Commit 84a32cc

committed
2111-certpinningcmg-12590425
1 parent ba2f33c commit 84a32cc

1 file changed

Lines changed: 3 additions & 2 deletions

memdocs/configmgr/sum/get-started/software-update-point-ssl.md

@@ -289,10 +289,11 @@ Starting in Configuration Manager 2103, you can further increase the security of
289289
- Configuration Manager version 2103
290290
- Ensure your WSUS servers and software update points are configured to use TLS/SSL
291291
- Add the certificates for your WSUS servers to the new `WindowsServerUpdateServices` certificate store on your clients
292+
- When using certificate pinning with a cloud management gateway (CMG), the `WindowsServerUpdateServices` store needs the CMG certificate. If clients switch from internet to VPN both the CMG and WSUS server certificates are needed in the `WindowsServerUpdateServices` store. <!--12590425-->
292293

293294
> [!Note]
294-
> - Software update scans for devices will continue to run successfully using the default value of **Yes** for the **Enforce TLS certificate pinning for Windows Update client for detecting updates** client setting. This includes scans over both HTTP and HTTPS. The certificate pinning doesn't take effect until a certificate is in the client's `WindowsServerUpdateServices` store and the WSUS server is configured to use TLS/SSL.
295-
> - When using certificate pinning with a cloud management gateway (CMG), the `WindowsServerUpdateServices` store needs the CMG certificate. If clients switch from internet to VPN both the CMG and WSUS server certificates are needed in the `WindowsServerUpdateServices` store. <!--12590425-->
295+
> Software update scans for devices will continue to run successfully using the default value of **Yes** for the **Enforce TLS certificate pinning for Windows Update client for detecting updates** client setting. This includes scans over both HTTP and HTTPS. The certificate pinning doesn't take effect until a certificate is in the client's `WindowsServerUpdateServices` store and the WSUS server is configured to use TLS/SSL.
296+
296297

297298

298299
### Enable or disable TLS certificate pinning for devices scanning HTTPS-configured WSUS servers
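
Review bot: In the added prerequisite bullet (new line 292), "the CMG certificate" does not say which certificate is meant, and the second sentence reads as a side remark rather than a requirement. The note directly below says pinning takes effect once a certificate is in the client's `WindowsServerUpdateServices` store, so a reader who adds only the CMG certificate has no warning about what happens when the client later scans against the WSUS server over VPN. Consider wording it as a requirement ("Clients that switch between internet and VPN need both the CMG and WSUS server certificates in the store") and adding the missing comma after "VPN". The commit title refers to 2111 while the list still opens with "Configuration Manager version 2103", so state whether the CMG requirement applies from 2103 or only from a later version. The blank line added at new line 296 leaves three consecutive blank lines before the `### Enable or disable TLS certificate pinning...` heading and can be dropped.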
