Configure SCCM Software Update Point for SSL

Microsoft deprecated HTTP-only communication in Configuration Manager to increase security. The HTTP-only communication will not be supported with first release after Oct 31, 2022. Hence, existing infrastructure should be configured for HTTPS based communication in ConfigMgr. The HTTPS communication can be enabled using PKI certificates.

The HTTPS communication is also required for Software Update Point if you want to use Cloud Management Gateway (CMG) to support internet-based clients. If you are not ready for HTTPS based communication for all clients and need SSL Software Update point for CMG only then dedicate a site systems for CMG and have both management point and software update point role on that.

In this blog post, we will walk through the SSL requirements and configuration for SCCM Software Update Point. We will use SSL certificates from Microsoft Public Key Infrastructure (PKI).

Related Post:

Configure Management Point for HTTPS | ConfigMgr | SCCM

Deploy client authentication certificate for SCCM clients

Issue & Enroll server authentication certificates for ConfigMgr IIS servers

If you have already configured the Management Point for HTTPS and SUP role is installed on same site system server then this step can be skipped. We can use the same PKI certificate for IIS WSUS administration site SSL configuration.

If you need the PKI certificate for Software Update Point site system server then follow the below steps.

Bind the certificate to the WSUS Administration site

Binding a certificate to a website in IIS means that you are activating the installed digital certificate and associating it with a particular website, port, and/or IP Address.

Follow the below process to bind a certificate to default IIS website.

On the WSUS server, open Internet Information Services (IIS) Manager.

Go to Sites > WSUS Administration, select Edit Bindings

WSUS IIS bindings

In the Site Bindings window, select the line for https, then select Edit….

Don’t remove the HTTP site binding. WSUS uses HTTP for the update content files.

IIS site bindings

Under the SSL certificate option, click on drop down list and select the certificate.

IIS site bindings

Click on Ok to close Edit Site Binding window.

IIS site bindings

Configure the WSUS web services to require SSL

In IIS Manager on the WSUS server, go to Sites > WSUS Administration ,

expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS.

IIS site bindings | API Remoting

Select ApiRemovint30 and make following changes.

  • Enable the Require SSL option.
  • Verify the Client certificates option is set to Ignore.
  • Select Apply.

Repeat the above steps for below WSUS services as well.

  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

IIS site bindings

Configure the WSUS application to use SSL

Once you configured the web services for SSL, the WSUS application needs to be notified to perform additional configuration to support the change. The configuration need to be done using WsusUtil.exe

To make the changes perform below steps:

Open an admin command prompt on the WSUS server. The user account running this command must be a member of either the WSUS Administrators group or the local Administrators group.

Change directory to the tools folder for WSUS: cd “c:\Program Files\Update Services\Tools”

Configure WSUS to use SSL with the following command: WsusUtil.exe configuressl <WSUS Server FQDN>

WsusUtil returns the URL of the WSUS server with the port number specified at the end. The port will be either 8531 (default) or 443. Verify the URL returned is what you expected. If something was mistyped, you can run the command again.

SCCM IIS Server SSL Configuration

Configure Software Update Point for SSL

Perform the below steps to configure software update point to require SSL communication to WSUS server.

  • Open the Configuration Manager console and connect to either your central administration site or the primary site server for the software update point you need to edit.
  • Go to Administration > Overview > Site Configuration > Servers and Site System Roles.
  • Select the site system server where WSUS is installed, then select the software update point site system role.
  • From the ribbon, choose Properties.
  • Enable the Require SSL communication to the WSUS server option.

SCCM Software Update Point } Enable SSL

Verify the WSUS console can connect using SSL

Open the WSUS console and select Action > Connect to Server.

  • Enter the FQDN of the WSUS server for the Server name option.
  • Select Use Secure Sockets Layer (SSL) to connect to this server
  • Click on Connect

If the configurations are good then console will connect to WSUS server without any issue.

WSUS console

Verify the site server can sync updates

You can follow below steps to confirm that ConfigMgr site server able to sync software updates from Microsoft updates.

To validate the same, go to Software Library > Software Updates > All Software Updates and select Synchronize Software Updates

SCCM sync updates

Monitor the wsyncmgr.log on ConfigMgr site server. You should see the synchronization progress in the log file.

wsyncmgr.log

Verify a client can scan for updates

Check the LocationServices.log to confirm that the client sees the correct WSUS SSL URL

wsynmgr.log

Review the WUAHandler.log to verify that the client can successfully scan.

Related Posts:

Subscribe to Techuisitive Newsletter

Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.

Scroll to Top