Prerequisites
WSUS
- Static Public IP: WSUS must have a static public IPv4 address. IPv6 must be disabled.
- Catalog Access: WSUS must be able to communicate with http://catalog.jetpatch.com/ (Note: Access is required. Please send your WSUS public IP to the JetPatch team. Once whitelisted, verify on the WSUS server that accessing http://catalog.jetpatch.com/10mb.msi downloads the file with an MSI extension.)
- Timestamping Access: WSUS must be able to communicate with DigiCert’s timestamping service.
  - Whitelist Requirement: Ensure your firewall or proxy allows access to all subdomains of DigiCert (i.e., *.digicert.com). This covers any endpoint used during the timestamping operation via http://timestamp.digicert.com.
- Installation Requirements: The 3rd Party Software Plugin should be installed on the Primary WSUS machine (as well as any relevant replicas).
- WSUS Version: WSUS must be at release 6.2 or greater.
Machine
- Operating System - Windows Server 2019 / 2022 recommended
- .NET Framework 4 or greater must be installed.
- The credential used to run the 3rd party software plugin must be a member of the WSUS Administrators group on the WSUS server.
- Ensure that the firewall allows the SCUP application to operate without interference. Refer to the steps below to add a firewall exclusion for SCUP, if needed.
Installing and configuring the 3rd party software plugin (including Certificate Configuration)
- Go to: http://catalog.jetpatch.com/ (access required, please send WSUS public IP to JetPatch team)
- Download and install: System Center Updates Publisher (Updates Publisher), the .PFX (you will need to load the .PFX in the Updates Publisher), and the .CER
- Launch Updates Publisher
- Click on the blue Menu in the top left corner
- Then click on Options
- On the first page that opens, select Enable Publishing to an Update Server.
- Choose "Connect to a local update server"
- After that, click Test Connection. It should report success and then ask about a certificate (see the next step).
Certificate Validation
- Load Certificate - Click on "Browse", then select the certificate in ".pfx" format
- Signing Certificate - Click on "Create" a new Certificate
- Insert Password - Fill in the certificate password of the ".pfx" certificate (provided by the JetPatch team)
- Test Connection Again
- Hit OK and Restart the Program.
To validate that the certificate was created/imported successfully, open Updates Publisher, go to Options -> Update server, and check that "Certificate issuer" and "Expiration Date" are filled in.
Deploy your code signing certificate on WSUS
The 3rd party software plugin will sign the packages with a self-signed certificate (it should be downloaded from http://catalog.jetpatch.com/). The .CER should be installed on the WSUS server and on every endpoint that will be getting 3rd Party app updates.
- Open MMC Console as admin
- File -> Add/Remove Snap In
- Find Certificates and click on Add
- Select Computer account
- Local computer then finish
- Install the certificate (.CER) in MMC into the Trusted Root Certification Authorities, Trusted Publishers, and WSUS folders (note: the WSUS folder may be spelled out as WindowsServerUpdateServices in some versions of WSUS, but either way put it in that folder).
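The same certificate deployment can be scripted for the WSUS server and for endpoints. The PowerShell below is an added example, not part of the original article or JetPatch's tooling: the file path and thumbprint are placeholders, and it assumes the expected thumbprint was obtained from the JetPatch team through a separate channel. Because the certificate becomes a trusted root and trusted publisher, the script refuses to import a file whose thumbprint does not match.

```powershell
#Requires -RunAsAdministrator
# Added example, not JetPatch's own tooling.
param(
    [string]$CerPath = 'C:\Temp\jetpatch-codesign.cer',          # assumed download location
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-JETPATCH>'   # placeholder, confirm out of band
)
$ErrorActionPreference = 'Stop'

# Parse the file first so nothing is trusted before it has been inspected.
$full = (Resolve-Path -LiteralPath $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full

# The catalog URL is plain HTTP, so pin the certificate to a thumbprint
# received through a separate channel before adding it as a trusted root.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Not importing."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter). Not importing."
}

# Root and TrustedPublisher exist on every Windows machine. The WSUS store is
# looked up under both names the article mentions and skipped when absent
# (assumption: endpoints without the WSUS role do not have it).
$stores = @('Root', 'TrustedPublisher')
$stores += @(@('WSUS', 'WindowsServerUpdateServices') |
    Where-Object { Test-Path "Cert:\LocalMachine\$_" } | Select-Object -First 1)

foreach ($store in $stores) {
    $location = "Cert:\LocalMachine\$store"
    Import-Certificate -FilePath $full -CertStoreLocation $location | Out-Null
    # Read the store back so the report reflects what is actually installed.
    $present = Get-ChildItem $location | Where-Object Thumbprint -eq $cert.Thumbprint
    [pscustomobject]@{
        Store     = $store
        Installed = [bool]$present
        Subject   = $cert.Subject
        NotAfter  = $cert.NotAfter
    }
}
```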
What's Next?
The next step is to import and publish 3rd Party Applications to WSUS.