This is the first of a two-part article on System Center Updates Publisher (SCUP) 2011. Today I will explain what SCUP is and how you can use it for third-party patch management on Windows machines.

Third-party patch management

Keeping computers updated can often be one of the most challenging tasks in IT. As there is a lot of code with a lot of holes, and given that not everything has been written with a full understanding of security, there is lots of patching to do. Microsoft addresses this with Patch Tuesday, but these patches only affect Microsoft’s own products. This leaves a worrying gap. In 2010, Secunia published a report that said third-party apps were more vulnerable than Windows.

Adobe is perhaps the worst patching offender, releasing frequent updates for Flash, Adobe Reader, and Adobe Air. Although it is tempting to let these apps update themselves over the Internet, doing so opens the door to chaos. In a true managed environment, that approach is not acceptable. In a secure environment with no Internet, it’s not even possible.


If you have System Center Configuration Manager (2007 or 2012) or even System Center Essentials, one solution to what I call third-party “churn” is another free Microsoft tool: System Center Updates Publisher 2011, or SCUP. SCUP works by subscribing to partner catalogs, whose updates you then publish to Configuration Manager for deployment. Vendor catalogs include the hardware partners Dell, HP, and Intel, and some software companies such as Citrix and Adobe.

System Center Updates Publisher 2011


SCUP integrates with Configuration Manager via WSUS technology. Because Configuration Manager uses WSUS too, you can manage third-party updates through the Configuration Manager console, and machines then receive those updates through Windows Update.

Note that SCUP 2011 improves on the previous version, 4.5, by improving integration, adding a new Software Update Cleanup Wizard to remove expired updates, and offering much better download options.

Installing updates with SCUP

The SCUP prerequisite is WSUS 3.0 SP2. So, when you install SCUP, the first thing it does is install a hotfix for WSUS 3.0 SP2. If you have multiple WSUS servers, you will need to push the hotfix to each one. Note that SCUP only supports Vista and Server 2008 or later.

Given the security implications of software updates, once you install SCUP you have to install certificates on the target machines. You can use a self-signed certificate from WSUS or use a PKI-generated one. The choice is yours.
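As an added example (not from the original article or from Microsoft), this PowerShell function checks whether a target machine is ready to trust updates signed with your WSUS signing certificate: the certificate must be in Trusted Publishers (and in Trusted Root if it is self-signed), and the "Allow signed updates from an intranet Microsoft update service location" policy must be enabled. The function name and the thumbprint placeholder are assumptions, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: checks whether this client is set up to trust locally published
# (SCUP/WSUS-signed) third-party updates. Function name is hypothetical.
function Test-ScupSigningTrust {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,  # thumbprint of your WSUS signing certificate
        [switch]$SelfSigned                         # set when using the WSUS self-signed certificate
    )

    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    # Stores the signing certificate must be in. A self-signed certificate has no
    # issuing CA, so it must also be present in Trusted Root.
    $stores = @('TrustedPublisher')
    if ($SelfSigned) { $stores += 'Root' }

    $result = [ordered]@{ Thumbprint = $thumb }
    foreach ($store in $stores) {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        $result["In$store"] = [bool]$cert
        if ($cert) { $result['Expired'] = $cert.NotAfter -lt (Get-Date) }
    }

    # Policy: "Allow signed updates from an intranet Microsoft update service location"
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
    $result['PolicyEnabled'] = ($null -ne $policy -and $policy.AcceptTrustedPublisherCerts -eq 1)

    # Ready only if the certificate is trusted, unexpired, and the policy allows it.
    $result['Ready'] = $result['InTrustedPublisher'] -and $result['PolicyEnabled'] -and
        (-not $result['Expired']) -and ((-not $SelfSigned) -or $result['InRoot'])
    [pscustomobject]$result
}

# Placeholder thumbprint: replace with the value from your own signing certificate.
Test-ScupSigningTrust -Thumbprint '<SIGNING-CERT-THUMBPRINT>' -SelfSigned
```

A machine that reports `Ready` as `False` will reject published third-party updates at install time, so running this check before a deployment narrows down whether the certificate or the policy is missing.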

With the setup and prerequisites complete, you can start configuring updates. Updates center around two things: catalogs and software updates. The big difference is simple. You download catalogs from third parties that contain lists of vendors and their product updates, whereas software updates are custom installs you supply.

Finally, SCUP integrates seamlessly into Configuration Manager, with published updates from SCUP appearing in the Updates node.

SCUP integration into Configuration Manager


You now simply synchronize the Update Point for the updates you published to appear.

Using SCUP 2011 will help you save a lot of time and money by automating the deployment of third-party updates through its tight integration into Configuration Manager. The more frequently a vendor updates its software, the more time you save.

In my next post, I will explain how to create a custom SCUP catalog.

1 Comment
  1. I.Garcia 7 years ago

    I know this is an old article, but do you know if there will be a compatible SCUP for Config Mgr 15+ on Windows Server 2012 R2+ ?

© 4sysops 2006 - 2023