Thursday, September 8, 2011

Integrate System Center Updates Publisher (SCUP) 2011 with ConfigMgr

With System Center Configuration Manager (ConfigMgr) and WSUS integrated, it's possible to install and use System Center Updates Publisher (SCUP) 2011 also (free usage). With SCUP 2011 you can create and install packages that's not in WSUS by default. That way updates from DELL, HP and ADOBE (for example) can be used in your existing WSUS installation for deploying to clients. By default there are some catalogs that can be imported in SCUP 2011. Manually created packages from JAVA (for example) can be used also.

First download and install SCUP 2011 from the following website:
Microsoft DotNet 4.0 is needed on the server to have SCUP 2011 installed.

After that install the following hotfix on the server (needed for the Signing certificate): (x86)
or (x64)

When SCUP 2011 is installed successfully choose Options. Choose "Enable publishing to an update server" and create an Signing certificate also. On the next tab select "Enable Configuration Manager integration". Now open a Management Console with the Certificates component in it.

The Signing certificate created will be available in the WSUS Certicate folder after configuraton. Choose copy, and past in on both "Trusted Root certification" and "Trusted Publishers". There is also the choice to save a local copy from it. That way it can be published bij Group Policy if needed for client computers. The Management Console can be closed after that.

Best thing now is to reboot the server, and open the SCUP 2011 console again. Now it's time to import the default catalogs and create additional packages yourself. After synchronization these updates will be available in ConfigMgr. Just select the updates needed, choose Assign and Publish to create them. When synchronization with WSUS is done, they will be available in ConfigMgr.

Kent Agerlund, ConfigMgr MVP, wrote a great getting starting guide to System Center Updates Publisher 2011 up on his blog. Check it out here


  1. Hi Henk,
    Thank you.
    Can i use SCUP 2011 integrated with COnfig Manager 2012 to publish adobe application patches to Windows XP? if yes.. What are version of WIndows XP supported?

  2. Hi, it's possible to use SCUP only with WSUS?

  3. Unfortunately you need both ConfigMgr and WSUS for SCUP functionality. It can't be done with WSUS only.

  4. Can SCUP be used just for 3rd party updates while wsus handles all microsoft security and critical patches? I am trying to stay away from using SCCM Software Updates for patch management.

  5. No, that isn't possible. This because SCUP updates will be published in ConfigMgr only. When using both WSUS and ConfigMgr for updates you get GPO issues.

  6. To elaborate on Marco’s question. What if we had 2 servers? One SCCM server with WSUS and SCUP installed for the 3rd party updates and our original WSUS server for Microsoft patching?

  7. Yes that's possible if using multiple OU's. With Group Policy you can decide then on which OU (with systems) WSUS will be used. When both ConfigMgr and WSUS GPO is used on the same system it won't work.

    Sometimes I see this at customers when only clients are patched with ConfigMgr. The servers will then be patched by WSUS, because of licensing costs. So don't use them both on the same system and you will be fine.

  8. it's possible to use SCUP only with WSUS?

  9. Hi, unfortunately you need both ConfigMgr and WSUS for SCUP functionality. It can't be done with WSUS only.

  10. Henk zou je SCUP zelf gebruiken in een productie omgeving?

    Je moet natuurlijk aparte certificaten gaan distribueren en er zit geen support op. Tenminste ik verwacht dat je bij problemen geen support vanuit Adobehoeft te verwachten.
    Ben benieuwd naar je reactie

    1. Hoi, ik heb het vandaag nog werkend gezien in een productie omgeving (met VMware vCenter Protect Update Catalog) en het werkt naar behoren. Het is dus een welkome aanvulling op Software update management!

  11. For the Signing Certificate, will the SCCM Server be enrolling for the cert or should a service account be used instead? I cannot find this information. Thanks