Merge pull request #6549 from mestew/2111-certpinningcmg-12590425

2111-certpinningcmg-12590425

Author: PRMerger5

memdocs/configmgr/sum/get-started/software-update-point-ssl.md

@@ -5,7 +5,7 @@ description: Tutorial - Configure Windows Server Update Services (WSUS) servers
 author: mestew
 ms.author: mstewart
 manager: dougeby
-ms.date: 04/05/2021
+ms.date: 01/14/2022
 ms.topic: tutorial
 ms.prod: configuration-manager
 ms.technology: configmgr-sum
@@ -289,11 +289,13 @@ Starting in Configuration Manager 2103, you can further increase the security of
 - Configuration Manager version 2103
 - Ensure your WSUS servers and software update points are configured to use TLS/SSL
 - Add the certificates for your WSUS servers to the new `WindowsServerUpdateServices` certificate store on your clients
+   - When using certificate pinning with a cloud management gateway (CMG), the `WindowsServerUpdateServices` store needs the CMG certificate. If clients switch from internet to VPN both the CMG and WSUS server certificates are needed in the `WindowsServerUpdateServices` store. <!--12590425-->
 
 > [!Note]
 > Software update scans for devices will continue to run successfully using the default value of **Yes** for the **Enforce TLS certificate pinning for Windows Update client for detecting updates** client setting. This includes scans over both HTTP and HTTPS. The certificate pinning doesn't take effect until a certificate is in the client's `WindowsServerUpdateServices` store and the WSUS server is configured to use TLS/SSL.
 
 
+
 ### Enable or disable TLS certificate pinning for devices scanning HTTPS-configured WSUS servers
 
 1. From the Configuration Manager console, go to **Administration** > **Client Settings**.
@@ -306,4 +308,4 @@ Starting in Configuration Manager 2103, you can further increase the security of
 
 ## Next steps
 
-[Deploy software updates](../deploy-use/deploy-software-updates.md)
+[Deploy software updates](../deploy-use/deploy-software-updates.md)