System Center Updates Publisher and OSD

When you use System Center Updates Publisher (SCUP) to publish updates to SCCM/WSUS so that they can be deployed as patches, you need a code-signing certificate, as many guides out there describe.
If you use the WSUS self-signed certificate, you need to distribute it to the client computers using either SCCM or a group policy. You also need to configure the group policy setting “Allow signed updates from an intranet Microsoft update service location”; otherwise the installation of updates published with SCUP will fail on the clients.
How to use a WSUS self-signed certificate is described here:

What I came across is that if you use the catalogs from HP or Dell to distribute drivers etc. and want to do that during OS deployment, group policies are not applied during OS deployment (on Windows Vista and Windows 7), so you will have to import the certificate using SCCM or have it included in your image along with the WSUS update policy setting.
I ended up doing it this way:

  1. Export the WSUS self-signed certificate
  2. Create a wsuspolicy.reg file with the following content to configure the policy for self-signed content:

    Windows Registry Editor Version 5.00


  3. Copy both the wsusself.cer file and the wsuspolicy.reg file to a directory in my package source share called SCUPCert
  4. Create a package with SCUPCert as the package source
  5. Create three programs for the package:
  6. With the following command lines:
    “Import AcceptTrustedPublishedCerts” = Regedit.exe -s wsuspolicy.reg
    “Install Trusted Publisher” = certutil.exe -addstore -f TrustedPublisher wsusself.cer
    “Install Trusted Root” = certutil.exe -addstore Root wsusself.cer
  7. In your OSD Task Sequence, add all three as steps after the computer is rebooted into the newly installed operating system

Then you are good to go! One thing to note is that if you do not use the WSUS self-signed certificate but want to use a code-signing certificate from an internal CA, you need to export both the Trusted Publisher certificate and the Trusted Root certificate for the internal CA; otherwise it will not work during OSD.
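
To confirm on a freshly deployed client that the three task sequence steps took effect, a check like the following can be run from the same package. It is an added example, not part of the original post. It assumes the policy is stored as the `AcceptTrustedPublisherCerts` value under the Windows Update policy key and that `wsusself.cer` (the file name used above) is in the current directory.

```powershell
# Added example: verify the SCUP trust prerequisites after OSD.
# Assumption: wsusself.cer is the certificate exported in step 1.
param([string]$CertPath = '.\wsusself.cer')

$ErrorActionPreference = 'Stop'
$problems = @()

# 1. Registry value behind the "Allow signed updates from an intranet
#    Microsoft update service location" policy (assumed location, see lead-in).
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
if (-not $policy -or $policy.AcceptTrustedPublisherCerts -ne 1) {
    $problems += "AcceptTrustedPublisherCerts is not set to 1 under $wuKey"
}

# 2. Load the exported certificate and show exactly what is being trusted.
$file = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += 'Certificate has expired'
}

# 3. certutil -addstore without -user writes to the machine stores, so the
#    same thumbprint must be present in both of them.
foreach ($store in 'TrustedPublisher', 'Root') {
    $found = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $found) {
        $problems += "Certificate missing from LocalMachine\$store"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit lets a task sequence step report the failure
}
'Policy and certificate trust are in place for SCUP-published updates.'
exit 0
```

Comparing the printed thumbprint against the one shown on the WSUS server confirms that the certificate added to the Root store is the intended one.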
