keywan

How to change easy on the SCCM Server , the WSUS Server from http to https


Hi,

I have an SCCM Server with a WSUS Server on the same machine with Windows Server 2025. Now I want to change the WSUS Server from http to https.

Is that easy or is there any step by step guide?

I have to be 100% sure that after the change from HTTP to HTTPS my SCCM and WSUS Server work fine.

Regards

Keywan


You haven't stated whether you have a PKI infrastructure in place. Do you? If not, you'll need to set that up as well, see >

To convert SCCM and WSUS services to HTTPS, I cover the process here,

My recommendation is to test this in a lab first and/or hire a PKI consultant to assist with the job.


No, I don't have a PKI infrastructure in place. I only want to convert or change the WSUS Server from HTTP to HTTPS. And I have to be sure that after the conversion WSUS and SCCM still work together for the SUP and Windows Updates. What should I do for the WSUS Server on the SCCM and for all client machines?

Thank you for your help


You can't convert from HTTP to HTTPS without a PKI infrastructure in place first. Moving to HTTPS means you need something to create and deliver those certificates; that's where the PKI infrastructure comes into play.

There is something from Microsoft called enhanced http, but that's not the same thing, you can read about it here:

https://learn.microsoft.com/en-us/intune/configmgr/core/plan-design/hierarchy/enhanced-http

So if you truly want your SCCM and WSUS infrastructure and clients to operate in PKI (https) mode, then you'll need a PKI infrastructure in place. It's not that hard to set up if you follow my detailed guides.

Test in a lab first !!

Below is the response from Copilot on this subject:

Short answer: No — you can’t properly convert SCCM (Configuration Manager) from HTTP to HTTPS without a PKI infrastructure.

Why PKI is required

SCCM’s HTTPS mode relies entirely on certificates for:

  • Client authentication
  • Site system role authentication (MP, DP, SUP, etc.)
  • Encrypted communication between clients and site systems

These certificates must come from a trusted Certification Authority (CA). That’s exactly what a PKI provides. Without it, SCCM has no trusted mechanism to validate identities.

What happens if you try without PKI

  • Clients won’t trust the management point
  • Authentication will fail
  • You’ll see certificate or communication errors (MP unreachable, client not approved, etc.)
  • Core features like software deployment and inventory break

Your realistic options

Option 1 — Stay on HTTP (not recommended long-term)

  • Works without PKI
  • Less secure (deprecated in modern environments)
  • Microsoft is pushing away from this model

Option 2 — Use Enhanced HTTP (recommended middle ground)

  • Does NOT require full PKI
  • Uses self-signed certificates automatically managed by SCCM
  • Provides encryption and improved security compared to HTTP
  • Much easier to implement

👉 This is what most organizations do if they don’t have PKI.

Option 3 — Build PKI and move to full HTTPS

  • Requires:
    • Active Directory Certificate Services (AD CS)
    • Certificate templates (client auth, web server, etc.)
    • Deployment of certs to clients and servers
  • Most secure and fully featured option

Recommendation

If you currently have no PKI:

  1. Enable Enhanced HTTP first
  2. Plan PKI deployment separately
  3. Later transition to full HTTPS when ready

Summary

Mode            Requires PKI    Security Level    Notes
HTTP                            Low               Deprecated direction
Enhanced HTTP                   Medium            Best without PKI
Full HTTPS                      High              Requires PKI


If you are only talking about the WSUS server, then the following could be possible, but messy.

Short answer: Yes, you can enable HTTPS on a WSUS server without a full PKI infrastructure, but you still need some form of certificate, and the approach has trade‑offs.


🔐 What WSUS requires for HTTPS

WSUS itself doesn’t require a Microsoft AD CS / enterprise PKI. It only requires:

  • An SSL certificate bound in IIS to the WSUS website
  • Clients that trust that certificate

So the real question is not “PKI or not,” but how you issue and trust the certificate.


Your main options without PKI

1. Self-signed certificate (most common workaround)

You can generate a self-signed cert directly on the WSUS server.

Steps:

New-SelfSignedCertificate -DnsName wsus.yourdomain.local -CertStoreLocation Cert:\LocalMachine\My

Then:

  • Bind it in IIS to the WSUS Administration site
  • Configure WSUS to require SSL:

& "C:\Program Files\Update Services\Tools\wsusutil.exe" configuressl wsus.yourdomain.local

Pros

  • No PKI needed at all
  • Quick and simple

Cons

  • Clients won’t trust it automatically
  • You must manually or via GPO:
    • Export the cert
    • Deploy it to Trusted Root Certification Authorities on all clients

2. Public certificate (rare for WSUS, but possible)

If your WSUS server has a publicly resolvable name, you can use a certificate from a public CA (e.g., DigiCert, Let’s Encrypt).

Pros

  • Already trusted by clients
  • No GPO distribution needed

Cons

  • Usually not practical (WSUS is internal)
  • DNS + internet validation required

3. Private CA alternative (lightweight, not full PKI)

If you don’t want “full PKI,” you can still:

  • Stand up a minimal AD CS (even temporary)
  • Or use tools like:
    • OpenSSL CA
    • Small internal CA solution

This is technically “PKI,” but much lighter than a full enterprise deployment.


⚠️ Critical things people overlook

1. WSUS only secures metadata, not update binaries

Even with HTTPS:

  • Update content can still download over HTTP
  • This is by design (Microsoft signs updates)

So HTTPS mainly protects:

  • Client ↔ WSUS communication
  • Metadata integrity in transit

2. Required IIS configuration

WSUS does not require SSL on all virtual directories.

You should:

  • Require SSL on:
    • SimpleAuthWebService
    • DSSAuthWebService
    • ServerSyncWebService
    • APIRemoting30
    • ClientWebService
  • Do NOT require SSL on:
    • Content
    • Selfupdate

3. Group Policy must be updated

After switching to HTTPS:

Specify intranet Microsoft update service location

Change:

http://wsus:8530

To:

https://wsus:8531

4. Firewall and ports

  • Default WSUS HTTPS port: 8531
  • Ensure clients can reach it

Recommended approach (real-world)

If you truly don’t want a PKI:

👉 Use a self-signed certificate + GPO distribution

This is the most common setup in smaller environments.


🧠 Bottom line

  • You do NOT need a full PKI infrastructure
  • You DO need a certificate
  • ⚠️ The key requirement is certificate trust on clients
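The WSUS-only procedure above (self-signed certificate, IIS binding on 8531, SSL required on the listed web services but not on Content/Selfupdate, wsusutil configuressl, certificate export for GPO) as one elevated PowerShell script; this is an added example, not code from the thread or from Microsoft. It assumes the default IIS site name "WSUS Administration", the placeholder FQDN wsus.yourdomain.local, and the wsusutil.exe path quoted in the thread.

```powershell
# Added example (not from the original thread): the WSUS-only HTTPS switch described
# above, done end to end in one elevated PowerShell session on the WSUS server.
# Assumptions: the IIS site is the default "WSUS Administration", the server FQDN is
# the placeholder wsus.yourdomain.local, and wsusutil.exe is at the path the thread quotes.
$WsusFqdn  = 'wsus.yourdomain.local'   # placeholder, replace with the real FQDN
$SiteName  = 'WSUS Administration'
$HttpsPort = 8531                      # default WSUS HTTPS port
$WsusUtil  = 'C:\Program Files\Update Services\Tools\wsusutil.exe'

Import-Module WebAdministration

# 1. Self-signed server certificate in the machine store (same cmdlet as in the thread).
$cert = New-SelfSignedCertificate -DnsName $WsusFqdn -CertStoreLocation 'Cert:\LocalMachine\My' `
            -FriendlyName 'WSUS HTTPS (self-signed)'

# 2. Create the 8531 HTTPS binding if it is missing and attach the certificate to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort -IPAddress '*'
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL only on the web services the thread lists. Content and Selfupdate are
#    deliberately left at 'None': update binaries and the client self-update come over HTTP.
$requireSsl = 'SimpleAuthWebService', 'DSSAuthWebService', 'ServerSyncWebService',
              'APIRemoting30', 'ClientWebService'
$noSsl      = 'Content', 'Selfupdate'
foreach ($vdir in $requireSsl) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}
foreach ($vdir in $noSsl) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'
}

# 4. Point WSUS itself at the SSL endpoint (the wsusutil call from the thread).
& $WsusUtil configuressl $WsusFqdn

# 5. Export the public part for GPO distribution to clients' Trusted Root store;
#    without this step clients reject the self-signed certificate.
$cerPath = Join-Path $env:TEMP 'wsus-https.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Write-Host "Import $cerPath into Trusted Root Certification Authorities via GPO."

# 6. Sanity check: the SSL binding exists and the port answers locally.
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $HttpsPort }
Test-NetConnection -ComputerName $WsusFqdn -Port $HttpsPort | Select-Object TcpTestSucceeded
```

The GPO change (intranet update service location to https://wsus:8531) and the Configuration Manager side stay manual: the software update point role has its own "Require SSL communication to the WSUS server" setting that must be enabled for the SUP to keep syncing after this switch.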

