Tell Computers to Install Locally Published Updates
Non-domain-joined clients:
- Open the local Group Policy editor on the endpoint (Start -> Run -> gpedit.msc)
- Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update
- Select "Allow signed updates from an intranet Microsoft update service location" and enable the policy
Configure in bulk using a built-in task
See the endpoint configuration for WSUS steps (note: if you already ran this script before to initially configure the endpoints to WSUS, you can skip this step).
Domain-joined clients:
Using the same GPO that you use to configure your computers, set the option "Allow signed content from intranet Microsoft update service location" to "Enabled".
How: Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. Select "Allow signed content from intranet Microsoft update service location" and click Edit policy settings.
Deploy your code signing certificate on Endpoints
Non-domain-joined clients:
- Upload the certificate (.CER) to the client
- Double-click the certificate on each client and install it to both "Trusted Root Certification Authorities" and "Trusted Publishers"
Configure in bulk using a built-in task
See the 3rd party patching certificates steps
Domain-joined clients:
- Create/edit a GPO used to import the certificate (.CER) to all the endpoints in the domain (Computer Config > Windows Settings > Security Settings > Public Key Policies)
- Import it to both "Trusted Root Certification Authorities" and "Trusted Publishers"
Troubleshooting
Note: If you receive a download failure when trying to deploy 3rd party patches via JetPatch activities, it is likely due to a certificate issue (either the PFX was uploaded, or the CER was not uploaded to both places properly).
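To check an endpoint for the conditions named above, the following PowerShell audit can be run locally. It is an added example, not a JetPatch script; the path in $CerPath is an assumed location for your exported .CER file, and AcceptTrustedPublisherCerts is the registry value written by the "Allow signed updates/content from an intranet Microsoft update service location" policy.

```powershell
# Added example: read-only audit of one endpoint. Changes nothing.
param(
    # Assumption: path to the public code signing certificate (.CER), adjust as needed.
    [string]$CerPath = 'C:\Temp\wsus-signing.cer'
)

# Load the .CER and use its thumbprint to look it up in the machine stores.
$cerFile = (Resolve-Path -Path $CerPath -ErrorAction Stop).Path
$cer     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerFile)
$thumb   = $cer.Thumbprint

# 1. Policy: value is 1 when the "allow signed updates" policy is enabled.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts `
           -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

$results = @(
    [pscustomobject]@{
        Check  = 'Policy AcceptTrustedPublisherCerts'
        Pass   = ($policy -eq 1)
        Detail = "value: $policy"
    }
)

# 2. Certificate must be present in BOTH machine stores.
foreach ($store in 'Root', 'TrustedPublisher') {
    $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $thumb } |
             Select-Object -First 1

    $detail = if (-not $found) {
        'certificate not found in this store'
    } elseif ($found.HasPrivateKey) {
        # A private key on the endpoint means a PFX was imported, not the .CER.
        'private key present: PFX was imported, replace with the .CER'
    } elseif ($found.NotAfter -lt (Get-Date)) {
        "certificate expired on $($found.NotAfter)"
    } else {
        'ok'
    }

    $results += [pscustomobject]@{
        Check  = "Certificate in LocalMachine\$store"
        Pass   = ($detail -eq 'ok')
        Detail = $detail
    }
}

$results | Format-Table -AutoSize
```

Any row with Pass = False points at the step on this page to redo for that endpoint.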