Local Update Package Signing Certificate Configuration

Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateConfiguration (UnitMonitor)

Monitors whether the certificate for signing local update packages is configured correctly.

Knowledge Base article:

Summary

This monitor provides notifications about any misconfiguration of the certificate that is used for signing local update packages.

If the WSUS server is not configured for signing local update packages, this monitor will always indicate a healthy state.

Resolutions

An error is triggered because the expected signing certificate could not be located. To resolve the issue, you have three options:

Remove the signing certificate from the WSUS server. (Please note that after removing the certificate, you can no longer publish unsigned local update packages.)
- On the WSUS server, open a PowerShell command prompt. You must run the command line as a user account that belongs to either the WSUS Administrators group or the local Administrators group.
- Run the following commands:
- $wsus = Get-WsusServer
- $configuration = $wsus.GetConfiguration()
- $configuration.SetSigningCertificate($null, $null)
- $configuration.Save()
Manually re-set the signing certificate on the WSUS server. (Use this option, if you initially installed the signing certificate yourself.)
- This article assumes the certificate is located at C:\wsus\signing-certificate.cer and the password for accessing the private key is Password. Update file path and password accordingly.
- On the WSUS server, open a PowerShell command prompt. You must run the command line as a user account that belongs to either the WSUS Administrators group or the local Administrators group.
- Run the following commands:
- $wsus = Get-WsusServer
- $configuration = $wsus.GetConfiguration()
- $configuration.SetSigningCertificate("C:\wsus\signing-certificate.cer", "Password")
- $configuration.Save()
Replace the signing certificate on the WSUS server. (Use this option, if you use a third-party tool for local update publishing, for example System Center Configuration Manager.)
In this case, refer to the documentation provided by the vendor for that third-party tool.

Element properties:

Target

Microsoft.Windows.Server.UpdateServices.2012.R2.Server

Parent Monitor

Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateRollup

Category

AvailabilityHealth

Enabled

True

Alert Generate

True

Alert Severity

Error

Alert Priority

Normal

Alert Auto Resolve

True

Monitor Type

Microsoft.Windows.2SingleEventLog2StateMonitorType

Remotable

True

Accessibility

Public

Alert Message

Local Update Package Signing Certificate Configuration

The expected signing certificate could not be located on the WSUS server.

RunAs

Default

Source Code:

<UnitMonitor ID="Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateConfiguration" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.Server.UpdateServices.2012.R2.Server" ParentMonitorID="Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateRollup" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="false">

  <Category>AvailabilityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.Windows.Server.UpdateServices.2012.R2.Server.CertificateConfiguration.AlertMessage">

    <AlertOnState>Error</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Error</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="CertificateConfigurationError" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>

    <OperationalState ID="CertificateConfigurationOK" MonitorTypeStateID="SecondEventRaised" HealthState="Success"/>

  </OperationalStates>

  <Configuration>

    <FirstComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>

    <FirstLogName>Application</FirstLogName>

    <FirstExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>Windows Server Update Services</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>10072</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </FirstExpression>

    <SecondComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>

    <SecondLogName>Application</SecondLogName>

    <SecondExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>Windows Server Update Services</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <RegExExpression>

            <ValueExpression>

              <XPathQuery>EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>MatchesRegularExpression</Operator>

            <Pattern>^(10070|10060)$</Pattern>

          </RegExExpression>

        </Expression>

      </And>

    </SecondExpression>

  </Configuration>

</UnitMonitor>