Using Group Policy to Configure Managed Clients

Created by Caroline Juszczak, last modified by Steve.Hawkins on May 19, 2017

Use Group Policy to configure managed clients if you do not want to use the WMI connections required by the Client Publishing Setup Wizard. This process consists of the following procedures:

Exporting the WSUS Certificate

Use the following procedure to export the WSUS publishing certificate to a file from the Patch Manager console.

  1. Open the Patch Manager Console.
  2. In the Patch Manager menu, expand Enterprise > Update Services. 
  3. Select the WSUS server from which you want to export the certificate.
  4. Click Software Publishing Certificate in the Actions pane.
    If the certificate information does not display: 
    1. Click Close.
    2. Click Refresh Update Server in the Actions pane. 
    3. Click Software Publishing Certificate in the Actions pane. 
  5. Click [...].
  6. Click the Details tab.
  7. Click Copy to File.
  8. Click Next.
  9. Leave DER encoded binary X.509 (.CER) selected, and click Next.
  10. Specify a name and location in the File Name field, and click Next.
  11. Click Finish.
  12. Click OK.

Configuring the Group Policy Object

Use the following procedure in Windows Server domains to configure the Group Policy Object (GPO) to push to managed clients. The GPO places the WSUS certificate into the appropriate certificate stores and configures the managed clients to accept third-party updates from non-Microsoft sources.

  1. Using an account with sufficient privileges, open Group Policy Management on a Windows Server domain controller.
  2. Create or edit a Group Policy Object to configure the clients.
  3. In the Group Policy Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  4. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted Publishers stores. 
    1. Under Public Key Policies, select Trusted Root Certification Authorities. 
    2. Click Action > Import. 
    3. Click Next. 
    4. Click Browse and select the certificate you saved in the previous procedure.
    5. Click Next. 
    6. Click Next again. 
    7. Click Finish. 
    8. Click OK. 
    9. Repeat these steps for the Trusted Publishers certificate store. 
  5. Expand Computer Configuration > Administrative Templates > Windows Components, and select Windows Update.
  6. Enable the Allow signed updates from an intranet Microsoft update service location policy. 
    1. In the center pane, select Allow signed updates from an intranet Microsoft update service location. 
    2. Click Action > Edit. 
    3. Select Enabled.
    4. Click OK.
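
A check for the result of the two procedures above, as an added example that is not part of the original guide: run on a managed client after the GPO has applied, it confirms that the exported certificate is in both machine stores and that the policy is enabled. The `$CertificatePath` parameter is an assumption, and the registry value name `AcceptTrustedPublisherCerts` (the value this policy writes under the Windows Update policy key) does not appear in the guide.

```powershell
# Added verification example (not from the Administrator Guide).
# Run in PowerShell on a managed client after the GPO has applied.
param(
    # Assumption: path to the .CER file exported from the Patch Manager console.
    [Parameter(Mandatory = $true)]
    [string]$CertificatePath
)

# Load the exported DER-encoded certificate to obtain its thumbprint.
$certFile = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile

$checks = @()

# The GPO should place the certificate in both machine stores.
foreach ($store in 'Root', 'TrustedPublisher') {
    $match = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $checks += [pscustomobject]@{
        Check  = "Certificate present in LocalMachine\$store"
        Passed = [bool]$match
    }
}

# "Allow signed updates from an intranet Microsoft update service location"
# is stored as this DWORD under the Windows Update policy key (1 = enabled).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $wuKey -Name 'AcceptTrustedPublisherCerts' -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{
    Check  = 'Allow signed updates policy enabled'
    Passed = ($null -ne $policy -and $policy.AcceptTrustedPublisherCerts -eq 1)
}

# Flag a certificate that is past its validity period.
$checks += [pscustomobject]@{
    Check  = "Certificate not expired (NotAfter $($cert.NotAfter.ToString('u')))"
    Passed = ($cert.NotAfter -gt (Get-Date))
}

# Print the identity so it can be compared with the console's certificate details.
"Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)"
$checks | Format-Table -AutoSize

# Non-zero exit code lets a deployment or compliance job detect a failed check.
if ($checks.Passed -contains $false) { exit 1 }
```

Compare the printed thumbprint with the one shown on the Details tab in the Patch Manager console before relying on the result, since the script only proves that the file you supplied matches what the client trusts.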