How to deploy certificates for custom WSUS updates to client machines
As per previous posts on the blog for custom updates using WSUS, you have to make sure that your environment is setup correctly to allow these custom (local) updates to install on client machines.
To make this work, you need to export your WSUS/SCUP self-signed certificate and make sure it is applied to all machines using Group Policy. There is also one group policy setting that needs to be switched on to allow local content updates which I’ll include in this post too.
Firstly, to export the self-cert…
Go to your WSUS/SCUP server and click Start then Run. In the box, type MMC and press Enter.
Then click File and then Add/Remove Snap In.
Select Certificates from the left column and click Add in the middle. You will then be taken to the snap-in configuration wizard.
Click Computer Account and click Next. On the next page, click Local Computer and then Finish. Then click OK – this should then bring up all your certificates on your WSUS/SCUP server.
You then need to browse to the folder called WSUS and then under that Certificates. On the right side, you should see a certificate called (could be slightly different) WSUS Publishers Self-Signed.
You now need to export this to use with your Group Policy. Right click on the certificate and click All Tasks then Export. Follow all the defaults in the wizard and then make sure you save it somewhere you will remember!
Once you have the certificate exported from your WSUS/SCCM server, you need to deploy this to your client machines. To do this, you can use Group Policy. How you setup your Group Policies is entirely up to you as everyones is different, but so long as all clients that need these updates get this policy, the updates should work.
Open the Group Policy Management MMC console on your Domain Controller
Find a policy to edit or create a new one
Click right the policy and choose Edit
Then Select Computer Configuration -> Policies -> Windows Settings — > Security Settings -> Public Key Policies -> Trusted Publishers
Click right and select Import
Browse to the location of the certificate that you earlier exported and import this certificate.
Repeat the same procedure for Trusted Root Certification Authorities
There is also a Group Policy setting that you need to set for 3rd party updates, if you do not set this setting, the update will fail.
To do this, go into your Group Policy and browse to the following location:
Computer Configuration > Policies > Admin Templates > Windows Components > Windows Updates
You should then enable the policy as below:
You can then close this and wait for the policies to apply to your machines, then, once your custom updates have been created, you should be able to run Windows Updates on your client machines and they should start to install your custom updates.
If you have any problems with anything here, just post a comment and I’ll try and help where I can.