Monitors whether the certificate for signing local update packages is configured correctly.
This monitor provides notifications about any misconfiguration of the certificate that is used for signing local update packages.
If the WSUS server is not configured for signing local update packages, this monitor will always indicate a healthy state.
An error is triggered because the expected signing certificate could not be located. To resolve the issue, you have three options:

1. Remove the signing certificate from the WSUS server. (Please note that after removing the certificate, you can no longer publish unsigned local update packages.)
   On the WSUS server, open a PowerShell command prompt. You must run the command line as a user account that belongs to either the WSUS Administrators group or the local Administrators group.
   Run the following commands:
       $wsus = Get-WsusServer
       $configuration = $wsus.GetConfiguration()
       $configuration.SetSigningCertificate($null, $null)
       $configuration.Save()

2. Manually reset the signing certificate on the WSUS server. (Use this option if you initially installed the signing certificate yourself.)
   This article assumes the certificate is located at C:\wsus\signing-certificate.cer and the password for accessing the private key is Password. Update the file path and password accordingly.
   On the WSUS server, open a PowerShell command prompt. You must run the command line as a user account that belongs to either the WSUS Administrators group or the local Administrators group.
   Run the following commands:
       $wsus = Get-WsusServer
       $configuration = $wsus.GetConfiguration()
       $configuration.SetSigningCertificate("C:\wsus\signing-certificate.cer", "Password")
       $configuration.Save()

3. Replace the signing certificate on the WSUS server. (Use this option if you use a third-party tool for local update publishing, for example System Center Configuration Manager.)
   In this case, refer to the documentation provided by the vendor for that third-party tool.
Property | Value
Target | Microsoft.Windows.Server.UpdateServices.2012.R2.Server
Parent Monitor | Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateRollup
Category | AvailabilityHealth
Enabled | True
Alert Generate | True
Alert Severity | Error
Alert Priority | Normal
Alert Auto Resolve | True
Monitor Type | Microsoft.Windows.2SingleEventLog2StateMonitorType
Remotable | True
Accessibility | Public
Alert Message |
RunAs | Default
<UnitMonitor ID="Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateConfiguration" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.Server.UpdateServices.2012.R2.Server" ParentMonitorID="Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateRollup" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="false">
  <Category>AvailabilityHealth</Category>
  <AlertSettings AlertMessage="Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateConfiguration.AlertMessage">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="CertificateConfigurationError" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>
    <OperationalState ID="CertificateConfigurationOK" MonitorTypeStateID="SecondEventRaised" HealthState="Success"/>
  </OperationalStates>
  <Configuration>
    <FirstComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
    <FirstLogName>Application</FirstLogName>
    <FirstExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>Windows Server Update Services</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>10072</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </FirstExpression>
    <SecondComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
    <SecondLogName>Application</SecondLogName>
    <SecondExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>Windows Server Update Services</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <RegExExpression>
            <ValueExpression>
              <XPathQuery>EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>MatchesRegularExpression</Operator>
            <Pattern>^(10070|10060)$</Pattern>
          </RegExExpression>
        </Expression>
      </And>
    </SecondExpression>
  </Configuration>
</UnitMonitor>
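A read-only check that mirrors what this monitor evaluates, added here as an example and not part of the management pack or the resolution steps above: it reads the signing certificate WSUS currently has configured (the object the SetSigningCertificate/Save commands above modify) and looks up the latest of the three Application-log events the monitor's expressions match (10072 for the error state, 10070 or 10060 for the healthy state). It assumes the UpdateServices PowerShell module is present on the WSUS server and that GetSigningCertificate() on the configuration object returns $null when no certificate is configured.

```powershell
# Added example, not part of the management pack. Read-only: it changes nothing.
# Run on the WSUS server as a member of WSUS Administrators or local Administrators.
# Assumes the UpdateServices module (Get-WsusServer) is available.
function Get-WsusSigningCertificateState {
    [CmdletBinding()]
    param(
        # Lookback window for the event-log query (constructed default).
        [int]$LookbackHours = 24
    )

    $wsus          = Get-WsusServer
    $configuration = $wsus.GetConfiguration()

    # Assumed to return $null when no signing certificate is configured, which is
    # the case in which the monitor always reports healthy.
    $certificate = $configuration.GetSigningCertificate()
    $expired = if ($certificate) { $certificate.NotAfter -lt (Get-Date) } else { $null }
    $certificateInfo = [pscustomobject]@{
        Configured = ($null -ne $certificate)
        Subject    = $certificate.Subject
        Thumbprint = $certificate.Thumbprint
        NotAfter   = $certificate.NotAfter
        Expired    = $expired
    }

    # Same event source and IDs as the monitor's FirstExpression (10072)
    # and SecondExpression (10070|10060).
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Windows Server Update Services'
        Id           = 10072, 10070, 10060
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    $latest = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($null -eq $latest) {
        $state = 'Unknown (no matching event in the lookback window)'
    } elseif ($latest.Id -eq 10072) {
        $state = 'Error (signing certificate could not be located)'
    } else {
        $state = 'Healthy'
    }

    [pscustomobject]@{
        Certificate   = $certificateInfo
        LatestEventId = $latest.Id
        LatestEventAt = $latest.TimeCreated
        MonitorState  = $state
    }
}

Get-WsusSigningCertificateState | Format-List
```

A Configured value of True together with a latest event of 10072 points at option 2 or 3 above; an expired certificate will not trip this monitor by itself, so check NotAfter separately.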