Fix SCCM WSUS with HTTP Proxy Communication Issues | ConfigMgr

Let’s understand the impact of Running SCCM WSUS with HTTP Communication and proxy after the Windows 10 Sep update. Microsoft recommended a secured connection for software updates using SCCM and WSUS. These changes could impact many SCCM infra around the world who are running HTTP communications.

This change is related to WSUS technologies and not directly connected to ConfigMgr as a product. However, as we all know, ConfigMgr is tightly integrated with WSUS for all the update processes. Hence, all SCCM admins should take some time to understand the impact on their environment.

HTTP proxies are helpful for internet users who want to conceal their identity online, access restricted websites, or enforce access policies on specific websites. An HTTP proxy helps save significant amounts of bandwidth by caching files and webpages, which can also reduce the number of ads users receive.

A proxy error is an HTTP error status when a request sent to the web server via a proxy fails. A proxy server acts as an intermediary between you and the internet, allowing you to access websites without revealing your IP address.

• Fix SCCM Scan Issues with Software Updates Patching | ConfigMgr
• SCCM Patch Software Update Deployment Process Guide.

Index
Impact
The Key Message From Community
WSUS Metadata Update from Microsoft Server
Windows 10 Client Changes
What If You need to Use a User Proxy

New Client Settings – Enable User Proxy for Software Update Scans option– Top 5 New Features Of SCCM 2010 | ConfigMgr HTMD Blog (anoopcnair.com)

Impact

As per the latest Microsoft Community blog, each one of these connections explained above needs to be protected against malicious attacks. The following are the key points that you need to understand:

• You have an SCCM + WSUS environment with HTTP communication.
• A Windows 10 device requires a proxy to connect to intranet WSUS Servers successfully.
• The proxy is only configured for users (not devices)

If the above points are valid, then Monthly patching (software update scans against WSUS) will fail after your Windows 10 device is successfully installed with the September 2020 cumulative update patch.

NOTE! In most organizations, I have seen that the proxy bypasses intranet communications between Windows 10 devices and WSUS.

The Key Message From Community

Microsoft’s critical message was that when you use SCCM to manage your Windows updates, the updated metadata travels from Microsoft servers to WSUS and then to Windows 10 devices via a chain of connections.

WSUS Metadata Update from Microsoft Server

Your WSUS server connects with Windows Update servers and receives update metadata. This connection always uses HTTPS, so it is already secured. You don’t have to perform any actions related to this, but this might ensure that metadata has not been tampered with.

If multiple WSUS servers are arranged in a hierarchy, the downstream servers receive metadata from the upstream servers. I think Microsoft recommends connecting upstream and downstream WSUS servers to HTTPS.

However, as the blog post states, changing the communication between WSUS upstream and downstream servers to HTTPS is not mandatory.

Windows 10 Client Changes

The September 2020 cumulative update of Windows 10 makes important changes in HTTP-based intranet servers. All Windows 10 devices will use HTTPS communication to contact internal servers like WSUS by default.

To ensure your devices remain inherently secure, we no longer allow HTTP-based intranet servers to leverage user proxy by default to detect updates.

What If You need to Use a User Proxy

It seems that Microsoft might release more details about the ADMX policies and CSPs. In the comments, let me know if you know of any other way to achieve the change explained in the Microsoft blog post.

I have also not seen more details about the options in the KB article. https://support.microsoft.com/en-in/help/4577064/windows-server-2008-update

Also, read the post, Changes to improve security for Windows devices scanning WSUS‘s comments section for more details about other thoughts. Registry entry details are also given in the comments on group policy and local policy restrictions.

The following paragraphs are quoted from the comments of the Microsoft post by Aria Carley:

The local ADMX will update the new policy once the September patch is taken. You should then be able to grab the ADMX/L files from such a device. As for your second point,

I fully understand your concern. ConfigMgr is currently unable to manage the new proxy behavior setting. So, in managed environments where a user proxy is needed, you must set the desired proxy behavior directly via the registry for the short term. We hope to make this a more seamless process in the future.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetProxyBehaviorForUpdateDetection
– Value 0 – Only use system proxy
– Value 1 – Allow user proxy as fallback…

Resources

• Changes to improve security for Windows devices scanning WSUS
• WSUS Attacks Part 1: Introducing PyWSUS
• WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day
• Difference Between Windows Patch Management Using Intune Vs ConfigMgr | SCCM | Software Updates

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.