Our Blog
Your questions answered
Your questions answered

Controlling SCUP-published updates with WSUS

If you are a Systems Center user, you would probably know that you are entitled to use SCUP (System Center Update Publisher) to incorporate third-party updates into your patch-cycle.

SCUP is great to update Adobe products and and can even be used to provide custom updates of your own make. In order to use it effectively, you would need to have a full installation of SCCM, which might not always be the case. If you just want to use SCUP with WSUS, then you have a problem: updates, injected with SCUP do not show up in WSUS console, since they are considered "local".

Here is a workaround that will give you back the control over the injected local updates.

WARNING: This workaround incorporates a direct editing of WSUS-database and is an unsupported configuration, use at your own risk!

The idea behind this workaround is to change the way WSUS treats the updates injected with SCUP – basically to strip them from that "locally published" attribute.

1. Locate your WSUS database and login into it with sufficient privileges for DDL.

2. Create a trigger for the table tbUpdate as follows:

CREATE TRIGGER [dbo].[InsertTRGLocalPubl]
ON  [dbo].[tbUpdate]
UPDATE  tbUpdate
SET  IsLocallyPublished = 0
FROM    tbUpdate U
JOIN    Inserted I
ON    U.LocalUpdateID = I.LocalUpdateID
WHERE   I.IsLocallyPublished = 1

3. If you already have locally published updates in your WSUS database, you might also want to change their status by running the following query:

UPDATE [dbo].[tbUpdate]
SET   IsLocallyPublished = 0
WHERE IsLocallyPublished = 1

From now on, all updates injected with SCUP will be visible in WSUS-console, where you will be able to approve or decline them.

Roman Kuznetsov @ 10.09.2013

Other posts