Configuration Manager with Jason Lewis
Follow me on Twitter @JLewisMS
I wanted to let everybody know that I’m moving on to another opportunity inside Microsoft and will no longer be working on the Configuration Manager (and SCUP) Team. My last day on the Configuration Manager Team is this Friday (1/13). With my transition I will no longer be blogging about Configuration Manager and SCUP. All the content that is posted here will remain. I’m not sure yet if I will be blogging in my new role, but if so I will re-brand this blog (as it is under my name) but all content will remain here: http://blogs.technet.com/b/jasonlewis/p/configmgr.aspx.
Over the years I’ve received many emails regarding SCUP, DCM and other features that I thoroughly enjoyed answering. Moving forward I encourage you to bring those discussions to our forums where everyone can learn from your questions. You can find the Software Update Management forum here: http://social.technet.microsoft.com/Forums/en-US/configmgrsum/threads.
I started this blog back in June of 2007 to help build a SCUP community and educate customers on this great application. When SCUP first came out it was part of Systems Management Server 2003 R2 and called the Custom Updates Publishing Tool (CUPT). Over the past 4 1/2 years we have rebranded and built a really great custom software update management and authoring experience for ConfigMgr customers. We could not have done it without all the feedback we’ve received from you over the years. The SCUP community is growing every day and is stronger than it ever has been. I would like to personally thank every reader of this blog and those that commented or emailed me. Each discussion was a great learning experience for how you use our products.
Lastly I would like to thank you for being great customers and making SCUP and the community what it is today! It was a great pleasure and experience working with each of you.
Minfang, a tester on our SCUP team, wrote this great blog article on how to troubleshoot applicability rules when writing your own software updates. Check it out here: http://blogs.msdn.com/b/minfangl/archive/2011/10/26/troubleshoot-detection-logic-issue-for-updates-created-by-system-center-update-publisher-2011.aspx
Here is the next screencast in my series covering System Center Updates Publisher 2011. This screencast gives you an in-depth look at How to Clean Up Software Updates. Enjoy!
Here is the next screencast in my series covering System Center Updates Publisher 2011. This screencast gives you an in-depth look at How to Use the Automatic Publication Type. Enjoy!
Here is the next screencast in my series covering System Center Updates Publisher 2011. This screencast gives you an in-depth look at How to Deploy Software Updates. Enjoy!
Special thank you goes out to Minfang Lv, our SCUP Lead Tester, who wrote this step-by-step guide to creating your own signing certificate.
System Center Updates Publisher 2011 is an application that can be used with System Center Configuration Manager to deploy third-party software updates: http://technet.microsoft.com/en-us/systemcenter/bb741049 .
To publish updates to the WSUS server and deploy them to Configuration Manager clients, you need a signing certificate for System Center Updates Publisher 2011. You can either generate a self-signed certificate through the System Center Updates Publisher 2011 UI or use a certificate from your own Public Key Infrastructure.
The following post shows you, step by step, how to create and deploy a System Center Updates Publisher signing certificate with a Windows Server 2008 R2 certification authority (CA) and Group Policy.
Step 1: Creating and Issuing the Signing Certificate Template on the Certification Authority
6. Click the Request Handling tab, and check Allow private key to be exported.
7. Click the Subject Name tab, and then click Build from this Active Directory information.
8. Click the Extensions tab, and make sure Key Usage includes Digital signature.
9. Click the Security tab, select Authenticated Users and grant it Read and Enroll permissions.
10. Leave the other settings at their defaults. Click OK and close the Certificate Templates console.
11. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, select the new template you have just created, SCUPSigningCertificate, and then click OK.
Step 2: Requesting the Signing Certificate
1. On a domain-joined machine, in the search box, type mmc.exe, and then press Enter.
2. In the empty management console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
4. In the Certificates snap-in dialog box, select My user account, and then click Finish.
5. In the Add or Remove Snap-ins dialog box, click OK.
6. In the console, expand Certificates - Current User, expand Personal and click Certificates.
7. Right-click Certificates, click All Tasks, and then click Request New Certificate…
8. Follow the Certificate Enrollment wizard to select the newly created certificate template, set a friendly name in the certificate properties, and click Enroll.
9. After enrollment succeeds, you will find the new certificate under Certificates - Current User -> Personal -> Certificates.
10. Right-click the certificate you just enrolled and click All Tasks -> Export. Follow the export wizard to export the certificate without the private key and save it as scup.cer for Step 3.
11. Export the certificate again; this time select Yes, export the private key on the second page of the Certificate Export Wizard, and save it as SCUPCodeSign.pfx.
Step 3: Deploy the Signing Certificate through Group Policy
1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.
2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.
Note: This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, on a production environment, you can restrict the deployment so that it applies on only selected computers by assigning the Group Policy at an organizational unit level.
3. In the New GPO dialog box, enter a name for the new Group Policy, such as SCUP Signing Certificate, and click OK.
4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.
5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities.
6. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the scup.cer file created in Step 2.
7. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Publishers.
8. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the scup.cer file created in Step 2.
9. Close Group Policy Management.
Note: Import the scup.cer file, not the SCUPCodeSign.pfx file. It’s not safe to distribute the certificate with the private key to all client machines.
This policy must be in effect on the WSUS server before you can publish full-content updates successfully. To apply the policy immediately, run “gpupdate /force /target:Computer” on the WSUS server. Clients that install the published updates also need the certificate in both stores, so make sure the GPO is linked where they will receive it.
Step 4: Using the Signing Certificate in System Center Update Publisher
1. Open the System Center Updates Publisher 2011 console.
2. Click the Menu icon and click Options.
3. In the System Center Updates Publisher Options dialog, select Update Server.
4. Click Browse and select the SCUPCodeSign.pfx you created in Step 2. Enter the password and click OK.
5. Click OK to close the System Center Updates Publisher Options dialog.
You can now publish updates through System Center Updates Publisher 2011 and deploy them to clients through System Center Configuration Manager.
Note: The above example uses the Code Signing template, whose Subject Type is User. If you use a template whose Subject Type is Machine, then in Step 2 you need to open the Computer account (Local) certificate store to request and enroll the certificate. The other steps are the same.
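The export in Step 2 and the Group Policy check in Step 3 can be scripted and verified from PowerShell. The following is an added example, not code from the original post or from the SCUP team; the friendly name, output paths and the function names are assumptions for illustration. It uses only the Cert: drive and .NET X509 APIs available in PowerShell 2.0, so it runs on Windows 7 and Server 2008 R2 without the later PKI module. Run the first part on the machine where you enrolled the certificate; run Test-ScupCertDeployed on the WSUS server (after gpupdate) or on any client to confirm the policy landed the public certificate, and only the public certificate, in both stores.

```powershell
# Added example (not part of the original post). Assumptions: the friendly name
# set during enrollment, the output paths and the function names are hypothetical.
$FriendlyName   = 'SCUP Signing Certificate'   # friendly name chosen in Step 2, step 8
$CerPath        = 'C:\SCUP\scup.cer'           # public certificate -> Group Policy (Step 3)
$PfxPath        = 'C:\SCUP\SCUPCodeSign.pfx'   # certificate + private key -> SCUP console only (Step 4)
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'          # id-kp-codeSigning
$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-ScupSigningCert {
    # Locate the enrolled certificate in CurrentUser\Personal (Step 2, step 9) and
    # confirm it carries a private key, the Code Signing EKU and the Digital
    # Signature key usage required by the template in Step 1.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        if ($_.FriendlyName -ne $FriendlyName -or -not $_.HasPrivateKey) { return $false }
        $eku = $_.Extensions | Where-Object { $_ -is "$X509.X509EnhancedKeyUsageExtension" }
        $ku  = $_.Extensions | Where-Object { $_ -is "$X509.X509KeyUsageExtension" }
        $hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid })
        $hasDigSig = $ku -and (($ku.KeyUsages -band ("$X509.X509KeyUsageFlags" -as [type])::DigitalSignature) -ne 0)
        [bool]$hasCodeSigning -and [bool]$hasDigSig
    } | Select-Object -First 1
}

function Export-ScupSigningCert {
    param([Parameter(Mandatory=$true)]$Cert, [Parameter(Mandatory=$true)][Security.SecureString]$PfxPassword)
    New-Item -ItemType Directory -Path (Split-Path $CerPath) -Force | Out-Null
    $type = "$X509.X509ContentType" -as [type]
    # scup.cer: DER-encoded public certificate only (Step 2, step 10). This is the
    # file that goes into the Trusted Root Certification Authorities and Trusted
    # Publishers policies.
    [IO.File]::WriteAllBytes($CerPath, $Cert.Export($type::Cert))
    # SCUPCodeSign.pfx: certificate with private key, password-protected (Step 2,
    # step 11). Never import this file through Group Policy.
    [IO.File]::WriteAllBytes($PfxPath, $Cert.Export($type::Pfx, $PfxPassword))
}

function Test-ScupCertDeployed {
    # Run on the WSUS server or a client after the GPO has applied. Returns a
    # hashtable keyed by store name; $true means the thumbprint is present.
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $result = @{}
    foreach ($store in 'Root', 'TrustedPublisher') {
        $found = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $Thumbprint }
        $result[$store] = [bool]$found
        if ($found -and $found.HasPrivateKey) {
            # The .pfx, not the .cer, was distributed: every machine now holds the
            # signing key and can sign content WSUS and clients will trust.
            Write-Warning "Private key present in LocalMachine\$store on $env:COMPUTERNAME; redeploy with scup.cer"
        }
    }
    $result
}

# On the enrollment machine:
$cert = Get-ScupSigningCert
if (-not $cert) { throw "No code-signing certificate named '$FriendlyName' with a private key in CurrentUser\My" }
Export-ScupSigningCert -Cert $cert -PfxPassword (Read-Host 'PFX password' -AsSecureString)
"Thumbprint to verify on the WSUS server: $($cert.Thumbprint)"

# On the WSUS server / a client (paste the thumbprint printed above):
# gpupdate /force /target:Computer
# Test-ScupCertDeployed -Thumbprint '<thumbprint>'
```

If Test-ScupCertDeployed returns $false for either store, SCUP will still publish metadata-only updates but full-content publishing fails, which is the symptom the note under Step 3 describes; if it prints the private-key warning, the GPO was built from SCUPCodeSign.pfx and should be rebuilt from scup.cer.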
Here is the next screencast in my series covering System Center Updates Publisher 2011. This screencast gives you an in-depth look at How to Create Software Update Catalogs. Enjoy!
Here is the next screencast in my series covering System Center Updates Publisher 2011. This screencast gives you an in-depth look at How to Resign Software Updates. Enjoy!
Here is the next screencast in my series covering System Center Updates Publisher 2011. This screencast gives you an in-depth look at How to Revise Software Updates. Enjoy!