Managing Security for System Center Updates Publisher 2011

Use the procedures in this topic to configure a self-signing certificate on the client computer, to configure the certificate store on the update server, and to configure the Group Policy to allow Windows Update Agent 3.0 on computers to scan for published updates.

Configuring a Self-signing Certificate on Client Computers

On client computers, the Windows Update Agent (WUA) will scan for the updates from the catalog, but will fail to install the update unless it can locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was used when publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate.

There are several methods for configuring certificates on client computers, such as using Group Policy and the Certificate Import Wizard or by using the Certutil tool and software distribution. Use one of the following procedures for the steps to configure the signing certificate on client computers.

To configure a self-signing certificate on client computers

Click Start, click Run, type MMC in the text box, and then click OK to open the Microsoft Management Console (MMC).
Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click Next.
Select Another computer, type the name of the update server or click Browse to find the update server computer, click Finish, click Close, and then click OK.
Expand Certificates (update server name), expand WSUS, and then click Certificates.
Right-click the certificate in the results pane, click All Tasks, and then click Export. Complete the Certificate Export Wizard using the default settings to create an export certificate file with the name and location specified in the wizard.

Use a method to add the certificate used to sign the updates catalog to each client computer that will use WUA to scan for the updates in the catalog. Add the certificate on the client computer as follows:

For self-signed certificates: Add the certificate to the Trusted Root Certification Authorities and Trusted Publishers certificate stores.
For certification authority (CA) issued certificates: Add the certificate to the Trusted Publishers certificate store.

Note
The WUA also checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the updates that were created and published with Updates Publisher. For more information about enabling this Group Policy setting, see How to Configure the Group Policy on Client Computers.

Note

The WUA also checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the updates that were created and published with Updates Publisher. For more information about enabling this Group Policy setting, see How to Configure the Group Policy on Client Computers.

Configuring the Certificate Store on the Update Server

In System Center Updates Publisher 2011, a digital certificate used to sign the updates in the catalog must be specified and the certificate must be copied to the appropriate certificate stores on the update server. The certificate must also be copied on the Updates Publisher computer if it is remote from the update server, before the catalog can be published to the update server.

There are several methods for adding the certificates to the appropriate certificate stores. The following procedure provides one method for configuring the certificate store.

To configure the certificate store on the update server

Click Start, click Run, type MMC in the text box, and then click OK to open the Microsoft Management Console (MMC).
Click File, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Computer account, and then click Next.
Select Another computer, type the name of the update server or click Browse to find the update server computer, click Finish, click Close, and then click OK.
Expand Certificates (update server name), expand WSUS, and then click Certificates.
In the results pane, right-click the desired certificate, click All Tasks, and then click Export.
In the Certificate Export Wizard, use the default settings to create an export file with the name and location specified in the wizard. This file must be available to the update server before proceeding to the next step.
Right-click Trusted Publishers, click All Tasks, and then click Import. Complete the Certificate Import Wizard using the exported file from step 6.
If a self-signed certificate is used, such as WSUS Publishers Self-signed, right-click Trusted Root Certification Authorities, click All Tasks, and then click Import. Complete the Certificate Import Wizard using the exported file from step 6.
Right-click Certificates (update server name), click Connect to another computer, enter the computer name for the Updates Publisher computer, and click OK.
If Updates Publisher is remote from the update server, repeat steps 7 through 9 to import the certificate to the certificate store on the Updates Publisher computer.

Configuring the Group Policy to allow WUA 3.0 on computers to scan for published updates

Before the Windows Update Agent (WUA) 3.0 on computers will scan for updates that were created and published with the Updates Publisher 2011, a Group Policy setting must be enabled to allow signed content from an intranet Microsoft update service location. When the policy setting is enabled, WUA 3.0 will accept updates received through an intranet location if the updates are signed in the Trusted Publishers certificate store on the local computer. There are several methods for configuring Group Policy on computers in the environment.

Note
The Group Policy is available only to computers that have WUA 3.0 installed.

For computers that are not on the domain, a registry key setting can be configured that will allow signed content from an intranet Microsoft update service location.

The following procedures provide the basic steps that can be used to configure Group Policy for computers on the domain and a registry key value on computers that are not on the domain.

To configure the Group Policy to allow WUA 3.0 on computers to scan for published updates

Open the Group Policy Object Editor Microsoft Management Console (MMC) snap-in with a user that has the appropriate security rights to configure Group Policy.
Click Browse and select the domain, OU, or GPOs linked to the site where the configured Group Policy will propagate to the desired client computers. Click OK, click Finish, click Close, and then click OK.
Expand the selected policy setting in the console tree, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
In the results pane, right-click Allow signed content from intranet Microsoft update service location, click Properties, click Enabled, and then click OK.