
Wsus Package Publisher : Installation Guide

I. Check pre-requisites :
a. Microsoft .NET 4.0 must be installed on the local machine.
b. You must be Administrator of the local machine.
c. The Wsus server must be at release 3.0 SP2 or greater.
d. You can run Wsus Package Publisher on the Wsus server, or on a workstation. If you
run it on a workstation, the Wsus Administration Console must be installed first (or
RSAT for Windows 8), and the account used to run Wsus Package Publisher must be part
of the Wsus Administrators group of the Wsus server.
e. To run on Windows 8, first install RSAT (Remote Server Administration Tools).
f. Wsus Server and Wsus Console must be at the same level of release.

II. Download binaries :
a. Go to : http://wsuspackagepublisher.codeplex.com/releases
b. Get the latest release.

III. Connecting to the Wsus Server :
a. Start : Wsus Package Publisher.exe. If WPP runs on the Wsus server, it will detect the
Wsus Role, and therefore will automatically add the local server to the servers list.
b. Go to : Tools then Settings
The numbered fields of the Settings form are:
1 : Displays the list of defined Wsus Servers. Select which one you want to edit.
2 : The name of the current Wsus Server that you are editing.
3 : Check this option if WPP runs directly on the Wsus Server, and not on an
administrative computer. Some features will be available only if this option is
active. When this option is active, WPP won't use options 4 and 5.
4 : Select the TCP port on which Wsus listens.
5 : Select whether or not Wsus uses SSL.
6 : When you define a deadline for an update, these numbers will be added to the
current time, to set the default date-time deadline.
7 : If you are using a valid certificate but WPP thinks it is not, then you can check
this option to tell WPP to ignore Certificate validation errors.
8 : If you want to see locally published updates in the Wsus console, you need to
choose Let me choose or Always make this update. You need to check Connect to local
server to make this option available.

c. Fill the Server Name field.
d. Choose the Connection Port.
e. Check Use SSL as needed.
f. If Wsus Package Publisher runs on the Wsus server, check the Connect to local
server checkbox.
g. Click on the Add Server button.
h. Add other servers if necessary.
i. Click Ok to close the Settings Form.
WSUS Package Publisher Documentation

j. Ensure the right Server is selected.
k. Click on the Connect to Server button.
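
When WPP reports a certificate as invalid (option 7), it helps to see which validation check fails before choosing to ignore it. The PowerShell function below is an added example, not part of WPP or of the original guide; the server name and port 8531 are placeholder assumptions standing in for options 2 and 4.

```powershell
# Added example (not WPP code): report why the Wsus server's SSL certificate
# fails validation, instead of ignoring the error.
function Get-WsusTlsValidation {
    param(
        [Parameter(Mandatory)][string]$ServerName,  # same name as in option 2
        [int]$Port = 8531                           # assumption: port set in option 4
    )
    $seen = @{}   # filled in by the validation callback
    $callback = {
        param($sender, $certificate, $chain, $policyErrors)
        $seen.Errors      = $policyErrors
        $seen.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $seen.Cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        # Accepted only so the handshake completes and the details can be read;
        # no application data is sent on this connection.
        $true
    }.GetNewClosure()
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]$callback

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ServerName, $Port)
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $cb
        $ssl.AuthenticateAsClient($ServerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    [pscustomobject]@{
        ServerName   = $ServerName
        Subject      = $seen.Cert.Subject
        Issuer       = $seen.Cert.Issuer
        NotAfter     = $seen.Cert.NotAfter
        PolicyErrors = $seen.Errors        # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors...
        ChainStatus  = $seen.ChainStatus   # e.g. UntrustedRoot, NotTimeValid
    }
}

# Example call (placeholder server name):
# Get-WsusTlsValidation -ServerName 'wsus01.example.local' -Port 8531
```

A PolicyErrors value of None means the certificate validates from this machine; a name mismatch or an untrusted root points to the server name entered in WPP or to a missing issuer certificate on the administrative computer.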

IV. Setting the certificate :
a. When connected, go to Tools then Certificate :

Since Wsus 6.3 (Wsus on Windows Server 2012R2), Wsus is not able to issue a
Self-Signed certificate anymore. Hence, WPP will do it instead of Wsus. To do that,
WPP needs to run locally on the Wsus Server. You will need to have Administrator
privileges.

b. If you don't have a Code Signing Certificate, click on Generate the certificate. If
Wsus runs on Windows Server 2012R2 or beyond, then you have to run WPP locally
on the server to generate this Self-Signed Certificate. With previous versions of
Windows Server, you can run WPP on a remote machine or locally on the Wsus
Server.
c. Once the certificate has been generated, click on the Save the certificate button
to record the file onto the disk. (You will need it in the next step). Don't forget to
restart the Wsus Server.


d. If you already own a Code Signing Certificate, then enter the Certificate password
into the password field and click on the Load a certificate button. To be able
to load a certificate, you must run WPP on the Wsus server or remotely through an
SSL connection. (You will have to provide a .pfx file). Don't forget to restart the Wsus
Server.

On the Wsus server, open mmc.exe and add the Certificate snap-in (local computer).
If the operation succeeds, you should see the certificate in the Certificate snap-in.


V. Distributing certificate to clients :
a. If you use the Wsus self-signed certificate :
i. The certificate you saved in step IV. c. has to be distributed by GPO,
both to the Trusted Root Certification Authorities and to the Trusted
Publishers certificates folders.
b. If you provide your own certificate :
i. You only have to distribute the certificate to the Trusted Publishers
certificates folder.
ii. The certificate of the Authority that generated the Code Signing
Certificate should already be present in the Trusted Root Certification
Authorities.

You can distribute the Certificate by GPO.
The Certificate used to sign packages must be put in the Trusted Publishers.
The Certificate of the issuer (the same as above if you are using a self-signed
certificate) must be put in the Trusted Root Certification Authorities.


On client computers, look in the Local Computer stores. You should see the
certificate in the Trusted Root Certification Authorities and in the Trusted
Publishers.

VI. Set Computers to install Locally Published Updates :
a. In Workgroup:
You have to set this registry Value:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts = 1

b. In Active Directory:
In the GPO you use to set your computers, set the option Allow signed content from intranet
Microsoft update service location to yes.


Checking certificate deployment:


If you don't have your own Root Certificate Authority, you are using a Self-Signed Certificate
issued by Wsus (Wsus 3.2 or Wsus 6.2) or WPP (Wsus 6.3). Check your deployment against the
green row.
If you have your own Root Certificate Authority, you are using a Home-Made Certificate.
Check your deployment against the blue row.

                                      | Certificate    | Wsus Server                            | Client Machine
Certificate issued by Wsus/WPP        | Code Signing   | Wsus Store                             | Trusted Publisher Store
(Self-Signed Certificate) (green row) |                | Trusted Publisher Store                | Trusted Root Certification Authorities
                                      |                | Trusted Root Certification Authorities |
Your Certificate authority (blue row) | Code Signing   | Wsus Store                             | Trusted Publisher Store
                                      |                | Trusted Publisher Store                |
                                      | Root Authority | Trusted Root Certification Authorities | Trusted Root Certification Authorities

The Wsus Store is created by Wsus when calling the API SetSigningCertificate().
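
The client-side part of this checklist, together with the registry value from section VI, can be verified with a short script. The PowerShell function below is an added example, not part of WPP or of the original guide; the function name and the .cer path in the sample call are hypothetical.

```powershell
# Added example (not WPP code): check on a client that the code-signing
# certificate saved from WPP is deployed as the table above requires.
function Test-WppCertDeployment {
    param([Parameter(Mandatory)][string]$CerPath)   # file saved in step IV. c.

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Returns $true when a certificate with this thumbprint is in the given
    # Local Computer store.
    $inStore = {
        param($store, $thumbprint)
        [bool](Get-ChildItem "Cert:\LocalMachine\$store" |
               Where-Object { $_.Thumbprint -eq $thumbprint })
    }

    # Build the chain to find the issuer at its top. For a self-signed
    # certificate the top of the chain is the certificate itself.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Registry value from section VI (set directly or through the GPO).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $accept = (Get-ItemProperty -Path $key -Name AcceptTrustedPublisherCerts `
                  -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    $checks = [ordered]@{
        'Signing certificate in Trusted Publishers'  = (& $inStore 'TrustedPublisher' $cert.Thumbprint)
        'Issuer in Trusted Root Certification Auth.' = (& $inStore 'Root' $top.Thumbprint)
        'Certificate not expired'                    = ($cert.NotAfter -gt (Get-Date))
        'AcceptTrustedPublisherCerts = 1'            = ($accept -eq 1)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Ok = $checks[$name] }
    }
}

# Example call (hypothetical path to the saved certificate):
# Test-WppCertDeployment -CerPath 'C:\Temp\wpp-codesigning.cer'
```

Any row with Ok = False identifies the store or policy setting that the GPO has not yet applied on that client.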
