- We are still working to gain full command and control over our systems. The previous IT manager didn't feel that total command and control over computers was really needed, so I still am working to bring all computers under domain control.
- Because we are a 2 man IT shop, and honestly we have been so swamped trying to fix our larger IT issues (see item number 1), patching has unfortunately gone by the wayside.
- No command and control = Sneakernet for updates.
While out searching for advice on patching software, I stumbled upon an answer to a post at Spiceworks. In it a user stated that they used an open source product called Local Update Publisher (LUP). I began to read the very small amount of documentation on the SourceForge website for this software. It had a Windows GUI, which is nice, and seemed fairly straightforward, so I figured what the hell, I'll give it a shot. To be honest it took me about 2 hours of tinkering and messing around following the documentation to get things up and running. And for its price, this product has completely blown me away. I am able to publish an update for Java, Flash, Acrobat Reader, or just about any program that comes in an MSI form, in less than five minutes, and then approve and push those updates on schedule with my existing WSUS settings. What follows are the steps that I had to take to get LUP up and running. Feel free to use this as needed. I hope that I can knock your setup time down to an hour or less, and save you some budget so you can buy your CEO a new iPad Air, thus making you the nicest IT guy on the block.
If you want to just figure it out on your own, and not read the rest of this article, which I would completely understand, then you can head to LUP's SourceForge page. There you will find good install instructions; below I have just attached screenshots to help you out.
Installing and setting up Local Update Publisher (LUP)
First you must have WSUS set up, and I'm going to assume that you have this step done, as there is not enough space in this post to walk through a WSUS install. The first step is to download the LUP files; you can find those at this link.
On either a computer running the WSUS administration console, or on your WSUS server, run the installer. I just next, next, finished through the installer.
After you have completed the installer you will need to run LUP as an administrator. If you don't, WSUS will block LUP from connecting to it. It took me 20 minutes to figure out the error that this causes, because the error doesn't pop up till three steps later, and makes no reference to this being the problem.
After you have started LUP you will see the dialog box below.
You can put the IP address or web address of your WSUS server into the Servers field, or leave it as is if LUP is installed on the server WSUS is installed on.
You can choose to name the server in the name text box, or you can leave it blank. If you choose to leave it blank the server you connect to will be named local server.
You can change the port if you use a port other than the standard port, as well as use SSL if that's the flavor of WSUS you have installed.
After you have completed these steps the program will open up. You will need to double-click LOCALHOST, or the name that you put in for your server, to connect to the server. If you get an error that you are unable to connect at this point, and then LUP tells you that it wants to close out, verify that you are running the program as an administrator.
After you have connected to the WSUS server, the window in the image above will pop up. Click Yes and you will be taken to a dialog box that asks you to either import a certificate or create a new one for the server. (If you have an existing PKI or internal certificate system, I am going to assume that you are able to import your certificate to the WSUS server, or have already done so in the past and will not need to complete this step.) If you choose to create the certificate, you will need to export it by clicking the Export button in the dialog you will see below.
Follow the dialog box to save the exported certificate in a location that you can find later on. After you have exported the certificate you will need to place that certificate into a GPO so that it can be published to all of the computers.
To do this, create a GPO, then go to Computer Configuration/Administrative Templates/Windows Components/Windows Update/Allow Signed Content from intranet Microsoft update service location, and set it to Enabled.
Then go to Computer Configuration/Windows Settings/Security Settings/Public Key Policies and import the certificate to both "Trusted Publishers" and "Trusted Root Certification Authorities".
Save the GPO and assign it to a group of test computers that you want to test your updates on.
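Before publishing anything, it is worth confirming on one of the test computers that the GPO actually landed. The following is an added example, not part of the original post or the LUP documentation: it checks that the exported certificate is present in both machine stores and that the Windows Update policy value is set. The certificate path is a placeholder for wherever you saved the export.

```powershell
# Added example: verify on a test client that the WSUS signing GPO applied.
# Run from an elevated prompt after "gpupdate /force".
param(
    # Placeholder path; point this at the certificate you exported from LUP.
    [string]$CerPath = '\\fileserver\share$\wsus-signing.cer'
)

# Load the exported certificate; its thumbprint is what we look for in the stores.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$thumb = $cert.Thumbprint

# The GPO imports the certificate into both of these machine stores.
$results = @(foreach ($store in 'TrustedPublisher', 'Root') {
    $found = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $thumb }
    [pscustomobject]@{
        Check  = "Certificate present in LocalMachine\$store"
        Passed = [bool]$found
    }
})

# The "signed content from intranet" policy is stored as this registry value.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$value = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts `
            -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
$results += [pscustomobject]@{
    Check  = 'Policy AcceptTrustedPublisherCerts = 1'
    Passed = ($value -eq 1)
}

# An expired signing certificate makes clients reject every published update.
$results += [pscustomobject]@{
    Check  = "Certificate not expired (NotAfter $($cert.NotAfter))"
    Passed = ($cert.NotAfter -gt (Get-Date))
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

Any client that trusts this certificate will install whatever is signed with it, so the WSUS server holding the private key deserves the same protection as a domain controller.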
Creating an update in Local Update Publisher (LUP)
After you have completed the above steps we will proceed to set up an Adobe Flash update. It is the same process for Java or any other program/update that you want to push via WSUS. The LUP documentation provides an overview of how to build the major third-party updates here. So your first step is to open Tools, and then select Create Update, as seen below.
The window in the image below appears. In the update file line, via browse, point to the location of your update file (I host all of my GPO and update files on a hidden file share that all computers and users have access to). It will have to be an MSI file type for the program to find it. Adobe files can be found for download at ftp://ftp.adobe.com/pub/adobe/. After you have linked the file, click Next.
In the next window, you will need to input the vendor and product name, as they are required. Also make sure to select the reboot action that you want the update to perform.
In the next field you can create rules as to what computers the update affects, and allow it to skip computers if they possess a certain program or version that you do not want WSUS to update. The sky is the limit with the settings that you can use here. I personally did not mess with any of these settings.
Again, the next window allows you to modify the update's behavior based on metadata if there was a previous installation and you want to update it.
This last window contains all of the XML data that WSUS uses to be able to run the update and parse out which computers to install the update to. Feel free to edit this at your own risk. I'm not an XML guy, so I just leave it alone.
Click Finish, and you will see the update appear in the left-hand window under Local Host > Updates > Vendor > Product Name. You can then choose to approve the update, and use any of the existing computer groups that you have to apply the updates. The update approval uses the same dialog that WSUS uses when you are approving Microsoft updates.
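LUP re-signs the package with your WSUS certificate, which every client now trusts, so it pays to check the vendor's own signature on the MSI before you browse to it in the Create Update wizard. The following is an added example, not part of the original post: the file path and the expected signer name are assumptions to replace with your own.

```powershell
# Added example: check a downloaded MSI before publishing it through LUP.
param(
    # Placeholder path to the installer you are about to publish.
    [string]$MsiPath = '\\fileserver\updates$\install_flash_player.msi',
    # Assumed organisation name expected in the vendor's signing certificate.
    [string]$ExpectedSigner = 'Adobe'
)

$sig     = Get-AuthenticodeSignature -FilePath $MsiPath
$sha256  = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

$problems = @()

# Status is 'Valid' only if the file is intact and the chain ends in a trusted root.
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is '$($sig.Status)'"
}

# Sanity check that the O= field of the signer names the vendor we expect.
$pattern = '(^|,\s*)O=[^,]*' + [regex]::Escape($ExpectedSigner)
if ($subject -notmatch $pattern) {
    $problems += "Signer '$subject' does not match expected vendor '$ExpectedSigner'"
}

# Record the hash so the file on the share can be compared later.
[pscustomobject]@{
    File    = $MsiPath
    SHA256  = $sha256
    Signer  = $subject
    Status  = $sig.Status
    Publish = ($problems.Count -eq 0)
} | Format-List

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Because the post hosts installers on a share that all computers and users can reach, re-running the hash comparison just before publishing shows whether the file changed after it was downloaded.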
Also on a small side note, any update that you create in LUP will not show up in the WSUS console, at least not anywhere that I have been able to locate. You also have to use the LUP console to verify the status of the published update. If you select the update, and then the status tab in the lower right-hand window, it will show the status of how many computers are updated, failed, etc.
I have been using this for around two weeks, and it has changed my patching life. I was able to update all of my domain computers, and it took me all of 5 minutes to create the update, approve it, and push it out to the end users' computers. And it cost me 3 hours of my time, and no capital outlay to get this patching operation up and running. I hope you find this as useful as I have. Please feel free to leave any comments about your experiences with this product.