

A full guide on how to create a GPO to distribute WSUS certificate and Windows update settings.


This short guide describes how to create a Group Policy Object (GPO) for CSI-WSUS by using the Group Policy Management console. Once the GPO is created and linked to the correct Organizational Units (OUs), the computers in those OUs will download the WSUS publisher's self-signed certificate and the Windows Update settings so that third-party updates can be downloaded correctly.


Log in to your Software Vulnerability Manager account.
Navigate to Patching > Configuration > WSUS / System Center > Configure Upstream Server.
Connect to the WSUS server and then click Next.
On Step 2, click "Export Signing Certificate". The certificate will be saved to your documents folder.

Example of exporting the certificate
  • Launch the Group Policy Management Console on your Domain Controller.
  • Navigate to Group Policy Management > Forest > Domains > Organizational Unit
  • Right-click the Organizational Unit > Create a GPO in this domain, and Link it here > Name the GPO, e.g. "CSI-WSUS", or as per your policy.
  • Right-click the GPO and click Edit
  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
  • Import the previously exported "wsuskey.cer" certificate into the "Trusted Root Certification Authorities" and "Trusted Publishers" folders.
  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
  • Double-click the Windows Update Folder.
  • Double-click "Specify Intranet Microsoft update service location" and change the setting to Enabled. Specify your WSUS server address under "Set the intranet update service for detecting updates" and apply. Note: This setting should only be changed if you are using WSUS; don't configure it if you are using SCCM. If you have another GPO which points your machines to the correct WSUS server, then re-specifying WSUS is not required.

  • Double-click "Allow signed updates from an intranet Microsoft update service location" and change the setting to "Enabled".

  • Click Apply > OK and close the GPO editor.

Additional Information

Computers will download the Policy after the next policy refresh interval or reboot. You can force the policy to apply by running the command:

gpupdate /force

Sometimes it may take several hours for the policy to actually propagate. You can verify that the GPO is being applied to a machine by checking whether the certificates have been added to the appropriate certificate stores on that machine.

If the GPO has not been applied yet, or it is not being applied to the machine in question, then you will receive an error (0x800b0109) when deploying third-party updates.
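
The check described above can be scripted. The following PowerShell is an added example, not part of the original article or the vendor's tooling. The certificate path is an assumption, and the registry value names are the ones the two Windows Update policy settings above write under HKLM. Run it in an elevated PowerShell session on the client being checked.

```powershell
# Added example: confirm the CSI-WSUS GPO has reached this computer.
param(
    # Assumption: a copy of the exported certificate is at this path.
    [string]$CertPath = "$env:USERPROFILE\Documents\wsuskey.cer"
)

# Load the exported signing certificate to get the thumbprint to look for.
$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# The GPO imports the certificate into both machine stores.
$results = @(foreach ($store in 'Root', 'TrustedPublisher') {
    $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    [pscustomobject]@{
        Check  = "Certificate in LocalMachine\$store"
        Passed = [bool]$hit
        Detail = "Thumbprint $($cert.Thumbprint), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }
})

# Registry values written by the two Windows Update policy settings.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue

$results += [pscustomobject]@{
    Check  = 'Allow signed updates from an intranet location'
    Passed = ($null -ne $wu -and $wu.AcceptTrustedPublisherCerts -eq 1)
    Detail = "AcceptTrustedPublisherCerts = $($wu.AcceptTrustedPublisherCerts)"
}
# Informational only: with SCCM, or when another GPO sets the server,
# this value may be empty here, so it is not counted as a failure.
$results += [pscustomobject]@{
    Check  = 'Intranet update service (informational)'
    Passed = $true
    Detail = "WUServer = $($wu.WUServer)"
}

$results | Format-Table -AutoSize -Wrap
if ($results.Passed -contains $false) {
    Write-Warning 'GPO not fully applied; third-party updates may fail with 0x800b0109.'
    exit 1
}
```

A non-zero exit code means at least one certificate store or the signed-updates setting is missing, which matches the condition that produces error 0x800b0109.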

Last update: Sep 16, 2019 03:29 PM