Configure the group policy object to enable third-party updates

Updated March 11th, 2016

Overview

The group policy defines the user, security, and networking policies for all computers in a Microsoft® Windows® network. To enable the managed computers to receive third-party updates from the Windows Server Update Services (WSUS) server:

  1. Export the software publishing certificate from the WSUS server to a certificate file.
  2. Configure the group policy object (GPO) on the domain controller.
  3. (Optional) Refresh the group policy on the managed systems. 

Environment

All SolarWinds Patch Manager versions

Steps

Export the software publishing certificate from the WSUS server

Export the software publishing certificate so you can add the file to the group policy object (GPO). When you push the GPO to the managed systems, each system can accept third-party updates from non-Microsoft® sources.

  1. Open the SolarWinds Patch Manager Admin Console. 
  2. In the Patch Manager menu, expand Enterprise > Update Services, and then select the WSUS server.
    For example, SPM-MGOM.
  3. In the Actions pane, click Software Publishing Certificate.
    The certificate information is displayed in the Publishing Certificate Information window.
      
    If the certificate information does not display in the window:
    1. Click Close.
    2. In the Actions pane, click Refresh Update Server.
    3. Re-open the Software Publishing Certificate dialog.
  4. Click […] in the Publishing Certificate Information window.
  5. Click the Details tab and select WSUS Publishing Certificate.
  6. Click Copy to File in the Certificate window. 
  7. Click Next in the Certificate Export Wizard. 
  8. Select DER encoded binary X.509 (.CER), and click Next.
  9. Enter a file name.
    For example, WSUS Publishing Certificate.
  10. Complete the Certificate Export Wizard.
    The software publishing certificate is exported to a file. 

Configure the group policy object

Configure the Windows Update policies and the certificate stores on the managed computers so they accept third-party updates from non-Microsoft sources.

See the Microsoft TechNet website for additional information about configuring group policies. 

  1. Log in to the domain controller as an administrator. 
  2. Copy the software publishing certificate to the domain controller desktop or another location on the server.
  3. Navigate to the Control Panel and open Group Policy Management.
  4. In the Group Policy Management menu, navigate to the domain that contains the GPO for the targeted domain.

    For example, Default Domain Policy

  5. Double-click the GPO.
  6. Review the Group Policy Management Console window text, and click OK.
  7. In the Windows Update window, select the Allow signed updates from an intranet Microsoft update service location setting to enable Windows Update on managed computers to accept non-Microsoft updates (or third-party updates) from a Microsoft Update location (or WSUS server) in the corporate network.
    1. Right-click the GPO and select Edit.
    2. In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Components.
    3. Scroll down and select Windows Update.
    4. Double-click Allow signed updates from an intranet Microsoft update service location in the Windows Update window.
    5. Select Enabled in the Configure Automatic Updates window.
    6. Click OK.
  8. Add the WSUS software publishing certificate to the group policy.
    This procedure adds the publishing certificate to the Trusted Root Certification Authority and Trusted Publishers certificate stores in the managed computers, enabling each computer to establish a secure network connection to the WSUS server and receive third-party updates.
    1. In the Group Policy Management Editor, click Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
    2. Right-click Trusted Root Certification Authorities and select Import.
    3. Complete the Certificate Import Wizard.
      The WSUS certificate is imported into the Trusted Root Certification Authority directory. This directory includes SolarWinds certificates, Microsoft certificates, and all certificates in the Third-Party Root Certification Authorities keystore.
    4. Navigate to the Public Key Policies directory.
    5. Expand the directory, right-click Trusted Publishers, and select Import.
    6. Complete the Certificate Import wizard.
      The WSUS certificate is imported into the Trusted Publishers directory and added to the group policy. This directory includes certificates from trusted Certificate Authorities.
  9. Enable and configure the Configure Automatic Updates policy setting so the managed computers can automatically check the WSUS server for Windows and third-party updates each day or once a week at a scheduled time.
    1. Double-click Configure Automatic Updates in the Windows Update window.
    2. Select Enabled in the Configure Automatic Updates window.
    3. Click the Configure automatic updating drop-down menu and select an update method for the managed computers.
    4. Schedule a date and time for the installations.
    5. Click OK.
      The policy setting displays as Enabled in the Windows Update window.
  10. Enable the Specify intranet Microsoft update service location policy setting in the group policy. This setting enables the managed computers to identify the Microsoft Update service location (or WSUS server location) where they can receive Microsoft updates from the WSUS server.
    1. Double-click Specify intranet Microsoft update service location in the Windows Update window.
    2. Select Enabled in the window.
    3. Enter the IP address of the WSUS server in both Options box fields.

      If you do not have an intranet statistics server in the deployment, enter the WSUS server IP address in both fields.

      Use the information in the table below to complete the Options box fields.

      WSUS server operating system    SSL enabled?    IP address
      Windows Server 2012,            Yes             https://<ip_address>:8531
      Windows Server 2012 R2          No              http://<ip_address>:8530
      Windows Server 2008             Yes             http://<ip_address>:443
                                      No              http://<ip_address>

      Windows Server 2008 systems use port 80 by default.

    4. Click OK.
      The policy setting displays as Enabled in the Windows Update window.
      The GPO is configured on the targeted domain.

(Optional) Refresh the group policy on the managed systems

After you configure the group policy for third-party updates, refresh the updated group policy on the managed systems. This process enables the managed systems to trust and enable the third-party updates published by the WSUS server.

  1. Log in to Patch Manager as an administrator.
  2. In the Patch Manager menu, maximize Enterprise and select Managed Computers.
  3. Select the targeted workgroup or system in the Managed Computers pane.
  4. Right-click the selection and select Refresh Group Policy.
  5. Select the systems or workgroup in the wizard, and click Finish.

    SolarWinds Patch Manager triggers the managed system to contact the domain controller and download the policy updates.

    This process may require several hours to complete for a domain.

    When the policy updates are completed, the managed systems can receive updates from SolarWinds Patch Manager.

  6. Repeat step 3 through step 5 for any additional managed systems you want to update.
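
To confirm on a managed computer that the refreshed policy carries the settings configured above, the following PowerShell check reads the Windows Update policy registry values and looks for the exported certificate in both certificate stores. It is an added example, not part of the SolarWinds documentation; the certificate file path is an assumption and should point to a copy of the file exported from the WSUS server.

```powershell
# Added example. Run in an elevated PowerShell session on a managed computer.
param(
    # Assumed location of the certificate file exported from the WSUS server.
    [string]$CerPath = 'C:\Temp\WSUS Publishing Certificate.cer'
)
# Stop on errors so an unreadable certificate file cannot produce a false pass.
$ErrorActionPreference = 'Stop'

# Registry location where the Windows Update group policy settings are written.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# "Allow signed updates from an intranet Microsoft update service location"
Add-Result 'Allow signed updates' ($wu.AcceptTrustedPublisherCerts -eq 1) `
    "AcceptTrustedPublisherCerts=$($wu.AcceptTrustedPublisherCerts)"

# "Specify intranet Microsoft update service location" (both Options box fields)
$locOk = $wu.WUServer -and $wu.WUStatusServer -and ($au.UseWUServer -eq 1)
Add-Result 'Intranet update service location' $locOk `
    "WUServer=$($wu.WUServer); WUStatusServer=$($wu.WUStatusServer)"

# "Configure Automatic Updates" set to Enabled writes NoAutoUpdate=0 and an AUOptions value.
$auOk = ($au.NoAutoUpdate -eq 0) -and ($null -ne $au.AUOptions)
Add-Result 'Configure Automatic Updates' $auOk "AUOptions=$($au.AUOptions)"

# The exported publishing certificate must be present in both stores populated by the GPO.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
foreach ($store in 'Root', 'TrustedPublisher') {
    $found = Test-Path "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
    Add-Result "Certificate in $store store" $found "thumbprint=$($cert.Thumbprint)"
}

# Show every check and return a non-zero exit code if any of them failed.
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```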

 

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

 

Last modified
09:28, 21 Jun 2017
