The day has arrived! Time to move your SCCM deployment from HTTP to an HTTPS deployment! There are any number of reasons you're doing this:
- You want to manage Apple Macs
- You want to manage mobile devices
- You want tighter security
- You're an Xbox Achievement Completionist and you just want to "unlock" all of the SCCM "achievements"
Any of those reasons are valid! If you're doing this for the first time and have little experience with certificates or IIS, it may feel a little intimidating. Fret not! There are a myriad of posts out there describing in unbelievable detail how to perform this switchover. Here are just a few:
- https://blogs.technet.microsoft.com/configmgrdogs/2015/01/21/configmgr-2012-r2-certificate-requirements-and-https-configuration/
- https://www.youtube.com/watch?v=A_O9JWcAt1s
- https://danikuci.wordpress.com/2014/03/26/configuring-sccm-for-managing-macs/
I'm not going to go through my own re-telling because the simplest Google search will yield an overwhelming number of blogs describing the very process. So what exactly am I writing this post about when it comes to converting your SCCM deployment to HTTPS?
Don't Forget to Finish Converting your WSUS Server!
So this is something that most guides touch on, but not in one very specific regard. If you have KB3159706 installed on your WSUS server and you attempt to go to SSL, you will temporarily break/suspend WSUS synchronization to SCCM. The step in question, citing the first link above from ConfigMgr Dogs, is the SSL switchover for the WSUS virtual directories.
Once you do this, SCCM/WSUS (and SCOM, if it is monitoring SCCM) will report failures to contact one or more of these virtual directories. To correct this and get back on the path, we'll need to follow the TechNet article "Update enables ESD decryption provision in WSUS in Windows Server 2012 and Windows Server 2012 R2".
Beginning with the section "If SSL is enabled on the WSUS server", we'll need to:
- Change the ownership of the web.config file
- Edit the binding inside the web.config file
- Add a new entry to the web.config file
After making these changes, it is a good idea to run iisreset and confirm the virtual directories have returned to working order. You can then verify connectivity by issuing an on-demand sync from SCCM, checking SCCM health alerts, or checking SCOM if you monitor SCCM with it.
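A read-only check of the edited web.config can catch a missed edit before the next sync fails. The function below is an added example, not part of the original post or the KB; the element and attribute names it looks for (endpoints using bindingConfiguration="SSL", and multipleSiteBindingsEnabled="true" on serviceHostingEnvironment) are assumptions based on the "If SSL is enabled on the WSUS server" section of KB3159706 and should be confirmed against the article. The function name, sample XML and sample service name are constructed.

```powershell
# Added example: read-only validation of the WSUS ClientWebService web.config
# after the SSL edits. Nothing is written to disk or to IIS.
# Assumption: the expected names below follow KB3159706; confirm against the KB.
function Test-WsusSslWebConfig {
    param([Parameter(Mandatory)][xml]$Config)

    $findings = @()

    # Every service endpoint is expected to use the SSL binding configuration.
    $endpoints = @($Config.SelectNodes('//system.serviceModel/services/service/endpoint'))
    if ($endpoints.Count -eq 0) {
        $findings += 'No <endpoint> elements found under <services>.'
    }
    foreach ($ep in $endpoints) {
        $binding = $ep.GetAttribute('bindingConfiguration')
        if ($binding -ne 'SSL') {
            $findings += "Endpoint address='$($ep.GetAttribute('address'))' uses bindingConfiguration='$binding', expected 'SSL'."
        }
    }

    # The "new entry": multipleSiteBindingsEnabled on serviceHostingEnvironment.
    $hosting = $Config.SelectSingleNode('//system.serviceModel/serviceHostingEnvironment')
    if ($null -eq $hosting -or $hosting.GetAttribute('multipleSiteBindingsEnabled') -ne 'true') {
        $findings += "serviceHostingEnvironment is missing multipleSiteBindingsEnabled='true'."
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: one endpoint left on a non-SSL binding and the new entry missing.
$sample = [xml]@'
<configuration>
  <system.serviceModel>
    <services>
      <service name="ExampleService">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="SSL" />
        <endpoint address="secured" binding="basicHttpBinding" bindingConfiguration="ExampleNonSslBinding" />
      </service>
    </services>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
</configuration>
'@

# Reports Compliant = False with two findings for the sample above.
Test-WsusSslWebConfig -Config $sample | Format-List
```

To check a real server, pass the file instead of the sample: `Test-WsusSslWebConfig -Config ([xml](Get-Content -Raw $path))`, where `$path` is the ClientWebService web.config location named in the KB.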
Just wanted to share in the event anyone ran into this unforeseen error during their respective conversion process.
