How to deploy certificates for custom WSUS updates to client machines


Last updated on April 16th, 2023 at 11:24 pm


As per previous posts on the blog for custom updates using WSUS, you have to make sure that your environment is set up correctly to allow these custom (local) updates to install on client machines.

To make this work, you need to export your WSUS/SCUP self-signed certificate and make sure it is applied to all machines using Group Policy. There is also one group policy setting that needs to be switched on to allow local content updates which I’ll include in this post too.

Step by Step Guide

Exporting the Self-Cert

Go to your WSUS/SCUP server and click Start then Run. In the box, type MMC and press Enter.

Then click File and then Add/Remove Snap-In.

Select Certificates from the left column and click Add in the middle. You will then be taken to the snap-in configuration wizard.

Click Computer Account and click Next. On the next page, click Local Computer and then Finish. Then click OK – this should then bring up all your certificates on your WSUS/SCUP server.

You then need to browse to the folder called WSUS and then under that Certificates. On the right side, you should see a certificate called WSUS Publishers Self-Signed (the name could be slightly different).

You now need to export this to use with your Group Policy. Right-click on the certificate and click All Tasks then Export. Follow all the defaults in the wizard and then make sure you save it somewhere you will remember!

Once you have the certificate exported from your WSUS/SCCM server, you need to deploy it to your client machines. To do this, you can use Group Policy. How you set up your Group Policies is entirely up to you as everyone’s is different, but so long as all clients that need these updates receive this policy, the updates should work.

Group Policy

  • Open the Group Policy Management MMC console on your Domain Controller
  • Find a policy to edit or create a new one
  • Right-click the policy and choose Edit
  • Then select Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Publishers
  • Right-click and select Import
  • Browse to the location of the certificate that you exported earlier and import it.
  • Repeat the same procedure for Trusted Root Certification Authorities
  • There is also a Group Policy setting that you need to set for 3rd party updates. If you do not set this setting, the update will fail.
  • To do this, go into your Group Policy and browse to the following location:
  • Computer Configuration > Policies > Admin Templates > Windows Components > Windows Updates

You should then enable the policy as below:

[Screenshot: Allow Signed Updates Group Policy setting, enabled]

You can then close this and wait for the policies to apply to your machines, then, once your custom updates have been created, you should be able to run Windows Updates on your client machines and they should start to install your custom updates.
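If you would rather script the export on the server and check the result on a client than click through the consoles, the following PowerShell is an added example (not from the original post). It assumes the SCUP signing certificate lives in the computer's WSUS store with "WSUS Publishers Self-signed" in its subject, an export location of C:\Temp, and that the "Allow signed updates" policy writes the AcceptTrustedPublisherCerts value under the WindowsUpdate policy key.

```powershell
# Added example: export the WSUS publishing certificate (public part only) on the
# server, or verify on a client that Group Policy delivered the certificate to
# both stores and enabled the "Allow signed updates" setting. Run as Administrator.
param(
    [ValidateSet('Export', 'Verify')] [string]$Mode = 'Verify',
    [string]$ExportPath   = 'C:\Temp\WSUSPublishersSelfSigned.cer',   # assumed path
    [string]$SubjectMatch = 'WSUS Publishers Self-signed'             # assumed subject text
)

function Export-WsusPublisherCert {
    param([string]$Path, [string]$Subject)
    # The WSUS store under the computer account is where SCUP keeps its signing cert
    $cert = Get-ChildItem -Path Cert:\LocalMachine\WSUS |
            Where-Object { $_.Subject -like "*$Subject*" } |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$Subject' in Cert:\LocalMachine\WSUS" }
    # DER .cer contains only the public certificate; the private key stays on the server
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    Write-Host "Exported $($cert.Thumbprint) to $Path"
    return $cert.Thumbprint
}

function Test-WsusClientTrust {
    param([string]$Subject)
    $result = [ordered]@{}
    # The two stores the GPO steps above populate
    foreach ($store in 'TrustedPublisher', 'Root') {
        $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                 Where-Object { $_.Subject -like "*$Subject*" }
        $result[$store] = [bool]$found
    }
    # Registry value written by "Allow signed updates from an intranet
    # Microsoft update service location" (1 = enabled)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $result['AcceptTrustedPublisherCerts'] = ($val -eq 1)
    # All three must be $true before custom updates will install on this client
    return [pscustomobject]$result
}

switch ($Mode) {
    'Export' { Export-WsusPublisherCert -Path $ExportPath -Subject $SubjectMatch }
    'Verify' { Test-WsusClientTrust -Subject $SubjectMatch | Format-List }
}
```

Run it with -Mode Export on the WSUS/SCUP server, then with -Mode Verify on a client after gpupdate /force; any $false in the output points at the store or policy setting that has not applied yet.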

Comments

If you have any problems with anything here, just post a comment and I’ll try and help where I can.
