Recently having installed SCUP and set it up to publish updates using an internal CA I needed to deploy the custom certificate to all the client machines so  that they will receive and install the updates correctly. It turns out that the place to install a “Trusted publisher” certificate is not where you would think.

  • Open “Group Policy Manager”
  • Under Computer Configuration – Windows Settings – Security Settings – Software Restriction Policies
  • Right click and create a new SR policy if you haven’t got one already


  • Under Additional rules right click and create new “Certificate rule”
  • Click browse and select the exported certificate that is being used to sign the updates (.cer file)
  • Change the “Security Level” to Unrestricted otherwise you will stop the computers running any programs!


  • Exit out of the windows and that should be all.


Update 1 29/01/2013 – on Server 2012 / 2008 R2 you might get an additional dialogue:



Choose “No” as you don’t want to enforce the rules, just push the certificate out to client machines.

I should also point out that this article was written in 2008 using Server 2003 and I haven’t checked if there is a newer / better way to push out a certificate in newer versions of Windows…


Update 2 – Turns out in newer Group Policy you can deploy the certificate direct to the “Trusted publisher” certificate container see here.

Remember that if you are using a self signed certificate you need to push your stand-alone root into “Trusted Root Certificate Authorities” as well. I’ve not tested if this method works with down level clients like Windows XP

[tags]scup,group policy[/tags]