Microsoft deprecated HTTP-only client communication in Configuration Manager to improve security; it is not supported starting with the first release after October 31, 2022. Existing infrastructure should therefore be moved to HTTPS communication in ConfigMgr, which is enabled with PKI certificates.
HTTPS on the software update point is also required if you want to use a cloud management gateway (CMG) to serve internet-based clients. If you are not ready to move all clients to HTTPS but need an SSL-enabled software update point for the CMG only, dedicate a site system to the CMG and put both the management point and the software update point roles on it.
In this blog post, we walk through the SSL requirements and configuration for an SCCM software update point, using certificates issued by an internal Microsoft Public Key Infrastructure (PKI).
Earlier posts in this series: Configure Management Point for HTTPS | ConfigMgr | SCCM, and Deploy client authentication certificate for SCCM clients.
- Issue & Enroll server authentication certificates for ConfigMgr IIS servers
- Bind the certificate to the WSUS Administration site
- Configure the WSUS web services to require SSL
- Configure the WSUS application to use SSL
- Configure Software Update Point for SSL
- Verify the WSUS console can connect using SSL
- Verify the site server can sync updates
- Verify a client can scan for updates
- Related Posts:
Issue & Enroll server authentication certificates for ConfigMgr IIS servers
If you have already configured the management point for HTTPS and the SUP role is installed on the same site system server, this step can be skipped: the same PKI web server certificate can be bound to the IIS WSUS Administration site.
If the software update point site system server still needs a PKI certificate, follow the steps below.
- Issue server authentication certificate for ConfigMgr IIS servers
- Enroll Web server certificate on ConfigMgr IIS servers
Bind the certificate to the WSUS Administration site
Binding a certificate to a website in IIS associates the installed server certificate with a particular site, port and/or IP address, so that IIS presents it during the TLS handshake on that binding.
Follow the process below to bind the certificate to the WSUS Administration site. (If WSUS was installed into the Default Web Site instead, the HTTPS binding lives there on port 443 rather than 8531.)
On the WSUS server, open Internet Information Services (IIS) Manager.
Go to Sites > WSUS Administration and select Edit Bindings….
In the Site Bindings window, select the line for https (port 8531 by default), then select Edit….
Don't remove the HTTP site binding (port 8530). WSUS still uses HTTP for the update content files, so clients need it even after the web services require SSL.
Under SSL certificate, open the drop-down list and select the server authentication certificate issued to this server's FQDN.
Click OK to close the Edit Site Binding window.
Configure the WSUS web services to require SSL
In IIS Manager on the WSUS server, go to Sites > WSUS Administration and
expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS.
Select ApiRemoting30, open SSL Settings, and make the following changes.
- Enable the Require SSL option.
- Verify the Client certificates option is set to Ignore (WSUS does not authenticate clients with certificates).
- Select Apply.
Repeat the above steps for the remaining WSUS web services: ClientWebService, DSSAuthWebService, ServerSyncWebService and SimpleAuthWebService. Leave the Content virtual directory as it is, since update content is served over HTTP.
Configure the WSUS application to use SSL
Once the web services are configured for SSL, the WSUS application has to be told about the change so it can perform its own additional configuration. This is done with WsusUtil.exe.
To make the change, perform the steps below:
Open an elevated command prompt on the WSUS server. The account running the command must be a member of either the WSUS Administrators group or the local Administrators group.
Change directory to the WSUS tools folder: cd "C:\Program Files\Update Services\Tools"
Configure WSUS to use SSL with the following command: WsusUtil.exe configuressl <WSUS Server FQDN>
The FQDN you pass must be the name on the certificate you bound in IIS; it becomes the server name WSUS advertises to clients. WsusUtil returns the URL of the WSUS server with the port number at the end. The port will be either 8531 (the default) or 443. Verify the URL returned is what you expected; if something was mistyped, simply run the command again.
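The binding, Require SSL and WsusUtil steps above, done from PowerShell so they can be repeated on every SUP and read back for verification. This is an added example, not code from the original post. It assumes the site is named WSUS Administration with the WSUS default ports 8530/8531, that the web server certificate is already enrolled in LocalMachine\My, and that the FQDN in $wsusFqdn (a placeholder, replace it) is the name in the certificate subject or SAN.

```powershell
# Added example (not from the original post): configure the WSUS side for SSL in one pass.
# Assumptions: the site is named 'WSUS Administration' with the WSUS default ports 8530/8531,
# the certificate is already enrolled in LocalMachine\My, and $wsusFqdn is the name in its
# subject/SAN (replace it with your server).
#Requires -RunAsAdministrator
Import-Module WebAdministration

$wsusFqdn  = 'wsus01.contoso.local'   # assumed; must match the certificate and what clients will use
$siteName  = 'WSUS Administration'
$httpsPort = 8531
$webServices = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
               'ServerSyncWebService', 'SimpleAuthWebService'

# 1. Pick the newest unexpired Server Authentication certificate issued to this FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and   # Server Authentication EKU
        ($_.Subject -like "CN=$wsusFqdn*" -or $_.DnsNameList.Unicode -contains $wsusFqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server authentication certificate for $wsusFqdn in LocalMachine\My" }

# 2. Attach it to the existing https binding. The http binding on 8530 stays: WSUS still
#    serves the update content files over HTTP.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $httpsPort
if (-not $binding) { throw "Site '$siteName' has no https binding on port $httpsPort" }
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL on the five WSUS web services. sslFlags='Ssl' is "Require SSL" with client
#    certificates ignored; do not add SslNegotiateCert, WSUS does not use client certificates.
#    The Content virtual directory is deliberately not touched.
foreach ($vdir in $webServices) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$siteName/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# 4. Let WSUS apply the change. It prints the server URL it will use; the host must be the
#    FQDN on the certificate and the port must be the https binding.
& (Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe') configuressl $wsusFqdn

# 5. Read back what IIS actually holds before switching the software update point over.
foreach ($vdir in $webServices) {
    $flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$siteName/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
    '{0,-22} sslFlags={1}' -f $vdir, $flags
}
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation, certificateHash
```

The certificate filter is stricter than the IIS drop-down: it insists on a private key, an unexpired certificate and the Server Authentication EKU, so a client authentication or expired certificate with a similar subject cannot be bound by accident. The read-back at the end should show sslFlags=Ssl for all five services and a certificateHash on the https binding only.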
Configure Software Update Point for SSL
Perform the below steps to configure software update point to require SSL communication to WSUS server.
- Open the Configuration Manager console and connect to either your central administration site or the primary site server for the software update point you need to edit.
- Go to Administration > Overview > Site Configuration > Servers and Site System Roles.
- Select the site system server where WSUS is installed, then select the software update point site system role.
- From the ribbon, choose Properties.
- Enable the Require SSL communication to the WSUS server option. On the same properties page, confirm that the WSUS configuration ports (8530 for HTTP and 8531 for HTTPS, or 80/443 if WSUS runs on the Default Web Site) match the IIS bindings on the WSUS server.
Verify the WSUS console can connect using SSL
Open the WSUS console and select Action > Connect to Server.
- Enter the FQDN of the WSUS server (the name on the certificate) for the Server name option.
- Select Use Secure Sockets Layer (SSL) to connect to this server.
- Click Connect.
If the configuration is correct, the console connects to the WSUS server without error. A certificate or name-mismatch error here means the FQDN, the certificate subject/SAN and the WsusUtil configuressl value do not agree.
Verify the site server can sync updates
Follow the steps below to confirm that the ConfigMgr site server is able to sync software updates from Microsoft Update through the WSUS server over SSL.
Go to Software Library > Software Updates > All Software Updates and select Synchronize Software Updates.
Monitor wsyncmgr.log on the ConfigMgr site server. You should see the synchronization progress in the log file, with the WSUS server referenced by its HTTPS URL and port.
Verify a client can scan for updates
Check LocationServices.log on a client to confirm that the client receives the correct WSUS SSL URL (https, with port 8531 or 443).
Review WUAHandler.log to verify that the client applies that URL as its managed update server and completes a scan successfully.
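The three checks above, done from the command line instead of the consoles and logs, so they can be run against every SUP and from a sample client. This is an added example, not from the original post. It assumes the FQDN and ports below (placeholders), step 3 needs the UpdateServices PowerShell module (installed with the WSUS console or RSAT), and step 4 only says something useful on a ConfigMgr client that has already received software update policy.

```powershell
# Added example (not from the original post): verify the SSL configuration from outside the
# server, the way the site server and the clients see it. Assumes the FQDN and ports below;
# step 3 needs the UpdateServices module (WSUS console / RSAT), step 4 is for a ConfigMgr client.
$wsusFqdn  = 'wsus01.contoso.local'   # assumed
$httpPort  = 8530
$httpsPort = 8531

# 1. TLS handshake: AuthenticateAsClient throws if the chain does not validate or the name does
#    not match, which is exactly what the site server and clients would hit.
$tcp = New-Object Net.Sockets.TcpClient($wsusFqdn, $httpsPort)
try {
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($wsusFqdn)
    $serverCert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    'TLS OK: {0}, expires {1:yyyy-MM-dd}, thumbprint {2}' -f $serverCert.Subject, $serverCert.NotAfter, $serverCert.Thumbprint
} finally { $tcp.Close() }

# 2. Each web service must answer over https and refuse plain http with 403 (IIS 403.4 "SSL required").
$services = @{
    ApiRemoting30        = 'WebService.asmx'
    ClientWebService     = 'client.asmx'
    DSSAuthWebService    = 'DSSAuthWebService.asmx'
    ServerSyncWebService = 'ServerSyncWebService.asmx'
    SimpleAuthWebService = 'SimpleAuth.asmx'
}
foreach ($svc in $services.Keys) {
    foreach ($scheme in 'http', 'https') {
        $port = if ($scheme -eq 'https') { $httpsPort } else { $httpPort }
        $url  = '{0}://{1}:{2}/{3}/{4}' -f $scheme, $wsusFqdn, $port, $svc, $services[$svc]
        try {
            $status = (Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15).StatusCode
        } catch {
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Message }
        }
        $verdict = if ($scheme -eq 'http' -and $status -ne 403) { '  <-- still reachable without SSL' } else { '' }
        '{0,-5} {1,-22} {2}{3}' -f $scheme, $svc, $status, $verdict
    }
}

# 3. The same connection the WSUS console makes with "Use SSL" ticked.
try {
    $wsus = Get-WsusServer -Name $wsusFqdn -PortNumber $httpsPort -UseSsl
    'API OK: {0} version {1}, secure API remoting = {2}' -f $wsus.Name, $wsus.Version, $wsus.IsConnectionSecureForApiRemoting
} catch { 'API connect failed: {0}' -f $_.Exception.Message }

# 4. On a ConfigMgr client: the WSUS URL handed out by the software update point. ConfigMgr writes it
#    to the WindowsUpdate local policy; LocationServices.log and WUAHandler.log show the same value.
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if ($wu -and $wu.WUServer) {
    $expected = 'https://{0}:{1}' -f $wsusFqdn, $httpsPort
    'Client WUServer = {0} ({1})' -f $wu.WUServer, $(if ($wu.WUServer -eq $expected) { 'matches' } else { "expected $expected" })
} else { 'No WUServer policy here: not a ConfigMgr client, or no software update policy received yet' }
```

Step 2 is the check the consoles do not give you: a service that still answers 200 over plain http means Require SSL was missed on that virtual directory, and the site server and clients would silently keep using it. ApiRemoting30 is expected to answer 401 over https unless the account running the script is a WSUS administrator; the point is only that http returns 403.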
- Configure Management Point for HTTPS | ConfigMgr | SCCM
- Deploy client authentication certificate for SCCM clients
- Cloud Management Gateway (CMG) Setup Guide – Part 1
- MECM OSD – PXE Troubleshooting
- PXE-E99: Unexpected network error – SCCM OSD
- Configuration Manager OSD task sequence fails with error code 0x80004005
- MECM OSD Task Sequence Failed with Error 0x80072EE7
- SCCM Software Distribution Troubleshooting