Documentation for Patch Manager

Configure the group policy to enable third-party updates

Perform this procedure only if your organization implements a group policy on all corporate systems.

The group policy defines the user, security, and networking policies for all computers in the network. To enable the managed computers to receive third-party updates from the WSUS server, export the software publishing certificate from the WSUS server to a certificate file. When you are finished, configure the Group Policy Object (GPO) on the domain controller and import the certificate file and the supporting Windows® Update policies.

Patch Manager signs all third-party packages with the software publishing certificate. This certificate must be installed in the local Trusted Root Certification Authority and Trusted Publishers keystores of each managed computer so they can receive third-party updates.

Export the software publishing certificate from the WSUS server

Export the software publishing certificate so you can add the file to the Group Policy (GPO). When you push the GPO to the managed systems, each system can accept third-party updates from non-Microsoft® sources.

  1. Select the WSUS server in the Patch Manager menu.

  2. In the Actions column, click Software Publishing Certificate.
  3. Click [...] in the Publishing Certificate Information window.

  4. On the Details tab, select the WSUS publishing certificate.

  5. Click Copy to File in the Certificate window.
  6. Click Next in the Certificate Export Wizard.
  7. Select DER encoded binary X.509 (.CER), and click Next.
  8. Enter a file name (for example, WSUS Publishing Certificate).
  9. Complete the Certificate Export Wizard.

    The software publishing certificate is exported to a file.

Configure the GPO for the targeted domain

This procedure configures the Windows Update policies and adds the publishing certificate to the certificate stores on the managed computers so they accept third-party updates from non-Microsoft sources.

  1. Log in to the domain controller as an administrator.
  2. Copy the software publishing certificate to the domain controller desktop or another location on the server.
  3. Navigate to the control panel and open Group Policy Management.
  4. In the Group Policy Management menu, navigate to the domain that contains the GPO for the targeted domain (for example, Default Domain Policy).

    If you need to create a GPO, right-click the domain (for example, gir.lab), select Create a GPO in this domain, and link it here. Enter a name for the GPO, and click OK. The domain tree displays the GPO.

  5. Double-click the GPO (for example, Default Domain Policy).

  6. Review the Group Policy Management Console window text, and click OK.

    The Scope tab is displayed.

  7. In the Windows Update window, enable Allow signed updates from an intranet Microsoft update service location.

    This setting enables Windows Update on managed computers to accept non-Microsoft updates (or third-party updates) from a Microsoft Update location (or WSUS server) in the corporate network.

    1. Right-click the GPO and select Edit.
    2. In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Components.
    3. Scroll down and select Windows Update.
    4. Double-click Allow signed updates from an intranet Microsoft update service location in the Windows Update window.
    5. Select Enabled in the Configure Automatic Updates window.
    6. Click OK.

      This policy setting is displayed as Enabled in the Windows Update window.

  8. Add the WSUS software publishing certificate to the group policy.

    This process adds the publishing certificate to the Trusted Root Certification Authority and Trusted Publishers certificate stores in the managed computers, enabling each computer to establish a secure network connection to the WSUS server and receive third-party updates.

    1. In the Group Policy Management Editor, click Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
    2. Right-click Trusted Root Certification Authorities and select Import.
    3. Complete the Certificate Import Wizard.

      When you are finished, the WSUS certificate is imported into the Trusted Root Certification Authority directory. This directory includes SolarWinds certificates, Microsoft certificates, and all certificates in the Third-Party Root Certification Authorities keystore.

    4. Navigate to the Public Key Policies directory.
    5. Expand the directory, right-click Trusted Publishers, and select Import.
    6. Complete the Certificate Import wizard.

      When you are finished, the certificate is imported into the Trusted Publishers directory. This directory includes certificates from trusted Certificate Authorities.

      The WSUS software publishing certificate is added to the group policy.

  9. Enable and configure the Configure Automatic Updates policy setting so the managed computers can automatically check the WSUS server for Windows and third-party updates each day or once a week at a scheduled time.
    1. Double-click Configure Automatic Updates in the Windows Update window.
    2. Select Enabled in the Configure Automatic Updates window.
    3. Click the Configure automatic updating drop-down menu and select an update method for the managed computers.

      The following table provides descriptions for each setting. Accept Auto download and notify for install (default setting) or select the setting that meets the deployment requirements.

      Notify before downloading and installing updates
        Patch Manager notifies you when updates are ready to download.

      Auto download and notify for install
        Patch Manager automatically downloads the updates and notifies the system administrator when they are ready to be installed.

      Automatically download updates and install them on the schedule specified below
        Patch Manager automatically downloads the updates and installs them every day or on a specific day (such as Sunday) at a specific time.

      Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates
        Patch Manager allows only the system administrator to use the Windows Update control panel to select a configuration option (for example, Not Configured, Enabled, or Disabled). Local administrators cannot disable the Automatic Updates configuration.
    4. Schedule a date and time for the installations.
    5. Click OK.

      The policy setting is displayed as Enabled in the Windows Update window.
  10. Enable the Specify Intranet Microsoft Update service location policy setting in the group policy. This setting enables the managed computers to identify the Microsoft Update service location (or WSUS server location) where they can receive Microsoft updates from the WSUS server.

    This setting is required to enable a WSUS server in the network.

    1. Double-click Specify intranet Microsoft update service location in the Windows Update window.
    2. Select Enabled in the window.
    3. Enter the IP address of the WSUS server in both Options box fields.

      If you do not have an intranet statistics server in the deployment, enter the WSUS server IP address in both fields.

      Use the information in the table below to complete the Options box fields.

      WSUS server OS                          SSL enabled?   Enter this URL
      Windows Server 2012, 2012 R2, or 2016   Yes            https://<ip_address>:8531
                                              No             http://<ip_address>:8530
      Windows Server 2008                     Yes            http://<ip_address>:443
                                              No             http://<ip_address>

      Windows Server 2008 systems use port 80 by default.

    4. Click OK.

      The policy setting is displayed as Enabled in the Windows Update window.

      The GPO is configured on the targeted domain.
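As an added verification step (this script is not part of the Patch Manager documentation or product), run the following PowerShell on a managed computer after the GPO has applied. It checks the registry values that steps 7, 9 and 10 write and confirms that the exported publishing certificate from step 8 is present in both machine stores; the certificate file path is an assumption.

```powershell
# Added verification script, not part of Patch Manager. Run on a managed computer
# after the GPO has applied (for example, after gpupdate /force).
# Assumption: the exported DER certificate is at the path below.
param(
    [string]$CertFile = 'C:\Temp\WSUS Publishing Certificate.cer'   # assumed path
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

$results = @()

# Step 7: "Allow signed updates from an intranet Microsoft update service location"
$results += [pscustomobject]@{ Check = 'AcceptTrustedPublisherCerts = 1'; Pass = ($wu.AcceptTrustedPublisherCerts -eq 1) }

# Step 10: "Specify intranet Microsoft update service location" (both Options fields)
$results += [pscustomobject]@{ Check = 'WUServer set';       Pass = -not [string]::IsNullOrEmpty($wu.WUServer) }
$results += [pscustomobject]@{ Check = 'WUStatusServer set'; Pass = -not [string]::IsNullOrEmpty($wu.WUStatusServer) }
$results += [pscustomobject]@{ Check = 'UseWUServer = 1';    Pass = ($au.UseWUServer -eq 1) }

# Step 9: "Configure Automatic Updates"; AUOptions 2..5 correspond to the four
# drop-down choices in the table (notify, auto download, scheduled install, local admin).
$results += [pscustomobject]@{ Check = 'AUOptions in 2..5';  Pass = ($au.AUOptions -in 2..5) }

# Step 8: publishing certificate must be in both LocalMachine stores; match by thumbprint
# so a differently named but identical certificate still passes.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
foreach ($store in 'Root', 'TrustedPublisher') {
    $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $results += [pscustomobject]@{ Check = "Certificate in LocalMachine\$store"; Pass = [bool]$found }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or RMM job flag machines that did not get the policy.
if ($results.Pass -contains $false) { exit 1 }
```

If the WUServer value shows the http scheme on port 8530 while the WSUS server was configured for SSL, the managed computer will be unable to reach it; compare the value against the URL table in step 10.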