Hi,
But the regkey will be a bit tricky for XP machines. There is a GPO for this setting: "Administration Templates -> Windows Components -> Windows Update Components -> 'Allow Signed Content from intranet Microsoft update service location'"

"any security risks?"

This setting allows the WU agent to trust a package that has been signed by a trusted publisher. The certificate must already be in the TrustedPublisherCertificate store, so the risk is very low. To corrupt a machine, an attacker must first import a certificate into this store and then publish a fake update in your WSUS (that means knowing an account that has administrative privileges on the attacked computer and on the WSUS server)!