Forum Discussion
rjlucas365
Oct 21, 2021
Copper Contributor
Office Hours - WUFB Security
I'm having issues convincing the security team that WUFB configured via Intune is "secure", or as secure as SCCM. What can you say to help me prove this?
7 Replies
- Greg_C_Gilbert
Iron Contributor
My InfoSec team loves us for implementing WUfB. We moved from Ivanti to MEM with WUfB. We patch more quickly, more thoroughly, and with significantly less effort now.
If they continue to push back, ask if they have any evidence of the 1+ billion PCs that use Windows Update ever being compromised by a hacked update. I've never heard of anything like that happening.
- rjlucas365
Copper Contributor
Good response. Thank you!
- Roy Barton
Microsoft
I can understand that moving your "security perimeter" outside of your network to the cloud can be a daunting conversation with your security team. The considerations and conversations around this are threefold:
1. Windows Update for Business policies are one of the quickest ways to start testing Microsoft Quality (Bug and Security Patches earlier) since policies will allow you to quickly establish deployment rings
2. The reduction in network traffic over VPN concentrators will provide a higher level of patch compliance
3. Modern management will increase ROI almost instantly
Please refer to https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb for more information.
- Jason_Sandys
Microsoft
Hi rjlucas365,
Can you expand on their concern here?
All Windows updates, regardless of how they are delivered are digitally signed by Microsoft. This signature is validated by the OS before the update is installed and thus, if the channel delivering the update to the OS is compromised or the payload is tampered with in any way, the update itself is protected and won't be installed.
- rjlucas365
Copper Contributor
I cannot expand on the concern. Security teams can be unreasonable and I have not yet met with them to understand the concern. But any information I can be provided helps. The digital signing is a good one.
- rjlucas365
Copper Contributor
I'm not sure yet, but I need to be prepared for that meeting. ;) I assume I can say that communication between the device and Azure AD/Intune is encrypted with a public/private key, same for communication with WUfB. Also the hash of the files downloaded is checked just like when SCCM downloads the update payload.
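To make the signature check Jason_Sandys describes and the hash check rjlucas365 mentions concrete, here is an added PowerShell example (not code from the thread, from Microsoft, or from any product) that verifies a downloaded update package the way an admin would before trusting it. The package path and the expected SHA256 are placeholders you supply; the expected hash is assumed to come from the package's listing in the Microsoft Update Catalog.

```powershell
# Added example: reproduce the two checks the OS performs on an update
# package (Authenticode signature, then content hash) before installing it.
# $UpdatePath and $ExpectedSha256 are placeholders, not values from the thread.
param(
    [string]$UpdatePath     = 'C:\Updates\example-update.msu',  # placeholder path
    [string]$ExpectedSha256 = $null                              # SHA256 from the Update Catalog
)

function Test-UpdatePackage {
    param([string]$Path, [string]$ExpectedHash)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Authenticode signature must be Valid (intact and chained to a trusted root).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $Path; Trusted = $false
                                  Reason = "Signature status: $($sig.Status)" }
    }

    # 2. Signer identity: the signing certificate should belong to Microsoft.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike '*O=Microsoft Corporation*') {
        return [pscustomobject]@{ File = $Path; Trusted = $false
                                  Reason = "Unexpected signer: $subject" }
    }

    # 3. Content hash: compare with the value published alongside the package
    #    (skipped when no expected hash was supplied).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ExpectedHash -and ($actual -ne $ExpectedHash.ToUpperInvariant())) {
        return [pscustomobject]@{ File = $Path; Trusted = $false
                                  Reason = "Hash mismatch: got $actual" }
    }

    [pscustomobject]@{ File = $Path; Trusted = $true
                       Reason = "Valid Microsoft signature; SHA256 $actual" }
}

Test-UpdatePackage -Path $UpdatePath -ExpectedHash $ExpectedSha256 | Format-List
```

Running it against a package whose bytes have been altered in transit reports a non-Valid signature status (HashMismatch), which is the behaviour the thread relies on when it says a tampered update won't install.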
- AriaUpdated
Microsoft
What points or concerns does your security team have?