- The 3rd Party Software Plugin should be installed in the Primary WSUS machine.
- WSUS must be at release 6.2 or greater.
- Operating System - Windows Server 2012 / 2012R2 / 2016 / 2019.
- .NET Framework 4 or greater must be installed.
- The credential used to run 3rd party software plugin must be part of the WSUS Administrators group of the WSUS Server
Installing and configuring the 3rd party software plugin
- Download: Get the latest release from the JetPatch catalog website (access required).
- Install the 3rd party software
- Launch JetPatch 3rd party software
- Connect to WSUS: Go to Menu, then Options and enable Publishing to an Update Server.
The 3rd party software plugin will sign the packages with a certificate that should be configured for each client as well.
- Signing Certificate - Click on "Create" a new Certificate
- Load Certificate - Click on “Browse” then select the certificate in format ".pfx "
- The pfx certificate is provided by the JetPatch team.
- Insert Password - Fill in the certificate password of the ".pfx" certificate.
- Restart The program.
To validate the certificate was created/imported successfully, open the program , go to Options -> Update server, and look if the information was provided in "Certificate issuer" and "Expiration Date"
Deploy your code signing certificate to clients and WSUS
Configure Code Signing Certificate on WSUS server
It should be listed twice on the server in the local certificates MMC (Publisher & WSUS):
- Upload the certificate to the client
- Double-click certificate on each client and install to the “Trusted Root Certification Authorities” and “Trusted Publishers”:
- Create/edit a GPO used to import the certificate to all the endpoints in the domain (Computer Config > Windows Settings > Security Settings > Public Key Policies):
Configure the Windows Update Agent settings
Follow the instruction in Endpoint and JetPatch Configuration for WSUS article in JetPatch Knowledge Center.
Note - It may also be required to adjust the PowerShell Execution Policy.
Tell Computers to install Locally Publish Updates :
Using the same GPO that you use to set your computers, set the option “Allow signed content from intranet Microsoft update service location” to "enable".
How: Navigate to Computer configuration > Policies > Administrative Templates > Windows Components > Windows Update. Select "Allow signed content from intranet Microsoft update service location" and click Edit policy settings.
The next thing consist to import and Publish 3rd Party Applications to WSUS.