Tell Computers to Install Locally Published Updates
Non-domain-joined clients:
- Open the Local Group Policy Editor on the endpoint (Start -> Run -> gpedit.msc)
- Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update
- Open "Allow signed updates from an intranet Microsoft update service location" and enable the policy
Configure in bulk using a built-in task
See the endpoint configuration for WSUS steps (note: if you already ran this script before to initially configure the endpoints to WSUS, you can skip this step).
Domain-joined clients:
Using the same GPO that you use to configure your computers, set the option "Allow signed content from intranet Microsoft update service location" to "Enabled".
How: Navigate to Computer configuration > Policies > Administrative Templates > Windows Components > Windows Update. Select "Allow signed content from intranet Microsoft update service location" and click Edit policy settings.
Deploy your code signing certificate on Endpoints
Non-domain-joined clients:
- Upload the certificate (.CER) to the client
- Double-click the certificate on each client and install it to the "Trusted Root Certification Authorities" and "Trusted Publishers" stores
Configure in bulk using a built-in task
See the 3rd party patching certificates steps
Domain-joined clients:
- Create or edit a GPO that imports the certificate (.CER) to all endpoints in the domain (Computer Config > Windows Settings > Security Settings > Public Key Policies)
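To audit a non-domain-joined endpoint for both settings above, and optionally apply them, the following added example (not part of the original article or the vendor's built-in task) checks the policy and both certificate stores. The parameter names are hypothetical, the thumbprint is a value you copy from the certificate on your WSUS server, and `AcceptTrustedPublisherCerts` is the registry value behind the "Allow signed updates..." policy, which the article itself does not name.

```powershell
# Added example, not vendor code. Run elevated on the endpoint.
# -CerPath and -ExpectedThumbprint are values you supply.
param(
    [Parameter(Mandatory)] [string] $CerPath,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,
    [switch] $Fix   # without -Fix the script only reports
)
$ErrorActionPreference = 'Stop'
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuValue = 'AcceptTrustedPublisherCerts'   # registry value behind the policy
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'

# Load the .CER and stop if it is not the certificate you expect to trust.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CerPath).Path)
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]').ToUpper()
if ($cert.Thumbprint -ne $expected) { throw "Thumbprint mismatch: $($cert.Thumbprint)" }
if ($cert.NotAfter -lt (Get-Date))  { throw "Certificate expired $($cert.NotAfter)" }
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and $eku.EnhancedKeyUsages.Value -notcontains $codeSigningOid) {
    throw 'Certificate is not valid for code signing'
}

# 1. Policy: signed updates from the intranet update service must be allowed.
$current  = (Get-ItemProperty -Path $wuKey -Name $wuValue -ErrorAction SilentlyContinue).$wuValue
$policyOk = $current -eq 1
if (-not $policyOk -and $Fix) {
    # Create the key only if absent; New-Item -Force on an existing key would overwrite it.
    if (-not (Test-Path $wuKey)) { New-Item -Path $wuKey -Force | Out-Null }
    New-ItemProperty -Path $wuKey -Name $wuValue -Value 1 -PropertyType DWord -Force | Out-Null
    $policyOk = $true
}
[pscustomobject]@{ Check = $wuValue; Ok = $policyOk }

# 2. Certificate: must be present in both machine stores named in the steps above.
foreach ($store in $stores) {
    $present = Test-Path (Join-Path $store $cert.Thumbprint)
    if (-not $present -and $Fix) {
        Import-Certificate -FilePath $CerPath -CertStoreLocation $store | Out-Null
        $present = $true
    }
    [pscustomobject]@{ Check = $store; Ok = $present }
}
```

On domain-joined clients, run it without `-Fix` as a read-only check, since the GPO settings described above reapply on the next policy refresh.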