This blog covers issues faced after setting up SCUP 2011, when we try to install updates published by SCUP 2011. We get the following error on the client side while installing updates: “0x800b0109”.
1. To start off, I recommend verifying the following key points:
a. SCUP can use the certificate to sign the custom update. This certificate can be a self-signed certificate or a certificate generated from your internal CA.
- This certificate shall be imported into the Trusted Publishers store on both the WSUS server and the clients.
- If the certificate is a self-signed certificate, it shall also be imported into Trusted Root Certification Authorities on both the WSUS server and the clients.
b. On the client side, ensure the group policy is enabled.
Go to Computer Configuration –> Administrative Templates –> Windows Components and select Windows Update. In the results pane, right-click Allow signed content from intranet Microsoft update service location, click Properties, click Enabled and then click OK.
c. When publishing the custom update, you can publish full content if you want to deploy this update.
d. After publishing completes, the custom update files shall be signed by the certificate and put into the WSUSContent folder. You can then create the software update packages. Please choose the WSUS server’s WSUSContent folder.
2. Regarding how to deploy the certificate to all machines, there are two options, GPO and an SCCM package, listed as a and b:
a. Deploy it with a GPO.
b. Create a package in SCCM to deploy it.
https://technet.microsoft.com/en-us/systemcenter/bb531031.aspx
If the certificate is self-signed, please use the following commands to import it into both Trusted Root Certification Authorities and TrustedPublisher:
certutil.exe -addstore Root <YourCertificate>.cer
certutil.exe -addstore TrustedPublisher <YourCertificate>.cer
3. We can also check sample clients.
- If we encounter the error “0x800b0109” on a client, we need to check the Trusted Root Certification Authorities and TrustedPublisher stores after deploying the certificates as described in step 2. If the machine didn’t get the certificate, run “gpupdate /force” and let it get the certificate. After that the machine can download and install the updates successfully.
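The client-side checks from steps 1 and 3 can be scripted. The following is an added example, not part of the original post: it assumes PowerShell 3.0 or later, an elevated prompt, and a hypothetical -CerPath parameter pointing at the exported SCUP signing certificate. Error 0x800b0109 is CERT_E_UNTRUSTEDROOT, so the script also builds the certificate chain to confirm it ends in a trusted root.

```powershell
# Added example: verify the SCUP signing certificate and policy on a client.
# -CerPath is an assumed parameter: path to the exported signing certificate.
param(
    [Parameter(Mandatory = $true)]
    [string] $CerPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path -Path $CerPath).Path
# A self-signed certificate has identical subject and issuer names.
$selfSigned = $cert.Subject -eq $cert.Issuer

function Test-CertInStore {
    param([string] $StoreName, [string] $Thumbprint)
    $match = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool] $match
}

# Build the chain without revocation lookups so the check works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)
$chainDetail = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# Value set by "Allow signed content from intranet Microsoft update
# service location" (1 = enabled).
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

$results = @()
$results += [pscustomobject]@{ Check = 'In TrustedPublisher store'
    Passed = (Test-CertInStore 'TrustedPublisher' $cert.Thumbprint); Detail = $cert.Thumbprint }
if ($selfSigned) {
    # Only a self-signed certificate must itself be present in Root.
    $results += [pscustomobject]@{ Check = 'Self-signed cert in Root store'
        Passed = (Test-CertInStore 'Root' $cert.Thumbprint); Detail = $cert.Subject }
}
$results += [pscustomobject]@{ Check = 'Chain ends in trusted root'
    Passed = $chainOk; Detail = $chainDetail }
$results += [pscustomobject]@{ Check = 'Intranet signed-content policy enabled'
    Passed = ($policy -eq 1); Detail = "AcceptTrustedPublisherCerts=$policy" }

$results | Format-Table -AutoSize
# Non-zero exit code lets SCCM or a scheduled task flag failing clients.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

A failed chain check with a status such as UntrustedRoot or NotTimeValid shows whether the root is missing or the signing certificate has expired.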