As per previous posts on the blog for custom updates using WSUS, you have to make sure that your environment is set up correctly to allow these custom (local) updates to install on client machines.
To make this work, you need to export your WSUS/SCUP self-signed certificate and make sure it is applied to all machines using Group Policy. There is also one group policy setting that needs to be switched on to allow local content updates which I’ll include in this post too.
Step by Step Guide
Exporting the Self-Cert
Go to your WSUS/SCUP server and click Start then Run. In the box, type MMC and press Enter.
Then click File and then Add/Remove Snap-In.
Select Certificates from the left column and click Add in the middle. You will then be taken to the snap-in configuration wizard.
Click Computer Account and click Next. On the next page, click Local Computer and then Finish. Then click OK – this should then bring up all your certificates on your WSUS/SCUP server.
You then need to browse to the folder called WSUS and then under that Certificates. On the right side, you should see a certificate called (could be slightly different) WSUS Publishers Self-Signed.
You now need to export this to use with your Group Policy. Right-click on the certificate and click All Tasks then Export. Follow all the defaults in the wizard and then make sure you save it somewhere you will remember!
Once you have the certificate exported from your WSUS/SCCM server, you need to deploy this to your client machines. To do this, you can use Group Policy. How you set up your Group Policies is entirely up to you as everyone’s is different, but so long as all clients that need these updates to get this policy, the updates should work.
- Open the Group Policy Management MMC console on your Domain Controller
- Find a policy to edit or create a new one
- Click right the policy and choose Edit
- Then Select Computer Configuration -> Policies -> Windows Settings — > Security Settings -> Public Key Policies -> Trusted Publishers
- Click right and select Import
- Browse to the location of the certificate that you earlier exported and import this certificate.
- Repeat the same procedure for Trusted Root Certification Authorities
- There is also a Group Policy setting that you need to set for 3rd party updates, if you do not set this setting, the update will fail.
- To do this, go into your Group Policy and browse to the following location:
- Computer Configuration > Policies > Admin Templates > Windows Components > Windows Updates
You should then enable the policy as below:
You can then close this and wait for the policies to apply to your machines, then, once your custom updates have been created, you should be able to run Windows Updates on your client machines and they should start to install your custom updates.
If you have any problems with anything here, just post a comment and I’ll try and help where I can.