Today a note for the administrators among my blog readers who use Windows Server Update Services (WSUS) to manage client updates. Microsoft requires that clients will soon have to communicate with WSUS via HTTPS, and the September 2020 updates have laid the foundation for this.
WSUS must be capable of HTTPS
I would not have covered this topic again here if blog reader Andreas E. hadn't sent me a private message on Facebook along these lines: ‘The WSUS has to talk https soon, otherwise Windows 10 won’t talk to the’ (thanks for that). I don’t use WSUS myself, but a few days ago I already mentioned this topic in my blog post Windows 10: Changes in WSUS update scan. I’ll bring the topic up again, though, because Andreas E. raised the question: which Windows versions does this apply to?
To which Windows versions does that apply?
German blog reader Andreas E. pressed the point during the discussion with the question ‘I don’t know if it applies to [Windows] 10 or also to 7 and 8?’ He had pointed me to the Techcommunity article Changes to improve security for Windows devices scanning WSUS from Microsoft, which I had already linked in the blog post Windows 10: Changes in WSUS update scan. Aria Carley from Microsoft explains a lot about this topic, but remains nebulous about the affected Windows versions. Andreas E. wrote about this ‘of course it’s written within the Techcommunity article!’ and added ‘I read it everywhere as if it was only for 10 but it doesn’t look right’.
September 2020 update prepares Windows 7 up to 10 for the change
So I have done some searching (in my own blog) and can remedy this. In the description of the cumulative update KB4571756 for Windows 10 version 2004 you can find the following hint about the change in question:
Addresses a security vulnerability issue with user proxies and HTTP-based intranet servers. After installing this update, HTTP-based intranet servers cannot leverage a user proxy by default to detect updates. Scans using these servers will fail if the clients do not have a configured system proxy. If you must leverage a user proxy, you must configure the behavior using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails.” This change does not affect customers who secure their Windows Server Update Services (WSUS) servers with the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols. For more information, see Improving security for devices receiving updates via WSUS.
The update therefore addresses a security vulnerability in user proxies and HTTP-based intranet servers. After installing this update, HTTP-based intranet servers can no longer use a user proxy by default to detect updates. WSUS scans of affected clients will therefore fail if the clients do not have a configured system proxy. For details, see the linked Techcommunity article Changes to improve security for Windows devices scanning WSUS from Microsoft. So far nothing new, and confirmation that this applies to Windows 10 version 2004.
List of more updates with changed ADMX
I then went through my blog posts about the patchday of September 8, 2020 (see links at the end of the article). In random checks I found the passage quoted above in the following updates:
- Update KB4574727 for Windows 10 Version 190x
- Update KB4570333 for Windows 10 Version 1809
- KB4577066 (Monthly Rollup) for Windows 8.1/Server 2012 R2
- KB4577051 (Monthly Rollup) for Windows 7/Windows Server 2008 R2
So it concerns all updates for Windows 7 to Windows 10 as well as the respective server counterparts. Only in the security-only updates for Windows 7 SP1 and Windows 8.1 (including their server counterparts) is the passage missing. I assume, however, that the change also applies to machines supplied with security-only updates.
Wolfgang Sommergut writes in the Windows Pro article Clients hinter Proxy erfordern HTTPS-Verbindung zu WSUS that KB4571756 installs an updated ADMX template. This adds a new option, Proxy Behavior for the Windows Update client, to the policy for the internal (intranet) Microsoft update service location, covering update detection against a non-TLS (HTTP) based service. There you can enable the use of a user proxy as a fallback if detection via the system proxy fails. This is described in the Techcommunity article Changes to improve security for Windows devices scanning WSUS.
There might be a problem with Windows 7 SP1/Server 2008 R2 machines that are protected by 0patch, because the September 2020 update is not available there. Here it might be necessary to clarify whether BypassESU can be used, but the number of affected machines in a WSUS environment is probably zero.
Maybe these explanations will help in case of ambiguities; otherwise just check whether the updated ADMX template was installed. If you have new findings or spot errors in the above text, you can leave feedback in the comments.
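As an added example for the two points above (the new Proxy Behavior option and checking whether the updated ADMX template is present), here is a PowerShell audit script that is not part of the original post. It assumes, based on Microsoft's Windows Update policy documentation rather than anything in this article, that the WSUS location is stored as WUServer under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, that the user-proxy fallback option is the DWORD SetProxyBehaviorForUpdateDetection in the same key (1 = allow user proxy as fallback), and that the updated WindowsUpdate.admx contains that element name. Run it on a domain client after the September 2020 update to see whether the client talks to WSUS over plain HTTP and how it would be affected.

```powershell
# Added example, not from the blog post: audit a client's WSUS proxy situation
# after the September 2020 change (HTTP-based WSUS no longer uses a user proxy).
# Assumed locations (from Microsoft's policy documentation, not from the post):
#   WUServer                            -> configured WSUS URL
#   SetProxyBehaviorForUpdateDetection  -> 1 = user proxy allowed as fallback
function Get-WsusProxyAssessment {
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        [string]$AdmxPath  = "$env:SystemRoot\PolicyDefinitions\WindowsUpdate.admx"
    )

    $policy   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $wuServer = $policy.WUServer
    $fallback = $policy.SetProxyBehaviorForUpdateDetection

    # The Windows Update client uses the WinHTTP (system) proxy, not the user's IE/Edge proxy.
    # "netsh winhttp show proxy" prints "Direct access (no proxy server)." when none is set.
    $winhttp        = (netsh winhttp show proxy) -join ' '
    $hasSystemProxy = $winhttp -notmatch 'Direct access'

    # The updated ADMX from KB4571756 (and siblings) exposes the new option; look for its element name.
    $admxHasOption = (Test-Path $AdmxPath) -and
        (Select-String -Path $AdmxPath -Pattern 'SetProxyBehaviorForUpdateDetection' -Quiet)

    $usesPlainHttp = [bool]($wuServer -match '^http://')

    # Decision logic follows the KB text: plain-HTTP WSUS + no system proxy means scans
    # fail for clients that relied on a user proxy, unless the fallback policy is enabled.
    $assessment =
        if (-not $wuServer)        { 'NoWsusPolicy: client is not pointed at a WSUS server' }
        elseif (-not $usesPlainHttp) { 'Ok: WSUS is reached over HTTPS, change does not apply' }
        elseif ($hasSystemProxy)   { 'Ok: plain HTTP, but a system (WinHTTP) proxy is configured' }
        elseif ($fallback -eq 1)   { 'Ok: plain HTTP, user-proxy fallback policy enabled (consider moving WSUS to HTTPS)' }
        else { 'Review: plain HTTP, no system proxy, no fallback; scans fail if this client relied on a user proxy' }

    [pscustomobject]@{
        WUServer              = $wuServer
        UsesPlainHttp         = $usesPlainHttp
        SystemProxyConfigured = $hasSystemProxy
        UserProxyFallback     = ($fallback -eq 1)
        AdmxHasNewOption      = [bool]$admxHasOption
        Assessment            = $assessment
    }
}

Get-WsusProxyAssessment | Format-List
```

The preferred fix remains switching WSUS to HTTPS, as the post says; the fallback policy only restores the previous, less secure behavior for HTTP-based servers. The AdmxHasNewOption field tells you whether the central store or local PolicyDefinitions folder already carries the template needed to set that option via Group Policy.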