SCCM 2007 – Pushing the SCUP Certificate to Clients

If you’re using SCUP to publish updates, it’s first necessary to push the SCUP signing certificate to your clients or the updates will fail to install. This post covers creating a group policy object to push the SCUP certificate to clients.

The Process:

  1. The certificate file should have been exported during the SCUP install. The second half of my previous post on SCUP covers exporting the certificate in case you’ve lost the file.
    SCCM 2007 – System Center Updates Publisher 2011
  2. Click Start -> Run, then enter “gpmc.msc”, then click “OK”.
  3. Right-click the container “Group Policy Objects” and choose “New”.
  4. For “Name” enter “Push SCUP Certificate” then click “OK”.
  5. Find your new GPO in the container, right-click it, then choose “Edit”.
  6. Right-click the GPO root and select “Properties”.
  7. On the properties window, check the “Disable User Configuration settings” box.
  8. A pop-up warning box should appear with a warning — click “Yes”.
  9. Now, press “OK” on the properties window.
  10. Next, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. Right-click “Trusted Root Certification Authorities” and choose “Import”.
  11. On the ‘Welcome to the Certificate Import Wizard’ screen, click “Next”.
  12. On the ‘File to Import’ screen, browse to your SCUP signing certificate, then click “Next”.
  13. On the ‘Certificate Store’ screen, click “Next”.
  14. On the confirmation scree, click “Finish”.
  15. Treasure the success message box, then click “OK”.
  16. Now, you should see a certificate in the Trusted Root Certification Authorities container.
  17. Next, import your certificate to the “Trusted Publishers” container using the same method.
  18. When finished, your certificate should be listed under the Trusted Publisher container.
  19. Now, right-click the Organizational Unit that the certificate will be deployed to, then click “Link an Existing GPO”.
  20. Find and select your newly created GPO in the list, then click “OK”.

Congrats! Your clients should receive and install the new certificate on the next group policy refresh. Now, let’s verify.


For help running MMC and navigating to the correct area, including screen shots, check out the end section of a previous post of mine titled SCCM 2007 – System Center Updates Publisher 2011.

  1. Open a command prompt on a client PC.
  2. Run the following command to initiate a group policy refresh and reboot the computer.
    gpupdate /force /boot
  3. On the client PC, click Start -> Run, type “mmc”, then press “OK”.
  4. In the MMC window, click “File” then “Add/Remote Snap-In…”.
  5. Select ‘Certificates” from the left pane then click “Add”
  6. When asked, choose to view certificates for the “Computer Account”, and “Local Computer”, then click “OK”.
  7. Expand the certificates view and click on “Trusted Publishers”.
  8. Your WSUS Signing Certificate should be installed!

Congrats! You’re ready to push Adobe updates now! I’ll have a blog post about that shortly.

7 thoughts on “SCCM 2007 – Pushing the SCUP Certificate to Clients

  1. Pingback: Installing and Configuring Secunia « windowsmasher

  2. Hi,

    Is there a way I can contact you for some help in resolving some issues with SCCM 2012 RC2 after moving the CM database to another drive?

    • Harjit,
      I’m afraid that I don’t know much about SCCM 2012 yet. I’ve installed it, but that’s about as far as I’ve gotten. I would try the SCCM forums. Sorry! However, if I hear anything moving the CM database then I’ll let you know.

      • Thanks for getting back to me. The database move issue is a bug and even Microsoft doesn’t have the answers. They were able to replicate the problem. I ended up reinstalling SCCM, which solved the CM database issue but this solution wasn’t ideal as various components, roles, and configs had to be re-done, as well as the reinstallation of client agents. But since, were in a test phase, it’s not a big set back and I’m glad we discovered some issues in advance before we go into production.

        Any particular SCCM forums you recommend? Thanks.

  3. Pingback: Sertaç Topal – Kişisel Sitesi » System Center Updates Publisher 2011 Kurulumu

  4. Pingback: System Center Updates Publisher 2011 Kurulumu « SAMİ GÖNCÜ

  5. Pingback: Table of Contents | windowsmasher

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s