Configure SCCM Software Update Point for SSL

Microsoft deprecated HTTP-only communication in Configuration Manager to increase security. HTTP-only client communication will no longer be supported in the first release after October 31, 2022, so existing infrastructure should be configured for HTTPS-based communication in ConfigMgr. HTTPS communication is enabled using PKI certificates.

HTTPS communication is also required on the Software Update Point if you want to use a Cloud Management Gateway (CMG) to support internet-based clients. If you are not ready for HTTPS-based communication for all clients and only need an SSL-enabled Software Update Point for the CMG, dedicate a site system to the CMG and host both the management point and the software update point role on it.

In this blog post, we walk through the SSL requirements and configuration for an SCCM Software Update Point. We use SSL certificates issued by a Microsoft Public Key Infrastructure (PKI).

Related Post:

Configure Management Point for HTTPS | ConfigMgr | SCCM

Deploy client authentication certificate for SCCM clients

Issue & Enroll server authentication certificates for ConfigMgr IIS servers

If you have already configured the Management Point for HTTPS and the SUP role is installed on the same site system server, this step can be skipped: the same PKI certificate can be used for the SSL configuration of the IIS WSUS Administration site.

If you still need a PKI certificate for the Software Update Point site system server, issue and enroll it first (see the related post above), then follow the steps below.

Bind the certificate to the WSUS Administration site

Binding a certificate to a website in IIS means that you are activating the installed digital certificate and associating it with a particular website, port, and/or IP Address.

Follow the process below to bind the certificate to the WSUS Administration site in IIS.

On the WSUS server, open Internet Information Services (IIS) Manager.

Go to Sites > WSUS Administration, then select Edit Bindings.

WSUS IIS bindings

In the Site Bindings window, select the line for https, then select Edit.

Don't remove the HTTP site binding: WSUS uses HTTP for the update content files.

IIS site bindings

Under SSL certificate, open the drop-down list and select the certificate.

IIS site bindings

Click OK to close the Edit Site Binding window.

IIS site bindings

Configure the WSUS web services to require SSL

In IIS Manager on the WSUS server, go to Sites > WSUS Administration and expand the WSUS Administration site so that you see the list of web services and virtual directories for WSUS.

IIS site bindings | API Remoting

Select ApiRemoting30 and make the following changes.

  • Enable the Require SSL option.
  • Verify the Client certificates option is set to Ignore.
  • Select Apply.

Repeat the above steps for the following WSUS services as well.

  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

IIS site bindings

Configure the WSUS application to use SSL

Once the web services are configured for SSL, the WSUS application must be notified so that it can perform the additional configuration needed to support the change. This is done using WsusUtil.exe.

To make the changes, perform the steps below:

Open an admin command prompt on the WSUS server. The user account running this command must be a member of either the WSUS Administrators group or the local Administrators group.

Change directory to the WSUS tools folder: cd "c:\Program Files\Update Services\Tools"

Configure WSUS to use SSL with the following command: WsusUtil.exe configuressl <WSUS Server FQDN>

WsusUtil returns the URL of the WSUS server with the port number at the end. The port will be either 8531 (default) or 443. Verify that the returned URL is what you expect; if something was mistyped, run the command again.

SCCM IIS Server SSL Configuration
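The three IIS/WSUS steps above (bind the certificate, require SSL on the five web services, run WsusUtil) as a single PowerShell script. This is an added example, not a script from the original post or from Microsoft; it assumes it is run elevated on the WSUS server with the IIS WebAdministration module available and WSUS installed in its default path, and the FQDN is a placeholder.

```powershell
# Added example: scripted equivalent of the IIS console steps for the WSUS Administration site.
# Assumptions: elevated session on the WSUS server, WebAdministration module (IIS) present,
# WSUS installed under %ProgramFiles%\Update Services. Replace the placeholder FQDN.
Import-Module WebAdministration

$WsusFqdn = 'wsus01.contoso.local'   # placeholder: the WSUS server FQDN on the PKI certificate
$SiteName = 'WSUS Administration'

# 1. Select the PKI server-authentication certificate (EKU 1.3.6.1.5.5.7.3.1) whose SAN/CN
#    matches the FQDN and that has a private key. Stop rather than bind the wrong certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.DnsNameList.Unicode -contains $WsusFqdn)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate for $WsusFqdn in LocalMachine\My" }

# 2. Attach the certificate to the existing https binding (port 8531) of the site.
#    The http binding (8530) is deliberately left in place: WSUS serves update content over it.
$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) { throw "No https binding found on site '$SiteName'" }
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# 3. Require SSL on the five web services. The value 'Ssl' alone means "Require SSL" with
#    client certificates set to Ignore, which is what the console steps above ask for.
$services = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($svc in $services) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$svc" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# 4. Let WSUS reconfigure itself for SSL; it prints the URL including the SSL port (8531 by default).
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $WsusFqdn
```

Compare the URL printed by WsusUtil with the FQDN you expect before moving on to the Software Update Point properties.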

Configure Software Update Point for SSL

Perform the steps below to configure the software update point to require SSL communication to the WSUS server.

  • Open the Configuration Manager console and connect to either your central administration site or the primary site server for the software update point you need to edit.
  • Go to Administration > Overview > Site Configuration > Servers and Site System Roles.
  • Select the site system server where WSUS is installed, then select the software update point site system role.
  • From the ribbon, choose Properties.
  • Enable the Require SSL communication to the WSUS server option.

SCCM Software Update Point | Enable SSL

Verify the WSUS console can connect using SSL

Open the WSUS console and select Action > Connect to Server.

  • Enter the FQDN of the WSUS server for the Server name option.
  • Select Use Secure Sockets Layer (SSL) to connect to this server.
  • Click Connect.

If the configuration is correct, the console connects to the WSUS server without any issue.

WSUS console

Verify the site server can sync updates

Follow the steps below to confirm that the ConfigMgr site server is able to sync software updates from Microsoft Update.

Go to Software Library > Software Updates > All Software Updates and select Synchronize Software Updates.

SCCM sync updates

Monitor wsyncmgr.log on the ConfigMgr site server; you should see the synchronization progress in the log file.

wsyncmgr.log

Verify a client can scan for updates

Check LocationServices.log to confirm that the client sees the correct WSUS SSL URL.

wsyncmgr.log

Review the WUAHandler.log to verify that the client can successfully scan.
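The verification steps above (WSUS answers over SSL, the client sees the SSL URL, the scan succeeds) as scripted checks run from a ConfigMgr client. This is an added example, not from the original post; the FQDN is a placeholder, and the ASMX path and log strings are the commonly seen ones, so a miss on the log check means "read the log by hand", not that something is broken.

```powershell
# Added example: post-change checks from a ConfigMgr client. Assumptions: the client already
# received the SUP location, client logs are in the default %windir%\CCM\Logs, and the
# client.asmx path and log strings are as commonly observed (treat as assumptions).
$WsusFqdn = 'wsus01.contoso.local'   # placeholder: the WSUS server FQDN
$SslPort  = 8531
$HttpPort = 8530
$SslUrl   = "https://${WsusFqdn}:${SslPort}"

# 1. A real TLS handshake against the SSL port: fails if the chain, name or validity is wrong,
#    which is exactly what the client's Windows Update Agent will check.
$tcp = New-Object System.Net.Sockets.TcpClient($WsusFqdn, $SslPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($WsusFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"TLS OK: {0} issued by {1}, valid until {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter
$ssl.Dispose(); $tcp.Dispose()

# 2. The client-facing web service must answer over https and refuse plain http.
#    With Require SSL set, IIS answers the http request with 403 (SSL required).
$asmx = 'ClientWebService/client.asmx'
$ok = Invoke-WebRequest -Uri "$SslUrl/$asmx" -UseBasicParsing
"HTTPS {0}: {1}" -f $asmx, $ok.StatusCode
try {
    Invoke-WebRequest -Uri "http://${WsusFqdn}:${HttpPort}/$asmx" -UseBasicParsing | Out-Null
    Write-Warning "Plain HTTP still accepted for $asmx; Require SSL is not in effect"
} catch {
    "HTTP refused for {0}: {1}" -f $asmx, [int]$_.Exception.Response.StatusCode
}

# 3. Client logs: the SSL URL should appear in LocationServices.log, and WUAHandler.log
#    should report a successful scan after the next software update scan cycle.
$logDir = Join-Path $env:windir 'CCM\Logs'
Select-String -Path (Join-Path $logDir 'LocationServices.log') -SimpleMatch $SslUrl |
    Select-Object -Last 1
Select-String -Path (Join-Path $logDir 'WUAHandler.log') -Pattern 'Successfully completed scan' |
    Select-Object -Last 1
```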
