    Hi Kent,

    first, thanks to this post.

    In our company we want to update our HP Servers (HP ProLiant DL380 G6/G7/Gen8) with SCUP 2011.
    But it seems that HP does not update their “” file (Download:
    The latest version is from 25/06/2012 which means since that date, all drivers and firmware are not included/available.
    There is no statement from HP about that.

    With this fact, it makes no sense to use this great tool.

    Do you know, if HP is still “supporting/concerning” SCUP or is there another utility where we can reach my aim?

    Thanks for you support.
    Kind regards Haecki

  12. Chuck Roast March 2, 2013 at 1:57 - Reply

    In the guide when you do the second Test Connection against the server does the same warning about the certificate appear? If so could you update your documentation to reflect this. It is important to know because I keep getting that error. If it doesn’t give you the error then I’ll re-re-re-review the information.

  13. Gerd May 29, 2013 at 11:55 - Reply

    Thank you very much for this helpful post.
    One thing I would change is the “Deploy the WSUS self-signed certificate to clients”.
    Instead of deploying it via SCCM I would recommend using GPOs. On one hand it is easier and faster on the other hand not everybody has a SCCM:

    Use the exported certificate and import it to the newly generated WSUS-GPO:

    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
    -> Right-click on Trusted Root Certification Authorities and select Import
    -> Right-click on Trusted Publishers and select Import
    -> Certificate Services Client – Auto-Enrollment: Change the Configuration Model to Enabled (leave anything else default)
    -> Certificate Path Validation Settings: checkmark “Define these policy settings” (leave anything else default)

    Computer Configuration > Policies > Admin Templates > Windows Components > Windows Updates
    -> Allow signed updates from intranet Microsoft update service: enabled

  14. SHOKEY66 January 23, 2014 at 4:39 - Reply

    I am using SCCM2012 R2, SCUP 2011, Server 2012. CAS and WSUS is on same box using PKI Certificate from server 2012 Certificate Authority as server 2012 server and client windows 8. all is set up and updates show up in SCCM but cant not download them (download goes up to 90%) and error
    download wizard in sccm error: Invalid certificate signature
    patchdownloader error
    Authentication of file appdatalocaltempCABEEED3.TMP failed

  15. […] This guide is also assuming you currently have SCUP 2011 setup and configured in your environment (If not MVP Kent Agerlund has a great guide here: […]

  16. Trent May 21, 2014 at 17:46 - Reply

    I am running CM2012, SCUP 2011 on Server 2008 (same server). I setup and configured SCUP following Kent’s instructions but I am unable to download the Software Update Group. When I attempt to download I receive “Failed to download content id xyz. Error: Invalid certificate signature”. I see this same error in the PatchDownloader.log file. I have tried to delete the cert from the stores and recreate a new self signed cert but the end result is the same.

    What did I miss? Anyone has any thoughts for me?

  17. […] this works fine no comments […]

  18. […] to deploy third-party updates via SCCM. SCUP implementation is well documented for example here by Kent […]

  19. Brando October 31, 2014 at 18:13 - Reply

    Hello…does this product require SCCM? We currently deploy updates to our Labs using WSUS. Can these products integrate and work together?


  20. Ales Rajh March 24, 2015 at 9:23 - Reply

    Hello Kent

    We are using SCCM 2012 + SCUP 2011 for update distribution. Last week we had Microsoft RAS workshop regarding PKI infrastructure. One remark marked as important was that we have SCUP signed certificate inside trusted root authorities. I have setup our SCUP two years ago based on your instruction. There you mentioned that certificate must be in Trusted Publisher and Trusted Root Publishers store. Trusted Root Publishers store is something that doesn’t exist. Later in the same manuals you have instructions: Right click the WSUS Publisher Self-signed certificate, select Copy. Select Certificates, Trusted Root certification Authorities, Certificates. Right click and select Paste Select Certificates, Trusted Publishers, Certificates. Right click and select Paste.
    Is it really necessary to have certificate also inside Trusted Root certification Authorities?
    Is this only because you have used self-signed cert in manuals and is this certificate untrusted if is not also in trusted root?
    We use internal PKI and we have root cert from our root PKI in trusted root. Does that mean if we use internal PKI that signing cert issued by our infrastructure must be only in Trusted Publishers?
    Thanks for answers in advance

  21. Anonymous September 15, 2017 at 8:54 - Reply

    DEAD LINK, your guide is not available for read or download !

  22. Sahil January 23, 2018 at 9:06 - Reply

    Hi Kent, Seems like the link is not available for Download.

    Please share the PDF

  23. SegunB May 28, 2018 at 0:31 - Reply

    Hello Kent,

    Quite a number of the links in this current site still points to the old site which have become unavailable – could you update please.

    Thank you.

Leave A Comment