1. Preparation of Automation Script
- Download the Script: Download the automation PowerShell script from the link provided with this article.
- Script Placement: Save the downloaded script on the WSUS server itself. It must run there, because it modifies the server's local certificate store, its IIS configuration and the WSUS configuration through WsusUtil.exe.
2. Executing the PowerShell Script
- Open PowerShell in Admin Mode: On the WSUS server, launch PowerShell with administrative privileges (the certificate store, IIS and WsusUtil.exe changes all require elevation).
- Run the Script: Execute the downloaded PowerShell script. When prompted, enter the server's IPv4 address if clients will reach WSUS by IP address, or leave the prompt empty to issue the certificate for the FQDN only. Confirm that the script completes without errors and check its output (certificate thumbprint, export path and the WsusUtil.exe result).
The script performs the following steps to secure WSUS with SSL:
- Creates a self-signed certificate whose subject is the server's Fully Qualified Domain Name (FQDN) and whose Subject Alternative Name (SAN) carries the FQDN plus, optionally, an IPv4 address.
- Exports the certificate (the public part only, as a .cer file; the private key stays in the server's Local Machine store) to the current user's Documents folder.
- Imports that .cer file into the server's Local Machine Trusted Root Certification Authorities store, so the server itself trusts the self-signed certificate.
- Configures an HTTPS binding on TCP 8531 in IIS for the WSUS website and attaches the certificate to it.
- Sets "Require SSL" on the WSUS virtual roots that carry client and console traffic.
- Configures WSUS itself for SSL by running WsusUtil.exe configuressl with the server's FQDN.
Note: The IP address is an optional parameter that adds an IP Address SAN to the self-signed certificate. If it is not provided, the certificate carries only the FQDN, and clients must then address the server by FQDN rather than by IP. Because the certificate is self-signed, every client has to trust it explicitly (step 3 below); only the exported .cer file is distributed, never the private key.
EXAMPLE:
- Execute the script; it prompts for an optional IP address to include as a Subject Alternative Name (SAN):
- To include an IPv4 address as a SAN, type the IP when prompted and press ENTER.
- To have the hostname/FQDN as the only SAN, leave the prompt blank and press ENTER.
.\SecureWSUSWithSSL.ps1
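The following function is an added example of the server-side steps listed above, written for this page; it is not the downloadable SecureWSUSWithSSL.ps1 script. It assumes the default WSUS IIS site name "WSUS Administration", the default WsusUtil.exe install path and the standard WSUS virtual roots; adjust those if your installation differs. Unlike the script, it takes the optional IP as a parameter instead of prompting.

```powershell
# Added example, not the article's script. Assumptions: default site name "WSUS Administration",
# default WsusUtil.exe path, standard WSUS virtual roots. Run from an elevated PowerShell on the WSUS server.
function Enable-WsusSsl {
    [CmdletBinding()]
    param(
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$IPv4Address,                        # optional: adds an IP Address SAN
        [string]$SiteName = 'WSUS Administration',   # assumption: default WSUS site name
        [int]$SslPort = 8531
    )

    # 1. Self-signed certificate. -DnsName cannot carry an IP address, so the SAN extension
    #    (OID 2.5.29.17) is written explicitly: FQDN always, IP only when supplied.
    $san = "DNS=$Fqdn"
    if ($IPv4Address) { $san += "&IPAddress=$IPv4Address" }
    $cert = New-SelfSignedCertificate -Subject "CN=$Fqdn" `
        -TextExtension @("2.5.29.17={text}$san") `
        -KeyExportPolicy NonExportable `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -FriendlyName 'WSUS SSL' `
        -NotAfter (Get-Date).AddYears(2)

    # 2. Export only the public certificate (.cer). The private key is non-exportable and never leaves the server.
    $cerPath = Join-Path ([Environment]::GetFolderPath('MyDocuments')) "$Fqdn-wsus.cer"
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

    # 3. Trust the certificate on the server itself (Local Machine Trusted Root).
    Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

    # 4. HTTPS binding on the WSUS site and attach the certificate to it.
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $SslPort)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $SslPort -IPAddress '*'
    }
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $SslPort
    $binding.AddSslCertificate($cert.Thumbprint, 'My')

    # 5. Require SSL on the virtual roots used by clients and the console.
    $sslRoots = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
                'ServerSyncWebService', 'SimpleAuthWebService'
    foreach ($root in $sslRoots) {
        Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$root" `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }

    # 6. Switch WSUS itself to SSL; it rewrites its client-facing URLs to https://<FQDN>:8531.
    $wsusUtil = 'C:\Program Files\Update Services\Tools\WsusUtil.exe'   # assumption: default install path
    & $wsusUtil configuressl $Fqdn
    if ($LASTEXITCODE -ne 0) { throw "WsusUtil.exe configuressl failed with exit code $LASTEXITCODE" }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        CerFile    = $cerPath          # copy this file to clients (step 3 of the article)
        Url        = "https://${Fqdn}:$SslPort"
    }
}

# Usage: FQDN-only certificate, or FQDN plus IP SAN for clients that will use https://10.0.0.123:8531
# Enable-WsusSsl
# Enable-WsusSsl -IPv4Address 10.0.0.123
```

The key is created non-exportable on purpose: a self-signed certificate that every client trusts as a root is only as safe as that private key, so it should be usable by IIS on this server and nowhere else.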
3. Certificate Management
- Locate the Exported Certificate: Find the exported .cer file (the certificate's public part) in the Documents folder of the user who ran the script on the WSUS server.
- Import the Certificate: Copy the .cer file to each client and import it into the client's Local Machine "Trusted Root Certification Authorities" store. Use the computer store, not the current user's store: the Windows Update service runs as LocalSystem and does not see certificates trusted only by a user.
4. Client Configuration to Connect to WSUS
- WSUS Connection via IP: Configure client systems to connect to the WSUS server over HTTPS using its IP address, through the Local Group Policy Object (GPO) setting "Specify intranet Microsoft update service location" or another method of your choice. Set both the update service and the statistics server to the same URL, in the following format:
https://IPAddress:8531
Connecting by IP address only works if the certificate carries that IP as a Subject Alternative Name; if the certificate was issued for the FQDN only, use https://FQDN:8531 instead.
5. Client Update and Synchronization
To make the client pick up the new settings and synchronize with the WSUS server, run the following commands in sequence on the client system from an elevated prompt:
gpupdate /force /target:computer
- Forces an immediate refresh of the computer's Group Policy.
USOClient.exe RefreshSettings
- Makes the update client re-read its configuration, including the new WSUS URL.
USOClient.exe StartScan
- Initiates a scan for updates against the WSUS server.
- To search for and list the updates that are available but not yet installed, use the following PowerShell command (the search criteria must be defined before the search is run):
$criteria = "IsInstalled=0 and Type='Software'"; $updateSession = New-Object -ComObject "Microsoft.Update.Session"; $updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates; $updates | Select-Object Title
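Steps 3 to 5 together form the client-side procedure. The functions below are an added example of that procedure, written for this page rather than taken from the article or its script. They assume the server's .cer file has been copied to the client (the path is a placeholder) and that clients are pointed at an IP-SAN URL such as https://10.0.0.123:8531; the registry values written are the ones behind the "Specify intranet Microsoft update service location" policy, which is what a domain GPO would set instead.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell on the client.
function Set-WsusClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CerPath,   # exported WSUS certificate, e.g. C:\Temp\wsus.cer (placeholder)
        [Parameter(Mandatory)][string]$WsusUrl    # e.g. https://10.0.0.123:8531 (placeholder)
    )

    # 1. Windows Update runs as LocalSystem, so the certificate must be trusted in the
    #    computer store (LocalMachine\Root); a CurrentUser import would be ignored.
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'

    # 2. Point the update client at WSUS. These are the registry values behind the
    #    "Specify intranet Microsoft update service location" policy.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    New-Item -Path "$wu\AU" -Force | Out-Null
    Set-ItemProperty -Path $wu       -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $wu       -Name WUStatusServer -Value $WsusUrl -Type String
    Set-ItemProperty -Path "$wu\AU"  -Name UseWUServer    -Value 1        -Type DWord

    # 3. Apply policy, make the update client re-read it, and start a scan.
    gpupdate /force /target:computer | Out-Null
    USOClient.exe RefreshSettings
    USOClient.exe StartScan

    $cert.Thumbprint   # compare with the thumbprint reported on the server
}

# Lists updates WSUS has made available to this client that are not yet installed.
function Get-PendingWsusUpdate {
    param([string]$Criteria = "IsInstalled=0 and Type='Software'")
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1        # ssManagedServer: query the configured WSUS server, not Microsoft Update
    $result = $searcher.Search($Criteria)
    # ResultCode 2 = succeeded, 3 = succeeded with errors; anything else means the scan did not complete.
    if ($result.ResultCode -notin 2, 3) { throw "Update search did not complete (ResultCode $($result.ResultCode))" }
    $result.Updates | ForEach-Object {
        [pscustomobject]@{ Title = $_.Title; KB = ($_.KBArticleIDs -join ',') }
    }
}

# Usage (paths and URL are placeholders):
# Set-WsusClient -CerPath 'C:\Temp\wsus.cer' -WsusUrl 'https://10.0.0.123:8531'
# Get-PendingWsusUpdate
```

If Get-PendingWsusUpdate throws, or StartScan logs a certificate error in the WindowsUpdateClient event log, the usual causes are the certificate being imported into the wrong store or the URL using a name that is not in the certificate's SAN.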
Examples of Different Configuration Scenarios (WSUS web services and Management Console reachable over SSL on TCP 8531)
Scenario 1: FQDN only
- Clients can connect to the WSUS Server via the web service URL:
https://wsus-server:8531
- Certificate Common Name: wsus-server
- Certificate Subject Alternative Name (SAN) | DNS Name: wsus-server
Scenario 2: FQDN and IP address
- Clients can connect to the WSUS Server via either of the following web service URLs:
https://wsus-server:8531
https://10.0.0.123:8531
- Certificate Common Name: wsus-server
- Certificate Subject Alternative Name (SAN) | DNS Name: wsus-server
- Certificate Subject Alternative Name (SAN) | IP address (v4): 10.0.0.123
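To tell which of the two scenarios a running server is actually in, the function below is an added check (not part of the article) that retrieves the certificate WSUS presents on TCP 8531, reads its SAN extension and reports which URL forms it can satisfy, plus whether the machine running the check already trusts it. The hostname and IP are the placeholder values from the scenarios above.

```powershell
# Added example, not from the original article. Works from any machine that can reach the WSUS port.
function Test-WsusCertificateSan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,   # the name or IP clients will put in the URL
        [int]$Port = 8531
    )

    # Fetch the server certificate. Validation is deliberately bypassed in this callback
    # because the goal is to inspect the certificate; trust is evaluated separately below.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally { $tcp.Close() }

    # The SAN extension (OID 2.5.29.17) formats as e.g. "DNS Name=wsus-server, IP Address=10.0.0.123".
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $dnsSans = @([regex]::Matches($sanText, 'DNS Name=([^,]+)')   | ForEach-Object { $_.Groups[1].Value.Trim() })
    $ipSans  = @([regex]::Matches($sanText, 'IP Address=([^,]+)') | ForEach-Object { $_.Groups[1].Value.Trim() })

    # Would this machine accept the certificate? For the self-signed WSUS certificate this is
    # true only after the .cer has been imported into LocalMachine\Root here.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        DnsSans     = $dnsSans
        IpSans      = $ipSans
        TrustedHere = $trusted
        UsableUrls  = @($dnsSans + $ipSans | ForEach-Object { "https://${_}:$Port" })
        # Scenario 1 when IpSans is empty (clients must use the DNS name); Scenario 2 when it is not.
        Scenario    = if ($ipSans.Count -gt 0) { 2 } else { 1 }
    }
}

# Usage with the placeholder values from the scenarios:
# Test-WsusCertificateSan -Server wsus-server
# Test-WsusCertificateSan -Server 10.0.0.123
```

A client pointed at https://10.0.0.123:8531 only works when IpSans contains 10.0.0.123; if the result shows Scenario 1, either re-run the server script with the IP address or change the client URL to the DNS name. TrustedHere being false on a client means the .cer import in step 3 was skipped or went into the wrong store.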