Articles in this section

See more

7a. How to Configure SSL for WSUS

 

Important Notes

  • WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send updates.
    • Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. In addition, a hash is computed and sent together with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been changed, it is not installed."
  • You cannot configure the whole WSUS website to require SSL because all traffic to the WSUS site would have to be encrypted. WSUS encrypts update metadata only. If a computer attempts to retrieve update files on the HTTPS port, the transfer will fail.
  • The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or the Windows Server Update Service Trusted Root CA store on downstream WSUS servers. If the certificate is only imported to the Local User Trusted Root CA store, the downstream WSUS server will not be authenticated on the upstream server.
  • You must import the certificate to all computers that will communicate with the WSUS server. This includes all client computers, downstream servers, and computers that run the WSUS Administration Console. The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store.

Step-by-Step Guide to Configure SSL on WSUS

Open the IIS Management Console

  1. Open up Server Manager on your WSUS server
    Server 2012 R2 - Server Manager
  2. Select Tools -> Internet Information Services (IIS) Manager Server Manager - Tools - Internet Information Services IIS Manager

Configure Certificate Binding in IIS

  1. Open Sites in the connection tree > Click 'WSUS Administration'
    Screen_Shot_2020-05-13_at_11.26.48_AM.png
  2. Under Actions column to your right, click on Bindings
    Screen_Shot_2020-05-13_at_11.29.21_AM.png
  3. Select the 'https 8531' row and click editScreen_Shot_2020-05-13_at_11.31.32_AM.png
  4.  Select the SSL certificate you have just created in the dropdown list. Click 'View'Screen_Shot_2020-05-13_at_11.34.24_AM.png
  5. Copy to clipboard the FQDN of the 'Issued to' server.  Click OK.Screen_Shot_2020-05-13_at_11.36.55_AM.png
  6. Enter the hostname you have copied in the previous step to the Host name field. Click OK and then click on Close.
    Screen_Shot_2020-05-13_at_11.38.45_AM.png

    Notes    :
    • Ensure the value you use in the Host name field is a FQDN. 
    • ping from the Endpoint/s to the WSUS FQDN should be resolved to the correct IPv4 address

Enforce SSL Encryption on All Required WSUS Administration Virtual Roots

  • SimpleAuthWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • APIremoting30
  • ClientWebService

You can do this with PowerShell:

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/SimpleAuthWebService"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/DSSAuthWebService"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/ServerSyncWebService"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/APIRemoting30"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "Ssl" -PSPath IIS:\ -Location "WSUS Administration/ClientWebService

Alternatively, you can also do this via IIS Manager console. Steps are as below.

  1. Expand 'WSUS Administration'  and for each of the directories above, follow the steps below:
  2. Select the virtual site
  3. Double click on SSL Settings
  4. Check Require SSL and leave client certificates set to ignore.
  5. Click Apply at the top right corner

Finalize WSUS SSL Configuration

  1. Open up an elevated command prompt as Administrator
  2. Navigate to your WSUS installation folder
    cd “c:\Program Files\Update Services\Tools”
  3. Execute the following command (replace your server with the correct FQDN):
    WSUSUtil.exe configuressl <YOUR-FQDN-of-WSUS-SERVER>”

Export the WSUS SSL certificate

  1. Run MMC in Administrator mode.  Click File>Add/Remote Snap-in
    1.png
  2. Click on Certificates >  Click Add.
    2.png
  3.  Click the radio button 'Computer account'.  Click Next.
    3.png
  4. Click on the Finish button
    4.png
  5. Click OK
    5.png
  6.  Expand the Certificates (Local Computer) \ Trusted Root Certification Authorities
    1.  Click on Certificates
    2. Right-click on the certificate that matches the FQDN of this server.  Click All Tasks > Export. gilicropped.jpg
  7. DONE. The exported certificate can be installed to the Trusted Root Certification Authorities on WSUS client servers.

Next Steps

To ensure secure communication between WSUS and Windows endpoints, complete the following steps:

1. Install the RootCA Certificate in the Trusted Root Certification Authorities Store and the WSUS SSL Certificate in the Trusted Publishers Certificate Store

On each client computer, you must install the RootCA certificate (the certificate that issued the WSUS SSL certificate) into the Trusted Root Certification Authorities store. This certificate validates that the WSUS SSL certificate comes from a trusted source.

Note: If your WSUS SSL certificate is self-signed, it acts as both the WSUS SSL certificate and the RootCA certificate. In this case, you must install the same certificate in both the Trusted Root Certification Authorities and Trusted Publishers stores.

In addition, on each client computer, you must install the WSUS SSL certificate into the Trusted Publishers store. This step is necessary to trust signed updates from your WSUS server.

For guidance on deploying the RootCA and WSUS SSL certificates to your endpoints, please refer to the related article on deploying certificates.

3. Enable Signed Updates

You must configure your system to allow signed updates from an intranet update location. For detailed steps, please refer to the related article.

4. Update the Intranet Microsoft Update Service (if applicable)

If your endpoints are already configured to use WSUS on port 8530, you must update the intranet Microsoft update service URL on each endpoint to make sure they use HTTPS on port 8531. For example, change the update service URL to: https://<your_wsus_server_FQDN>:8531

Related articles

Comments

2 comments

Date Votes
  • Marc Sorbier

    Hi,

    Thanks for that article, you should add the information that the certicat must be imported to all the clients in both the Trusted Root and Trusted Publishers

    i ve lost a lot of time finding that it must be in those 2 places ;)

    1
    Comment actions Permalink
  • Marc Sorbier

    Also, on each clients you must use gpedit.msc and go local computer > computer configuration > administrative templates > windows components > Windows update 

    Then set ENABLED the option Allow Signed update from an intranet microsoft update location

    1
    Comment actions Permalink

Please sign in to leave a comment.