If you’re using SCUP to publish updates, it’s first necessary to push the SCUP signing certificate to your clients or the updates will fail to install. This post covers creating a group policy object to push the SCUP certificate to clients.
- The certificate file should have been exported during the SCUP install. The second half of my previous post on SCUP, “SCCM 2007 – System Center Updates Publisher 2011”, covers exporting the certificate in case you’ve lost the file.
- Click Start -> Run, then enter “gpmc.msc”, then click “OK”.
- Right-click the container “Group Policy Objects” and choose “New”.
- For “Name” enter “Push SCUP Certificate” then click “OK”.
- Find your new GPO in the container, right-click it, then choose “Edit”.
- Right-click the GPO root and select “Properties”.
- On the properties window, check the “Disable User Configuration settings” box.
- A warning pop-up should appear. Click “Yes”.
- Now, press “OK” on the properties window.
- Next, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. Right-click “Trusted Root Certification Authorities” and choose “Import”.
- On the ‘Welcome to the Certificate Import Wizard’ screen, click “Next”.
- On the ‘File to Import’ screen, browse to your SCUP signing certificate, then click “Next”.
- On the ‘Certificate Store’ screen, click “Next”.
- On the confirmation screen, click “Finish”.
- Treasure the success message box, then click “OK”.
- Now, you should see a certificate in the Trusted Root Certification Authorities container.
- Next, import your certificate to the “Trusted Publishers” container using the same method.
- When finished, your certificate should be listed under the “Trusted Publishers” container.
- Now, right-click the Organizational Unit that the certificate will be deployed to, then click “Link an Existing GPO”.
- Find and select your newly created GPO in the list, then click “OK”.
Congrats! Your clients should receive and install the new certificate on the next group policy refresh. Now, let’s verify.
For help running MMC and navigating to the correct area, including screen shots, check out the end section of a previous post of mine titled SCCM 2007 – System Center Updates Publisher 2011.
- Open a command prompt on a client PC.
- Run the following command to initiate a group policy refresh and reboot the computer.
gpupdate /force /boot
- On the client PC, click Start -> Run, type “mmc”, then press “OK”.
- In the MMC window, click “File” then “Add/Remove Snap-in…”.
- Select “Certificates” from the left pane, then click “Add”.
- When asked, choose to view certificates for the “Computer Account”, and “Local Computer”, then click “OK”.
- Expand the certificates view and click on “Trusted Publishers”.
- Your WSUS Signing Certificate should be installed!
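The same check can be scripted instead of clicking through MMC. The following is an added example, not part of the original post: it reads the thumbprint from the exported certificate file and confirms that a certificate with that thumbprint is present in both the local computer's Trusted Root Certification Authorities and Trusted Publishers stores. The file path is a placeholder; point it at your own exported SCUP signing certificate.

```powershell
# Added example: verify the GPO-delivered SCUP signing certificate on a client.
param(
    # Placeholder path (assumption); use the .cer file you imported into the GPO.
    [string]$CerPath = 'C:\Temp\SCUP-Signing.cer'
)

# .NET resolves relative paths differently from PowerShell, so pass a full path.
$fullPath = (Resolve-Path -Path $CerPath -ErrorAction Stop).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# Collect the EKU OIDs from the certificate (reported for information only).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$ekuOids = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

# Look for the same thumbprint in both computer stores the GPO populates.
$results = foreach ($store in 'Root', 'TrustedPublisher') {
    $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    New-Object PSObject -Property @{ Store = $store; Present = [bool]$found }
}

"Subject:       $($cert.Subject)"
"Thumbprint:    $($cert.Thumbprint)"
"Valid until:   $($cert.NotAfter)"
"Code Signing:  $($ekuOids -contains $codeSigningOid)"
$results | Format-Table Store, Present -AutoSize

# An expired signing certificate is present but no longer usable for new updates.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)."
}

# Fail loudly if either store is missing the certificate.
$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.Store }) -join ', '
    Write-Error "Certificate not found in LocalMachine store(s): $names"
    exit 1
}
"Certificate is present in both stores."
```

Matching on the thumbprint rather than the subject name ensures the client trusts exactly the certificate you exported, not another certificate that happens to share its name.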
Congrats! You’re ready to push Adobe updates now! I’ll have a blog post about that shortly.