Let’s understand how ConfigMgr can help to configure Allow User Proxy for Software Update Scans. Microsoft announced changes to WSUS HTTP communications and proxy behavior with the Windows 10 Sep 2020 update. Microsoft’s recommendation is to use an HTTPS (secured) connection for software update scans (SCCM and WSUS).
If your organization is using a system proxy, you don’t have to read this post further. This post is applicable only if your organization uses a user-based proxy. Software update scans against WSUS will start failing when a user proxy is configured. The fix or workaround for these scan failures is explained in the section below.
Issue (Security Enhancement)
The WSUS security enhancements related to scanning are listed below. These changes could cause issues if your WSUS connections are not secured. In this post, we will see how to resolve the issues caused by these WSUS changes using the ConfigMgr client settings policy.
- WSUS Scanning behavior changed.
- No longer fall back to USER proxy for scanning WSUS servers.
- HTTP-based WSUS servers will be secure by default.
- Switch to system proxy instead of user proxy.
- A client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by default.
- Capability for customers to pin certificates (cert-pinning).
Enable User Proxy for Software Update Scans
As mentioned in the above section, it’s not recommended to use user-based proxy authentication for WSUS (software update) scanning. Many organizations are (still) using a user proxy instead of a system proxy. And the changes required at the proxy level might take many months (in some cases, years) in my experience.
The Microsoft WSUS and Configuration Manager (a.k.a. SCCM) teams worked together to produce a solution for this user proxy issue with WSUS scanning. With the 2010 version of ConfigMgr, you can configure a “special (NOT RECOMMENDED)” policy to have a successful WSUS scan.
- ConfigMgr 2010 or later
Let’s see how to enable Allow user proxy for software update scans, the new option in Client Settings.
- Navigate to \Administration\Overview\Client Settings
NOTE! – I don’t recommend changing the Default client settings policy. You are better off with a custom client settings policy and deploying it to the device collection.
- Right-click the custom client settings policy.
- Select the Properties option.
- Select the Software Updates section.
- Select Yes from the drop-down for Allow User proxy for Software update scans (WSUS).
- Click OK to save the settings.
Windows 10 CSP Policies
A Windows 10 CSP is also available to configure similar software update (WSUS) scanning settings.
- The integer value 1 – Allow user proxy to be used as a fallback if detection using system proxy fails.
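A client-side audit for the setting described above, as an added example that is not part of the original post. It assumes the CSP in question is Update/SetProxyBehaviorForUpdateDetection and that its value and the WSUS URL are visible under the Group Policy key shown; whether the ConfigMgr client setting surfaces in that same key is an assumption to verify in your environment. The function name and finding labels are hypothetical.

```powershell
# Added example (not from the original post). Finding labels are illustrative.
# Assumption: the policy reaches the client via Group Policy / the Update policy CSP
# and is therefore visible under this key.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusScanProxyFinding {
    param(
        [string]$WUServer,        # WSUS URL from policy
        [int]$ProxyBehavior = 0   # 0 = system proxy only (default), 1 = user proxy fallback
    )
    $uri = $null
    if ([string]::IsNullOrWhiteSpace($WUServer)) {
        $scheme = $null; $finding = 'No WSUS server set by policy; nothing to assess'
    } elseif (-not [uri]::TryCreate($WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        $scheme = $null; $finding = "WUServer value '$WUServer' is not a valid absolute URL"
    } else {
        $scheme   = $uri.Scheme   # System.Uri returns the scheme in lower case
        $fallback = ($ProxyBehavior -eq 1)
        $finding  = switch ("$scheme/$fallback") {
            'http/True'   { 'REVIEW: HTTP WSUS with user proxy fallback enabled (the NOT RECOMMENDED workaround)' }
            'http/False'  { 'REVIEW: HTTP WSUS; scans fail where only a user proxy is available' }
            'https/True'  { 'NOTE: HTTPS WSUS, but user proxy fallback is still enabled' }
            'https/False' { 'OK: HTTPS WSUS, system proxy only' }
            default       { "UNKNOWN: unexpected scheme '$scheme'" }
        }
    }
    [pscustomobject]@{
        WUServer          = $WUServer
        Scheme            = $scheme
        UserProxyFallback = ($ProxyBehavior -eq 1)
        Finding           = $finding
    }
}

# Constructed sample values (hypothetical host names), runnable on any machine:
Get-WsusScanProxyFinding -WUServer 'http://wsus.example.test:8530'  -ProxyBehavior 1
Get-WsusScanProxyFinding -WUServer 'https://wsus.example.test:8531' -ProxyBehavior 0

# Live check on a Windows client: read the effective policy values, if present.
$policy   = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
$behavior = 0
if ($null -ne $policy -and $null -ne $policy.SetProxyBehaviorForUpdateDetection) {
    $behavior = [int]$policy.SetProxyBehaviorForUpdateDetection
}
$server = if ($policy) { $policy.WUServer } else { $null }
Get-WsusScanProxyFinding -WUServer $server -ProxyBehavior $behavior
```

Run across a collection, the output gives a list of clients still depending on the user proxy fallback, which is the inventory needed before the workaround can be retired.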
More details about the WSUS enhanced security are available in the following post: Scan changes and certificates add security for Windows devices using WSUS for updates.