Windows 10 Sep Update + Impact of Running WSUS with HTTP SCCM

Windows 10 Sep Update Impact of Running WSUS with HTTP

Let’s understand the impact of running SCCM WSUS with HTTP communications and a proxy after the Windows 10 September 2020 update. Microsoft now recommends a secured (HTTPS) connection for software updates delivered through SCCM and WSUS. This change could affect many SCCM infrastructures around the world that still run HTTP communications.

This change is related to WSUS technology and is not directly a ConfigMgr product change. However, ConfigMgr is tightly integrated with WSUS for the whole update process, so every SCCM admin should take some time to understand the impact on their environment.

Impact

As per the latest Microsoft Community blog, each of the connections in the update chain (explained below) needs to be protected against malicious tampering. The following are the key points you need to understand:

  • You have an SCCM + WSUS environment with HTTP communication.
  • A Windows 10 device requires a proxy in order to successfully connect to intranet WSUS servers.
  • The proxy is only configured for users (not for devices).

If all of the above points are true, then monthly patching (software update scans against WSUS) will start to fail once your Windows 10 devices have installed the September 2020 cumulative update.

NOTE! – In most organizations I have seen, intranet communication between Windows 10 devices and WSUS bypasses the proxy, so this scenario may not apply to you.

[Image: Running SCCM WSUS with HTTP Communications. Sample picture from the post – Difference Between Windows Patch Management Using Intune Vs ConfigMgr | SCCM | Software Updates]

The Key Message From Community

The key message from Microsoft was: when you use SCCM to manage your Windows updates, the update metadata travels from Microsoft servers to WSUS and then to Windows 10 devices via a chain of connections, and each link in that chain should be secured.

I saw the tweet from Julie Andreacola and Bryan Dam this morning explaining the topic.

WSUS Metadata Update from Microsoft Server

Your WSUS server connects to the Windows Update servers and receives update metadata. This connection always uses HTTPS, so it is already secured and you don’t have to take any action for it. HTTPS is what ensures the metadata has not been tampered with in transit.

If you have multiple WSUS servers arranged in a hierarchy, the downstream servers receive metadata from the upstream servers. I think Microsoft is recommending that the connection between upstream and downstream WSUS servers be switched to HTTPS.

However, as I read the blog post, changing the communication between WSUS upstream and downstream servers to HTTPS is not mandatory.

Windows 10 Client Changes

The Windows 10 cumulative update of September 2020 makes an important change to how clients contact HTTP-based intranet servers. By default, Windows 10 devices are expected to use HTTPS communication to contact internal servers like WSUS. From the Microsoft blog:

To ensure that your devices remain inherently secure, we are no longer allowing HTTP-based intranet servers to leverage user proxy by default to detect updates.

What if you need to use a user proxy?

It seems Microsoft may release more details about the ADMX policies and CSPs for this setting. Let me know in the comments if you know of any other way to achieve the change explained in the Microsoft blog post.

I have not seen more details about the options in the following KB article either: https://support.microsoft.com/en-in/help/4577064/windows-server-2008-update

Also, read the comments section of the Microsoft post for other thoughts. Registry entry details are also given in the comments for overriding the Group Policy and local policy restrictions.

The following paragraphs are quoted from Aria Carley’s replies in the comments of the Microsoft post:

The local ADMX will update with the new policy once the September patch is taken. You should then be able to grab the ADMX/L files from such a device. As for your second point,

I fully understand your concern. ConfigMgr is currently unable to manage the new proxy behavior setting. So in the case of managed environments where user proxy is needed, for the short term, you will need to set the desired proxy behavior via the registry directly. We hope to make this a more seamless process in the future.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetProxyBehaviorForUpdateDetection
– Value 0 – Only use system proxy
– Value 1 – Allow user proxy as fallback…
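As an added example (not code from the blog post or from Microsoft), the PowerShell script below audits a Windows 10 device for this scenario: it reads the standard WUServer policy value to see whether the WSUS URL is HTTP, reports the current SetProxyBehaviorForUpdateDetection value using the meanings quoted above, and, only when run with -AllowUserProxyFallback, sets the value to 1. It assumes an elevated PowerShell session and that WUServer is the policy value pointing the client at WSUS.

```powershell
# Added example (not from the blog or Microsoft): audit and optionally remediate the
# September 2020 user-proxy behaviour for HTTP WSUS. Run elevated; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$AllowUserProxyFallback
)

$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$valueName = 'SetProxyBehaviorForUpdateDetection'

# WUServer is the standard Windows Update policy value that names the WSUS server.
$wuServer = (Get-ItemProperty -Path $wuPolicy -Name 'WUServer' -ErrorAction SilentlyContinue).WUServer
if (-not $wuServer) {
    Write-Warning 'No WUServer policy found; this device does not appear to scan against WSUS.'
} elseif ($wuServer -match '^http://') {
    Write-Warning "WSUS URL '$wuServer' is HTTP. After the September 2020 CU the client will not use a user proxy to reach it unless the policy below allows the fallback."
} else {
    Write-Host "WSUS URL '$wuServer' uses HTTPS; the user-proxy restriction does not apply."
}

# Report the current proxy behaviour value (meanings as quoted from the Microsoft comments).
$current = (Get-ItemProperty -Path $wuPolicy -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not set; the new default applies (user proxy is not used for detection)."
} elseif ($current -eq 0) {
    Write-Host "$valueName = 0: only use system proxy."
} elseif ($current -eq 1) {
    Write-Host "$valueName = 1: allow user proxy as fallback."
} else {
    Write-Warning "$valueName has an unexpected value '$current'."
}

# Short-term workaround only: allow the user proxy as a fallback. Moving WSUS to HTTPS
# is the recommended fix, so this is opt-in and honours -WhatIf / -Confirm.
if ($AllowUserProxyFallback -and $current -ne 1) {
    if ($PSCmdlet.ShouldProcess("$wuPolicy\$valueName", 'Set to 1 (allow user proxy as fallback)')) {
        if (-not (Test-Path $wuPolicy)) { New-Item -Path $wuPolicy -Force | Out-Null }
        New-ItemProperty -Path $wuPolicy -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set $valueName = 1. Restart the Windows Update service or trigger a scan to apply."
    }
}
```

Run it without parameters first to see whether the device is actually affected; the registry change is applied only with -AllowUserProxyFallback.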

Resources

1 COMMENT

  1. Thank you Sir for this article. Saved us from trouble.
    Providing it as reference to my workstation patching team so they can be aware of it.
