SCUP 2011 (System Center Updates Publisher) provides update management for third party apps such as Flash, Java, etc. directly from the ConfigMgr 2007/2012 console.
This blog post assumes you already have WSUS and Config Mgr 2012 running on the same server, although I'm sure the process will be no different for Config Mgr 2007.
This post will guide you through the following:
- Installing SCUP & required hotfix
- Creating a certificate template for WSUS
- Requesting a certificate from the root CA
- Installing the certificate in SCUP and configuring Config Mgr integration
- Exporting the certificate with the public Key
- Importing the certificate into the correct stores
- Adding the Shavlik catalog to SCUP
- Creating a GPO to distribute your certificate and update settings
Installing SCUP 2011 & required hotfix
First off, download SCUP 2011 from here and this hotfix.
Install the hotfix first, which should take no more than a few seconds, and then run through the SCUP 2011 install, accepting all of the defaults and skipping the hotfix (since you already did this).
Creating a certificate template for WSUS
Once installed, connect to your root CA and open the certsrv MMC snap-in (typing certsrv.msc in Run is the quickest way to find it).
Now right click on Certificate Templates and click Manage.
In the new window that opens, find the Computer template, right click it and choose Duplicate Template.
In the dialog box that launches, select Windows Server 2003 Enterprise.
On the General tab enter a name, increase the validity period if you wish (I did, since this is in my test lab) and tick the box Publish certificate in Active Directory.
On the Request Handling tab change the minimum key size to 2048 and tick Allow private key to be exported.
On the Subject Name tab select Common name for the subject name format, and leave DNS name ticked.
Then on the Extensions tab, highlight Application Policies and click Edit. Remove both Client Authentication and Server Authentication and press OK.
Now on the Security tab add the computer account of your SCCM server, give it Read and Enroll access and press OK.
Select your WSUS certificate template from the list and press Finish.
Requesting a certificate from the root CA
Back on your SCCM/SCUP/WSUS server, open the Certificates MMC snap-in; when asked, choose Computer account and then Local computer. Once open, right click on Personal and click All Tasks -> Request New Certificate.
Press Next.
You should see your certificate template in the list; select it and press Enroll.
Once complete it should give you a nice healthy green tick; press Finish.
Now right click on the certificate and click All Tasks -> Export.
Hit Next...
Tick Yes, export the private key.
Leave the defaults as shown below.
Enter a password to protect the certificate and press Next.
Select a location to save it and hit Next.
Now click Finish.
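The same enrollment and export can be scripted, which is handy when you rebuild the server or want to check that the template settings (2048-bit, exportable key) actually took effect. The script below is an added example, not part of the original post and not SCUP's own tooling; it needs the PKI client cmdlets that ship with Windows 8 / Server 2012 and later, and the template name and PFX path are assumptions you will need to change.

```powershell
# Added example (not from the original post): request a certificate from the
# duplicated WSUS template and export it with its private key as a PFX, which is
# what the SCUP Options dialog expects. Run as an administrator on the
# SCCM/SCUP/WSUS server.
$TemplateName = 'WSUS Signing'                # assumption: the name you gave the duplicated template
$PfxPath      = 'C:\Certs\wsus-signing.pfx'   # assumption: where the PFX is written

# Enroll against the enterprise CA by template name. The computer account must
# have Read and Enroll on the template (the Security tab step above).
$result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status)"
}
$cert = $result.Certificate

# Sanity checks against the template settings made earlier: 2048-bit key and a
# private key present in the machine store. If the template did not allow
# export, Export-PfxCertificate below fails rather than silently exporting nothing.
if ($cert.PublicKey.Key.KeySize -lt 2048) {
    throw "Key size is $($cert.PublicKey.Key.KeySize); expected at least 2048"
}
if (-not $cert.HasPrivateKey) {
    throw 'The issued certificate has no private key in the Local Machine store'
}

# Protect the PFX with a password; SCUP asks for it when you point it at the file.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $PfxPath"
```

Keep the PFX off shared locations once SCUP has it: anyone holding that file and password can sign content your clients will trust.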
Launch the SCUP console as administrator for this part, if you don't you WILL get an error at some point during this process.
Once open click the ribbon icon top left and select Options
On the Update Server tab tick Enable publishing to an update server, select Connect to a local update server, click Browse and select your exported certificate, press Test Connection and then enter your certificate password. Once done, click OK.
**NOTE**
I found a bug with this dialog box: even if you have local update server selected but have removed the values from the remote update server box, it will display red exclamation marks and OK will be greyed out until you put something in the box, so watch out for that one!
Now select the ConfigMgr Server tab and tick Enable Configuration Manager Integration, enter the details as shown below and press OK once done.
The threshold values you see define how many clients must have requested a package and how big it can be. This ONLY applies when you select automatic as your publication type for updates (as opposed to metadata or full content)
It is also a very good idea to go into Advanced options and tick Add timestamp when signing updates (requires Internet connectivity) so that software updates remain usable after their signing certificate expires. Updates stay valid as long as they were signed and timestamped while the signing certificate was valid. By default, software updates cannot be deployed after their signing certificate expires.
Exporting the certificate with the public Key
Now, still on your SCCM/SCUP/WSUS server, switch back to your certificates console and refresh. You will see a new WSUS node on the left hand side; if you expand it you will see the certificate we imported into SCUP. Right click on it, All Tasks -> Export.
This will launch the export wizard; click Next.
Select No, do not export the private key.
Select as shown below, and press Next.
Click Finish.
Keep this certificate safe; we need to distribute it to our clients so that they trust the updates SCUP has signed with it.
Importing the certificate into the correct stores
Now you need to import this certificate into two stores. Still in the certificates console, right click on Trusted Publishers -> All Tasks -> Import.
Press Next
Browse to the location of the certificate we just exported and click Next
Verify the location is as shown and click Next
Click Finish
If you are NOT using PKI, you need to do the same for Trusted Root Certification Authorities. If you are using PKI you can skip this step, as your root CA is already trusted by your SCUP/WSUS server and the clients.
Same again: right click -> All Tasks -> Import.
Click Next
Browse to the location of the certificate we just exported and click Next
Verify the location is as shown and click Next
Click Finish
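The export of the public certificate and the two imports above are a small enough job that a script is worth keeping next to the server build notes, especially because it lets you verify by thumbprint that the right certificate landed in each store. The following is an added example, not the original post's steps or any SCUP tooling; it assumes SCUP created a certificate store literally named WSUS (the WSUS node in the console), the file path shown, and that you set the PKI flag to match your environment.

```powershell
# Added example (not from the original post): export the public part of the
# WSUS signing certificate and import it into Trusted Publishers and, when you
# are not running your own PKI, Trusted Root Certification Authorities.
$CerPath  = 'C:\Certs\wsus-signing.cer'   # assumption: where the .cer is written
$UsingPki = $true                          # assumption: set $false if the issuing CA is not already trusted

# Assumption: the WSUS store holds exactly one certificate, the one SCUP signs with.
$signing = Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' | Select-Object -First 1
if (-not $signing) { throw 'No certificate found in the WSUS store; check the SCUP Options step' }

# Export only the public certificate (DER .cer); no private key leaves the server.
Export-Certificate -Cert $signing -FilePath $CerPath -Type CERT | Out-Null

# Trusted Publishers is required on every machine, including this server.
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# Trusted Root is only needed when the signing certificate was issued by a CA
# your machines do not already trust.
if (-not $UsingPki) {
    Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# Verify by thumbprint rather than subject so a look-alike certificate cannot pass.
$stores = @('TrustedPublisher') + $(if (-not $UsingPki) { 'Root' })
foreach ($store in $stores) {
    $present = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object Thumbprint -eq $signing.Thumbprint
    if ($present) { Write-Host "OK: $($signing.Thumbprint) is in $store" }
    else          { Write-Warning "Missing: $($signing.Thumbprint) is not in $store" }
}
```

Note the .cer contains only the public key, so it is safe to hand out to clients; it is the PFX from the earlier step that must stay protected.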
Adding the Shavlik catalog to SCUP
First you need to download your Shavlik cab file straight from Shavlik/VMware.
Then this part is as easy as opening the console, clicking Import, selecting your cab file and pressing Next.
Wait for the cab file to import and click Next.
Verify it was successful and click Close.
Creating a GPO to distribute your certificate and update settings
The last thing you need to do is distribute the certificate that was used to sign your updates to your client machines. The easiest way to do this is to create a GPO.
Inside the GPO you need to import your certificate into trusted publishers as shown below:
In addition to importing the certificate, your clients also need to trust signed updates coming from a location other than Microsoft. Here is the location to enable this: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.
In the details pane, click Allow signed content from intranet Microsoft update service location, and click Enabled.
Link the GPO to an OU containing your machines and that's it for this post!
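Once the GPO has applied, it is worth checking a client rather than assuming it worked, since a missing certificate or policy value simply makes the third party updates fail to install. The script below is an added example, not part of the original post; it checks the two things this section sets up (the signing certificate in Trusted Publishers and the Allow signed content policy, which is stored as the AcceptTrustedPublisherCerts registry value) and, if you point it at a file SCUP has published, whether the signature carries the timestamp discussed in the Advanced options caveat earlier. The thumbprint is a placeholder you replace with your own, and the sample file path is an assumption.

```powershell
# Added example (not from the original post): run on a client after the GPO has
# applied to confirm the certificate and policy are in place, and optionally
# that a published update carries a timestamped signature.
$ExpectedThumbprint = 'PUT-YOUR-SIGNING-CERT-THUMBPRINT-HERE'   # placeholder: thumbprint of your WSUS signing cert
$SampleUpdate       = 'C:\Temp\published-update.exe'            # assumption: a file SCUP signed

# The policy is a registry DWORD; 1 means signed non-Microsoft content from the
# intranet update location is accepted.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $policyKey -Name 'AcceptTrustedPublisherCerts' -ErrorAction SilentlyContinue
if ($policy.AcceptTrustedPublisherCerts -eq 1) {
    Write-Host 'OK: AcceptTrustedPublisherCerts = 1 (GPO applied)'
} else {
    Write-Warning 'AcceptTrustedPublisherCerts is not 1; run gpupdate /force or check the GPO link'
}

# Match on thumbprint so a different certificate with the same subject does not pass.
$trusted = Get-ChildItem 'Cert:\LocalMachine\TrustedPublisher' |
    Where-Object Thumbprint -eq $ExpectedThumbprint
if ($trusted) {
    Write-Host "OK: signing certificate is in Trusted Publishers (expires $($trusted.NotAfter))"
} else {
    Write-Warning 'Signing certificate is not in Trusted Publishers; check the GPO certificate import'
}

# Optional: inspect a published update. A valid signature with a timestamp
# countersignature stays valid after the signing certificate expires; without
# one, clients reject the update once the certificate lapses.
if (Test-Path $SampleUpdate) {
    $sig = Get-AuthenticodeSignature -FilePath $SampleUpdate
    Write-Host "Signature status : $($sig.Status)"
    Write-Host "Signed by        : $($sig.SignerCertificate.Thumbprint)"
    if ($sig.TimeStamperCertificate) {
        Write-Host "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
    } else {
        Write-Warning 'No timestamp countersignature; this update stops validating when the certificate expires'
    }
}
```

Comparing the thumbprint printed under "Signed by" with the one in Trusted Publishers is a quick way to spot that SCUP is signing with a different certificate from the one you distributed.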
I will post some more around using the console and no doubt some other bits as soon as I can.
EDIT: 2nd post here on how to publish 3rd party updates from SCUP through to SCCM clients
Cheers
Wayne