To run software updates via ConfigMgr's software updates management, the proxy service account must be a member of the local Administrators group. To work around security policies that only allow you to add users to the WSUS Administrators group, not the local Administrators group, you can give the service account control over the specific items necessary for package publishing.
To give the proxy service account the full set of necessary permissions:
In the Windows Registry Editor
1. Open the Windows Registry Editor on the WSUS server.
2. For each registry key listed below:
- Right-click the key and click Permissions.
- Click Add and add the service account.
- Allow Full Control and apply your changes.
HKEY_LOCAL_MACHINE\Software\Flexera
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
HKLM\Software\Microsoft\SystemCertificates\Disallowed
HKLM\Software\Microsoft\Update Services\Server\Setup
HKLM\SOFTWARE\Classes\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B}
In Windows Explorer
1. In Windows Explorer, navigate to:
C:\ProgramData\Microsoft\Crypto
C:\ProgramData\Flexera Software\SVM Patch
At each location:
1. Right-click the folder, click Properties, and select Security.
2. Select the service account for which you want to allow package publishing.
3. Allow Full Control and apply your changes.
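The registry and folder steps above can be checked, and optionally applied, from PowerShell. This is an added example, not a Flexera or Microsoft script; the `-Account` parameter, the `-Apply` switch, and the choice to let the grant inherit to subkeys and child objects are assumptions.

```powershell
# Added example. Run from an elevated PowerShell session on the WSUS server.
param(
    [Parameter(Mandatory)][string]$Account,  # placeholder, e.g. 'CONTOSO\svc-wsusproxy'
    [switch]$Apply                           # without -Apply the script only reports
)
# Registry keys and folders exactly as listed on this page.
$targets = @(
    'HKLM:\SOFTWARE\Flexera'
    'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed'
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed'
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed'
    'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    'HKLM:\SOFTWARE\Classes\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B}'
    'C:\ProgramData\Microsoft\Crypto'
    'C:\ProgramData\Flexera Software\SVM Patch'
)
# Resolve to a SID so the comparison does not depend on how the name is written.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)

$results = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; State = 'Missing' }
        continue
    }
    $isReg = $path -like 'HKLM:*'
    $acl   = Get-Acl -LiteralPath $path
    $full  = if ($isReg) { [System.Security.AccessControl.RegistryRights]::FullControl }
             else        { [System.Security.AccessControl.FileSystemRights]::FullControl }
    # Only Allow ACEs naming the account itself; access via group membership is not evaluated.
    $has = $false
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference -ne $sid -or $ace.AccessControlType -ne 'Allow') { continue }
        $rights = if ($isReg) { $ace.RegistryRights } else { $ace.FileSystemRights }
        if (($rights -band $full) -eq $full) { $has = $true }
    }
    if (-not $has -and $Apply) {
        $rule = if ($isReg) {
            New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $path -AclObject $acl
        $has = $true
    }
    [pscustomobject]@{ Path = $path; State = if ($has) { 'FullControl' } else { 'NotGranted' } }
}
$results | Format-Table -AutoSize
```

Running it without `-Apply` after the manual steps gives a per-location report that can be kept as evidence of exactly which objects the service account controls.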
For Shares and Groups
Under Local Users and Groups, add the service account to WSUS Administrators, which requires full access to the WSUS content location, including Share and NTFS.
For DCOM (Distributed Component Object Model)
1. In the DCOMCNFG tool, go to Component Services > Computers > My Computer > DCOM Config.
2. Modify the WSUSCertServer security settings:
- Grant Local Launch and Local Activation rights to the WSUS Administrators group.
- Grant Local Access rights to the WSUS Administrators group.
3. Reboot the device.