Part 15 describes the process of configuring a Microsoft Software Update solution. Part 16 now extends the solution to include Non-Microsoft updates using System Center Updates Publisher 2011 (SCUP 2011). I will be concentrating on Adobe updates for the purposes of demonstration.
I wish to acknowledge that I learned how to deploy SCUP by following this excellent guide by Kent Agerlund.
http://blog.coretech.dk/kea/the-complete-scup-2011-installation-and-configuration-guide/
Download SCUP 2011 here and save to a folder on your Config Mgr server
SystemCenterUpdatesPublisher.msi
1. SCUP Installation
2. SCUP Configuration - Integration with WSUS and Config Mgr
3. Certificates
4. GPO
5. Config Mgr package to distribute certificate
6. SCUP Configuration - Publish Updates
1. SCUP Installation
Open a command prompt as Administrator and run the command
The SCUP 2011 installation wizard starts
Click Next to continue
Ignore this as we are using a later version of WSUS. Click Next to continue through the wizard.
SCUP 2011 has now installed. See the console.
2. SCUP Configuration - Integration with WSUS and Config Mgr
Click Options on the SCUP console ribbon
Update Server: Click to "enable publishing to an update server" and Test Connection
Test is successful but we are informed that we have no signing certificate. Click to Create one.
See Certificate
Select the ConfigMgr tab
Enable Configuration Manager integration, choose whether your server is local or remote and Test Connection.
3. Certificates
Open Certificates Console
Type mmc and Add Certificate snap-in
Choose Computer Account
Choose Local Computer
Click OK
See WSUS Publishers Self-Signed Certificate that we created earlier.
Copy and Paste the certificate into Trusted Root Certification Authorities/Certificates and Trusted Publishers/Certificates.
Now we will export the certificate to use in a Config Mgr package (to deploy the certificate to the estate of computers).
Right Click the certificate and choose to Export
Choose "No, do not export the private key" (clients only need the public certificate to validate the signature on published updates).
Choose DER encoded binary X.509
Choose a path for the .cer file
Finish the wizard
OK
4. GPO
Create GPO to "Allow signed updates from an intranet Microsoft update service location"
Right click required OU and "Create GPO, link it here"
Name the object
Edit the object
Computer Configuration, Administrative Templates, Windows Components, Windows Update
Enable "Allow signed updates from an intranet Microsoft update service location"
5. Config Mgr package to distribute certificate
Copy the following to a folder
yourcert.cer (mine is scupcert.cer)
certadm.dll
certutil.exe
You can find certadm.dll and certutil.exe in the SysWOW64 folder
Create Config Mgr package
Create a Program to add the cert to the local Root store
certutil.exe -addstore Root scupcert.cer
Create a Program to add the cert to the Trusted Publisher store
certutil.exe -addstore TrustedPublisher scupcert.cer
Configure to run "Add SCUP cert to local Root store" first
Distribute the package to your DPs
Deploy the package to your computers collection (I have chosen a test collection)
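The check below is an added example, not part of the original guide: a read-only PowerShell script that confirms, on a client, that the certificate from the package is present in both local machine stores and that the policy from step 4 is applied. The function name Test-ScupClientTrust is hypothetical, scupcert.cer is the file name used above, and AcceptTrustedPublisherCerts is the registry value that policy sets.

```powershell
# Added example: verify that the SCUP/WSUS signing certificate and the GPO
# setting from steps 3-5 are in place on a client. Read-only; changes nothing.
param(
    # Assumption: path to the exported public certificate (scupcert.cer in the post).
    [string]$CertPath = '.\scupcert.cer'
)

function Test-ScupClientTrust {
    param([Parameter(Mandatory)][string]$CertPath)

    # Load the exported DER certificate and use its thumbprint as the lookup key.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path -LiteralPath $CertPath).Path
    $result = [ordered]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
    }

    # The two stores the certutil programs write to (local machine, not user).
    foreach ($store in 'Root', 'TrustedPublisher') {
        $path = "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
        $result["In$store"] = Test-Path -LiteralPath $path
    }

    # The GPO from step 4 sets this policy value to 1 on the client.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $val = (Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts `
            -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $result['PolicyEnabled'] = ($val -eq 1)

    [pscustomobject]$result
}

$r = Test-ScupClientTrust -CertPath $CertPath
$r | Format-List

# Non-zero exit code so the script can be used as a compliance check.
if (-not ($r.InRoot -and $r.InTrustedPublisher -and $r.PolicyEnabled) -or $r.Expired) {
    Write-Warning 'Client is not ready to install locally published updates.'
    exit 1
}
```

Run it from an elevated prompt on a test client after the package and the GPO have applied; a False in any of InRoot, InTrustedPublisher or PolicyEnabled shows which of the three prerequisites is missing.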
6. SCUP Configuration - Publish Updates
Open SCUP console. Select Catalogs tab/ Add Catalogs
Select the Adobe Catalogs and Add
Select the Updates tab and click Import
This starts the Import Software Updates Catalog wizard
Choose all the Adobe Catalogs and click Next
Click Next to continue and accept all the Security Warnings
Close the Wizard
See the Software Updates that have been imported. Highlight the updates you need, right click and choose Assign. This starts the Assign Updates Wizard
Choose "Full Content" and create a new publication. You can add multiple updates to a publication. Click OK to create the publication
Navigate to the Publication tab and select your publication
Select Publish to start the Publish Software Updates Wizard
On Summary page click Next to commence publishing
Verify progress
Wizard is complete
Verify update download and publishing via SCUP.log (log can be found in user profile - see path in screenshot)
Confirmation that updates have been published
Configure Config Mgr Software Update Point for Adobe Products
Verify synchronization via WSYNCMGR.log
See Adobe Updates in Config Mgr. They can now be deployed in the same way as the Microsoft Updates.

This guide is really helpful. I did have to do an additional step as I'm running Server 2012 R2. I had to edit the registry following the instructions found here: http://blogs.technet.com/b/wsus/archive/2013/08/15/wsus-no-longer-issues-self-signed-certificates.aspx . Without doing the fix I wasn't able to create the certificate during the SCUP setup. Other than that I was able to get the updates working following the guide.
Thanks
Thanks for letting me know. Glad I could help.
Awesome guide, thanks! I've a question: is it possible to also deploy Adobe Reader (full version) through SCUP? For example, to machines without Adobe Reader installed? So not only the updates.
No, you would deploy the full version of Adobe Reader using normal software distribution.
Hi there, I came back here for some support since these guides always have been helpful.
I have a problem getting Flash Player up to date using SCCM. The problem is that in SCCM there is an issue 'downloading' the update, so I get the error: "Failed to download content id 16957284. Error: There was an error downloading the software update. (12002)". And when I look in Patchdownloader.log I see the following:
- HttpSendRequest failed 12002
- Download http://CMServer.fqdn:8530/Content/B0/5E9DC464339AC26F6C174EDE9EFD02C79282CEB0.cab to C:\Users\SCCM_A~1\AppData\Local\Temp\CAB1779.tmp returns 12002
- ERROR: DownloadContentFiles() failed with hr=0x80072ee2
I'm behind a required proxyserver (without authentication) but I don't think that is the problem, since the other updates work fine.
Thanks in advance for any help
0x80072ee2 = Operation timed out.
When deploying a software updates solution with a proxy, I always configure the proxy to allow this traffic without authentication and without filtering in any way. This normally avoids strange issues such as this.
I had similar problem. I added the domain name and fully qualified domain name of the server in the proxy exception list. That solved the problem.
Hi Gerry,
Regarding the step: Config Mgr package to distribute certificate
How can I verify on the client side and server side if the certificates are added? Any log file? In the cert console on the local machine I cannot see the cert in the trusted publisher store.
There is no log file for this.
Hi Gerry,
It was an awesome explanation,
but I had a problem when I was publishing the updates.
When I checked the logs, it said: "Exception occurred during publishing: creating directory failed"
but I am not sure why this error comes each time I publish the updates.
FYI: I gave full access to the WSUSContent folder for (NETWORK SERVICE, WSUS Admin, Administrators Group, SYSTEM)
The guide worked like a champ .. almost .. I'm getting the FLASH update I pushed as a test to my test machines but am getting an error on install "The software change returned error code 0x800B0109(-2146762487)." .. which I believe is a CERT issue. I took the CERT and manually installed on my machine .. to TRUSTED ROOT & TRUSTED PUBLISHERS and still fails .. Ideas?
It is indeed a certificate issue
0x800B0109 = A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
It seems that your root certificate is not trusted. I can't help you there I'm afraid.
Hi Gerry,
I am not able to configure SCUP 2011 with SCCM 2012 R2. On a single server I have installed SCCM 2012 R2, WSUS SP2, SCUP 2011.
When I open "Option" from SCUP 2011 for configuration, tick the check box to enable publishing to an update server and click Test Connection, there is always an exclamation mark. Also, when I click Create, nothing happens. I have opened the Certificates MMC and checked the WSUS folder; there is no certificate.
Thanks in advance.
Are you running SCUP as Administrator?
Hi Gerry,
Yes, I had tried that also.
The user from which I am configuring the SCUP, that user part of WSUS administrator.
When we click on create option, in Certificate Issuer...there is no information showing, as I am seeing in your above post.
Hi Gerry,
Yes, I am doing it the same way.
When I select the create option for the certificate, no information is shown in the certificate issuer.
Hi Gerry,
I am facing two problems. The first is that the certificate is not installing on the client: the certificate for Trusted Publisher is installed without issue, but for Root it gets the error "Program: Add SCUP Certificate to ROOT Store failed with exit code 2147942413", and if I run the same command at the command prompt I get the error "Root
(null)
(null)
CertUtil: The data is invalid."
Second problem: Adobe Reader updates are showing in the SCCM console, but when I try to download the Reader updates it gives a 404 error. What I did for this: from the SCUP console I edited the update, went straight through clicking Next and Finish, and then published the update. After doing this I am able to download the update, but this is not applicable for all updates.
Thanks in advance.
Hi,
I've imported Adobe catalogs. Should I do it manually every time to get the latest updates, or will the latest updates appear in the SCUP and SCCM consoles automatically?
You need to import the catalog Evgeniy.
Hello
Alex here, running Server 2008 R2 and SCCM 2012 R2.
Configured and Installed SCUP2011 as proposed by this very well written guide. Imported Adobe products, assigned to a publication and published several updates. I was also able to successfully publish to the WSUS server. The issue is that I cannot see any of the updates within configuration manager. In your tutorial images 78 of 80 in the software update point I do not see adobe products. And in your image 80 of 80 I do not see any updates within SCCM, I have verified certificates, ensured that all the patches are installed.
Any advice on why I am not seeing the published updates within SCCM?
Have a look at your Product selection in the Software Update Point properties (Site Components). Have you selected "Locally Published Updates"?
Gerry, I looked under Site Configuration - Sites - 'mysite', right click properties; however, I am not seeing the "Locally Published Updates" checkbox. Am I looking in the correct area?
Please advise?
Also, to troubleshoot, I installed SCUP2011 directly onto my WSUS server went through the process but still not seeing anything within SCCM.
Any help is greatly appreciated,
Alex
Site Configuration > Sites > Highlight your site
On the ribbon above select "Configure Site Components"
Choose Software Update Point
Choose Products
See at the top > All Products. Do you see "Local Publisher" and Microsoft?
Choose Local Publisher and tick "Locally published packages"
Hi Gerry,
It's really helpful for those new to SCUP.
I have one query here: how many products does SCUP support by default?
I came across one link and it mentioned that "By default only three product/vendor catalogs are pre-loaded into SCUP Adobe, Dell and HP". What does that mean?
Please let me know your suggestion on this.
Thanks in advance...
That's right. These catalogs are available out of the box. You have to add other catalogs that you need. See here for more information
https://4sysops.com/archives/system-center-updates-publisher-create-a-scup-catalog/
https://patchmypc.net/third-party-patch-management-scup-catalog
Hi,
I completed my SCUP environment and tried to publish an Adobe update to WSUS.
After following the mentioned steps, it was successful on the SCUP side, meaning there is no error on the SCUP side, but I didn't find the update entry on the WSUS side. Please let me know what can be the cause for this scenario.
Below are SCUP logs entries:
Found total of 2 dependencies (may include duplicates). Updates Publisher
2 dependencies were not found in scup database during dependency evaluation for update 'Acrobat 11.0.09 Update (UpdateId:'7f517bc7-5ff6-4765-81fd-f3f28a3213a9'
PublishItem BEGIN--- Publishing 0 (duplicates removed) dependencies for update 'Acrobat 11.0.09 Update (UpdateId:'7f517bc7-5ff6-4765-81fd-f3f28a3213a9' Vendor:'Adobe
END Publishing dependencies for update 'Acrobat 11.0.09 Update (UpdateId:'7f517bc7-5ff6-4765-81fd-f3f28a3213a9' Vendor:'Adobe Systems, Inc.' Product:'Adobe Acrobat')'.
Publishing update 'Acrobat 11.0.09 Update (UpdateId:'7f517bc7-5ff6-4765-81fd-f3f28a3213a9' Vendor:'Adobe Systems, Inc.' Product:'Adobe Acrobat')'. Updates Publisher
Evaluating software update 'Acrobat 11.0.09 Update (UpdateId:'7f517bc7-5ff6-4765-81fd-f3f28a3213a9' Vendor:'Adobe Systems, Inc.' Product:'Adobe Acrobat')' for publishing as MetadataOnly. Updates Publisher
Item 'Acrobat 11.0.09 Update (UpdateId:'7f517bc7-5ff6-4765-81fd-f3f28a3213a9' Vendor:'Adobe Systems, Inc.' Product:'Adobe Acrobat')' is already published on the update server and has not changed so no action will be taken. Updates Publisher
Skipping software update 'Acrobat 11.0.09 Update (UpdateId:'7f517bc7-5ff6-4765-81fd-f3f28a3213a9' Vendor:'Adobe
Building dependency graph for update 'Reader 10.1.9 Update (UpdateId:'69c5a0e6-ef3a-4890-bf3d-2ac9a526953e' Vendor:'Adobe Systems, Inc.' Product:'Adobe
No dependencies found for update 'Reader 10.1.9 Update (UpdateId:'69c5a0e6-ef3a-4890-bf3d-2ac9a526953e' Vendor:'Adobe Systems, Inc.' Product:'Adobe Reader')' Updates Publisher
Found total of 0 dependencies (may include duplicates). Updates Publisher
Update ''Reader 10.1.9 Update (UpdateId:'69c5a0e6-ef3a-4890-bf3d-2ac9a526953e' Vendor:'Adobe Systems, Inc.' Product:'Adobe Reader')'' has no dependencies. Updates Publisher
Publishing update 'Reader 10.1.9 Update (UpdateId:'69c5a0e6-ef3a-4890-bf3d-2ac9a526953e' Vendor:'Adobe Systems, Inc.' Product:'Adobe Reader')'. Updates Publisher
Evaluating software update 'Reader 10.1.9 Update (UpdateId:'69c5a0e6-ef3a-4890-bf3d-2ac9a526953e' Vendor:'Adobe Systems, Inc.' Product:'Adobe Reader')' for publishing as FullContent. Updates Publisher
Item 'Reader 10.1.9 Update (UpdateId:'69c5a0e6-ef3a-4890-bf3d-2ac9a526953e' Vendor:'Adobe Systems, Inc.' Product:'Adobe Reader')' is already published on the update server and has not changed so no action will be taken. Updates Publisher
Skipping software update 'Reader 10.1.9 Update (UpdateId:'69c5a0e6-ef3a-4890-bf3d-2ac9a526953e' Vendor:'Adobe Systems, Inc.' Product:'Adobe Reader')'. Updates Publisher
PublishProgress Publish operation completed. Updates Publisher
Publish: Background processing completed. Updates Publisher
Hi Gerry,
I can publish Adobe Reader and Flash Updates (all Full Content) to my SCCM (2012 R2) and they are showing up under "All Software Updates" in the ConfigMgr Console, but I can only deploy the Reader Updates to my clients. If I want to deploy the Flash Updates, the status under "Downloaded" always says "No", even if I click through the "Download-Wizard" with a right click on it. The Wizard says "successfully downloaded" after 1 second but the "Downloaded" status stays on "No".
Thanks in advance!
Hi Gerry,
Great resource! Thanks for sharing! Can you tell me the correct way for removing OLD adobe updates? I have edited them out of the ADR but need to remove them from the "Adobe" software update group. It appears I can right click and delete but does this remove them from the source files etc? Want to make sure I am cleaning house the right way.
Thanks for any insight you can provide!
Tina
No bother Tina. Glad to help. Use the SCUP Software Update Cleanup Wizard
https://technet.microsoft.com/en-us/library/hh134744.aspx
Great Guide.
Much appreciated.
Neo
You're welcome Neo. Glad to help.
Hi Gerry,
Thanks for the valuable post.
I have performed all the mentioned steps but am getting a failure on deploying certificates through SCCM
Deployment is failing with following log details
----------
Creating mandatory request for advert DEV2001C, program Import WSUS certificate to Root, package DEV00034 execmgr 1/29/2016 9:47:18 AM 6872 (0x1AD8)
An existing MTC token was not supplied, using ExecutionRequest's Id as MTC token and this execution request is the owner of resultant MTC task. execmgr 1/29/2016 9:47:18 AM 6872 (0x1AD8)
Request a MTC task for execution request of package DEV00034, program Import WSUS certificate to Root with request id: {ADC8DC6B-5A43-47D2-9B84-D2A923635B34} execmgr 1/29/2016 9:47:18 AM 6872 (0x1AD8)
Execution Request for advert DEV2001C package DEV00034 program Import WSUS certificate to Root state change from WaitingDependency to Ready execmgr 1/29/2016 9:47:18 AM 6872 (0x1AD8)
Raising client SDK event for class CCM_Program, instance CCM_Program.PackageID="DEV00034",ProgramID="Import WSUS certificate to Root", actionType 1l, value , user NULL, session 4294967295l, level 0l, verbosity 30l execmgr 1/29/2016 9:47:18 AM 6872 (0x1AD8)
MTC task with id {ADC8DC6B-5A43-47D2-9B84-D2A923635B34}, changed state from 0 to 3 execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
There may never be a service window for MTC task corresponding to SWD execution request with program id: Import WSUS certificate to Root, package id: DEV00034. execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
CExecutionRequest::The program may never run because of Service Window restrictions. execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
Raising event:
[SMS_CodePage(437), SMS_LocaleID(1033)]
instance of SoftDistErrorProgramMayNeverRunEvent
{
AdvertisementId = "DEV2001C";
ClientID = "GUID:01CA6717-94D5-45A2-89AE-37275E93A1F5";
DateTime = "20160129174718.292000+000";
MachineName = "INF-RDS-001-WT";
PackageName = "DEV00034";
ProcessID = 1380;
ProgramName = "Import WSUS certificate to Root";
SiteCode = "DEV";
ThreadID = 8340;
};
execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
Succesfully raised SoftDistErrorProgramMayNeverRunEvent event for program Import WSUS certificate to Root execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
Fatal error 0x87d01101 enountered for program Import WSUS certificate to Root. This program will not retry. execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
Requesting MTC to delete task with id: {ADC8DC6B-5A43-47D2-9B84-D2A923635B34} execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
MTC task with id: {ADC8DC6B-5A43-47D2-9B84-D2A923635B34} deleted successfully. execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
Raising client SDK event for class CCM_Program, instance CCM_Program.PackageID="DEV00034",ProgramID="Import WSUS certificate to Root", actionType 1l, value , user NULL, session 4294967295l, level 0l, verbosity 30l execmgr 1/29/2016 9:47:18 AM 8340 (0x2094)
"The program may never run because of Service Window restrictions"
This is an issue relating to your environment. Have you configured maintenance windows?
Hi Gerry,
Thanks for the guide (I deployed the certificates with GPO instead).
I have an issue :
SCUP is publishing in full contents (tested with ESR Firefox, Flash Updates) with no errors but in SCCM nothing appears in All Software Updates.
I'm just able to see the publication in SUP Components\Products.
I checked the bock, synchronized many times the All Software Updates but nothing ...
Would you have something in mind to help me ?
thank you !
Have you followed paragraph: "Configure Config Mgr Software Update Point for Adobe Products" ?
Gerry Hampson, you are an absolute genius. I will try this out on my test lab environment and hopefully I can put it on the production environment.
Thanks
Well thank you Tom Polla.
Hi Gerry, I have used your guide to successfully use SCUP in production for over 2 years. Now I'm preparing a transition from CM2012 to CM1602 and also upgraded to WSUS 4.0. Now the whole self-signed certificate trick no longer works. The SCUP log reports the following:
TestConnection: Verification succeeded. However, no signing certificate was detected for the update server. You will not be able to publish content to the update server without first registering a signing certificate.
I can no longer create a new certificate.
Update: the problem was Registry and DCOM permissions; https://blogs.msdn.microsoft.com/minfangl/2012/11/30/system-center-update-publisher-2011-and-windows-server-2012/
Problem solved.
Hi Gerry
Have a possible issue: we installed SCUP a while back on our CM2012 platform, which is dealing with our Corp domain and clients, and all works well :) The issue is that we have a 2nd domain in which we currently have an MP, DP and SUP located, and we are able to deploy the normal stuff through them, but we also need to get SCUP deployments through. The question is: will the cert from the Corp domain work in the 2nd domain?
regards Adrian
Maybe I did something wrong. Can anyone think of a reason why this won't publish? 2017-06-16 17:03:27.703 UTC Error Scup2011.15 Publisher.PublishPackage PublishPackage(): Operation Failed with Error: The network name cannot be found.
It certainly could be a certificate problem. You'll get some good information on cross-forest configuration here
http://myitforum.com/myitforumwp/2013/01/30/lessons-learned-with-configuration-manager-2012-cross-forest-internet-based-client-management-configuration/