System Center Updates Publisher Configuration

These are notes from the SCUP Help File….

To configure the certificate store on the update server
  1. Click Start, click Run, type MMC in the text box, and then click OK to open the Microsoft Management Console (MMC).

  2. Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click Next.

  3. Select Another computer, type the name of the update server or click Browse to find the update server computer, click Finish, click Close, and then click OK.

  4. Expand Certificates (update server name), expand WSUS, and then click Certificates.

  5. In the results pane, right-click the desired certificate, click All Tasks, and then click Export.

  6. In the Certificate Export Wizard, use the default settings to create an export file with the name and location specified in the wizard. This file must be available to the update server before proceeding to the next step.

  7. Right-click Trusted Publishers, click All Tasks, and then click Import. Complete the Certificate Import Wizard using the exported file from step 6.

  8. If a self-signed certificate is used, such as WSUS Publishers Self-signed, right-click Trusted Root Certification Authorities, click All Tasks, and then click Import. Complete the Certificate Import Wizard using the exported file from step 6.

  9. Right-click Certificates (update server name), click Connect to another computer, enter the computer name for the Updates Publisher computer, and click OK.

  10. If Updates Publisher is remote from the update server, repeat steps 7 through 9 to import the certificate to the certificate store on the Updates Publisher computer.


To configure a self-signing certificate on client computers
  1. Click Start, click Run, type MMC in the text box, and then click OK to open the Microsoft Management Console (MMC).

  2. Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click Next.

  3. Select Another computer, type the name of the update server or click Browse to find the update server computer, click Finish, click Close, and then click OK.

  4. Expand Certificates (update server name), expand WSUS, and then click Certificates.

  5. Right-click the certificate in the results pane, click All Tasks, and then click Export. Complete the Certificate Export Wizard using the default settings to create an export certificate file with the name and location specified in the wizard.

  6. Use a method to add the certificate used to sign the updates catalog to each client computer that will use WUA to scan for the updates in the catalog. Add the certificate on the client computer as follows:

    • For self-signed certificates: Add the certificate to the Trusted Root Certification Authorities and Trusted Publishers certificate stores.
    • For certification authority (CA) issued certificates: Add the certificate to the Trusted Publishers certificate store.

    Note: The WUA also checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer.
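The export and import steps of the two procedures above, written as a PowerShell script. This is an added example, not from the SCUP help file; it assumes it is run elevated on the update server, that the signing certificate's subject starts with "CN=WSUS Publishers Self-signed" (override -SubjectMatch for a CA-issued certificate), and the function names are mine.

```powershell
# Added example (not from the SCUP help file). Exports the signing certificate from the
# update server's WSUS store (steps 4-6) and imports it into the stores WUA checks (steps 7-8).
# Assumptions: run elevated on the update server; subject "CN=WSUS Publishers Self-signed".
function Export-WsusSigningCert {
    param([string]$OutFile = "$env:TEMP\wsus.cer",
          [string]$SubjectMatch = 'CN=WSUS Publishers Self-signed*')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('WSUS', 'LocalMachine')
    $store.Open('ReadOnly')
    $cert = $store.Certificates | Where-Object { $_.Subject -like $SubjectMatch } | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate matching '$SubjectMatch' in LocalMachine\WSUS" }
    # DER-encoded public certificate only (the wizard's default export); the private key never leaves the server.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($OutFile, $der)
    return $cert
}

function Install-WsusSigningCert {
    param([Parameter(Mandatory=$true)][string]$CerFile)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerFile)
    # Trusted Publishers always (step 7); Trusted Root only when the certificate is self-signed (step 8).
    $targets = @('TrustedPublisher')
    if ($cert.Subject -eq $cert.Issuer) { $targets += 'Root' }
    foreach ($name in $targets) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
        $store.Open('ReadWrite')
        if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }   # idempotent on re-runs
        $store.Close()
    }
    return $targets
}

$cerFile = "$env:TEMP\wsus.cer"
$cert = Export-WsusSigningCert -OutFile $cerFile
$stores = Install-WsusSigningCert -CerFile $cerFile
"Installed $($cert.Thumbprint) into: $($stores -join ', ')"
```

Run Install-WsusSigningCert with the same .cer file on the Updates Publisher computer to cover step 10 when it is remote from the update server.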


To deploy the WSUS self-signed certificate using software distribution and certutil.exe
  1. Export the WSUS Publishers Self-signed certificate and public key to a directory on the local computer.

  2. Copy the Certutil.exe and Certadm.dll files to the same directory as the exported files. Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003 family; both files are installed in %windir%\system32 by default.

  3. Create a software distribution package containing the files from step 1 and step 2.

  4. Add a software distribution program that runs the following command line: certutil.exe -addstore TrustedPublisher wsus.cer, where TrustedPublisher is the name of the certificate store and wsus.cer is the name of the exported certificate. For more information about certutil.exe, see the Certutil Web site on TechNet (https://go.microsoft.com/fwlink/?LinkId=108447).

  5. Create an advertisement for distributing the package and program to the appropriate collection.


To configure the Group Policy to allow WUA 3.0 on computers to scan for published updates
  1. Open the Group Policy Object Editor Microsoft Management Console (MMC) snap-in with a user that has the appropriate security rights to configure Group Policy.

  2. Click Browse and select the domain, OU, or GPOs linked to the site where the configured Group Policy will propagate to the desired client computers. Click OK, click Finish, click Close, and then click OK.

  3. Expand the selected policy setting in the console tree, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  4. In the results pane, right-click Allow signed content from intranet Microsoft update service location, click Properties, click Enabled, and then click OK.
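A check to run on a client after the certificate deployment and the Group Policy step above, as an added example that is not from the SCUP help file: it confirms the signing certificate is in Trusted Publishers (and Trusted Root when self-signed) and that the "Allow signed content from intranet Microsoft update service location" setting has been applied. It assumes the exported .cer file is available locally; the function name is mine.

```powershell
# Added example (not from the SCUP help file): verify on a client that both conditions WUA
# checks are met: the signing certificate in the right stores, and the Group Policy setting applied.
function Test-WsusClientTrust {
    param([Parameter(Mandatory=$true)][string]$CerFile)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerFile)
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $required = @('TrustedPublisher')
    if ($selfSigned) { $required += 'Root' }   # self-signed: both stores (see the client procedure above)
    $result = @{}
    foreach ($name in $required) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
        $store.Open('ReadOnly')
        # Match on thumbprint so a re-exported copy of the same certificate still counts.
        $found = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        $result[$name] = [bool]$found
        $store.Close()
    }
    # The policy "Allow signed content from intranet Microsoft update service location" is stored by
    # Group Policy as the AcceptTrustedPublisherCerts DWORD (1 = Enabled) under the WindowsUpdate policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $gp = Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
    $result['AcceptTrustedPublisherCerts'] = ($null -ne $gp -and $gp.AcceptTrustedPublisherCerts -eq 1)
    $result['Ready'] = -not ($result.Values -contains $false)
    return $result
}

Test-WsusClientTrust -CerFile "$env:TEMP\wsus.cer" | Format-Table -AutoSize
```

A false value for a store means the certutil.exe -addstore step (or its Root equivalent for a self-signed certificate) has not reached this client; a false AcceptTrustedPublisherCerts means the GPO has not applied yet (run gpupdate or check the GPO link).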
