Setting Up the Trust Relationship


Applies To: Windows Server Update Services

You must set up both the update server and the update clients to trust content published by the update server before starting the local publishing process. By default, the Windows Update agent trusts only Microsoft-signed content, so you must create (or obtain) a code-signing certificate, install it on the server, and deploy its public half to every client.

Important

A self-signed certificate is less secure than a certificate signed by a trusted root authority, such as Microsoft or a local certification authority. Deploying a self-signed certificate requires configuring clients to trust a new root authority.

The topic, Getting a Software Publisher Certificate (https://go.microsoft.com/fwlink/?LinkId=102046) provides information about Authenticode and digitally signed certificates.

Set up the update server and clients for locally-published updates

The following steps, performed in this order, establish the trust relationship between the update server and its clients.

To set up the update server for locally-published content

  1. Call SetSigningCertificate to install the signing certificate. This method has three overloads: the parameterless overload creates and installs a self-signed certificate, while the other two install an existing certificate from a .pfx file (for example, one issued by an internal certification authority).

  2. Call Save to add this information to the configuration.

  3. Export the public key for the certificate into a .cer file:

    • Click Start, then Run, and type mmc.

    • In the MMC console, click File, click Add/Remove Snap-in, and then select Add.

    • Add the Certificates snap-in, and set it to manage certificates for the local computer account.

    • Navigate to the WSUS node in the snap-in, and then find the certificate you added in step 1.

    • Right-click the certificate and select All Tasks, then Export. For security reasons, you should export only the public key, not the private key.

  4. Configure your WSUS server to trust this certificate by importing the exported public certificate into both the Trusted Root Certification Authorities store and the Trusted Publishers store.

    • In the Certificates snap-in, select Trusted Root Certification Authorities, then right-click Certificates, select All Tasks, then Import, and import the certificate you just exported.

    • Select Trusted Publishers, then right-click Certificates, select All Tasks, then Import, and import the certificate.
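The server-side procedure above, carried out from PowerShell rather than the MMC. This is an added example, not code from the original page; it assumes the script runs elevated on the WSUS server with the WSUS administration assembly available, and the file paths used are hypothetical.

```powershell
# Added example: install the WSUS signing certificate, export its public half,
# and trust it on the server itself. Assumes an elevated session on the WSUS
# server; all paths below are hypothetical.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

# Option A: let WSUS generate a self-signed certificate (parameterless overload).
$config.SetSigningCertificate()

# Option B (use instead of A): install an existing code-signing certificate
# from a PFX, e.g. one issued by an internal CA. Path and password are
# hypothetical; the password is read as a SecureString so it never sits in
# the script.
# $pfxPassword = Read-Host -AsSecureString "PFX password"
# $config.SetSigningCertificate("C:\certs\wsus-signing.pfx", $pfxPassword)

# Persist the change to the WSUS configuration.
$config.Save()

# The certificate is placed in the local machine's WSUS store. Export only
# the public certificate (.cer); the private key stays on the server.
$signingCert = Get-ChildItem -Path Cert:\LocalMachine\WSUS | Select-Object -First 1
$cerPath = "C:\certs\WSUSPublisher.cer"   # hypothetical; clients must be able to read it later
Export-Certificate -Cert $signingCert -FilePath $cerPath -Type CERT | Out-Null

# Trust the public certificate on the server: the Root store (a self-signed
# certificate is its own issuer) and Trusted Publishers (Authenticode trust).
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# Sanity check: the private key must still be in the WSUS store, and the
# thumbprint must be present in both trust stores.
"Thumbprint:                  $($signingCert.Thumbprint)"
"Private key in WSUS store:   $($signingCert.HasPrivateKey)"
foreach ($store in "Root", "TrustedPublisher") {
    $present = Test-Path "Cert:\LocalMachine\$store\$($signingCert.Thumbprint)"
    "$store contains certificate: $present"
}
```

Newer WSUS releases do not generate self-signed certificates by default, so the parameterless overload can fail there; installing a certificate issued by an internal CA (option B) is both the more robust path and, as the Important note above says, the more secure one. Whichever option you use, keep the .cer that this script exports: it is the only artifact the clients need, and the private key should never be copied off the server.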

You must configure each client machine to accept packages signed with this certificate.

Note

Make sure that the certificate is located in a directory visible to the clients before importing it.

To set up update clients to trust locally-published content

  1. You can configure a WSUS client to accept signed content using the Group Policy Object Editor. Two things must be configured on each client: a policy setting that permits signed content from the intranet update service location, and trust in the specific signing certificate itself.

  2. To configure the policy setting using the local Group Policy Object Editor, complete the following steps.

    • Click Start, then Run, then type gpedit.msc.

    • Select Computer Configuration, then Administrative Templates, then Windows Update.

    • Enable Allow signed content from intranet Microsoft Update service location.

    • To verify that the policy has been applied, open the registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and confirm that AcceptTrustedPublisherCerts is set to 1.

  3. To configure the client to trust the specific signing certificate you installed on the server, click Start, then Run, type mmc, and in the MMC console click File, click Add/Remove Snap-in, and then select Add.

  4. Add the Certificates snap-in, and set it to manage certificates for the local computer account.

  5. In the Certificates snap-in, select Trusted Root Certification Authorities, then right-click Certificates, select All Tasks, then Import, and import the certificate.

  6. Select Trusted Publishers, then right-click Certificates, select All Tasks, then Import, and import the certificate.
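The client-side procedure above, applied to one machine from PowerShell and then verified. This is an added example, not code from the original page; it assumes the exported .cer from the server is on a share the client can read (the share path is hypothetical) and that the session is elevated.

```powershell
# Added example: make one client trust locally published WSUS content and
# verify the result. The share path is hypothetical; run elevated.
$cerPath = "\\wsus01\certs\WSUSPublisher.cer"

# 1. Policy: accept content signed by a trusted publisher from the intranet
#    update service location. The Group Policy setting writes exactly this
#    value; if a domain GPO configures it, the GPO value wins at the next refresh.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name AcceptTrustedPublisherCerts -Value 1 -Type DWord

# 2. Trust: the signing certificate must be in both stores.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Verify: read the policy value back and look the certificate up by
#    thumbprint in each store rather than trusting the import's exit status.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$accept = (Get-ItemProperty -Path $policyKey -Name AcceptTrustedPublisherCerts `
           -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
$inRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
$inPub  = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"

[pscustomobject]@{
    Thumbprint                  = $cert.Thumbprint
    AcceptTrustedPublisherCerts = $accept
    InTrustedRoot               = $inRoot
    InTrustedPublishers         = $inPub
    Ready                       = ($accept -eq 1 -and $inRoot -and $inPub)
}
```

For more than a handful of clients, deploy the same two things through a domain GPO: the Windows Update policy setting above, and the .cer under Computer Configuration, Windows Settings, Security Settings, Public Key Policies (both Trusted Root Certification Authorities and Trusted Publishers). Note that placing the certificate in the Trusted Root store makes it a trust anchor for every purpose on the client, not only Windows Update, which is why the private key on the server must be protected as carefully as the final Important note describes.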

Important

Enabling local publishing has security implications: your update clients and servers will now trust code signed with the certificate above. For security reasons, if you choose to enable local publishing, we strongly recommend that you restrict access to the private key of the code-signing certificate and that you configure your update server to use SSL for all communications.