Publishing a Package from Patch Daemon without Local Administrator Rights

Perform the following steps to publish a package from Patch Daemon without local Administrator rights.

To publish a package from Patch Daemon without Local Administrator Rights:

1. Install the Patch Daemon, configure it using the local Administrator account, and perform the following steps:

   a. Add your Flexera Software Vulnerability Manager Patch Daemon service account user (for example, test_user) to the local Administrators and WSUS Administrators groups on your DC.

      Note: Some security policies do not allow adding users to the local Administrators group, only to WSUS Administrators.

   b. To resolve permission issues when you cannot add the user to the local Administrators group, configure the settings below on the machine where the Patch Daemon is installed so that your user can publish a package successfully. Give your service user account Full control over all the items listed below, and perform all actions using an administrative account.

   c. Ensure that the test machine contains the WSUS certificate. If not, export the certificate from the WSUS machine's Trusted Publishers store and install it on the test machines in both the Trusted Root Certification Authorities and Trusted Publishers stores.
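The certificate step above, as an added PowerShell example (not Flexera's code or part of the original page). It assumes the WSUS signing certificate can be picked out of the WSUS machine's Trusted Publishers store by a fragment of its subject name; $SubjectMatch and $ExportPath are placeholders you adjust for your environment. Run it without -Import on the WSUS machine and with -Import on the test machine.

```powershell
# Added example (not Flexera's code). Exports the WSUS signing certificate from
# Trusted Publishers on the WSUS machine, then installs it into both stores named
# in the procedure on the test machine and verifies it is present in each.
param(
    [string]$SubjectMatch = 'WSUS',                        # assumption: subject-name fragment
    [string]$ExportPath   = "$env:TEMP\wsus-signing.cer",  # assumption: transfer location
    [switch]$Import                                        # omit on the WSUS machine, use on the test machine
)

function Find-ByThumbprint {
    param([string]$Store, [string]$Thumbprint)
    Get-ChildItem -Path "Cert:\LocalMachine\$Store" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
}

if (-not $Import) {
    # On the WSUS machine: locate exactly one matching certificate in Trusted Publishers.
    $found = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
               Where-Object { $_.Subject -like "*$SubjectMatch*" })
    if ($found.Count -ne 1) {
        throw "Expected exactly one TrustedPublisher certificate matching '$SubjectMatch', found $($found.Count)."
    }
    # -Type CERT writes a DER .cer holding the public certificate only; no private key leaves the server.
    Export-Certificate -Cert $found[0] -FilePath $ExportPath -Type CERT | Out-Null
    "Exported $($found[0].Subject) (thumbprint $($found[0].Thumbprint)) to $ExportPath"
}
else {
    # On the test machine: install into Trusted Root CAs and Trusted Publishers, then verify.
    $imported = Import-Certificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\Root
    Import-Certificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
    foreach ($store in 'Root', 'TrustedPublisher') {
        $present = Find-ByThumbprint -Store $store -Thumbprint $imported.Thumbprint
        "{0,-18} {1}" -f $store, $(if ($present) { 'present' } else { 'MISSING' })
    }
}
```

Both halves must run elevated because they touch LocalMachine stores. Check the printed thumbprint on the test machine against the one exported from the WSUS machine before publishing; a certificate that is in Trusted Publishers but not in Trusted Root CAs will still fail signature validation.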
2. Grant your service user account Full control over the following items (perform all actions using an administrative account):

   a. Add permission for your service account (test_user) to the following registry keys on the test machine where the Patch Daemon is installed:

      HKEY_LOCAL_MACHINE\Software\Flexera
      HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
      HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
      HKLM\Software\Microsoft\SystemCertificates\Disallowed
      HKLM\Software\Microsoft\Update Services\Server\Setup

   b. Add permission for your service account (test_user) to the following registry key on the WSUS machine:

      HKLM\SOFTWARE\Classes\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B}

      You might have to take ownership of this key. The logged-in user that is used to configure all permissions needs Full control of this key; this is required when configuring the DCOM permissions. The settings for the currently logged-in user can be changed back when everything is completed.
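Steps 2a and 2b, as one added PowerShell example (not Flexera's code or part of the original page). It grants the service account Full control on the listed keys and reads the ACL back to confirm. $Account is a placeholder for your service account; the -Role switch selects the key list for the test machine or the WSUS machine. The key paths themselves come from the page.

```powershell
# Added example (not Flexera's code). Grants Full control on the registry keys
# named in the procedure and verifies the resulting ACL. Run elevated.
param(
    [Parameter(Mandatory)][string]$Account,   # placeholder, e.g. 'CONTOSO\test_user'
    [ValidateSet('TestMachine', 'WsusServer')][string]$Role = 'TestMachine'
)

# Key paths from the procedure, written as PowerShell registry-provider paths.
$keysByRole = @{
    TestMachine = @(
        'HKLM:\SOFTWARE\Flexera',
        'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed',
        'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed',
        'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed',
        'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    )
    WsusServer = @(
        'HKLM:\SOFTWARE\Classes\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B}'
    )
}

function Grant-RegistryFullControl {
    param([string]$Key, [string]$Identity)
    $acl  = Get-Acl -Path $Key
    # ContainerInherit: subkeys inherit the rule. SetAccessRule replaces any existing
    # Allow rule for this identity rather than stacking a second one.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

function Test-RegistryFullControl {
    param([string]$Key, [string]$Identity)
    $acl = Get-Acl -Path $Key
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.RegistryRights -eq 'FullControl'
    })
}

foreach ($key in $keysByRole[$Role]) {
    if (-not (Test-Path -Path $key)) {
        # The Policies\...\Disallowed key in particular may not exist until a policy creates it.
        Write-Warning "$key does not exist on this machine; skipping."
        continue
    }
    try {
        Grant-RegistryFullControl -Key $key -Identity $Account
    }
    catch {
        # Typical for the AppID key when the current user does not own it (see step 2b).
        Write-Warning "Could not set the ACL on ${key}: $($_.Exception.Message)"
        continue
    }
    $state = if (Test-RegistryFullControl -Key $key -Identity $Account) { 'OK' } else { 'FAIL' }
    "{0,-5} {1}" -f $state, $key
}
```

Run it once per machine with the matching -Role. The Test-RegistryFullControl check looks for an explicit FullControl Allow entry for the exact identity string you passed, so pass the account the same way the ACL stores it (domain\user or machine\user), otherwise a correctly applied rule is reported as FAIL. Taking ownership of the AppID key, where needed, is done once interactively with the logged-in administrative account as the page describes; the script only sets the access rules.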
   c. Windows Explorer (file system) on the test machine:

      C:\ProgramData\Microsoft\Crypto
      C:\ProgramData\Flexera Software\SVM Patch

   d. WSUS content location:

      • The service user account needs to be added to the WSUS Administrators group.
      • The WSUS Administrators group needs Full access to the WSUS content location, both Share and NTFS permissions.
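Steps 2c and 2d, as one added PowerShell example (not Flexera's code or part of the original page). The two ProgramData folders are the page's; $Account, $ContentPath and $ContentShare are placeholders, since the page does not name the WSUS content folder or its share.

```powershell
# Added example (not Flexera's code). Sets NTFS rights on the Patch Daemon folders,
# ensures group membership, grants the WSUS Administrators group share and NTFS
# access to the WSUS content location, and reports the resulting entries. Run elevated.
param(
    [Parameter(Mandatory)][string]$Account,            # placeholder, e.g. 'CONTOSO\test_user'
    [string]$WsusGroup    = 'WSUS Administrators',
    [string]$ContentPath,                              # assumption: WSUS content folder, e.g. 'D:\WSUS\WsusContent'
    [string]$ContentShare                              # assumption: the SMB share name exposing $ContentPath
)

function Grant-FolderFullControl {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Missing folder: $Path"; return }
    # (OI)(CI)F = Full control, inherited by files and subfolders; /T also rewrites existing children.
    & icacls.exe $Path /grant "$($Identity):(OI)(CI)F" /T /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls returned $LASTEXITCODE for $Path" }
}

function Get-FolderEntries {
    param([string]$Path, [string]$Identity)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$($Identity.Split('\')[-1])" } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, AccessControlType
}

# 2c: folders on the test machine (paths from the procedure).
$folders = @('C:\ProgramData\Microsoft\Crypto', 'C:\ProgramData\Flexera Software\SVM Patch')
foreach ($f in $folders) { Grant-FolderFullControl -Path $f -Identity $Account }

# 2d: service account must be a member of the WSUS Administrators group.
$members = @(Get-LocalGroupMember -Group $WsusGroup -ErrorAction SilentlyContinue)
if (-not ($members | Where-Object { $_.Name -eq $Account })) {
    Add-LocalGroupMember -Group $WsusGroup -Member $Account
}

# 2d: WSUS content location, both NTFS and share permissions for the group.
if ($ContentPath -and $ContentShare) {
    Grant-FolderFullControl -Path $ContentPath -Identity $WsusGroup
    Grant-SmbShareAccess -Name $ContentShare -AccountName $WsusGroup -AccessRight Full -Force | Out-Null
}

# Report what is actually in place.
foreach ($f in $folders) { if (Test-Path -LiteralPath $f) { Get-FolderEntries -Path $f -Identity $Account } }
if ($ContentPath -and $ContentShare) {
    Get-FolderEntries -Path $ContentPath -Identity $WsusGroup
    Get-SmbShareAccess -Name $ContentShare | Where-Object { $_.AccountName -like "*$WsusGroup" }
}
```

The share and NTFS layers are evaluated independently, so the report prints both; a Full entry on one with a Read entry on the other still leaves the group unable to publish content. Get-LocalGroupMember and Get-SmbShareAccess are the Windows Server 2016 and later cmdlets; on older hosts use net localgroup and net share for the same checks.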
   e. DCOM (Distributed Component Object Model) on the WSUS machine. Open Dcomcnfg and go to Component Services > Computers > My Computer > DCOM Config, and modify the WSUSCertServer security settings:

      • Launch and Activation Permissions: give Local Launch and Local Activation rights to the WSUS Administrators group or your service user.
      • Access Permissions: give Local Access rights to the WSUS Administrators group or your service user.
      • Reboot the machine after changing the DCOM settings.
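A way to verify the DCOM settings from step 2e without opening Dcomcnfg, as an added PowerShell example (not Flexera's code or part of the original page). It decodes the LaunchPermission and AccessPermission security descriptors stored under the AppID key from step 2b, which this example assumes is the WSUSCertServer AppID, and reports whether $Identity holds the local rights the procedure asks for. $Identity is a placeholder.

```powershell
# Added example (not Flexera's code). Decodes the per-AppID DCOM permission blobs
# and checks the Launch/Activation and Access rights for one identity.
param(
    [string]$AppId    = '{8F5D3447-9CCE-455C-BAEF-55D42420143B}',     # AppID key from step 2b
    [string]$Identity = "$env:COMPUTERNAME\WSUS Administrators"       # assumption; or 'CONTOSO\test_user'
)

# COM access-mask bits as defined in objbase.h.
$COM_RIGHTS_EXECUTE         = 0x01
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10
$allSpecificBits = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE -bor
                   $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE

function Get-DcomAces {
    param([string]$ValueName)
    $key   = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    $bytes = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return $null }   # value absent: the machine-wide default descriptor applies
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Identity = $name; Type = $ace.AceType; Mask = [int]$ace.AccessMask }
    }
}

function Test-DcomRight {
    param([string]$ValueName, [int]$Needed, [string]$Who)
    $aces = Get-DcomAces -ValueName $ValueName
    if ($null -eq $aces) { return 'not set on this AppID (machine-wide default applies)' }
    $mask = 0
    foreach ($a in $aces) {
        if ($a.Identity -eq $Who -and $a.Type -eq 'AccessAllowed') { $mask = $mask -bor $a.Mask }
    }
    # A legacy ACE with only COM_RIGHTS_EXECUTE set and no specific bits grants all launch,
    # activation and access rights, local and remote.
    if (($mask -band $COM_RIGHTS_EXECUTE) -and -not ($mask -band $allSpecificBits)) { $mask = $mask -bor $allSpecificBits }
    if (($mask -band $Needed) -eq $Needed) { "granted (mask 0x{0:X})" -f $mask } else { "MISSING (mask 0x{0:X})" -f $mask }
}

"Launch and Activation, Local Launch + Local Activation for ${Identity}: " +
    (Test-DcomRight -ValueName 'LaunchPermission' -Needed ($COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_ACTIVATE_LOCAL) -Who $Identity)
"Access, Local Access for ${Identity}: " +
    (Test-DcomRight -ValueName 'AccessPermission' -Needed $COM_RIGHTS_EXECUTE_LOCAL -Who $Identity)

# For review: every identity that appears in either descriptor.
foreach ($v in 'LaunchPermission', 'AccessPermission') {
    "--- $v ---"; Get-DcomAces -ValueName $v | Format-Table Identity, Type, @{ n = 'Mask'; e = { '0x{0:X}' -f $_.Mask } } -AutoSize
}
```

Reading the key requires the same access the procedure arranges in step 2b, which is why that step comes first. The check only reads; any change is still made in Dcomcnfg, and the reboot the procedure calls for is what makes the new descriptors take effect for the running service.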
3. Service logon and publishing:

   a. Change the service logon user to test_user and restart the service.

   b. Once the service has restarted, you can log in to the test machine as your test user and publish patches.

      Note: test_user does not have the privilege to restart the Patch Daemon service.
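Step 3a, as an added PowerShell example (not Flexera's code or part of the original page). The page does not name the Patch Daemon service, so $ServiceName is a placeholder you read from Get-Service; the password is taken from a PSCredential prompt rather than typed into the script.

```powershell
# Added example (not Flexera's code). Switches the service logon account to the
# service user, restarts the service, and confirms the account it now runs as.
# Run elevated with the administrative account, not as test_user.
param(
    [Parameter(Mandatory)][string]$ServiceName,          # placeholder: the Patch Daemon service name
    [Parameter(Mandatory)][pscredential]$Credential     # e.g. (Get-Credential 'CONTOSO\test_user')
)

# Return codes of Win32_Service.Change that matter here.
$changeCodes = @{ 0 = 'Success'; 1 = 'Not supported'; 2 = 'Access denied'; 21 = 'Invalid parameter'; 22 = 'Invalid service account' }

function Get-ServiceLogon {
    param([string]$Name)
    $safe = $Name -replace "'", "''"     # keep the WQL filter well-formed
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$safe'"
}

$svc = Get-ServiceLogon -Name $ServiceName
if (-not $svc) { throw "Service '$ServiceName' not found." }
"Before: $($svc.Name) runs as $($svc.StartName), state $($svc.State)"

$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Credential.UserName
    StartPassword = $Credential.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    $reason = if ($changeCodes.ContainsKey([int]$result.ReturnValue)) { $changeCodes[[int]$result.ReturnValue] } else { 'see Win32_Service.Change return codes' }
    throw "Change failed: $($result.ReturnValue) ($reason)"
}

Restart-Service -Name $ServiceName -ErrorAction Stop
$after = Get-ServiceLogon -Name $ServiceName
"After:  $($after.Name) runs as $($after.StartName), state $($after.State)"
if ($after.StartName -ne $Credential.UserName) { Write-Warning 'Logon account did not change as expected.' }
```

Unlike the Services console, changing the account through Win32_Service.Change does not grant it the Log on as a service right; if Restart-Service then fails with a logon failure, grant that right to test_user first. Consistent with the note above, running this script as test_user is expected to fail at the Change or Restart-Service call, because the service user is deliberately not given control over the service itself.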