Remote WSUS connection is not HTTPS. This prevents software update point from getting the signing certificate for third-party updates.
Since the release of Configuration Manager 1806, some customers report that the WSUS Signing Certificate isn’t being populated in the Third Party Updates tab of the software update point. It occurs even when the option Configuration Manager manages the certificate is enabled.
What’s Configuration Manager Manages the Certificate Do Anyway?
The option for Configuration Manager to manage the certificate can be convenient since you don’t need to use a tool like System Center Updates Publisher or our Publishing Service to generate the self-signed WSUS Signing Certificate.
Why’s This Option Not Working?
The most common reason why the WSUS signing certificate doesn’t automatically get generated during a software update point synchronization (wsyncmgr.log) is that the software update point site system role is remote from your site server and the remote WSUS server isn’t configured for HTTPS.
For example, in the screenshot below SCCM3-DPMPSUP-1 is our Software update point and it’s remote from the primary site server SCCM3-SITESVR-2
When your software update point is remote from your site server, the option Configuration Manager managed the certificate will only work if the WSUS/SUP is configured for HTTPS/SSL as described in the Microsoft Docs.
Warning: Remote WSUS connection is not HTTPS. This prevents software update point from getting the signing certificate for third-party updates.
You have two options to work around this issue:
Option 1: The first workaround is to create a self-signed or import a PKI based code-signing certificate to use for the WSUS Signing Certificate using our Publishing Service and deploy the certificate to clients using group policy or an SCCM package. If you choose this method, you can change the option to Manually manage the certificate in SCCM.
This option will generally be the most straightforward because you won’t need to request a web server certificate for WSUS and configure WSUS to use SSL. The one disadvantage to this option is clients won’t have the WSUS Signing Certificate automatically deployed to their Trusted Root and Trusted Publishers certificate store natively using the SCCM client setting to enable third-party updates.
Option 2: Configure WSUS to use SSL/HTTPS to use the built-in option for Configuration Manager manages the certificate. Here are some resources that may help configure WSUS to use SSL.
- PKI certificate requirements for System Center Configuration Manager
- How to Configure the WSUS Web Site to Use SSL
- How To Configure Microsoft SCCM to Use HTTPS/PKI