How to Deploy the WSUS Signing Certificate for Third-Party Software Updates
Deploying the WSUS Signing Certificate to devices is a requirement for devices to trust and install third-party software updates from standalone WSUS or a Configuration Manager environment.
If the certificate is not installed within the Trusted Root and Trusted Publishers certificate store, you will receive error code 0x800b0109 when attempting to install third-party software updates.
Option 1: Using the Configuration Manager 1806+ Feature for Automated Deployment
If your Configuration Manager site and clients are running current branch 1806 or newer, the easiest option is to enable the new built-in option within the software update point for Configuration Manager manages the updates.
To enable this option, perform the steps below:
- In the Configuration Manager console, go to the Administration workspace. Expand Site Configuration, and select the Sites node.
- Select the top-level site in the hierarchy. In the ribbon, click Configure Site Components, and select Software Update Point.
- Switch to the Third-Party Updates tab. Select the option Configuration Manager manages the certificate.
- A new certificate of type Third-party WSUS Signing is created in the Certificates node under Security in the Administration workspace.
After performing the steps above, validate the certificate is created/imported:
- Trigger a software update point synchronization by right-clicking the All Software Updates node, and clicking Synchronize Software Updates.
- If you review the wsyncmgr.log, you should see some details about the certificate being imported and created.
- If the certificate was configured successfully, if you re-open the Third Party Updates tab, you should see the certificate details.
Lastly, you need to enable the client settings to enable third-party updates on clients:
- In the Configuration Manager console, go to the Administration workspace and select the Client Settings node.
- Select the default client settings, an existing custom client setting or create a new one.
- Select the Software Updates tab on the left-hand side. If you don’t have this tab, make sure that the Software Updates box is enabled.
- Set the Enable third-party software updates to Yes.
- Validate the client settings is deployed to all devices
You can also review the step-by-step video guide for deploying the WSUS certificate using Configuration Manager below:
Note: if your software update point is remote from your site server, the software update point will need to be running in HTTPS mode for the option Configuration Manager manages the certificate to work. Please see the following Microsoft Doc for details about this scenario: Additional requirements when the SUP is remote from the top-level site server.
Option 2: Use Group Policy to Deploy the WSUS Signing Certificate
You can use group policy to deploy the WSUS Signing Certificate to devices within your environment. Please see the PDF guide below for a step-by-step guide for how to use group policy.
You can also review the step-by-step video guide for deploying the WSUS signing certificate using GPO below:
Option 3: Using a Configuration Manager Task Sequence or Package
Another option is to deploy the certificate within a Configuration Manager task sequence step or a package deployment that uses certutil.exe to import the WSUS Signing Certificate to the Trusted Root and Trusted Publishers certificate store.
For instructions using this method, please review the following knowledge base article.