This post covers integrating Secunia CSI 5 with SCCM 2012. Once integrated, Secunia CSI helps automate patch detection and installation.
- An SCCM Site Server with the Software Update Point role installed.
- Download Secunia CSI 5.
Install Secunia CSI 5
- Connect to your SCCM VM.
- Double-click the installation file you received from Secunia. The first page of the installation will appear.
- Accept the license agreement.
- Choose install location and hit “Install”.
- The installation will finish.
- A menu will appear asking “Would you like to launch Secunia CSI now?”, hit “Yes”.
- Log in to Secunia using the username and password they sent you. The main screen will appear after the login.
- Expand the “Patch” section on the left. Click on “WSUS Configuration”, then click on “Configure Upstream Server”.
- A menu named “CSI WSUS Configuration Wizard” will appear. Enter the name of your WSUS server, then enter the WSUS server port number (this may vary depending on your settings). If you have WSUS configured to accept SSL connections, check the box next to “Use SSL Connection”. Hit the “Connect” button below, and if the connection was successful you will see a box with a green check in it. Hit “Next”.
- For the next step click “Automatically create and install certificate”. This will (should) put “WSUS Self Signed Certificates” in your “Trusted Root Certificates” and “Trusted Publishers” stores. A green check box will display when the certificates are successfully installed.
- Open the Certificates manager on the local computer. There should be a “WSUS Publishers Self-signed” Certificate in the stores of “Trusted Root” and “Trusted Publishers”.
- Export this self-signed certificate in “Base-64 encoding” for future use.
- For “Step 3” in the “WSUS Configuration Wizard”, choose “Use SCCM to Distribute packages” and hit the “Close” button. We will configure Group Policy manually.
Group Policy for Secunia
- Open “Group Policy Management”. Decide where you would like to store your GPO. Right-click on the folder location you chose and click “Create a GPO in this domain, and Link it here…”.
- A menu named “New GPO” will appear. Give the GPO a name and select “none” for “Source Starter GPO”. Hit “OK” when you're finished.
- The GPO will be created. Right-click on your new GPO and hit “Edit”.
- Under “Computer Configuration” expand “Policies” -> “Administrative Templates” -> “Windows Components” and click on the “Windows Update” folder.
- Edit the last option named “Allow signed updates from an intranet Microsoft update service location”. A menu will pop up; select “Enabled” and hit “Apply” + “Ok”.
- Collapse all menus on the left-hand side.
- Expand “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Public Key Policies”. Import the certificate that you exported in the previous section into both the “Trusted Root” and “Trusted Publishers” stores.
- The GPO should now be set up correctly.
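To confirm on a client that the GPO actually took effect, a check like the following can be run in an elevated PowerShell session after a policy refresh. It is an added example, not part of the original post or of Secunia's tooling; it assumes the certificate subject contains “WSUS Publishers Self-signed” and reads the AcceptTrustedPublisherCerts policy value written by the “Allow signed updates from an intranet Microsoft update service location” setting.

```powershell
# Added example: verify the Secunia/WSUS GPO on a client (run after 'gpupdate /force').
# Assumption: the certificate subject contains the name seen in the certificate manager.
$certName = 'WSUS Publishers Self-signed'
$stores   = 'Root', 'TrustedPublisher'   # Trusted Root and Trusted Publishers (machine)
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. "Allow signed updates from an intranet Microsoft update service location"
#    is stored as AcceptTrustedPublisherCerts = 1 under the Windows Update policy key.
$value = (Get-ItemProperty -Path $policy -Name AcceptTrustedPublisherCerts `
          -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
if ($value -eq 1) { Write-Host 'OK    policy: signed intranet updates are allowed' }
else              { Write-Host 'FAIL  policy: AcceptTrustedPublisherCerts is not 1 (GPO not applied?)' }

# 2. The certificate must be present and unexpired in BOTH machine stores.
$found = foreach ($store in $stores) {
    $certs = @(Get-ChildItem -Path "Cert:\LocalMachine\$store" |
               Where-Object { $_.Subject -like "*$certName*" })
    if ($certs.Count -eq 0) {
        Write-Host "FAIL  ${store}: certificate not found"
        continue
    }
    foreach ($c in $certs) {
        $state = if ($c.NotAfter -lt (Get-Date)) { 'FAIL  expired,' } else { 'OK   ' }
        Write-Host "$state ${store}: $($c.Thumbprint) valid until $($c.NotAfter.ToString('yyyy-MM-dd'))"
        # Clients only need the public certificate. A private key here means the
        # export included it, so this machine could sign packages that every
        # client covered by the GPO would trust.
        if ($c.HasPrivateKey) { Write-Host "WARN  ${store}: private key is present on this machine" }
        [pscustomobject]@{ Store = $store; Thumbprint = $c.Thumbprint }
    }
}

# 3. Both stores should hold the same certificate (same thumbprint).
$thumbs = @($found | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
if ($thumbs.Count -gt 1) {
    Write-Host 'WARN  the stores hold different certificates; re-import the exported file'
}
```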
Please leave any comments, questions or concerns!