
System Center Updates Publisher and OSD

Posted on June 21, 2011 (updated October 11, 2011) by Jörgen Nilsson

When you use System Center Updates Publisher (SCUP) to publish updates to SCCM/WSUS so that they can be deployed as patches, you need a code-signing certificate, as many guides out there describe.
If you use the WSUS self-signed certificate, you need to distribute it to the client computers using either SCCM or a group policy, and you also need to configure the group policy setting "Allow signed updates from an intranet Microsoft Updates Service Location"; otherwise the installation of the updates published with SCUP will fail on the clients.
How to use a WSUS self-signed certificate is described here: http://technet.microsoft.com/en-us/library/hh134732.aspx

What I came across is that if you use the catalogs from HP or Dell to distribute drivers etc. and want to do that during OS deployment, group policies are not applied during OS deployment (on Windows Vista and Windows 7), so you will have to import the certificate using SCCM or have it included in your image along with the WSUS update policy setting.
I ended up doing it this way:

  1. Export the WSUS self-signed certificate (wsusself.cer).
  2. Create a wsuspolicy.reg file with the following content to configure the policy for self-signed content:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "AcceptTrustedPublisherCerts"=dword:00000001

  3. Copy both the wsusself.cer file and the wsuspolicy.reg file to a directory in your package source share called SCUPCert.
  4. Create a package with SCUPCert as the package source.
  5. Create three programs for the package:
    [Screenshot: SCUPOSD2]
  6. With the following command lines:
    "Import AcceptTrustedPublisherCerts" = Regedit.exe -s wsuspolicy.reg
    "Install Trusted Publisher" = certutil.exe -addstore -f TrustedPublisher wsusself.cer
    "Install Trusted Root" = certutil.exe -addstore Root wsusself.cer
  7. In your OSD task sequence, add all three as steps after the computer has rebooted into the newly installed operating system.
    [Screenshot: SCUPOSD1]

Then you are good to go! One thing to note is that if you do not use the WSUS self-signed certificate but want to use a code-signing certificate from an internal CA, you need to export both the Trusted Publisher certificate and the Trusted Root certificate for the internal CA; otherwise it will not work during OSD.
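The three task sequence programs above can be collapsed into one script that also checks its own result. This is an added example, not code from the original post: it imports wsusself.cer into the LocalMachine Root and TrustedPublisher stores only if the thumbprint is not already there (so a later GPO import does not leave duplicates), sets AcceptTrustedPublisherCerts, and fails the step if anything is missing. It assumes wsusself.cer sits next to the script in the package source and runs as SYSTEM from a "Run Command Line" step.

```powershell
# Added example (not part of the original post). Assumes wsusself.cer is in the
# same directory as this script and that the step runs in the full OS as SYSTEM.
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$certPath  = Join-Path $scriptDir 'wsusself.cer'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Load the certificate once so the thumbprint can be compared before importing.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

function Import-CertIfMissing {
    param([string]$StoreName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $existing = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if ($existing) {
            Write-Output "$StoreName already contains $($cert.Thumbprint); skipping"
        } else {
            $store.Add($cert)
            Write-Output "Imported $($cert.Thumbprint) into $StoreName"
        }
    } finally {
        $store.Close()
    }
}

# Same two stores the post's certutil programs populate.
Import-CertIfMissing -StoreName 'Root'
Import-CertIfMissing -StoreName 'TrustedPublisher'

# Equivalent of wsuspolicy.reg: allow signed updates from the intranet WSUS.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'AcceptTrustedPublisherCerts' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Verify so the task sequence step fails loudly instead of silently continuing.
$rootOk = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
$pubOk  = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
$polOk  = (Get-ItemProperty -Path $policyKey -Name 'AcceptTrustedPublisherCerts').AcceptTrustedPublisherCerts -eq 1

if (-not ($rootOk -and $pubOk -and $polOk)) {
    Write-Error 'SCUP certificate or AcceptTrustedPublisherCerts policy not in place'
    exit 1
}
exit 0
```

A non-zero exit code makes the task sequence report the step as failed, which is easier to spot in smsts.log than a silent certutil error.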

5 thoughts on “System Center Updates Publisher and OSD”

  1. tobewah says:
    October 12, 2011 at 10:54 am

    Hi Jörgen,

    Great article. Worked very well for me. Two things worth a mention are 1) If you’re in native mode using a TrustedPublisher cert from an enterprise CA you don’t need to import the rootca certificate as that is already done by the OSD mechanism and 2) Beware if copying the wsuspolicy.reg file straight from this page as the quotes (“) are the wrong type of quotes and have to be replaced with standard ones (you’ll see the difference when pasting in to Notepad).

    Thanks very much,

    tobewah

    Reply
  2. Cédric Stainier says:
    June 25, 2014 at 8:07 am

    Hi Jorgen,

    Great post and great work over here!
    Your solution works very well with ConfigMgr 2012, but I am having a small issue with the certificate. As your solution states, you have to import the certificate during the task sequence. I also have configured a GPO that deploys the certificate to existing clients. The machine that is coming out of the OSD is getting the certificate twice (once from the task sequence, once from the GPO). The certificate is listed twice in the Trusted Root CA and the Trusted Publishers. Do you think this will cause problems? Is there a solution to avoid the duplicate certificates in the stores?
    Maybe deleting the certificate at the end of the task sequence could be an idea.

    Thanks!

    Gr. Cédric

    Reply
    1. Jörgen Nilsson says:
      June 25, 2014 at 8:29 am

      Hi,
      That would be an option, install the certificates, deploy the updates, and then remove the certificates again from the local certificates store.
      /Jörgen

      Reply
  3. Jens Jacobsen says:
    August 29, 2014 at 12:07 pm

    Hi,

    You can just run this instead, then you will not get the certificate twice.
    certutil.exe -GroupPolicy -f -addstore Root "wsusself.cer"
    certutil.exe -GroupPolicy -f -addstore TrustedPublisher "wsusself.cer"

    Reply
  4. Levi says:
    December 25, 2017 at 5:28 pm

    You can also use the following command instead of importing a REG file:

    reg add HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v AcceptTrustedPublisherCerts /t REG_DWORD /d 1 /f

    Reply
