Cannot deploy custom updates which is published by the SCUP 2011

This blog covers issues faced after setting up SCUP 2011 , when we try to install updates published by SCUP 2011 . We get the following error on the client side while installing updates “0x800b0109”

1.To start off I recommend verifying the  following key points:

a.The SCUP can use the certificate to sign the custom update. This certificate can be the self-signed certificate or a certificate generated from your internal CA.

  • This certificate shall be imported to Trusted Publishers store in both WSUS server and clients.
  • If the certificate is a self-signed certificate, it shall be imported to Trusted Root Certification Authorities in both WSUS server and clients.

b.On the client side, ensure group policy is enabled.

Computer Configuration –> Administrative Templates –> Windows Components and select Windows Update. In the results pane, right-click Allow signed content from intranet Microsoft update service location, click Properties, click Enabled and then click OK.

c.When publishing the custom update, you can publish full content if want to deploy this update.

d.After completes the publishing, the custom update files shall be signed by the certificate and put into the WSUSContent folder. You can create the software update packages. Please choose WSUS server’s WSUSContent folder.

2.Regarding how to deploy the certificate to all machines, there are two options.

GPO and SCCM Package mentioned in setup a and b .


b.Create a package in SCCM to deploy it. If the certificate is self-signed, please use following commands to import it to both Trusted Root Certification Authorities and TrustedPublisher.

certutil.exe -addstore Root .cer

certutil.exe -addstore TrustedPublisher .cer

3.We can also check sample clients .

  • We can see that we encounter the following error “0x800b0109”. We need to  check the Trusted Root Certification Authorities and TrustedPublisher after deploying the certs mentioned in step 2, and if the machine didn’t get the certificate. Run “gpupdate /force” and let it get the certificate. After that the machine can download and install the updates successfully.


Categories: SCCM

Tagged as: , ,

1 reply »

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.