I’ve met with a few customers over the past month that had similar questions regarding deploying custom updates. I wanted to write a quick high-level summary on how to do this in a small environment.
The first step is to set up System Center Updates Publisher (SCUP) to publish updates to the Windows Server Update Services (WSUS) server that is being used with System Center Configuration Manager (ConfigMgr 2007).
Set up SCUP to use an update server
Open SCUP-> Settings-> Update Server Tab-> Check “Enable publishing to an update server”-> (set local or remote update server)-> Test Connection.
If you do not have a signing certificate specified you will receive the following message: “The test connection succeeded. However, no signing certificate was detected for the update server. You will not be able to publish content to the update server without first registering a signing certificate”. If your company does not have a specific certificate it wants to use, you can create what is called a WSUS Publishers Self-signed certificate. Clicking the “Create” button makes WSUS generate a certificate that will be used for all future publishing. Once a certificate is either supplied or created it does not need to be re-created until it expires or has to be replaced for some business reason. Keep in mind that this certificate becomes a trusted root and trusted publisher on every client you deploy it to, so anything signed with its private key will be accepted by those machines; the private key lives on the WSUS server and should be protected like any other code-signing key.
Note: any time you change (or re-create) your signing certificate you will need to run the rest of the certificate steps below again so that updates signed by the new certificate can deploy. Changing your signing certificate does not invalidate the updates already deployed in ConfigMgr 2007, but unless you repeat the certificate steps below, the new updates will not deploy.
Now that you have a signing certificate specified you need to add it to two locations, “Trusted Publishers” and “Trusted Root Certification Authorities”, on all machines where custom updates will be deployed. The signing certificate also needs to be in those two stores on your SCUP machine and on the WSUS server, if they are different machines. (If the signing certificate was issued by your own certification authority rather than self-signed, the CA’s root certificate is what belongs in Trusted Root Certification Authorities; the signing certificate itself still goes in Trusted Publishers.) Follow these steps to first export the WSUS signing certificate and then import it into the appropriate stores.
To open Certificates (Local Computer) in MMC.
Open MMC-> File-> Add/Remove Snap-In…-> Add -> Certificates-> Add-> Computer account ->Next-> Finish-> Close-> Ok
To export signing certificate.
Go to Console Root-> Certificates (Local Computer)-> WSUS-> Certificates-> Select certificate-> Right Click-> All Tasks-> Export…-> run through the wizard using all defaults (when asked, keep “No, do not export the private key”; the default DER-encoded .cer is what you want to hand out)-> provide a file name-> Finish Wizard.
To import signing certificate to “Trusted Publishers” and “Trusted Root Certification Authorities”
Go to Console Root-> Certificates (Local Computer)-> (Trusted Publishers [and] Trusted Root Certification Authorities ) node-> Right Click-> All Tasks-> Import…-> enter path to exported certificate-> follow rest of defaults and complete wizard.
I know this can be a pretty manual task, but there are ways to automate it. One way that I know works is to use CertUtil.exe to deploy the certificates. In ConfigMgr 2007 you can create a package that contains CertUtil.exe (found in the Windows Server 2003 Administration Tools Pack; on Windows Vista/Server 2008 and later it is already part of the OS) together with your exported .cer file, define one program for each of the two commands below, and advertise both programs to every machine that will receive custom updates.
To place in “Trusted Root Certification Authorities” store call “certutil.exe -addstore ROOT <certname>.cer”
To place in “Trusted Publishers” store call “certutil.exe -addstore TrustedPublisher <certname>.cer”
Now that you have the signing certificate stored in all the right places, the last setup step is to tell the Windows Update agent to accept updates signed by entities other than Microsoft.
To set Group Policy to allow custom update deployments
Note: the step below needs to be executed only once, even if you change your signing cert.
Active Directory Users and Computers -> Right Click on your domain-> Properties -> Group Policy Tab -> Edit. Then Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Enable “Allow signed content from intranet Microsoft update service location”. Run gpupdate /force on a test client (or wait for the next policy refresh) before you try your first custom update.
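Here is an added example, not part of the original post, that pulls the client-side steps above together into one script you can run as a ConfigMgr program or by hand: it imports the exported .cer into Trusted Root Certification Authorities and Trusted Publishers with the same certutil.exe calls shown earlier, verifies by thumbprint that the certificate really landed in both stores, and checks that the Group Policy setting has reached the machine (it is stored as the AcceptTrustedPublisherCerts registry value). It assumes PowerShell is installed on the client, certutil.exe is on the path, the script runs elevated (a ConfigMgr program runs as LocalSystem, which is enough), and the exported file is named WSUSPublisher.cer in the same folder as the script; that file name is an assumption, use whatever you exported.

```powershell
# Added example (not from the original post). Deploys the exported WSUS signing
# certificate to the two stores the post names, then verifies every client-side
# prerequisite for custom updates. Run with -CheckOnly to verify without changing
# anything. Exit code 1 on any failure so a ConfigMgr advertisement reports it.
param(
    # Assumed file name of the .cer exported from the WSUS store (public key only).
    [string]$CerPath = (Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'WSUSPublisher.cer'),
    [switch]$CheckOnly
)

$ErrorActionPreference = 'Stop'

# Never ship the private key to clients: only a public .cer belongs in this package.
$ext = [IO.Path]::GetExtension($CerPath).ToLower()
if (@('.pfx', '.p12') -contains $ext) {
    throw "Refusing to deploy $CerPath - the private key must stay on the WSUS server."
}

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$thumb = $cert.Thumbprint

# Returns $true when a certificate with our thumbprint is in the given LocalMachine store.
function Test-InStore([string]$StoreName) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadOnly')
    try   { return [bool]($store.Certificates | Where-Object { $_.Thumbprint -eq $thumb }) }
    finally { $store.Close() }
}

# Store names as both certutil.exe and the X509Store class know them:
# Root = Trusted Root Certification Authorities, TrustedPublisher = Trusted Publishers.
$failed = $false
foreach ($storeName in @('Root', 'TrustedPublisher')) {
    if (-not (Test-InStore $storeName)) {
        if ($CheckOnly) {
            Write-Output "MISSING: $thumb not in LocalMachine\$storeName"
            $failed = $true
            continue
        }
        # Same command as the manual step in the post.
        & certutil.exe -addstore $storeName $CerPath | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-InStore $storeName)) {
            Write-Output "FAILED: certutil could not add $thumb to LocalMachine\$storeName"
            $failed = $true
            continue
        }
    }
    Write-Output "OK: $thumb present in LocalMachine\$storeName"
}

# "Allow signed content from intranet Microsoft update service location" is written
# by Group Policy as this DWORD; 1 means the WU agent accepts non-Microsoft signatures.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$accept = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
if ($accept -eq 1) {
    Write-Output 'OK: AcceptTrustedPublisherCerts = 1'
} else {
    Write-Output "MISSING: AcceptTrustedPublisherCerts is '$accept' (policy not applied yet, try gpupdate /force)"
    $failed = $true
}

if ($failed) { exit 1 } else { exit 0 }
```

As a ConfigMgr 2007 program the command line would be powershell.exe -ExecutionPolicy Bypass -File Deploy-WsusSigningCert.ps1 (script name is an assumption), with the .cer in the same package source folder. Because the script checks the stores by thumbprint before and after calling certutil, it is safe to re-advertise after you re-create the signing certificate: machines that already have the new certificate are left alone, machines that only have the old one get the new one added, and a client that still lacks the policy value shows up as a failed advertisement instead of silently refusing updates later.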
After following these steps you will be able to publish your updates to ConfigMgr 2007 using SCUP and then deploy the updates in your environment as you would any other update. Hope this helps clarify things; if anybody has questions please send mail or leave a comment.