- How to create a PowerShell alias - Tue, Jul 29 2014
- System Center Updates Publisher - Create a SCUP catalog - Fri, May 23 2014
- System Center Updates Publisher - Third-party patch management - Wed, May 21 2014
Third-party patch management ^
Keeping computers updated can often be one of the most challenging tasks in IT. As there is a lot of code with a lot of holes, and given that not everything has been written with a full understanding of security, there is lots of patching to do. Microsoft addresses this with Patch Tuesday, but these patches only affect Microsoft’s own products. This leaves a worrying gap. In 2010, Secunia published a report that said third-party apps were more vulnerable than the Windows.
Adobe is perhaps the worst patching offender, releasing frequent updates for Flash, Adobe Reader, and Adobe Air. Although it is tempting to let these apps update themselves over the Internet, doing so opens the door to chaos. In a true managed environment, that approach is not acceptable. In a secure environment with no Internet, it’s not even possible.
SCUP and SCCM/WSUS ^
If you have System Center Configuration Manager (2007 or 2012) or even System Center Essentials, one solution to what I call third-party “churn” is another free Microsoft tool: System Center Updates Publisher 2011, or SCUP. This tool works by subscribing to partner catalogs that you publish to Configuration Manager to deploy. Vendor catalogs include the hardware partners Dell, HP, Intel, and some software companies such as Citrix and Adobe.
System Center Updates Publisher 2011
As such, SCUP is a tool that integrates with Configuration Manager via WSUS technology, but since Configuration Manager uses WSUS too, you can now manage third-party updates through the Configuration Manager console. You then get to update machines through Windows Update.
Note that SCUP 2011 improves on the previous version, 4.5, by improving integration, adding a new Software Update Cleanup Wizard to remove expired updates, and offering much better download options.
Installing updates with SCUP ^
The SCUP prerequisite is WSUS 3.0 SP2. So, when you install SCUP, the first thing it does is install a hotfix for WSUS 3.0 SP2. If you have multiple WSUS servers, you will need to push the hotfix to each one. Note that SCUP only supports Vista and Server 2008 or later.
Given the security implications of software updates, once you install SCUP you have to install certificates on the target machines. You can use a self-signed certificate from WSUS or use a PKI-generated one. The choice is yours.
With the setup and prerequisites complete, you can start configuring updates. Updates center around two things: catalogs and software updates. The big difference is simple. You download catalogs from third parties that contain lists of vendors and their product updates, whereas software updates are custom installs you supply.
Finally, SCUP integrates seamlessly into Configuration Manager, with published updates from SCUP appearing in the Updates node.
SCUP integration into Configuration Manager
You now simply synchronize the Update Point for the updates you published to appear.
Using SCUP 2011 will help you save a lot of time and money by automating the deployment of third-party updates through its tight integration into Configuration Manager. The more frequently a vendor updates its software, the more time you save.
In my next post, I will explain how to create a custom SCUP catalog.