Using Group Policy to Configure Managed Clients

Created by Caroline Juszczak, last modified by MindTouch on Jun 23, 2016

Use Group Policy to configure managed clients if you do not want to use the WMI connections required by the Client Publishing Setup Wizard. This process consists of the following procedures:

Exporting the WSUS Certificate

Use the following procedure to export the WSUS publishing certificate to a file from the Patch Manager console.

To export the WSUS publishing certificate to a file:

  1. Open the Patch Manager console.
  2. In the left pane, expand Enterprise > Update Services.
  3. Select the WSUS server from which you want to export the certificate.
  4. In the Actions pane (right), click Software Publishing Certificate.
  5. If this dialog does not display the WSUS server's certificate information:
    1. Click Close.
    2. Click Refresh Update Server in the Actions pane (right).
    3. Re-open the Software Publishing Certificate dialog.
  6. Click [... ].
  7. Click the Details tab.
  8. Click Copy to File.
  9. Click Next.
  10. Leave DER encoded binary X.509 (.CER) selected, and then click Next.
  11. Specify a name and location in the File name field, and then click Next.
  12. Click Finish.
  13. Click OK.

Configuring the Group Policy Object

Use the following procedures to configure the Group Policy Object (GPO) to push to managed clients. The GPO puts the WSUS certificate into the appropriate certificate stores and configures the managed clients to accept third-party updates from non-Microsoft sources.

To configure managed clients using Group Policy on Windows Server domains:

  1. Using an account with sufficient privileges, open Group Policy Management on a Windows Server domain controller: Start > Administrative Tools > Group Policy Management.
  2. Create or edit a Group Policy Object to configure the clients.
  3. In the Group Policy Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  4. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted Publishers stores:
    1. Under Public Key Policies, select Trusted Root Certification Authorities.
    2. Click Action > Import.
    3. Click Next.
    4. Click Browse, and then browse to the certificate you saved in the previous procedure.
    5. Click Next.
    6. Click Next again.
    7. Click Finish.
    8. Click OK on the success dialog.
    9. Repeat these steps for the Trusted Publishers certificate store.
  5. Expand Computer Configuration > Administrative Templates > Windows Components, and then select Windows Update.
  6. Enable the Allow signed updates from an intranet Microsoft update service location policy:
    1. In the center pane, select Allow signed updates from an intranet Microsoft update service location.
    2. Click Action > Edit.
    3. Select Enabled.
    4. Click OK.
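
To confirm on a managed client that the GPO applied, the following PowerShell check (an added example, not part of the original guide or of Patch Manager) compares the exported certificate against the two machine certificate stores and reads the registry value that the Allow signed updates policy sets. The script and its `-CertPath` parameter are illustrative; it assumes the .CER file exported in the first procedure is reachable from the client.

```powershell
# Added example: verify that a managed client received the WSUS publishing
# certificate and the "Allow signed updates..." policy from the GPO.
param(
    # Assumption: path to the .CER file exported from the Patch Manager console
    [Parameter(Mandatory = $true)]
    [string] $CertPath
)

# Load the exported certificate so the check is tied to its exact thumbprint,
# not just to a subject name that another certificate could share.
$file = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

$results = @()

# The GPO must place the certificate in both machine stores.
foreach ($store in 'Root', 'TrustedPublisher') {
    $present = Test-Path -LiteralPath "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
    $results += [pscustomobject]@{
        Check  = "Certificate present in LocalMachine\$store"
        Passed = $present
    }
}

# An expired publishing certificate causes signature validation to fail on clients.
$results += [pscustomobject]@{
    Check  = "Certificate not expired (NotAfter $($cert.NotAfter.ToString('u')))"
    Passed = ($cert.NotAfter -gt (Get-Date))
}

# The Windows Update policy is stored as AcceptTrustedPublisherCerts = 1.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = (Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
$results += [pscustomobject]@{
    Check  = 'Allow signed updates from an intranet Microsoft update service location'
    Passed = ($policy -eq 1)
}

"Thumbprint under test: $($cert.Thumbprint)"
$results | Format-Table -AutoSize

# A non-zero exit code lets a deployment or compliance job flag the client.
if ($results.Passed -contains $false) { exit 1 }
```

Run it after `gpupdate /force` on the client. The thumbprint it prints should match the one shown in the Software Publishing Certificate dialog for the WSUS server.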