We use Microsoft Deployment Toolkit to build our machines with 100% clean fresh installs of our OSes; it is how we are required to do it (before anyone suggests we should just switch to getting a machine 100% up to date and then sysprep) and how we prefer to do it.
We have recently started getting problems with older machines that we need to rebuild (hard disk failures etc.).
Our build is Windows 7 SP1 x64, and we run our own internal WSUS setup that is SSL secured, and all our Internet traffic is restricted and run through an authenticated proxy that we will not allow to be bypassed; none of this is going to be allowed to be changed.
This setup has been working for years, but now the WSUS portion of the build process sits there for ages and then fails. It would seem that virgin Win7 SP1 is now so old that the certificate we use to sign our WSUS server (a wildcard cert purchased through GoDaddy that we use to secure multiple services) cannot seemingly be verified, as their root cert had not been issued when SP1 was first brought out. We have verified this by manually editing the registry at the relevant point in the build process and allowing the building machine to connect to WSUS without SSL, but this process must be automated and we can't change our GPOs to allow non-SSL connections to our WSUS servers.
There does not appear to be any root cert updates available for Windows 7 that we can use to fix this. Does anyone have any suggestions on a set of files and command lines I can use to push the updated certs to the machine prior to the WSUS section?
The section of the build process in question is run as the machine local administrator account and therefore is not allowed to connect to the internet and do an online certificate update.
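One way to do this as an MDT task sequence step before the WSUS step, as an added example that is not part of the original post: a PowerShell 2.0-compatible script that imports the CA root (and intermediate, if any) from the deployment share into the LocalMachine store and then checks offline that the WSUS server's certificate chains cleanly. The certificate file names, the `Certs` folder and the `Add-WsusTrust.ps1` script name are assumptions; export the CA certificates and the server's public certificate from a machine where WSUS over SSL already works.

```powershell
# Added example (not from the original post): trust the WSUS CA chain offline on a
# Windows 7 SP1 build machine. Assumed files (placeholders, not values from the post),
# all next to this script in a Certs folder on the deployment share:
#   Certs\wsus-root.cer          - root CA the wildcard cert chains to
#   Certs\wsus-intermediate.cer  - issuing intermediate CA, if any
#   Certs\wsus-server.cer        - exported public certificate of the WSUS server
# Uses .NET X509Store/X509Chain so it runs on PowerShell 2.0 (no Import-Certificate cmdlet).
param(
    [string]$CertDir = (Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'Certs')
)
$ErrorActionPreference = 'Stop'

function Add-CertToStore {
    param([string]$Path, [string]$StoreName)   # StoreName: 'Root' or 'CA'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # Idempotent: skip if a certificate with this thumbprint is already trusted
        if ($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
            Write-Output "Already present in $StoreName : $($cert.Subject)"
        } else {
            $store.Add($cert)
            Write-Output "Added to $StoreName : $($cert.Subject) [$($cert.Thumbprint)]"
        }
    } finally { $store.Close() }
}

function Test-ServerChain {
    param([string]$ServerCertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The build account has no Internet access, so skip online revocation and AIA fetching
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) { Write-Output "Chain status: $($s.Status) - $($s.StatusInformation)" }
    return $ok
}

Add-CertToStore -Path (Join-Path $CertDir 'wsus-root.cer') -StoreName 'Root'
if (Test-Path (Join-Path $CertDir 'wsus-intermediate.cer')) {
    Add-CertToStore -Path (Join-Path $CertDir 'wsus-intermediate.cer') -StoreName 'CA'
}
if (-not (Test-ServerChain (Join-Path $CertDir 'wsus-server.cer'))) {
    Write-Output 'WSUS server certificate still does not chain to a trusted root; failing this step.'
    exit 1   # non-zero exit code makes the MDT task sequence step report failure
}
```

Run it from a "Run Command Line" step placed before the Windows Update steps, e.g. `powershell.exe -ExecutionPolicy Bypass -File "%DEPLOYROOT%\Scripts\Add-WsusTrust.ps1"`, so a chain that still fails to validate stops the build with a logged reason instead of the WSUS step hanging.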