When you use System Center Updates Publisher (SCUP) to publish updates to SCCM/WSUS so that they can be deployed as patches, you need a code-signing certificate, as many guides out there describe.
If you use the WSUS self-signed certificate, you need to distribute it to the client computers using either SCCM or a group policy. You also need to configure the group policy setting "Allow signed updates from an intranet Microsoft Updates Service Location"; otherwise the installation of the updates published with SCUP will fail on the clients.
How to use a WSUS self-signed certificate is described here: http://technet.microsoft.com/en-us/library/hh134732.aspx
What I came across is that if you use the catalogs from HP or Dell to distribute drivers etc. and want to do that during OS deployment, group policies are not applied during OS deployment (on Windows Vista and Windows 7), so you will have to import the certificate using SCCM or have it included in your image along with the WSUS update policy setting.
I ended up doing it this way:
- Export the WSUS self-signed certificate
- Create a wsuspolicy.reg file with the following content to configure the policy for self-signed content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"AcceptTrustedPublisherCerts"=dword:00000001

- Copy both the wsusself.cer file and the wsuspolicy.reg file to a directory in your package source share called SCUPCert
- Create a package with the SCUPCert directory as the package source
- Create three programs for the package, with the following command lines:

"Import AcceptTrustedPublisherCerts" = Regedit.exe -s wsuspolicy.reg
"Install Trusted Publisher" = certutil.exe -addstore -f TrustedPublisher wsusself.cer
"Install Trusted Root" = certutil.exe -addstore Root wsusself.cer

- In your OSD task sequence, add all three as steps after the computer has rebooted into the newly installed operating system
Then you are good to go! One thing to note: if you do not use the WSUS self-signed certificate but want to use a code-signing certificate from an internal CA, you need to export both the Trusted Publisher certificate and the Trusted Root certificate for the internal CA; otherwise it will not work during OSD.
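As an added example (not code from the original post), the three program steps above combined into one PowerShell script that can run as a single task sequence step. It checks the thumbprint before adding, so running it beside a GPO that also deploys the certificate does not leave duplicates in the stores, and it fails the step if the policy value did not land. The file name wsusself.cer and the SCUPCert directory come from the post; Ensure-CertInStore is a hypothetical helper name.

```powershell
# Added example, not from the original post: one task-sequence step that imports the WSUS
# signing certificate and sets the policy value idempotently, so a re-run, or running it
# beside the GPO, does not leave duplicate certificates in the stores.
# Assumes wsusself.cer lies next to this script in the SCUPCert package directory.
$ErrorActionPreference = 'Stop'
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path   # works on PowerShell 2.0 too
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $scriptDir 'wsusself.cer')

function Ensure-CertInStore {
    param([string]$StoreName, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        # Match on thumbprint: a copy already pushed by GPO or an earlier run is not added again.
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint }
        if ($present) {
            Write-Host "LocalMachine\$StoreName already holds $($Certificate.Thumbprint), skipping"
        } else {
            $store.Add($Certificate)
            Write-Host "Added $($Certificate.Thumbprint) to LocalMachine\$StoreName"
        }
    } finally {
        $store.Close()
    }
}

# A self-signed WSUS certificate must be trusted both as a publisher and as a root
# (for a certificate from an internal CA, add the CA's root certificate to Root instead).
Ensure-CertInStore -StoreName 'TrustedPublisher' -Certificate $cert
Ensure-CertInStore -StoreName 'Root' -Certificate $cert

# Same value the wsuspolicy.reg import sets: lets the Windows Update agent install locally
# published (SCUP) updates that are signed by a certificate in TrustedPublisher.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'AcceptTrustedPublisherCerts' -Value 1 -Type DWord

# Verify, so the task sequence step fails visibly instead of leaving a half-configured client.
if ((Get-ItemProperty -Path $policyKey).AcceptTrustedPublisherCerts -ne 1) {
    throw 'AcceptTrustedPublisherCerts was not set'
}
```

Run it from the package directory as one "Run PowerShell Script" step in place of the three programs; any thrown error makes the step fail so the task sequence log shows the problem.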
Hi Jörgen,
Great article. Worked very well for me. Two things worth a mention are 1) If you’re in native mode using a TrustedPublisher cert from an enterprise CA you don’t need to import the rootca certificate as that is already done by the OSD mechanism and 2) Beware if copying the wsuspolicy.reg file straight from this page as the quotes (“) are the wrong type of quotes and have to be replaced with standard ones (you’ll see the difference when pasting in to Notepad).
Thanks very much,
tobewah
Hi Jorgen,
Great post and great work over here!
Your solution works very well with ConfigMgr 2012, but I am having a small issue with the certificate. As your solution states, you have to import the certificate during the task sequence. I also have configured a GPO that deploys the certificate to existing clients. The machine that is coming out of the OSD is getting the certificate twice (once from the task sequence, once from the GPO). The certificate is listed twice in the Trusted Root CA and the Trusted Publishers. Do you think this will cause problems? Is there a solution to avoid the duplicate certificates in the stores?
Maybe deleting the certificate at the end of the task sequence could be an idea.
Thanks!
Gr. Cédric
Hi,
That would be an option, install the certificates, deploy the updates, and then remove the certificates again from the local certificates store.
/Jörgen
Hi,
You can just run this instead; then you will not get the certificate twice.
certutil.exe -GroupPolicy -f -addstore Root "wsusself.cer"
certutil.exe -GroupPolicy -f -addstore TrustedPublisher "wsusself.cer"
You can also use the following command instead of importing a REG file:
reg add HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v AcceptTrustedPublisherCerts /t REG_DWORD /d 1 /f