System Center Update Publisher 2011 and Windows Server 2012

Windows Server 2012 was released recently. System Center Update Publisher 2011 works well on Windows Server 2012 except for the following known issues:

1. On Windows Server 2012, the WSUS version is 4.0, while on all other operating systems you can only install WSUS 3.0 (with or without a service pack). WSUS 3.0 and WSUS 4.0 cannot communicate with each other, so if you install SCUP on a machine with the WSUS 3.0 admin console and try to publish to a Windows Server 2012 machine running WSUS 4.0, you'll get a WSUS version mismatch error in the SCUP log.

You can, however, install SCUP 2011 on Windows 8 and publish to WSUS on Windows Server 2012. To do so, install Remote Server Administration Tools for Windows 8 on the Windows 8 machine. This installs the WSUS 4.0 version of the WSUS admin console binary on Windows 8, and with that, SCUP can talk to WSUS 4.0 on Windows Server 2012.

2. The low-rights user scenario is currently broken on Windows Server 2012. Normally, a user only needs to be in the WSUS administrative group to publish updates successfully. On Windows Server 2012, however, the user who publishes updates must be a member of the local Administrators group.

Workaround (perform the following steps on the Windows Server 2012 machine):

(1)    Change the ownership of HKEY_CLASSES_ROOT\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B} to Administrators.

(2)    Change the permissions on that key. Make sure Administrators and System have full control over it.

(3)    Launch Dcomcnfg.exe in elevated mode.

(4)    Select “Component Services” → Computers → My Computer → “DCOM Config” → WSusCertServer. Right-click it and select “Properties”.

(5)    The “WSusCertServer Properties” dialog will show up. Switch to the “Security” tab.

(6)    Set “Launch and Activation Permissions” and “Access Permissions” like the following


(7)    Restart WSusCertServer (net stop/net start).
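
The following PowerShell check is an added example, not part of the original post: it reads back the state the workaround is meant to produce, namely the key owner and full-control entries from steps (1) and (2), the per-application DCOM permissions from step (6), and the service state after step (7). It assumes the permissions set in Dcomcnfg are stored as the LaunchPermission and AccessPermission values under the same AppID key, and it changes nothing on the server.

```powershell
# Added example (not from the original post): read-only check of the workaround.
# Run elevated on the Windows Server 2012 machine hosting WSUS.
$appId   = '{8F5D3447-9CCE-455C-BAEF-55D42420143B}'        # AppID from step (1)
$keyPath = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
$sidType = [System.Security.Principal.SecurityIdentifier]
$fullCtl = [int][System.Security.AccessControl.RegistryRights]::FullControl
# Well-known SIDs, so the check does not depend on localized group names.
$wanted  = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-18' = 'SYSTEM' }

if (-not (Test-Path -LiteralPath $keyPath)) { throw "AppID key not found: $keyPath" }
$acl = Get-Acl -LiteralPath $keyPath

# Step (1): the key should be owned by Administrators.
$owner = $acl.GetOwner($sidType).Value
'Owner is Administrators: {0} ({1})' -f ($owner -eq 'S-1-5-32-544'), $owner

# Step (2): Administrators and SYSTEM should each hold an Allow/FullControl entry.
$rules = $acl.GetAccessRules($true, $true, $sidType)
foreach ($sid in $wanted.Keys) {
    $hit = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $fullCtl) -eq $fullCtl
    })
    '{0} has FullControl: {1}' -f $wanted[$sid], ($hit.Count -gt 0)
}

# Step (6): per-application DCOM permissions are stored in these REG_BINARY values.
# Print them as SDDL so the granted principals can be reviewed and recorded.
$props = Get-ItemProperty -LiteralPath $keyPath
foreach ($name in 'LaunchPermission', 'AccessPermission') {
    $bytes = $props.$name
    if ($null -eq $bytes) {
        "${name}: not set on this AppID (machine-wide DCOM defaults apply)"
        continue
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    "${name}: $($sd.GetSddlForm('All'))"
}

# Step (7): confirm the service is running again after the restart.
Get-Service -Name WSusCertServer | Select-Object Name, Status
```

Saving the SDDL output before and after step (6) gives a record of exactly which principals were added, which makes the change easy to review or roll back later.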

Hope you enjoy using SCUP 2011 with Windows Server 2012.

Comments (9)

  1. jtwaddle says:

    I have attempted to use SCUP 2011 on Server 2012 with success.  I am able to install and run it, but when I try to add the signing certificate I get the error below.

    Unable to perform the requested operation on the update server.  This can happen when you try to perform certain functions remotely that require SSL.  %1 is not a valid Win32 application

    The WSUS server is local and so is SCCM 2012 SP1.

  2. jtwaddle says:

    That should be without success.  It is not working.

  3. boggot says:

    Same problem here as jtwaddle. Can't find a solution at the moment.

  4. fritzy05 says:

    You do have to publish the certificate for SCUP as a trusted publisher through your organization.  Have you ensured the certificate has been published?

  5. Valenko says:

    On the client side, check c:\windows\windowsupdate.log for errors. Second, check on the client, with mmc, that the client has successfully installed the WSUS server certificate.

  6. Chase says:

    I had the same issue  as jtwaddle and boggot.  I resolved this by running SCUP by right clicking and choosing Run as Administrator.  This allowed me to create the certificate I browsed to for my PFX file.  Hope it helps!

  7. Chase says:

    Although I have that working, I also must run the program as admin when trying to publish or I get:

    "Publish: Update server does not appear to be configured with a certificate for publishing, publishing aborted."

    When running as admin I still get an error when publishing and have not gotten past this yet:

    PublishItem: InvalidException occurred during publishing: Verification of file signature failed for file: \

    Publish: A fatal error occurred during publishing :Signature verification exception during publish, verify the WSUS certificates and advanced timestamp setting are properly configured.

  8. Mike says:

    I am currently having the same issue as Chase. Has anyone figured this out yet?

  9. UCSD Todd says:

    I have a real Cert, Exported fine.  Had to run SCUP as Administrator to make it work.  I had the SSL error.