Forum Discussion
lalanc01
May 19, 2022 | Iron Contributor
WSUS Certificate pinning
Hi, is there any documentation on how to enable certificate pinning? Asking because in those posts it says that we can do this to secure our WSUS servers, but I can't seem to find out how to actually do i...
Jason_Sandys
Microsoft
May 19, 2022
Hi Stephane,
The details are documented at https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-settings#enforce-tls-certificate-pinning-for-windows-update-client-for-detecting-updates. Basically, you need to add the HTTPS cert configured for WSUS to the WindowsServerUpdateServices cert store on the clients.
- Lotsch17 | Apr 02, 2024 | Copper Contributor
Is it possible to store the certificate directly in WindowsServerUpdateServices per GPO?
- Jason_Sandys | Apr 02, 2024
Microsoft
Hi Lotsch17. No, this is not directly possible as the GPO template is not aware of this certificate location unfortunately. Using a script is the best path invoking certutil (although there may be a direct PowerShell cmdlet as well). You can deploy this script using whatever method is at your disposal including Intune (or ConfigMgr).
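The script approach Jason describes, written out as an added example (this is not code from the thread or from Microsoft): it imports the exported WSUS HTTPS certificate into the per-machine WindowsServerUpdateServices store and then lists the store so the result can be audited. The file path and the expected thumbprint are placeholders you replace with your own values.

```powershell
# Added example: pin the WSUS HTTPS certificate on a client by placing it in the
# LocalMachine\WindowsServerUpdateServices store. Run elevated (e.g. via Intune/ConfigMgr).
# $CertPath and $ExpectedThumbprint are assumptions/placeholders, not values from the thread.
param(
    [string]$CertPath = 'C:\Deploy\wsus-https.cer',            # exported public cert of the WSUS server
    [string]$ExpectedThumbprint = 'REPLACE_WITH_WSUS_CERT_THUMBPRINT'
)

$storeName = 'WindowsServerUpdateServices'

# Load the certificate and confirm it is the one we intend to pin. Comparing the
# thumbprint catches a stale or wrong export before it reaches the client store.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
}
if ($cert.HasPrivateKey) {
    throw 'Deploy only the public certificate (.cer), never a PFX containing the private key'
}

# Open the custom store in the machine context. X509Store.Open with ReadWrite creates
# the store if it does not exist yet, which is why it is used here rather than
# Import-Certificate. Equivalent certutil form (as Jason mentions):
#   certutil -addstore WindowsServerUpdateServices C:\Deploy\wsus-https.cer
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) {
        Write-Output "Certificate $($cert.Thumbprint) is already in LocalMachine\$storeName"
    } else {
        $store.Add($cert)
        Write-Output "Added $($cert.Subject) ($($cert.Thumbprint)) to LocalMachine\$storeName"
    }
}
finally {
    $store.Close()
}

# Audit: every certificate in this store is one the Windows Update client will accept
# for the WSUS endpoint, so an unexpected extra entry widens trust and should be removed.
Get-ChildItem "Cert:\LocalMachine\$storeName" |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

The store contents only take effect once the client setting from the linked documentation (enforce TLS certificate pinning for the Windows Update client) is enabled; without it the certificate sits in the store unused.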