Windows 10: Changes in WSUS update scan

With the September 2020 cumulative update for Windows 10, Microsoft introduced changes that improve the security of clients that scan Windows Server Update Services (WSUS) for updates. Here is a brief overview of this topic.


I became aware of the topic through this tweet – Microsoft has published this Techcommunity article on this topic. 


Secure by default: TLS protocol/HTTPS mandatory

Starting with the September 2020 cumulative update, HTTP-based intranet servers will be secure by default. To ensure that clients remain inherently secure, Microsoft no longer allows update detection against HTTP-based intranet servers to use a user proxy by default.

If a WSUS environment is not secured with the TLS protocol/HTTPS, and a device requires a proxy to successfully connect to the intranet WSUS servers, and this proxy is configured for users only (not for devices), then all WSUS scans for updates will fail from the September 2020 cumulative update onwards.


To ensure the security of the WSUS infrastructure, Microsoft recommends using the TLS/SSL protocol between the devices and the WSUS servers. The Microsoft Update System (including WSUS) relies on two types of content: update payloads and update metadata. More information can be found in Michael Cureton's post Security Best Practices for Windows Server Update Services (WSUS). The Techcommunity article contains more details and recommendations on how to configure clients for WSUS update scans.
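
A check for the failure condition described above, as an added example that is not from the original post or from Microsoft's article. The registry value names `WUServer` and `SetProxyBehaviorForUpdateDetection`, and the English `netsh` output string, do not appear on this page and are assumptions about how the Windows Update policies are stored on the client.

```powershell
# Added example: classify a client's exposure to the September 2020 WSUS scan change.
function Get-WsusScanRisk {
    param(
        [string]$WUServer,        # WSUS URL from policy; empty if none is set
        [bool]$HasSystemProxy,    # a device-wide (WinHTTP) proxy is configured
        [int]$ProxyBehavior = 0   # 1 = fallback to the user proxy is allowed
    )
    if ([string]::IsNullOrWhiteSpace($WUServer)) {
        return 'No WSUS server set by policy; the change does not apply'
    }
    if ($WUServer -match '^https://') {
        return 'OK: scans use TLS/HTTPS'
    }
    if ($ProxyBehavior -eq 1) {
        return 'HTTP scan with user-proxy fallback re-enabled; move WSUS to HTTPS'
    }
    if ($HasSystemProxy) {
        return 'HTTP scan through the system proxy; move WSUS to HTTPS'
    }
    return 'At risk: HTTP scan, no system proxy; scan fails if WSUS is only reachable via a user proxy'
}

# Policy values written by the Windows Update group policies (assumed names, see lead-in).
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Assumes English netsh output: a direct connection prints "Direct access (no proxy server)."
$winhttp        = (& netsh.exe winhttp show proxy) -join "`n"
$hasSystemProxy = $winhttp -notmatch 'Direct access'

# A missing registry value reads as $null, which casts to 0 (the default behavior).
$behavior = [int]$policy.SetProxyBehaviorForUpdateDetection

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    WUServer       = $policy.WUServer
    HasSystemProxy = $hasSystemProxy
    ProxyBehavior  = $behavior
    Assessment     = Get-WsusScanRisk -WUServer $policy.WUServer `
                        -HasSystemProxy $hasSystemProxy `
                        -ProxyBehavior $behavior
}
```

The script only reads configuration, so it can be run across a fleet before the update is deployed to list the clients that still scan over HTTP.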
