Obtain Local Admin rights for WSUS Publishing

Summary

Windows Server 2012 requires the publishing user to be a local administrator, so users without this privilege get a failure-to-sign error when publishing. This article provides alternative methods to solve this problem.

Symptoms

You may find that some users are able to publish packages to WSUS and others aren't, even when those users are publishing from the same machine. In this case, both users have proper disk permissions on WSUS and are members of the WSUS Administrators group.

Cause

Windows Server 2012 requires a user to be a local admin in order to publish packages to WSUS in addition to being a WSUS administrator.

Resolution

There are two paths to resolution. The first is to make the user in question a local administrator on your WSUS server. If this isn't an option, then you'll need to take the second path, which is a workaround.

Workaround

The workaround:

Change the ownership of HKEY_CLASSES_ROOT\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B} to Administrators. Change the permissions on that key. Make sure Administrators and System have full control on that key.

1. Launch Dcomcnfg.exe in elevated mode.

2. Select Component Services / Computers / My Computer / DCOM Config / WSusCertServer.

3. Right-click WSusCertServer and select Properties.

4. The WSusCertServer Properties dialog opens. Click the Security tab.

5. Set Launch and Activation Permissions and Access Permissions like the following examples: 

6. Restart the WSusCertServer service (net stop / net start).
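
To confirm the registry part of the workaround took effect, the following read-only PowerShell check reports the owner of the AppID key and whether Administrators and SYSTEM hold Full Control on it. It is an added example, not part of the original article; it assumes an elevated PowerShell session on the WSUS server and identifies the two principals by their well-known SIDs.

```powershell
# Added example (not from the original article): read-only audit of the AppID key
# named in the workaround. Nothing is modified.
$appId   = '{8F5D3447-9CCE-455C-BAEF-55D42420143B}'   # AppID from the article
$keyPath = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"

# Well-known SIDs, so the check does not depend on the OS display language.
$required = [ordered]@{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
}

if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "AppID key not found: $keyPath"
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [System.Security.AccessControl.RegistryRights]::FullControl

$acl      = Get-Acl -LiteralPath $keyPath
$ownerSid = $acl.GetOwner($sidType).Value
# Explicit and inherited ACEs, with identities returned as SIDs.
$rules    = $acl.GetAccessRules($true, $true, $sidType)

# Owner check: the workaround expects Administrators to own the key.
[pscustomobject]@{
    Key                   = $keyPath
    Owner                 = $acl.Owner
    OwnerIsAdministrators = ($ownerSid -eq 'S-1-5-32-544')
} | Format-List

# Permission check: each required principal needs an Allow ACE covering Full Control.
$report = foreach ($sid in $required.Keys) {
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full
    }
    [pscustomobject]@{
        Principal   = $required[$sid]
        Sid         = $sid
        FullControl = [bool]$match
    }
}
$report | Format-Table -AutoSize

# Full ACE list for review, so any unexpected principal on the key is visible.
$rules | Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited |
    Format-Table -AutoSize
```

Running it before and after the change gives a record of what the workaround altered on the key.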

Version history: Revision 2 of 2. Last update: Sep 25, 2019 06:52 PM