Forum Discussion
lalanc01
May 19, 2022
Iron Contributor
WSUS Certificate pinning
Hi, is there any docs as to how to enable certificate pinning?
Asking because in those posts, it says that we can do this to secure our WSUS servers, but I can't seem to find out how to actually do it.
Changes to improve security for Windows devices scanning WSUS - Microsoft Tech Community
Scan changes and certificates add security for Windows devices using WSUS for updates - Microsoft Tech Community
Thank you in advance and don't hesitate if you have any questions
3 Replies
- Jason_Sandys
Microsoft
Hi Stephane,
The details are documented at https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-settings#enforce-tls-certificate-pinning-for-windows-update-client-for-detecting-updates. Basically, you need to add the HTTPS cert configured for WSUS to the WindowsServerUpdateServices cert store on the clients.
- Lotsch17
Copper Contributor
Is it possible to store the certificate directly in WindowsServerUpdateServices per GPO?
- Jason_Sandys
Microsoft
Hi Lotsch17. No, this is not directly possible as the GPO template is not aware of this certificate location unfortunately. Using a script is the best path invoking certutil (although there may be a direct PowerShell cmdlet as well). You can deploy this script using whatever method is at your disposal including Intune (or ConfigMgr).
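The script below is an added example illustrating the approach described in the replies above; it is not code from the thread, from Microsoft, or from the linked documentation. It imports the WSUS server's HTTPS certificate into the LocalMachine WindowsServerUpdateServices store, skips the import if the certificate is already there (so it can be rerun from Intune or ConfigMgr), and then connects to the WSUS server over TLS to confirm that the certificate it actually presents is the one that was pinned. The certificate path, host name and port are assumed placeholders; the store name is the one named in the reply.

```powershell
# Added example for this thread (not Microsoft's or the poster's code).
# Imports the WSUS HTTPS certificate into the LocalMachine
# "WindowsServerUpdateServices" store (the location named in the reply above)
# and then checks that the certificate the WSUS server actually presents over
# TLS matches the pinned one. The .cer path, host and port are assumed values.
# Run from an elevated PowerShell session.

param(
    [string]$CertPath = 'C:\Deploy\wsus-https.cer',   # assumed: exported public cert of the WSUS HTTPS binding
    [string]$WsusHost = 'wsus.corp.example',           # assumed: FQDN clients use in the WSUS policy
    [int]$WsusPort    = 8531                           # assumed: default WSUS HTTPS port
)

$ErrorActionPreference = 'Stop'
$storeName = 'WindowsServerUpdateServices'

# 1. Load the certificate to pin and show what is about to be trusted.
$pinned = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host ("Pinning {0} (thumbprint {1}, expires {2})" -f $pinned.Subject, $pinned.Thumbprint, $pinned.NotAfter)

# 2. Open the store (created if it does not exist yet) and add the certificate
#    only if it is missing, so the script is idempotent for repeated deployment.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if ($store.Certificates | Where-Object { $_.Thumbprint -eq $pinned.Thumbprint }) {
    Write-Host "Certificate already present in LocalMachine\$storeName"
} else {
    $store.Add($pinned)
    Write-Host "Certificate added to LocalMachine\$storeName"
}
$store.Close()

# 3. Verify against the live server: open a TLS connection, read the leaf
#    certificate it presents, and compare thumbprints. A mismatch means the
#    server certificate was renewed (or something sits between client and
#    server), and scans would fail once pinning is enforced on the client.
$tcp = New-Object System.Net.Sockets.TcpClient($WsusHost, $WsusPort)
$tls = $null
try {
    # The callback accepts any chain here; the certificate is only being
    # retrieved so that its thumbprint can be compared with the pinned one.
    $acceptForInspection = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
    $tls.AuthenticateAsClient($WsusHost)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    if ($remote.Thumbprint -eq $pinned.Thumbprint) {
        Write-Host "OK: $WsusHost presents the pinned certificate"
    } else {
        Write-Warning ("MISMATCH: server presents {0}, pinned certificate is {1}" -f $remote.Thumbprint, $pinned.Thumbprint)
    }
} finally {
    if ($tls) { $tls.Dispose() }
    $tcp.Dispose()
}
```

The certutil equivalent of step 2 that the reply mentions is `certutil -addstore WindowsServerUpdateServices C:\Deploy\wsus-https.cer` (same assumed path). Step 3 is the check worth keeping around operationally: because the pinned certificate is the server's own HTTPS certificate, every renewal or rekey of the WSUS binding has to be pushed to clients before the old certificate is replaced, or detection scans will start failing once pinning is enforced.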