Using Shavlik Patch with Configuration Manager 2012 R2 – Part 4 : Configuring Your Shavlik Patch Settings

Posted: April 28, 2014 in Configuration Manager, System Center Configuration Manager 2012

The first time you use the Shavlik Patch add-in the Shavlik Patch Settings dialog will automatically be displayed. You must use this dialog to specify how to connect to your WSUS server and to your Protect Cloud account. You can return to this dialog at any time using the Settings button on the Home tab.

Before we start configuring the Shavlik Patch add-in we have to create the code signing certificate and configure our clients to Allow signed updates from an intranet Microsoft update service location via Group Policy.

Overview of Creating and Distributing Certificate

A code signing certificate is required when using Shavlik Patch with Configuration Manager and WSUS to publish third-party updates. In general, you must:

  1. Create a code signing certificate. You can do this using either an internal Certificate Authority (CA) or your WSUS server. In this series we’ll use an internal Certificate Authority (CA).
  2. If you use an internal CA to create the code signing certificate, you must import the certificate into WSUS, which you can do using Shavlik Patch.
  3. Export the certificate.
  4. Distribute the code signing certificate to the Trusted Publishers certificate store on all your WSUS servers and to your client machines.

Since the code-signing certificate will be issued by a CA whose root is already trusted by your clients, we only need to copy the certificate to the Trusted Publishers certificate store on our WSUS and client machines.

If you choose to create a code signing certificate on your WSUS server and you are using WSUS on Windows Server 2012 R2, the ability to create self-signed code signing certificates has been deprecated and is disabled by default. You can, however, restore this capability by using the workaround described in this article: WSUS no longer issues self-signed certificates (Shavlik Patch will automatically invoke this workaround if you choose to create a self-signed certificate using the Settings dialog.) Thanks to @Heinrich_Pelser for pointing this out.

Certificate Requirements

The minimum requirements of the signing certificate are:

  • Allow private key to be exported option enabled
  • Key Usage set to digital signature
  • Key size of at least 2048 bits

Creating and Issuing the Signing Certificate Template on the Certification Authority

  1. On the machine that is running the Certification Authority, start the Certification Authority management console.
  2. Expand the name of your certification authority (CA), and then click Certificate Templates.
  3. Right-click Certificate Templates, and click Manage to load the Certificate Templates management console.
  4. In the results pane, right-click the entry that displays Code Signing in the Template Display Name column, and then click Duplicate Template.
  5. On the Compatibility tab, set Certification Authority to “Windows Server 2003” and Certificate recipient to “Windows XP/Server 2003”.
  6. Click the General tab and enter a template name for the signing certificate template, such as Company Name WSUS Signing. This makes it easy to identify the purpose of the certificate. You can also change the Validity period to match your requirements.
  7. Click the Request Handling tab, and check Allow private key to be exported.
  8. Click the Subject Name tab, click Build from this Active Directory information and set Subject name format to: Common name.
  9. Click the Extensions tab, and make sure Key Usage includes Digital signature.
  10. Click the Security tab, select Authenticated Users and grant it Read and Enroll permission. (This is a demo environment; in production you could secure this more by only allowing the intended systems to enroll for the certificate.)
  11. Leave the other settings at their defaults. Click OK and close the Certificate Templates management console.
  12. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  13. In the Enable Certificate Templates dialog box, select the new template you have just created, ThinkIT Solutions WSUS Signing, and then click OK.

Requesting the Signing Certificate

  1. On a domain-joined machine, type mmc.exe, and then press Enter.
  2. In the empty management console, click File, and then click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
  4. In the Certificates snap-in dialog box, select My user account, and then click Finish.
  5. In the Add or Remove Snap-ins dialog box, click OK.
  6. In the console, expand Certificates – Current User, expand Personal and click Certificates.
  7. Right-click Certificates, click All Tasks and then Request New Certificate…
  8. Follow the Certificate Enrollment wizard to select the newly created certificate template, set a friendly name in the certificate properties and click Enroll.
  9. After enrollment succeeds, you will find the new certificate under Certificates – Current User -> Personal -> Certificates.
  10. Right-click the certificate you just enrolled and click All Tasks -> Export. Follow the export wizard to export the certificate without the private key and save it as WSUS.cer.
  11. Export the certificate again, and this time select Yes, export the private key on the second page of the Certificate Export Wizard, and save it as WSUSCodeSign.pfx.

Deploy the Signing Certificate through Group Policy

  1. On the domain controller, start the Group Policy Management console.
  2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.
  3. In the New GPO dialog box, enter a name for the new Group Policy, such as WSUS Signing Certificate, and click OK.
  4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.
  5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities.
  6. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the WSUS.cer file.
  7. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies / Trusted Publishers.
  8. Click the Action menu, and then click Import. Follow the Certificate Import Wizard and import the WSUS.cer file.
  9. Close Group Policy Management.

Using the Signing Certificate in the Shavlik Patch add-in

  1. Start the Configuration Manager console with the Run as administrator option (the certificate import will fail if you don’t do this).
  2. Within the Configuration Manager Software Library workspace, expand the Software Updates folder and click on Shavlik Patch.
  3. On the Configuration Manager Home tab, click Settings.
  4. In the Shavlik Patch Settings dialog, select the WSUS Server tab.
  5. Click Import.
  6. Navigate to the certificate file and click OK.
  7. Click OK and close the Shavlik Patch Settings dialog.

Client Group Policy

  1. On the domain controller, start the Group Policy Management console.
  2. Update or create a GPO to include the Allow signed updates from an intranet Microsoft update service location policy setting. (This is needed by all systems that will install 3rd party updates coming through Shavlik Patch.)
  3. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Administrative Templates / Windows Components / Windows Update.
  4. Enable the Allow signed updates from an intranet Microsoft update service location policy setting.
  5. Close Group Policy Management.
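As a check to run once the GPOs have applied, the following PowerShell script is added here (it is not from the original post or from Shavlik) and ties together the Certificate Requirements list, the Group Policy deployment and the client policy above: on a client it verifies that the signing certificate landed in the machine Trusted Publishers store with Digital Signature key usage and a 2048-bit or larger key, that it chains to the already-trusted internal CA, that only the public certificate (WSUS.cer, not the .pfx) was distributed, and that the Allow signed updates policy is in force. The thumbprint is a placeholder you must take from WSUS.cer; the registry value checked is the one that policy setting writes.

```powershell
# Added verification script, not part of the original post. Run in an elevated
# PowerShell session on a client (or WSUS server) after the GPOs have applied.
# The thumbprint below is an assumed placeholder; read it from WSUS.cer.
$Thumbprint = '<THUMBPRINT-OF-WSUS-SIGNING-CERT>'

$results = [ordered]@{}

# 1. The exported public certificate must be in the machine Trusted Publishers store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
$results['InTrustedPublishers'] = [bool]$cert

if ($cert) {
    # 2. Key Usage must include Digital Signature (from the Certificate Requirements list).
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $results['KeyUsageDigitalSignature'] = [bool]($ku -and (($ku.KeyUsages -band $digSig) -ne 0))

    # 3. The RSA public key must be at least 2048 bits.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $results['KeySize']   = if ($rsa) { $rsa.KeySize } else { 0 }
    $results['KeySizeOk'] = $results['KeySize'] -ge 2048

    # 4. The chain must build to a root this machine already trusts (the internal CA).
    $results['ChainTrusted'] = $cert.Verify()

    # 5. Only WSUS.cer (no private key) should reach clients; WSUSCodeSign.pfx stays with WSUS.
    $results['PrivateKeyAbsentOnClient'] = -not $cert.HasPrivateKey
}

# 6. "Allow signed updates from an intranet Microsoft update service location" sets
#    AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$accept = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts `
           -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
$results['AcceptTrustedPublisherCerts'] = ($accept -eq 1)

# Every value should read True (KeySize >= 2048) before Shavlik Patch publishes content.
[pscustomobject]$results | Format-List
```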

So now that we have created, deployed and imported the code signing certificate and configured our clients to Allow signed updates from an intranet Microsoft update service location via Group Policy, we can start to configure Shavlik Patch.

Configuring Your Shavlik Patch Settings

WSUS Server Tab

The WSUS Server tab is used to configure how the add-in will communicate with your WSUS Server. It is also used to define the certificate that will be used to digitally sign the content that is published to the WSUS server.

WSUS Server Information

  • Name: Confirm the name or IP address of your WSUS Server. This information will normally be detected and automatically populated.
  • Port: Confirm the port number used when making a connection to your WSUS Server. The default value for unsecured connections is either 80 or 8530. For secured connections you will typically use either 443 or 8531.
  • Secure Connection: If your WSUS Server has been configured to use a secure connection, enable this check box. A secure connection is mandatory if you need to import a signing certificate.
  • Test connection: If you want to test your ability to access the WSUS Server, click Test connection.

Code Signing Certificate Information

A code signing certificate is required in order to publish updates to the WSUS server. If you already have a signing certificate in place it will be shown in the Current Certificate area.
You can perform the following certificate tasks:

  • Export: Exports the current certificate from within Shavlik Patch. After exporting the certificate you will distribute it to your clients and to your infrastructure machines (e.g. other machines that run the Shavlik Patch add-in, downstream WSUS servers, and Windows Update clients). This is necessary in order for the machines to receive locally published updates.
  • Import: Imports a code signing certificate that was created by a Certificate Authority (CA). A secure connection is required in order to import a certificate.
  • Create a self-signed certificate: Creates a code signing certificate for your enterprise. This process uses the services of WSUS to create the certificate.

Account Tab

You must be signed in to the Shavlik Protect Cloud service in order for the add-in to automatically access and download the full Shavlik Patch catalog. The add-in uses your Protect Cloud account to periodically check for a new catalog. If you do not have a Protect Cloud account you will only receive trial content, which consists of only a few sample updates.

For more information about the Shavlik Protect Cloud, go to: https://protectcloud.shavlik.com.

  • User name: Type the user name that you use to authenticate to your Protect Cloud account.
  • Password: Type the password that you use to authenticate to your Protect Cloud account.
  • Register Now: If you don’t have a Protect Cloud account, click this button and follow the on-screen instructions to become a registered user. You must be a registered user in order to access the full Shavlik Patch catalog.
  • Verify: If you want to test your ability to connect to your Protect Cloud account using the supplied credentials, click Verify. If you cannot connect to your account you will not be able to access the full Shavlik Patch catalog.

Schedule Tab

This tab is used to publish updates using a recurring scheduled task. We’ll look more at this when publishing updates in the next post in this series.

Using Filters
Information displayed in the Shavlik Patch list and the Published Third-Party Updates list can be filtered to search for specific updates. You can also use a filter when scheduling a recurring task.

The default filters are identified by a leading asterisk. Default filters cannot be modified or deleted. The default filters include the following:

Shavlik Patch List

  • *All: All updates are displayed
  • *Not-Published: Only the updates that have not been published to WSUS are displayed
  • *Published: Only the updates that have been published to WSUS are displayed
  • *Selected: Only the updates you select in the grid are displayed

Published Third-Party Updates List

  • *All: All updates are displayed
  • *Selected: Only the updates you select in the grid are displayed

You can create your own custom filters. This powerful tool enables you to specify exactly which updates are displayed. Each custom filter is comprised of one or more rules. You can define as many rules in a filter as needed.

To create a new filter:

  1. Click the New Filter icon.
  2. Specify which rules in the filter must be matched.
    • All: Only those updates that match all the rules in the filter will be displayed
    • Any: Updates that match at least one rule in the filter will be displayed
  3. Define one or more rules.
    To define a rule, select an option in each of the first two logic boxes and then type the criteria in the third box. To add another rule simply click Add rule.
  4. Type a name for the filter.
  5. Click Save/Rename.

Assume you want to see a list of all critical updates for Adobe Acrobat. You simply create the following filter:

Source for WSUS Signing Certificate steps: Jason T. Lewis
Postings in this series:

Using Shavlik Patch with Configuration Manager 2012 R2 – Part 1 : Introduction
Using Shavlik Patch with Configuration Manager 2012 R2 – Part 2 : System Requirements
Using Shavlik Patch with Configuration Manager 2012 R2 – Part 3 : Installing the Shavlik Patch Configuration Manager Add-in
Using Shavlik Patch with Configuration Manager 2012 R2 – Part 4 : Configuring Your Shavlik Patch Settings
Using Shavlik Patch with Configuration Manager 2012 R2 – Part 5 : How to Publish Updates
Using Shavlik Patch with Configuration Manager 2012 R2 – Part 6 : Expiring Third-Party Updates
