How to setup SCUP and ConfigMgr 2007 to deploy custom updates

I’ve met with a few customers over the past month that had similar questions regarding deploying custom updates.  I wanted to write a quick high level summary on how to this in a small environment.

First step is to setup System Center Updates Publisher (SCUP) to publish updates to your Windows Server Updates Service (WSUS) server that is being used with System Center Configuration Manager (ConfigMgr 2007).

Setup SCUP to use an update server
Open SCUP-> Settings-> Update Server Tab-> Check “Enable publishing to an update server”-> (set local or remote update server)-> Test Connection.

If you do not have a signing certificate specified you will receive the following message, “The test connection succeeded.  However, no signing certificate was detected for the update server.  You will not be able to publish content to the update server without first registering a signing certificate”.  If your company does not have a specific certificate they want to use you can create what is called a WSUS Publishers Self-signed certificate.  By clicking the “Create” button WSUS will create a certificate that will be used for all future publishing.  Once a certificate is either inserted or created it does not need to be re-created until it expires or needs to be replaced due to some business need.

Note, anytime you change (or re-create) your signing certificate you will need to execute the rest of the certificate steps below again in order to get those updates signed by the new certificate to deploy.  By changing your signing certificate you won’t invalidate your currently deployed updates in ConfigMgr 2007 but unless you follow the below certificate steps again the new updates will not deploy.

Now that you have a signing certificate specified you need to add it into two locations, “Trusted Publishers” and “Trusted Root Certification Authorities” on all machines where custom updates will be deployed.  The signing certificate will also need to be added to the two above locations on your SCUP machine and WSUS server if different.  Follow these steps to first export the WSUS signing certificate and then re-import it to the appropriate locations.

To open Certificates (Local Computer) in MMC.
Open MMC-> File-> Add/Remove Snap-In…-> Add -> Certificates-> Add-> Computer account ->Next-> Finish-> Close-> Ok

To export signing certificate.
Go to Console Root-> Certificates (Local Computer)-> WSUS-> Certificates-> Select certificate-> Right Click-> All Tasks-> Export…-> run through wizard using all defaults-> provide file name-> Finish Wizard.

To import signing certificate to “Trusted Publishers” and “Trusted Root Certification Authorities”
Go to Console Root-> Certificates (Local Computer)-> (Trusted Publishers [and] Trusted Root Certification Authorities ) node-> Right Click-> All Tasks-> Import…-> enter path to exported certificate-> follow rest of defaults and complete wizard.

I know this can be a pretty manual task, but there are ways to automate it.  One way that I know works is to use "CertUtil.exe" to deploy the certificates.  In ConfigMgr 2007 you can create a program that contains CertUtil.exe (found in Windows Server 2003 Administration Tools Pack) and your exported certificate.  You want to call run both commands on each machine by advertising each program.

To place in "Trusted Root Certification Authorities" store call "certutil.exe -addstore ROOT <certname>.cer"
To place in "Trusted Publishers" store call "certutil.exe -addstore TrustedPublisher <certname>.cer"

Now that you have the signing certificate stored in all the right places the last setup step is to tell Windows Update agent to accept updates signed by entities other than Microsoft.

To set Group Policy to allow custom update deployments
Note, the below step needs to be executed only once, even if you change your signing cert.
Active Directory Users and Computers -> Right Click on your domain-> Properties -> Group Policy Tab -> Edit.  Then Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Enable “Allow signed content from intranet Microsoft update service location”.

After following these steps you will be able to publish your updates to ConfigMgr 2007 using SCUP and then deploy the updates in your environment as you would any other update.  Hope this helps clarify things, if anybody has questions please send mail or leave a comment.

Comments (6)

  1. John Cereck says:

    My WSUS, SCCM, and SCUP are all on 1 server.

    I have followed all the above steps to configure SCCM 2007 and SCUP 2007, however when I go to publish the updates to WSUS I get the following error in the UpdatesPublisher.log file.

    "Exception occurred during publishing:  Verification of file signature failed for file."

    I have exported my Godaddy Cert and imported it into “Trusted Publishers” and “Trusted Root Certification Authorities”

    I have configured my GPO to enable “Allow signed content from intranet Microsoft update service location”.

    I have researched Technet:…/c3d20fed-2f2e-4229-9a9b-9450cb01fb74

    Still getting Verification of file signature errors.

    Anyone have a solution for this?

  2. Paul DeBrino says:

    Feb 2011 – I've found it necessary to distribute a Publishers Self-Signed Certificate into the following THREE stores. Prior to doing this, the cert was being removed / deleted / disappearing from "Trusted Root Certification Authorities," after rebooting Windows 2000 computers.  

    1. "Trusted Root Certification Authorities" store:  certutil.exe -addstore -enterprise Root <certname>.cer

    2. "Trusted Publishers" store:  certutil.exe -addstore -enterprise TrustedPublisher <certname>.cer

    3. "Third-Party Root Certification Authorities" store:  certutil.exe -addstore AuthRoot <certname>.cer

    Note the use of -enterprise on two of the three aforementioned commands.

    To check the cert:  certutil.exe -verifystore -enterprise "Certificate Name"

  3. Anonymous says:

    ~ Subbulakshmi Kumar | Support Engineer System Center Updates Publisher (SCUP) is an independent tool

  4. Anonymous says:

    ~ Subbulakshmi Kumar | Support Engineer System Center Updates Publisher (SCUP) is an independent tool

  5. Ignacio says:

    Hi. i Work for a client that has 70 Exchange servers and like 8 dags, a 3rd party company comes and update servers using their tool and every time that have to patch they have issues due reboot servers with out permissions, and update process comes to
    near 20 hours of pathing and being on call, i had an idea since they have sccm 2007, if is possible to make them upload patchs on sccm for me to deploy and script the exchange reboot and MBX dbs movement. is that possible?

Skip to main content