Configure clients using Group Policy

To avoid using WMI connections required by the Client Publishing Setup Wizard, configure the clients using your Group Policy by exporting the WSUS certificate to a file. When you are finished, configure the Group Policy object, and then push the file to your managed clients. You can also deploy certificates using the Group Policy.

Export the WSUS certificate

Perform the following procedure to export the WSUS publishing certificate to a file from the Patch Manager Administrator Console.

  1. Open the Patch Manager Admin Console.
  2. In the navigation menu, expand Enterprise > Update Services.

  3. Select the WSUS server to export the certificate.

    In the example above, SPM-MGOM is the WSUS server.

  4. In the Actions pane, click Software Publishing Certificate to display the Publishing Certificate Information window.

    If the window does not display the WSUS server certificate information:

    1. Click Close.
    2. Click Refresh Update Server in the Actions pane.
    3. Click Software Publishing Certificate in the Actions pane.
  5. Click [...].
  6. In the Certificate window, click the Details tab.

  7. Click Copy to File, and click Next.
  8. In the Certificate Export Wizard, click Next.
  9. Select DER encoded binary X.509 (.CER), and click Next.

  10. Enter a file name, and click Next.

  11. Click Finish, and then click OK.

Configure the Group Policy Object

Use the following procedure to configure the Group Policy Object (GPO) and push to your managed clients in your Microsoft® Windows® domain.

The GPO stores the WSUS certificate in the certificate stores and configures the managed clients to accept third-party updates from non-Microsoft sources.

  1. Using an account with administrator privileges, open Administrative Tools and click Edit group policy.
  2. Create or edit a Group Policy Object to configure the clients.
  3. In the Group Policy Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  4. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted Publishers stores.
    1. Under Public Key Policies, select Trusted Root Certification Authorities.
    2. Click Action > Import.
    3. Click Next.
    4. Click Browse, and then browse to the certificate you saved in the previous procedure.
    5. Click Next.
    6. Click Next again.
    7. Click Finish.
    8. Click OK on the Success dialog box.
    9. Repeat these steps for the Trusted Publishers certificate store.
  5. Expand Computer Configuration > Administrative Templates > Windows Components, and select Windows Update.
  6. Enable the Allow signed updates from an intranet Microsoft update service location policy.
    1. In the center pane, select Allow signed updates from an intranet Microsoft update service location.
    2. Click Action > Edit.
    3. Select Enabled.
    4. Click OK.

Deploy certificates using Group Policy

You can deploy a certificate to multiple computers using Active Directory Domain Services and the GPO. Use this method each time you need to push a certificate to your client computers.

For example, you can push a WSUS self-signed or CA-signed certificate to all clients before they can trust a publish third-party package.

  1. Verify that you are a member of the local administrator group (or equivalent).
  2. Open the Group Policy Management Console.
  3. Locate an existing GPO or create a GPO that contains the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit that includes the users you want to include in the policy.
  4. Right-click the GPO and select Edit.

    The Group Policy Management Editor opens and display the current policy object contents.

  5. In the navigation pane, go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers.
  6. Click the Action menu and select Import.
  7. Complete the Certificate Import Wizard to locate and import the certificate.
  8. If the certificate is signed and cannot be tracked back to a certificate in the Trusted Root Certification Authorities certificate store, copy the certificate to the store.
    1. In the navigation pane, click Trusted Root Certification Authorities.
    2. Complete step 6 through step 7 to install a copy of the certificate to the store.