You must distribute the code-signing certificate to all servers that house your Configuration Manager and WSUS consoles and to all of your client machines. Which certificate store(s) the certificate is copied to depends on how the code-signing certificate was created.
•If your code signing certificate was created by WSUS (and is therefore a self-signed code signing certificate), you will need to copy the certificate to the following locations on all your WSUS servers, your remote Configuration Manager consoles and your client machines:
•Trusted Publishers certificate store
•Trusted Root Certificate Authorities certificate store
•If the code-signing certificate was issued by a CA whose root is already trusted by your clients, you only need to copy the certificate to the Trusted Publishers certificate store on your WSUS and client machines.