Let’s understand the impact of Running SCCM WSUS with HTTP Communication & proxy after the Windows 10 Sep update. The recommendation from Microsoft on a secured connection is required for software updates using SCCM and WSUS. These changes could impact many SCCM infra around the world who are running HTTP communications.
This change is related to WSUS technologies and not directly connected to ConfigMgr as a product. However, we all know ConfigMgr is tightly integrated with WSUS for all the update processes. Hence, all the SCCM admins should take some time to understand the impact on your environment.
New Client Settings – Enable User Proxy for Software Update Scans option– Top 5 New Features Of SCCM 2010 | ConfigMgr HTMD Blog (anoopcnair.com)
Impact
As per the latest Microsoft Community blog, each one of these connections explained above needs to be protected against malicious attacks. The following are the key points that you need to understand:
- You have an SCCM + WSUS environment with HTTP communication.
- A Windows 10 device requires a proxy in order to successfully connect to intranet WSUS Servers.
- The proxy is only configured for users (, not devices)
If the above points are true, then Monthly patching (software update scans against WSUS) will start to fail after your Windows 10 device is successfully installed with the September 2020 cumulative update patch.
NOTE! – In most of the organizations, I have seen that intranet communications between Windows 10 device and WSUS are bypassed from the proxy.
The Key Message From Community
The key message from Microsoft was When you use SCCM to manage your Windows updates, the update metadata travels from Microsoft servers to WSUS and then to Windows 10 devices via a chain of connections.
I saw the tweet from Julie Andreacola and Bryan Dam today morning explaining the topic.
Security Updates can affect WSUS this month. IF you are using a user based proxy between WSUS and the client machines, there is a policy change you will need to make. Read the details here #MEMCM #SCCM #ConfigMgr #PatchTuesday https://t.co/J4ERv8UvHe
— Julie Andreacola (@jandreacola) September 8, 2020
c/o @TheNotoriousDRR:the exploit explanation.
Part 1: https://t.co/CDChol2wd2
Part 2: https://t.co/6vUs8duufT
— Bryan Dam (@bdam555) September 8, 2020
WSUS Metadata Update from Microsoft Server
Your WSUS server connects with Windows Update servers and receives update metadata. This connection always uses HTTPS so this is already a secured connection. You don’t have to perform any actions related to this. This might make sure metadata has not been tampered.
If you have multiple WSUS servers arranged in a hierarchy, the downstream servers receive metadata from the upstream servers. I think Microsoft is recommending we enable the connection between upstream and downstream WSUS servers to HTTPS.
However, I think this is not mandatory to change the communication between WSUS upstream and downstream servers to HTTPS as per the blog post.
Windows 10 Client Changes
Windows 10 cumulative update of September 2020 make important changes in HTTP-based intranet servers. By default, all Windows 10 devices will be using HTTPS communication to contact internal servers like WSUS.
To ensure that your devices remain inherently secure, we are no longer allowing HTTP-based intranet servers to leverage user proxy by default to detect updates.
What If you need to use a User proxy
It seems Microsoft might release more details about the ADMX policies and CSPs. Let me know in the comments if you know any other way to achieve the change explained in the Microsoft blog post.
I have not seen more details about the options in the following KB article as well. https://support.microsoft.com/en-in/help/4577064/windows-server-2008-update
Also, try to read the comments section of the post to have more details about other thoughts. Registry entry details are also given in the comments over Group policy and local policy restrictions.
The following paragraphs are quoted from the comments of the Microsoft post by Aria Carley:
The local ADMX will update with the new policy once the September patch is taken. You should then be able to grab the ADMX/L files from such a device. As for your second point,
I fully understand your concern. ConfigMgr is currently unable to manage the new proxy behavior setting. So in the case of managed environments where user proxy is needed, for the short term, you will need to set the desired proxy behavior via the registry directly. We hope to make this a more seamless process in the future.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetProxyBehaviorForUpdateDetection
– Value 0 – Only use system proxy
– Value 1 – Allow user proxy as fallback…
Resources
- Changes to improve security for Windows devices scanning WSUS
- WSUS Attacks Part 1: Introducing PyWSUS
- WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day
- Difference Between Windows Patch Management Using Intune Vs ConfigMgr | SCCM | Software Updates
Thank you Sir for this article. Saved us from trouble.
Providing it as reference to my workstation patching team so they can be aware of it.
I am using SCCM for patch Management for Desktop only. But there is no user/system proxy is being used for accessing the internet. Do I need to change WSUS as HTTPS which is hosted on SCCM Site Server? And using WSUS for roaming client where client take approved metadata from DMZ based WSUS server which is configured in HTTP mode only and then download it directly from MS Update Server. Can I set it up in SCCM instead of WSUS HTTPS? Any possibility?