Third-Party Patching for SCCM

Patch over 335+ third-party updates across 190 products in SCCM

Knowledge Base ArticlesDownload Trial

Remote WSUS connection is not HTTPS. This prevents software update point from getting the signing certificate for third-party updates.

Since the release of Configuration Manager 1806, some customers report that the WSUS Signing Certificate isn’t being populated in the Third Party Updates tab of the software update point. It occurs even when the option Configuration Manager manages the certificate is enabled.

WSUS Signing Certificate Not Populating in SCCM

What’s Configuration Manager Manages the Certificate Do Anyway?

The option to have Configuration Manager manages the certificate will allow SCCM to created a self-signed WSUS Signing Certificate. This option can be helpful when PKI certificates aren’t mandatory.

The option for Configuration Manager to manage the certificate can be convenient since you don’t need to use a tool like System Center Updates Publisher or our Publishing Service to generate the self-signed WSUS Signing Certificate.

Why’s This Option Not Working?

The most common reason why the WSUS signing certificate doesn’t automatically get generated during a software update point synchronization (wsyncmgr.log) is that the software update point site system role is remote from your site server and the remote WSUS server isn’t configured for HTTPS.

For example, in the screenshot below SCCM3-DPMPSUP-1 is our Software update point and it’s remote from the primary site server SCCM3-SITESVR-2

When your software update point is remote from your site server, the option Configuration Manager managed the certificate will only work if the WSUS/SUP is configured for HTTPS/SSL as described in the Microsoft Docs.

If the WSUS server doesn’t have a web server certificate and hasn’t been properly enabled for SSL, you will see the following warning in the wsyncmgr.log during a synchronization.

Warning: Remote WSUS connection is not HTTPS. This prevents software update point from getting the signing certificate for third-party updates.

Resolutions

You have two options to work around this issue:

Option 1: The first workaround is to create a self-signed or import a PKI based code-signing certificate to use for the WSUS Signing Certificate using our Publishing Service and deploy the certificate to clients using group policy or an SCCM package. If you choose this method, you can change the option to Manually manage the certificate in SCCM.

Import PKI or Generate Self-Signed WSUS Signing Certificate for SCCM

This option will generally be the most straightforward because you won’t need to request a web server certificate for WSUS and configure WSUS to use SSL. The one disadvantage to this option is clients won’t have the WSUS Signing Certificate automatically deployed to their Trusted Root and Trusted Publishers certificate store natively using the SCCM client setting to enable third-party updates.

Option 2: Configure WSUS to use SSL/HTTPS to use the built-in option for Configuration Manager manages the certificate. Here are some resources that may help configure WSUS to use SSL.