Submit a ticketCall us

WebinarUpcoming Webinar: How Help Desk and Remote Support Pays for Itself

Learn how help desk software can simplify ticketing management, allow you to track hardware and software assets, and accelerate the speed of IT support and service delivery. Gain insights on how remote support tools allow your IT team to maximize their efficiency and ticket resolution by expediting desktop troubleshooting, ultimately helping keep end-users happy and productive.

Register here.

Home > Success Center > Patch Manager > Patch Manager Documentation > Patch Manager 2.1.5 Administrator Guide > Configuring Patch Manager > Configure clients using Group Policy

Configure clients using Group Policy

Created by Caroline Juszczak, last modified by Steve.Hawkins on May 18, 2018

Views: 3,186 Votes: 2 Revisions: 12

To avoid using WMI connections required by the Client Publishing Setup Wizard, configure the clients using your Group Policy by exporting the WSUS certificate to a file. When you are finished, configure the Group Policy object, and then push the file to your managed clients.

Export the WSUS Certificate

Perform the following procedure to export the WSUS publishing certificate to a file from the Patch Manager Administrator Console.

  1. Open the Patch Manager Administrator Console.
  2. In the navigation menu, expand Enterprise > Update Services.


  3. Select the WSUS server to export the certificate.

    In the example above, SPM-MGOM is the WSUS server.

  4. In the Actions pane, click Software Publishing Certificate to display the Publishing Certificate Information window.


    If the window does not display the WSUS server certificate information:

    1. Click Close.
    2. Click Refresh Update Server in the Actions pane. 
    3. Click Software Publishing Certificate in the Actions pane. 
  5. Click [...]. 
  6. Click the Details tab in the certificate window.

  7. Click Copy to File, and click Next. 

  8. In the Certificate Export Wizard, click Next. 

  9. Select DER encoded binary X.509 (.CER), and click Next.


  10. Enter a file name, and click Next.


  11. Click Finish, and then click OK.  

Configuring the Group Policy Object

Use the following procedure to configure the Group Policy Object (GPO) and push to your managed clients in your Microsoft® Windows® domain.

The GPO stores the WSUS certificate in the certificate stores and configures the managed clients to accept third-party updates from non-Microsoft sources.

  1. Using an account with administrator privileges, open Administrative Tools and click Edit group policy.
  2. Create or edit a Group Policy Object to configure the clients.
  3. In the Group Policy Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  4. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted Publishers stores. 
    1. Under Public Key Policies, select Trusted Root Certification Authorities. 
    2. Click Action > Import. 
    3. Click Next. 
    4. Click Browse and select the certificate you saved in the previous procedure.
    5. Click Next. 
    6. Click Next again. 
    7. Click Finish. 
    8. Click OK. 
    9. Repeat these steps for the Trusted Publishers certificate store. 
  5. Expand Computer Configuration > Administrative Templates > Windows Components, and select Windows Update.
  6. Enable the Allow signed updates from an intranet Microsoft update service location policy. 
    1. In the center pane, select Allow signed updates from an intranet Microsoft update service location. 
    2. Click Action > Edit. 
    3. Select Enabled.
    4. Click OK.
Last modified