System Center Updates Publisher (SCUP) is a stand-alone tool used with Microsoft System Center Configuration Manager (ConfigMgr / SCCM). It allows system administrators to author their own updates, or import software update catalogs from third-party software vendors or Line of Business (LoB) applications. It can publish software updates for third-party applications to a local Windows Server Update Services (WSUS) server, which subsequently synchronizes these custom updates with ConfigMgr for deployment to computers and servers in the organization.
SCUP was introduced and offered as a free tool by Microsoft to help ease patching of third-party applications in 2011, hence the name System Center Updates Publisher 2011. It is commonly referred to by ConfigMgr admins as SCUP 2011. Since its release, there hasn’t been much development for this tool by Microsoft. Its use case has been limited and weak, specifically due to the fact that update catalogs are not widely provided by software vendors, other than a select few. Some of the free catalogs available are from Adobe (Reader and Flash), Dell (client and server updates), HP (client and server updates, and Fujitsu (client and server updates). There are a few paid catalogs available from vendors who provide third-party patch management solutions, which can vary in cost based on the licensing tiers. Custom software update definitions can also be created for EXE-, MSI-, and MSP-based installers.
SCUP 2011 is supported on Windows 7, Windows Server 2008 R2, and—yes you heard it right— Windows Vista! It also requires ConfigMgr 2007 or 2012 or 2012 R2, WSUS 3.0, and a Code Signing Certificate since we are dealing with non-Microsoft updates. To add support for Windows 10 and Windows Server 2016, Microsoft has now released System Center Updates Publisher (SCUP) Preview. An announcement was published on the Enterprise Mobility and Security Blog. While SCUP Preview enables SCUP 2011 features on newer operating systems such as Windows 10 and Windows Server 2016, “there are no major changes to the way the SCUP works,” according to Microsoft. There are a few things to note in regards to SCUP Preview:
- Windows 7 and WSUS 3.0 is not supported. You will continue to use SCUP 2011.
- SCUP Preview does not upgrade existing installation of SCUP 2011; however, the two installations can co-exist and do not share data or interfere with each other.
- .Net 4.5.2 is required.
- SCUP Preview is a 64-bit application and installs by default in C:\Program Files\Microsoft\UpdatesPublisher.
- The log file is located in the user temp folder in C:\Users\<username>\AppData\Local\Temp\UpdatesPublisher.log.
- Single user only application, similar to SCUP 2011.
The installation of SCUP Preview is very simple and takes a few seconds to complete, unlike SCUP 2011. SCUP 2011 installation generated an error indicating it required administrator privileges for installation, and one needed to do so via an Administrator Command Prompt. SCUP Preview makes this process easier with a UAC prompt for administrator privilege elevation. The installation is silent and does not provide any indication of installation completion; however, you’ll find it in a new product group in the Start Menu as seen below.
On launch of the SCUP Preview console, you’ll notice that the application performs a quick check to see if an updated version is available. It also performs a database availability check. This is a setting which is enabled by default in the Option settings under the “Updates” menu.
The functionality of the application remains the same as SCUP 2011; however, there are some UI improvements in the console. The first noticeable change is in the naming of the panes or modules, with the convention changed to “Workspace.” It includes Updates Workspace, Publication Workspace, Rules Workspace, and Catalogs Workspace.
Here’s the new SCUP Preview console:
Here’s the old SCUP 2011 console for comparison:
The next significant change you’ll find is that there are seven menus in Options compared to five in SCUP 2011. They are Update Server, ConfigMgr Server, Proxy Server, Trusted Publishers, Advanced, Updates, and Logging. The two newly added options are Updates and Logging.
SCUP Preview vs SCUP 2011 options:
In the Advanced menu, it is now possible to change the database location directly in the console which was not possible in SCUP 2011 unless the change was modified in the config file (Scup2011.exe.config). This is a great improvement and makes it much easier to handle.
The Logging menu provides the ability to configure the maximum log file size and the level of log detail preferred which you can adjust via a slider in six predefined positions. How much detail each level provides is yet to be known.
Looking at the new release of SCUP along with the UI improvements, it appears that Microsoft will be making an attempt to update this tool and provide additional functionality on a faster cycle. ConfigMgr and Windows 10 are moving along on a rapid improvement cycle and Microsoft-provided tools to manage endpoints are highly requested by admins. Microsoft is seeking feedback for feature requests, and ideas to help improve this product. For issues or bug reports, you can email directly to scupfeedback@microsoft.com .
As we deal with daily threats of malware, ransomware, exploits, data breaches, and much more on a daily basis, it is clearly evident that computer security is a top priority and must be taken seriously. Software updates are one step in mitigating these threats and risks on the operating system level. It’s also important to make sure that endpoints are protected and secured from an application standpoint, which users rely on for their day-to-day productive business needs. Third-party patch management solutions are great for providing management, functionality, and deployment mechanisms for third-party applications; however, they can be costly for some organizations. With that said, SCUP Preview is a free tool from Microsoft. At the very least, organizations can take advantage of it to provide some security vectors for their endpoints. Remember, patch your Operating Systems and patch your applications for basic endpoint security.