Create a Group Policy to Deploy Your Certificate
This section describes how to create a Group Policy Object (GPO) for WSUS by using the Group Policy Management console. Once the GPO is created and linked to the correct Organizational Unit (OU), the computers in that OU will download the WSUS publisher self-signed certificate and Windows settings so that third-party updates can be downloaded correctly.
To create a Group Policy Object (GPO):

1. Connect to the WSUS server and click Next.
2. When the “Export Signing Certificate” pop-up appears, click OK to save the certificates to your Documents folder.
3. Launch the Group Policy Management Console on your Domain Controller.
4. Navigate to Group Policy Management > Forest > Domains > Organizational Unit.
5. Right-click the Organizational Unit > Create a GPO in this domain, and Link it here > name the GPO, for example “SVM-WSUS”, or as per your naming policy.
6. Right-click the GPO and click Edit.
7. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
8. Import the previously exported “wsuskey.cer” certificate into both the “Trusted Root Certification Authorities” and the “Trusted Publishers” folders.
9. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
10. Double-click the Windows Update folder.
11. Double-click “Specify intranet Microsoft update service location” and change the setting to Enabled. Enter your WSUS server address under “Set the intranet update service for detecting updates” and click Apply.
    Note: This setting should only be changed if you are using WSUS. Do not configure this setting if you are using SCCM.
    If you already have another GPO that points your machines to the correct WSUS server, re-specifying the WSUS server is not required.
12. Double-click “Allow signed updates from an intranet Microsoft update service location” and change the setting to Enabled.
13. Click Apply > OK and close the GPO editor.
Computers will download the policy after the next policy refresh interval or reboot. You can force the policy to apply by running the command:
gpupdate /force
Sometimes it may take several hours for the policy to actually propagate. You can verify that the GPO is being applied to a machine by checking whether the certificate has been added to the appropriate certificate stores on that machine.
If the GPO has not been applied yet, or it is not being applied to the machine in question, you will receive an error (0x800b0109) when deploying third-party updates.
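As an added example (not part of the original page), the following PowerShell script performs the verification described above on a client machine: it loads the exported wsuskey.cer, checks both certificate stores from step 8 for its thumbprint, and reads the Windows Update policy registry values that steps 11 and 12 set. The certificate path parameter and an elevated PowerShell session are assumptions.

```powershell
# Added verification script, not from the original page. Assumes the exported
# certificate is available at -CertPath (default .\wsuskey.cer, the file name
# from step 8) and that the session runs with local administrator rights.
param(
    [string]$CertPath = ".\wsuskey.cer"
)

# Load the exported certificate so the stores are matched by thumbprint, not by name.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $CertPath)
Write-Host "Expected WSUS publisher certificate thumbprint: $($expected.Thumbprint)"
$ok = $true

# Step 8 places the certificate in both of these LocalMachine stores.
$stores = [ordered]@{
    "Trusted Root Certification Authorities" = "Cert:\LocalMachine\Root"
    "Trusted Publishers"                     = "Cert:\LocalMachine\TrustedPublisher"
}
foreach ($name in $stores.Keys) {
    $found = Get-ChildItem $stores[$name] | Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
    if ($found) { Write-Host "[OK]      $name contains the certificate" }
    else        { Write-Host "[MISSING] $name does not contain the certificate"; $ok = $false }
}

# Steps 11 and 12 are written by Group Policy under the Windows Update policy key.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Host "[MISSING] $policyKey does not exist; the GPO has not applied to this machine yet"
    $ok = $false
} else {
    # Step 11 sets WUServer; it may legitimately come from a different GPO (see the note on step 11).
    if ($policy.WUServer) { Write-Host "[OK]      WUServer = $($policy.WUServer)" }
    else                  { Write-Host "[INFO]    WUServer is not set by this key" }
    # Step 12 ("Allow signed updates from an intranet Microsoft update service location") sets this DWORD to 1.
    if ($policy.AcceptTrustedPublisherCerts -eq 1) { Write-Host "[OK]      AcceptTrustedPublisherCerts = 1" }
    else { Write-Host "[MISSING] AcceptTrustedPublisherCerts is not 1; locally signed third-party updates will be rejected"; $ok = $false }
}

if ($ok) { Write-Host "All checks passed; the GPO has reached this machine"; exit 0 }
Write-Host "One or more checks failed; wait for the next refresh or run gpupdate /force and re-check"
exit 1
```

Run it on a client in the linked OU; a non-zero exit code is a quick way to flag machines that will still hit error 0x800b0109 when third-party updates are deployed.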