Configure Patch Manager with WSUS for first-time use after initially installing the product

Overview

This article describes how to configure the Patch Manager server for first-time use after installation of Patch Manager.

Do NOT go through the First Time Usage Wizard after installation. Follow the steps in this article instead.

Environment

• All Patch Manager versions
• WSUS

Steps

1. Launch the Patch Manager Console.
2. After launching the Patch Manager, verify that WSUS has been added into the console:
   1. Expand Enterprise > Update Services. If a WSUS server appears, proceed to Step e, otherwise follow next step.
   2. Run the Add or Configure WSUS Server task in the Actions Pane.
   3. Input your WSUS server name and select Resolve.
      Note: Verify that you are using the correct port for your WSUS, ports 80 and 443(SSL), ports 8530 and 8531(SSL). Check the Administrative settings in IIS on WSUS to verify which port to use.
   4. Click Save.
   5. Once your WSUS appears in the console, configure credentials to access/manage it via Patch Manager. 
      1. In the left-pane, expand Patch Manager System Configuration > Security and User Management.
      2. Add your credentials using the Add Credential task in the Actions Pane:
         • DOMAIN\Username for domain accounts
         • .\ for local accounts
      3. Add more accounts and a local admin account, for various actions that the Patch Manager takes such as Inventory, Update Management, Approvals. The account required for the WSUS needs to be in the WSUS administrators group on the WSUS server. Check your users and groups on the server to verify.
      4. Once the credential has been added, assign it to the resource it will be managing using the Credential Rings in the middle pane. Double-click on the <Default> Credential Ring.
      5. In Step 2 of the Credential Ring Wizard, select the accounts from the drop-down, then Add in Step 3. 
      6. Assign the credentials to the actual resources they will be managing.
         1. Select Add Rule > Update Services Server.
         2. Click + by Update Services only.
         3. Once you see your server in the list on the left then select UPDATE SERVICES SERVERS to get the list to appear in the Middle-pane.
         4. Once in the middle-pane double-click your WSUS server to add it to the bottom list then click Ok. It will prompt you to select the credential.
            Note: You can also set your other resources. For example the Local Admin and Active Directory Domains and Workgroups.
         5. Click Finish. 
   6. Configure an inventory against these credentials to collect the information required to populate reports with data by adding the WSUS to the Management Groups, in Patch Manager System Configuration > Management Groups, run the Patch Manager Group Wizard if there is no Managed Enterprise listed. If Managed Enterprise is listed, select Managed Enterprise in the left-pane, then the middle and run Management Group Wizard.
      1. Run Patch Manager Group Wizard and type the name Managed Enterprise and continue the wizard as follows.
      2. Select Windows Server Update Services, then Next.
      3. Select your WSUS server from the drop-down menu and click Add Update Server.
      4. Click Next and then Finish.
      5. Once your WSUS appears in the Managed Enterprise list select it in the middle-pane
      6. In the Actions Pane, select Inventory to launch a Scheduling wizard.
      7. Schedule a time for after the machines have reported in to WSUS to ensure that you have the most up-to-date information from the WSUS db.
      8. Select the Recurrence pattern and the Range of recurrence, and click OK to launch the WSUS Inventory Options.
      9. Select the options as desired or select defaults for basic reporting.
      10. Click Save. You can find this inventory task in Administration and Reporting > Scheduled Tasks to verify it was generated.
      11. Select your AD then right-click Inventory.
      12. In the Inventory Configuration Editor, select the data points you want to collect or select the defaults reporting features.
      13. Follow the prompts run the report on the preferred schedule and click OK.
          Note: SolarWinds recommends that you run this during the day when the machines are on such that the connection to the client will not time out.
3. Configure the WSUS as a Publishing Server to accept the Third Party Updates to be published and to generate the certificate that will need to be installed on the clients to allow Third Party Update installation. 
   1. In the tree view in the left pane of the application, select Administration and Reporting > Software Publishing.
   2. Click Server Publishing Setup Wizard from the Actions pane. 
   3. On the first page of the wizard, select the upstream WSUS server from the WSUS Server menu. 
      1. If the wizard returns details for an existing publishing certificate, select Distribute existing WSUS signing certificate to required servers. 
      2. If the wizard does not return details for an existing publishing certificate, select Create self-signed certificate. 
   4. Click Next. 
   5. Select the Patch Manager servers, publishing servers, and downstream WSUS servers to which you want to distribute the publishing certificate, and then click Next. 
   6. Review the summary screen for any errors, and then click Finish.             
   7. On the dialog that instructs you to configure your managed clients, click OK. Review the following section for additional information about this process.
4. After configuring your WSUS server for Publishing, install the WSUS Self-Signing Certificate on your clients in the Trusted Root Certification Authorities and the Trusted Publishers directories. This can be done through GPO (© 2017 Microsoft, available at https://technet.microsoft.com, obtained on February 24, 2017.) (which is recommended) or you can do this through Client Certificate Management:
   1. In the left pane of the Patch Manager console, select Administration and Reporting. 
   2. In the center pane, click Client Certificate Management. 
   3. On the Client Certificate Management window, specify the WSUS publishing certificate to distribute: 
      1. Select Distribute and install Update Services Signing Certificate. 
         1. If you want to distribute the certificate directly from the WSUS server, select certificate from WSUS server, and then select the WSUS server from the active menu. (Recommended)
         2. If you want to distribute the certificate from a .cer file, select certificate from file, and then click […] to browse to the file location. 
      2. If the managed clients require SSL for remote connections: 
         1. Select Distribute and install Update Services Server SSL Certificate.
         2. Next to the File Name field, click […] to browse to the file location.
   4. Click Distribute.
   5. Complete the Task Options Wizard to specify the target systems and schedule and/or execute the task. For additional information on the Task Options Wizard see page 52 of the Admin Guide.
5. Following the WSUS configuration, configure your Patch Manager to update the Software Publishing catalogs with the latest updates for the Third-Party updates you wish to patch.
   1. In the left pane Select Administration and Reporting > Software Publishing, go to the Actions pane and select the Synchronization Settings.
   2. The first tab Synchronization will allow you to schedule the time and frequency of your synchronization tasks. SolarWinds recommends daily off-hours in the morning. You can also select to be notified in the console or via Email by configuring Email Settings on page 32 of the Admin Guide.
   3. Select the applications you prefer to sync in the Subscriptions tab.
   4. Configure Proxy Settings and verify that they are also configured as described on page 34 of the Admin Guide.
   5. Click OK.

This completes your initial configuration of the Patch Manager with WSUS. If you run into any issues with the steps please contact support.

For deploying Automation servers in your environment if you receive the Mismatching API Error when publishing or creating the Server Publishing certificate take a look at this thwack post.

If you are deploying in a disconnected/DMZ environment use this post