How to deploy certificates for custom WSUS updates to client machines

Microsoft Blue Logo

As per previous posts on the blog for custom updates using WSUS, you have to make sure that your environment is setup correctly to allow these custom (local) updates to install on client machines.

To make this work, you need to export your WSUS/SCUP self-signed certificate and make sure it is applied to all machines using Group Policy. There is also one group policy setting that needs to be switched on to allow local content updates which I’ll include in this post too.

Step by Step Guide

Firstly, to export the self-cert…

Go to your WSUS/SCUP server and click Start then Run. In the box, type MMC and press Enter.

Then click File and then Add/Remove Snap In.

Select Certificates from the left column and click Add in the middle. You will then be taken to the snap-in configuration wizard.

Click Computer Account and click Next. On the next page, click Local Computer and then Finish. Then click OK – this should then bring up all your certificates on your WSUS/SCUP server.

You then need to browse to the folder called WSUS and then under that Certificates. On the right side, you should see a certificate called (could be slightly different) WSUS Publishers Self-Signed.

You now need to export this to use with your Group Policy. Right click on the certificate and click All Tasks then Export. Follow all the defaults in the wizard and then make sure you save it somewhere you will remember!

Once you have the certificate exported from your WSUS/SCCM server, you need to deploy this to your client machines. To do this, you can use Group Policy. How you setup your Group Policies is entirely up to you as everyones is different, but so long as all clients that need these updates get this policy, the updates should work.

Open the Group Policy Management MMC console on your Domain Controller

Find a policy to edit or create a new one

Click right the policy and choose Edit

Then Select Computer Configuration -> Policies -> Windows Settings — > Security Settings -> Public Key Policies -> Trusted Publishers

Click right and select Import

Browse to the location of the certificate that you earlier exported and import this certificate.

Repeat the same procedure for Trusted Root Certification Authorities

There is also a Group Policy setting that you need to set for 3rd party updates, if you do not set this setting, the update will fail.

To do this, go into your Group Policy and browse to the following location:

Computer Configuration > Policies > Admin Templates > Windows Components > Windows Updates

You should then enable the policy as below:

You can then close this and wait for the policies to apply to your machines, then, once your custom updates have been created, you should be able to run Windows Updates on your client machines and they should start to install your custom updates.

If you have any problems with anything here, just post a comment and I’ll try and help where I can.

You might also like...

Leave us a message...

This site uses Akismet to reduce spam. Learn how your comment data is processed.