How to Deploy certificate from SCCM 

How to manage signing certificates using SCCM


Users of SCCM 1806 and upwards, now have the option to deploy signing certificates right from the SCCM console in contrast to manual deployment using group policy object (GPO) method. This document demonstrates the step-by-step procedure on how to configure SCCM to manage code-signing certificates.


1. From the bottom left corner of the console, select 'Administration', click on 'Sites' from under 'Site Configuration' and select the node for which you would like SCCM manage the certificates.

Failed to sign package 2147942403

2. Click on 'Configure Site Components', and then on 'Software Update Point'.

Failed to sign package 2147942403

3. Now, from under the 'Third-Party Updates' tab, you will find two options. Make sure to enable 'Manually manages the certificate' checkbox before proceeding to the next step.

Failed to sign package 2147942403

4. Next, go to 'Software Library', click on 'All Software Updates' and then 'Synchronize Software Updates'.

Failed to sign package 2147942403

5.Now go to 'Administration', from the bottom left corner,  click on 'Client Settings' and then on 'Default Client Settings'

6. Once the 'Default Settings' window opens, select 'Software Updates'  and enable Software Updates first.

7. Lastly, from the bottom of the window change 'Enable third party software updates' to Yes.

Failed to sign package 2147942403

You have now successfully configured SCCM to manage the code signing certificates! You can alternatively use the GPO method to manually deploy certificates to client machines.