
Friday 22 June 2012

Publishing updates through SCUP from Shavlik

This blog post will show you how to publish 3rd party updates from SCUP through to SCCM and ultimately to your clients.

If you missed it or don't have SCUP set up yet, here is another blog post on setting up and configuring it.

This post will cover the following:


  • Assigning And Publishing Software Updates To WSUS
  • Synchronising SCCM with WSUS
  • Creating A Deployment Package For Your Software Updates
  • Verifying Installation On Client Machines
  • Troubleshooting


    Assigning And Publishing Software Updates To WSUS

    First open your SCUP console and locate a third party update you wish to deploy. Once you have one, right click on it and select Assign.


    Below I have selected Full Content as I know I want to deploy this right away, but you have the choice of Full Content, Metadata, or Automatic.
    Metadata and Full Content are self-explanatory. Automatic, however, will not download the content until client machines request it (see my other post here for a look at the thresholds for this).

    I just want to point out at this point that assigning software updates to publications is completely optional. It serves only as a logical grouping of updates, much like update lists in Config Mgr. There is nothing stopping you from clicking Publish without assigning an update.

    Now Select Assign Software update to a new publication, give it a name and press OK

    Once done, click on Publications from the bottom left and find your newly created publication. You should see that it contains your update. Now highlight it and click Publish from the ribbon.

    This will launch a wizard. Be sure to tick the box at the bottom. This will re-sign any updates with a new certificate should your old one expire in the future, which is very handy indeed! Once done hit Next

    Next again...

    Wait for it to download and publish the update, then hit Next

    Verify it was successful and click Close

    In %temp% you will find scup.log, open it up and wait for the message Publish wizard complete

    Now close SCUP. The update has now been sent from SCUP into your WSUS database. If you open your SCCM console you will not yet see this update; you must synchronise your SCCM server with your WSUS database first.

    Synchronising SCCM with WSUS

    To do this right click on All software updates and select Synchronise software updates

    After a successful synchronisation you will see the update in the SCCM console!


    Creating A Deployment Package For Your Software Updates


    Highlight your software update and click Create Software Update Group from the ribbon


    Enter a name for the SUG and click Create

    Now if you expand Software Update Groups in the SCCM console you will see your SUG, right click on it and click Deploy

    Now fill out the details of the Deployment wizard that launches. Here choose a Collection to target your deployment at and press Next

    Fill out these details as you wish then hit Next
      
    Change the time to UTC and, if you are in a lab like me or if this is a critical update, change the Available time and the Deadline to As soon as possible

    Next configure your user experience as you wish. Here you can specify what types of notifications they will see etc. Once you are happy hit Next

    Configure Ops Mgr alerts as you wish and hit Next

    Configure download settings as you wish and click Next

    Now create a Deployment package. Configure yours similar to mine below, giving it a meaningful name and a suitable location. Once done hit Next

    Add your Distribution Point(s) or Group(s), and hit Next

    Select Download software update from the internet and click Next

    Select your language and hit Next

    Review the information presented in the Summary and click Next

    Now the software update will filter through to any clients in the collection you targeted your deployment at.

    Verifying Installation On Client Machines

    Given time to filter through, on client machines you should see the update listed in the Software Center as shown below, and you should be able to install it manually (just to speed things up).


    Troubleshooting

    If you see this error in your windowsupdate.log file on your client machines:



    See my previous blog post here and make sure you have configured your GPO correctly and distributed your certificate to your client machines.

    Wayne

    Tuesday 19 June 2012

    Configuring SCUP 2011, Shavlik/VMware Vcenter Protect Update Catalog With PKI

    In case you were unaware, VMware acquired Shavlik Technologies some time last year, which means the product formerly known as Shavlik SCUPdates is now known as VMware vCenter Protect Update Catalog.

    The function of this product is to provide update management of third party apps such as Flash, Java etc. directly from the ConfigMgr 2007/2012 console.

    This blog post assumes you already have WSUS and Config Mgr 2012 running on the same server although I'm sure the process will be no different for Config Mgr 2007.

    This post will guide you through the following:

    • Installing SCUP & required hotfix
    • Creating a certificate template for WSUS
    • Requesting a certificate from the root CA
    • Installing the certificate in SCUP and configuring Config Mgr integration
    • Exporting the certificate with the public Key
    • Importing the certificate into the correct stores
    • Adding the Shavlik catalog to SCUP
    • Creating a GPO to distribute your certificate and update settings

    Installing SCUP 2011 & required hotfix

    First off download SCUP 2011 from here and this hotfix

    Install the hotfix first, which should take no more than a few seconds, and then run through the SCUP 2011 install, accepting all of the defaults and skipping the hotfix (since you already did this).

    Creating a certificate template for WSUS

    Once installed connect up to your root CA and open the certsrv MMC snap-in (typing certsrv.msc from run is the quickest way to find it)

    Now right click on certificate templates and click Manage


    In the new window that opens, find the computer template, right click and Duplicate Template

    In the dialog box that launches select Windows Server 2003 Enterprise

    On the general tab enter a name, up the validity period if you wish (I did since this is in my testlab) and tick the box Publish certificate in Active Directory

    On the request handling tab change the minimum key size to 2048 and tick Allow private key to be exported


    On the subject Name tab select Common name for the subject name format, and leave DNS name ticked

    Then on the extensions tab, highlight Application Policies and click edit. Remove both the client and server authentication and press ok

    Now on the security tab add the computer account of your SCCM server, give it read and enroll access and press ok

     Now back in the certsrv console right click on Certificate Templates and select New-> Certificate Template to issue

     Select your WSUS Certificate from the list and press Finish


    Requesting a certificate from the root CA

    Back on your SCCM/SCUP/WSUS server open the certificates MMC snap-in. When asked, choose computer account and local computer. Once open, right click on personal and click All Tasks -> Request New Certificate


    Press Next

    You should see your certificate template in the list, select it and press Enroll

    Once complete it should give you a nice healthy green tick, press Finish

    Now right click on the certificate and click All Tasks ->Export

    Hit Next...

    Tick Yes, export the private key

    Leave defaults as shown below

    Enter a password to protect the certificate and press Next

    Select a location to save it and hit Next

    Now click Finish



     Installing the certificate in SCUP and configuring Config Mgr integration

    Launch the SCUP console as administrator for this part. If you don't, you WILL get an error at some point during this process.

    Once open click the ribbon icon top left and select Options


    On the update server tab tick Enable publishing to an update server, select Connect to a local update server, click browse and select your exported certificate, press Test Connection and then input your certificate password. Once done Click OK.

    **NOTE**
    I found a bug with this dialog box: even if you have local update server selected but have removed the values from the remote update server box, it will display red exclamation marks and OK will be greyed out until you put something in the box, so watch out for that one!

    Now select the ConfigMgr Server tab and tick Enable Configuration Manager Integration, enter the details as shown below and press ok once done.

    The threshold values you see define how many clients must have requested a package and how big it can be. This ONLY applies when you select automatic as your publication type for updates (as opposed to metadata or full content)

    It is also a very good idea to go into advanced options and select the checkbox Add timestamp when signing updates (requires Internet connectivity) to allow software updates to remain usable after their signing certificate expires. The updates will remain valid as long as they were signed and time stamped when the signing certificate is valid. By default, software updates cannot be deployed after their signing certificate expires.
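
One way to see which already-published packages carry a timestamp and which will stop being deployable when the signing certificate expires. This is an added example, not part of the original post or of SCUP itself; it assumes PowerShell 3.0 or later, and `$PackageRoot` is a hypothetical parameter pointing at the folder that holds your published .cab files.

```powershell
# Added example: report signature, signer expiry and timestamp status of published packages.
param(
    [Parameter(Mandatory = $true)]
    [string]$PackageRoot   # assumption: folder containing the .cab files published through SCUP
)

Get-ChildItem -Path $PackageRoot -Filter *.cab -Recurse | ForEach-Object {
    # Read the Authenticode signature embedded in the cabinet file
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = $sig.SignerCertificate

    [pscustomobject]@{
        Package       = $_.Name
        Status        = $sig.Status            # Valid only if this machine trusts the signer
        Signer        = if ($signer) { $signer.Subject }  else { $null }
        SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
        # A timestamp certificate is present only when the update was signed with
        # "Add timestamp when signing updates" enabled
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }
} | Sort-Object Timestamped, SignerExpires | Format-Table -AutoSize
```

Packages listed with Timestamped = False are the ones that would need re-signing once the certificate shown under SignerExpires lapses.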



     Exporting the certificate with the public Key

    Now, still on your SCCM/SCUP/WSUS server, switch back to your certificate console and refresh. You will see a new WSUS node on the left hand side, and if you expand it you will see the certificate we imported. Right click on it, All Tasks -> Export



    This will launch the export wizard, click Next

    Select No, do not export the private key

    Select as shown below, and press Next

    Click browse and give the certificate a name and location, then click Next

    Click Finish

    Keep this certificate safe; we need to distribute it to our clients so that they trust the updates SCUP has signed with it.

    Importing the certificate into the correct stores

    Now you need to import this certificate into 2 stores. Still in the certificate console right click on trusted publishers -> All Tasks -> Import


    Press Next

    Browse to the location of the certificate we just exported and click Next

    Verify the location is as shown and click Next

    Click Finish

    If you are NOT using PKI you need to do the same for trusted root certification authorities. If you are using PKI then you can skip this step, as your Root CA is already trusted by your SCUP/WSUS server and the clients.

    Same again, right click -> All tasks -> Import

    Click Next

    Browse to the location of the certificate we just exported and click Next

    Verify the location is as shown and click Next

    Click Finish


    Adding the Shavlik catalog to SCUP
    First you need to download your Shavlik cab file straight from Shavlik/VMware.
    Then this part is as easy as opening the console, clicking import and selecting your cab file and pressing next

    Wait for the cab file to import and click Next

    Verify it was successful and click Close


    Creating a GPO to distribute your certificate and update settings

    The last thing you need to do is distribute the certificate that was used to sign your updates to your client machines. The easiest way to do this is to create a GPO.

    Inside the GPO you need to import your certificate into trusted publishers as shown below:


    In addition to importing the certificate, your clients also need to trust signed updates coming from a location other than Microsoft. Here is the location to enable this: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.
    In the details pane, click Allow signed content from intranet Microsoft update service location, and click Enabled.
    Link the GPO to an OU containing your machines and that's it for this post!
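
To confirm on a client that the GPO has actually landed, the following checks both halves of it: the signing certificate in Trusted Publishers (and a trusted root above it), and the intranet signed-content policy. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and `$CerPath` is a hypothetical parameter pointing at the public-key .cer you exported from the WSUS store.

```powershell
# Added example: run on a client to confirm it will trust updates signed by SCUP.
param(
    [Parameter(Mandatory = $true)]
    [string]$CerPath   # assumption: path to the public-key .cer exported from the WSUS store
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $CerPath).ProviderPath

function Test-CertInStore {
    param([string]$StoreName, [string]$Thumbprint)
    # Look the certificate up by thumbprint in a LocalMachine store
    Test-Path -Path "Cert:\LocalMachine\$StoreName\$Thumbprint"
}

# 1. The signing certificate itself must be in Trusted Publishers
$inPublishers = Test-CertInStore -StoreName 'TrustedPublisher' -Thumbprint $cert.Thumbprint

# 2. Self-signed: the same certificate must also be in Trusted Root.
#    PKI-issued: the chain must build to a root the machine already trusts.
$selfSigned = ($cert.Subject -eq $cert.Issuer)
if ($selfSigned) {
    $rootTrusted = Test-CertInStore -StoreName 'Root' -Thumbprint $cert.Thumbprint
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # test trust only, not CRL reachability
    $rootTrusted = $chain.Build($cert)
}

# 3. "Allow signed content from intranet Microsoft update service location" is stored
#    as AcceptTrustedPublisherCerts = 1 under the Windows Update policy key
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = (Get-ItemProperty -Path $key -Name 'AcceptTrustedPublisherCerts' `
               -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

[pscustomobject]@{
    Thumbprint         = $cert.Thumbprint
    SelfSigned         = $selfSigned
    InTrustedPublisher = $inPublishers
    RootTrusted        = $rootTrusted
    PolicyEnabled      = ($policy -eq 1)
    DaysUntilExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
}
```

Any False in the output points at the part of the GPO that has not reached that machine.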
    I will post some more around using the console and no doubt some other bits as soon as I can.

    EDIT: 2nd post here on how to publish 3rd party updates from SCUP through to SCCM clients
    Cheers
    Wayne