3rd Party patch management - Part 4

Hi All,

This is part 4, where we will see how to prepare the environment (GPO and certificates). As we are using a self-signed certificate, we need to install this certificate on every machine that will connect to the WSUS server, which means every single machine on the network.

To do it easily, I'll be making the changes in the Default Domain Policy GPO...

The 1st step is to open the MMC console on the patch manager server, in my case SRV0010.

On the File menu, select Add/Remove Snap-in. Select Certificates and click Add.

On "This snap-in will always manage certificates for", select Computer account and click Next.

On "Select the computer you want this snap-in to manage", select Local computer and click Finish.

On Add or Remove Snap-ins, click OK.

In the MMC console, expand Certificates, then Trusted Root Certification Authorities, and select Certificates. Right-click the WSUS Publishers Self-signed certificate, then All Tasks, Export.

On Welcome to the Certificate Export Wizard, click Next.

On Export File Format, select DER encoded binary X.509 (.CER) and click Next.

On File to Export, type the folder/file name or use the Browse button. Once done, click Next.

On Completing the Certificate Export Wizard, click Finish.

On the Certificate Export Wizard confirmation ("The export was successful"), click OK.

Now it is time to edit the GPO. To do this, on any machine with the Group Policy Management console installed, edit the Default Domain Policy.

In the Group Policy Management Editor, expand Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies and select Trusted Root Certification Authorities.

Start the import wizard and, on the welcome screen, click Next.

On File to Import, select the .cer file you exported before and click Next.

On Certificate Store, leave the default (Trusted Root Certification Authorities) and click Next.

On Completing the Certificate Import Wizard, click Finish.

On the Certificate Import Wizard confirmation ("The import was successful"), click OK.

Note that the certificate now appears in the list.

Now it is time to import the same certificate into the Trusted Publishers store, following the same steps.

Once it is done, the certificate will appear in that list as well.

Now, expand Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Update.

Edit "Allow signed updates from an intranet Microsoft update service location" and select Enabled.

Once that's done, you'll need to refresh the GPO on the machines, either by running gpupdate /force or by rebooting them. To validate that it has been applied properly, open the MMC on a client and confirm that the certificate has been imported into both certificate stores (Trusted Root Certification Authorities and Trusted Publishers).
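For those who prefer a script to clicking through the wizards, here is an added PowerShell example (my own, not from the original walk-through) that does the same export on the server and the same validation on a client, including the registry value the "Allow signed updates" policy writes. It assumes the certificate subject contains "WSUS Publishers Self-signed" and uses C:\Temp\WSUSPublishers.cer as an example export path.

```powershell
# Added example: PowerShell equivalent of the MMC export and the client-side check.
# Assumptions: the self-signed cert subject contains "WSUS Publishers Self-signed"
# (the name shown in the MMC steps) and the export path below is just a chosen example.
$ExportPath = 'C:\Temp\WSUSPublishers.cer'

# --- On the patch manager server (SRV0010): export the cert in DER format ---
function Export-WsusPublisherCert {
    param([string]$Path)
    $cert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*WSUS Publishers Self-signed*' } |
        Select-Object -First 1
    if (-not $cert) { throw 'WSUS Publishers Self-signed certificate not found in Trusted Root' }
    # X509ContentType::Cert = DER encoded binary X.509, the same as the wizard's DER option
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $cert.Thumbprint   # keep this to verify the clients against
}

# --- On any client after gpupdate /force: confirm both stores and the policy setting ---
function Test-WsusSigningTrust {
    param([string]$Thumbprint)
    $ok = $true
    foreach ($store in 'Root', 'TrustedPublisher') {
        $found = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($found) { Write-Host "OK   : certificate present in LocalMachine\$store" }
        else { Write-Host "FAIL : certificate missing from LocalMachine\$store"; $ok = $false }
    }
    # "Allow signed updates from an intranet Microsoft update service location" = Enabled
    # sets AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    if ($val -eq 1) { Write-Host 'OK   : AcceptTrustedPublisherCerts = 1 (GPO applied)' }
    else { Write-Host "FAIL : AcceptTrustedPublisherCerts is '$val', expected 1"; $ok = $false }
    return $ok
}

# Usage on the server:
#   $thumb = Export-WsusPublisherCert -Path $ExportPath
# Usage on a client (paste the thumbprint returned on the server):
#   gpupdate /force; Test-WsusSigningTrust -Thumbprint $thumb
```

Comparing the thumbprint rather than just the subject name catches the case where a client has an older or re-generated WSUS Publishers certificate that does not match the one the server is actually signing with.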

But what if you don't want to use a self-signed certificate? You can use any certificate from your company instead. To do this, check Jason T. Lewis's blog post at http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx