How to deploy certificates for custom WSUS updates to client machines


As covered in previous posts on the blog about custom updates with WSUS, your environment has to be set up correctly before these custom (locally published) updates will install on client machines. Windows Update only installs a locally published update if the certificate that signed it is trusted by the client and the client has been told to accept signed updates from an intranet update service.

To make this work, you need to export the public certificate of your WSUS/SCUP self-signed signing certificate (not its private key) and push it to all client machines using Group Policy. There is also one Group Policy setting that has to be switched on to allow locally published content to install, which I'll include in this post too.

Step by Step Guide

Exporting the Self-Signed Certificate

Go to your WSUS/SCUP server and click Start then Run. In the box, type MMC and press Enter.

Then click File and then Add/Remove Snap-In.

Select Certificates from the left column and click Add in the middle. You will then be taken to the snap-in configuration wizard.

Click Computer Account and click Next. On the next page, click Local Computer and then Finish. Then click OK – this should then bring up all your certificates on your WSUS/SCUP server.

You then need to expand the store called WSUS and then, under that, Certificates. On the right-hand side you should see a certificate called (the name could be slightly different) WSUS Publishers Self-Signed.

You now need to export this to use with your Group Policy. Right-click on the certificate and click All Tasks then Export. Follow the defaults in the wizard: in particular, keep "No, do not export the private key" selected and accept the DER encoded (.CER) format. Only the public certificate needs to leave the server; anyone holding the private key can sign packages that every client in the policy scope will trust, so it should stay on the WSUS/SCUP server. Make sure you save the exported file somewhere you will remember!

Once you have the certificate exported from your WSUS/SCUP server, you need to deploy it to your client machines. To do this, you can use Group Policy. How you set up your Group Policies is entirely up to you as everyone's environment is different, but so long as all clients that need these updates receive this policy, the updates should work.


Group Policy

  • Open the Group Policy Management console on your Domain Controller
  • Find a policy to edit or create a new one
  • Right-click the policy and choose Edit
  • Then select Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Publishers
  • Right-click and select Import
  • Browse to the location of the certificate that you exported earlier and import this certificate
  • Repeat the same procedure for Trusted Root Certification Authorities (the certificate is self-signed, so it must be in both stores: Trusted Root so the chain is trusted, and Trusted Publishers so the signature on the update is accepted)
  • There is also a Group Policy setting that you need to enable for third-party updates; if you do not set this, the update will fail with a signature/trust error
  • To do this, go into your Group Policy and browse to the following location:
  • Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

You should then enable the policy below:

Allow signed updates from an intranet Microsoft update service location

This setting only has an effect on clients that are already pointed at your WSUS server through the "Specify intranet Microsoft update service location" policy; the updates are still fetched from WSUS, the setting just lets Windows Update accept content that is signed by a trusted publisher rather than by Microsoft.

You can then close this and wait for the policies to apply to your machines (or run gpupdate /force on a test client). Once your custom updates have been created and approved, you should be able to run Windows Update on your client machines and they should start to install your custom updates.
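The whole procedure above (export on the server, then confirm the Group Policy landed on a client) can be scripted. The following PowerShell is an added example and not part of the original post or any Microsoft tooling; it assumes the certificate subject contains "WSUS Publishers Self-signed", that the PKI module (Export-Certificate) is available on the server, and that the client check is run after gpupdate /force. The client function checks the two certificate stores the policy populates and the AcceptTrustedPublisherCerts registry value that the "Allow signed updates from an intranet Microsoft update service location" policy sets.

```powershell
# Added example (not from the original post). Assumptions: certificate subject
# matches '*WSUS Publishers Self-signed*' and Export-Certificate (PKI module) exists.

# --- Server side: export the public certificate only (no private key) as a DER .cer ---
function Export-WsusPublisherCert {
    param(
        [string]$OutFile      = "$env:TEMP\WSUSPublishersSelfSigned.cer",
        [string]$SubjectMatch = '*WSUS Publishers Self-signed*'
    )
    # The WSUS publishing cert lives in the machine's WSUS store (what the MMC shows as WSUS\Certificates).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\WSUS |
        Where-Object { $_.Subject -like $SubjectMatch } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate matching '$SubjectMatch' found in Cert:\LocalMachine\WSUS"
    }
    # -Type CERT writes the DER-encoded public certificate; the private key never leaves the server.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter   # worth noting: clients stop trusting updates once this passes
        File       = $OutFile
    }
}

# --- Client side: confirm Group Policy delivered the certificate and the update setting ---
function Test-WsusCustomUpdateTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Certificates pushed by GPO show up in the machine Root and TrustedPublisher stores.
    $results = foreach ($store in 'Root', 'TrustedPublisher') {
        [pscustomobject]@{
            Check = "Certificate $Thumbprint in Cert:\LocalMachine\$store"
            Pass  = Test-Path -Path "Cert:\LocalMachine\$store\$Thumbprint"
        }
    }

    # The 'Allow signed updates from an intranet Microsoft update service location' policy
    # is stored as AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key.
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuProp = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'AcceptTrustedPublisherCerts = 1 (allow signed intranet updates)'
        Pass  = ($wuProp.AcceptTrustedPublisherCerts -eq 1)
    }
    # The setting is irrelevant unless the client actually points at the intranet WSUS server.
    $results += [pscustomobject]@{
        Check = 'WUServer set (client pointed at intranet WSUS)'
        Pass  = -not [string]::IsNullOrEmpty($wuProp.WUServer)
    }
    $results
}

# Usage:
#   On the WSUS/SCUP server:        $exp = Export-WsusPublisherCert; $exp
#   On a client after gpupdate /force:
#       Test-WsusCustomUpdateTrust -Thumbprint $exp.Thumbprint | Format-Table -AutoSize
```

Any row that comes back with Pass = False points at the step that is missing: a certificate absent from Root or TrustedPublisher means the import under Public Key Policies did not reach that client, and AcceptTrustedPublisherCerts not being 1 means the Windows Update policy is not enabled or not yet applied.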

Comments

If you have any problems with anything here, just post a comment and I’ll try and help where I can.


About A.J. Armstrong

Founder of TechyGeeksHome and Head Editor for over eight years! IT expert in multiple areas for over 21 years. Sharing experience and knowledge whenever possible! Making IT Happen.
