<LINGO-SUB id="lingo-sub-1645547" slang="en-US">Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1645547" slang="en-US"><P style="margin-top: 20px;">With the September 2020 cumulative update for Windows 10, we introduced changes that help improve the security of devices that scan Windows Server Update Services (WSUS) for their updates. This post describes those changes, outlines the actions you need to take to ensure your devices continue to scan for updates, and offers basic recommendations to help you better secure the devices in your organization.</P>
<H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;" id="toc-hId--1269472597">Secure by default</H2>
<P style="margin-top: 20px;">First, beginning with the September 2020 cumulative update, scans against HTTP-based intranet update servers are secure by default. To keep devices inherently secure, the Windows Update client no longer uses a user-configured (per-user) proxy when it detects updates from an intranet WSUS server that is not protected by TLS; only a proxy configured for the device itself (a system proxy) is used. If your WSUS environment is not secured with TLS/HTTPS, a device requires a proxy in order to reach its intranet WSUS server, and that proxy is configured only for users (not for the device), then software update scans against WSUS will start to fail once the device installs the September 2020 cumulative update.</P>
<H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;" id="toc-hId-1218040236">Recommendations for greater security</H2>
<P style="margin-top: 20px;">To help ensure the security of your WSUS infrastructure, Microsoft recommends using TLS/SSL between your devices and your WSUS servers. The Microsoft Update system (including WSUS) relies on two types of content: update payloads and update metadata. Update payloads are the data files that contain the software update components that make up the update. Update metadata is all the information that the Microsoft Update system needs to know <EM>about</EM> the updates, including which updates are available, which devices each update can be applied to, and where to retrieve the payloads for each update. Both types of content are crucial, and both need to be protected to help keep your computers secure and up to date.</P>
<P style="margin-top: 20px;">Update payloads are protected against modification by multiple means, including digital signature checks and cryptographic hash verification, so a tampered payload is rejected no matter how it was delivered. Update metadata is different: the client acts on what it is told (which updates apply to it and where to fetch them), so the transport that carries the metadata is what has to be trusted. HTTPS provides that chain of custody, letting the client authenticate the server it is talking to and detect any modification in transit.</P>
<P style="margin-top: 20px;">When a device receives updates directly from Microsoft Update, that device receives update metadata directly from Microsoft servers. This metadata is always transmitted via HTTPS to prevent tampering. When you use WSUS or Configuration Manager to manage your organization's updates, the update metadata travels from Microsoft servers to your devices via a chain of connections. <STRONG>Each one of these connections needs to be protected against malicious attacks.</STRONG></P>
<P style="margin-top: 20px;">Your WSUS server connects to Windows Update servers and receives update metadata. This connection always uses HTTPS, and the HTTPS security features guard the metadata against tampering. If you have multiple WSUS servers arranged in a hierarchy, the downstream servers receive metadata from the upstream servers. Here you have a choice: you can use HTTP or HTTPS for these metadata connections. Using HTTP, however, is dangerous: it breaks the chain of trust and can leave you vulnerable to attack. Using HTTPS lets a downstream WSUS server authenticate the upstream server and verify that the metadata it receives was not altered on the way.</P>
<P style="margin-top: 20px;">In order to maintain the chain of trust and prevent attacks on your client computers, you must ensure that all metadata connections within your organization, both the connections between upstream and downstream WSUS servers and the connections between the WSUS servers and your client computers, are defended against attacks. To do so, we highly recommend that you configure your WSUS network to protect these connections using HTTPS. To learn more, see Michael Cureton’s post <A href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/security-best-practices-for-windows-server-update-services-wsus/ba-p/1587536" target="_blank" rel="noopener">Security best practices for Windows Server Update Services (WSUS)</A>.</P>
<P style="margin-top: 20px;">Even with HTTPS configured, it is still very important that you use a system-based proxy rather than a user-based proxy if a proxy is needed. A user-based proxy is configured in the profile of the logged-on user and can therefore be changed by that user, even one without elevated privileges; by pointing it at a proxy they control, such a user could intercept and manipulate the data being exchanged between the update client and the update server.</P>
<H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;" id="toc-hId--589414227">Recommendations for those who absolutely need user proxy</H2>
<P style="margin-top: 20px;">If you do need to use a user-based proxy to detect updates while using an HTTP-based intranet server, despite the exposure it creates, make sure to configure the proxy behavior to "Allow user proxy to be used as a fallback if detection using system proxy fails." With that option set, the client still tries the system proxy first and only falls back to the user proxy if detection through the system proxy fails.</P>
<P style="margin-top: 20px;"><STRONG>Group Policy path:</STRONG> Windows Components&gt;Windows Update&gt;Specify intranet Microsoft update service location</P>
<P style="margin-top: 20px;"><STRONG>Configuration Service Provider path:</STRONG> <A href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice" target="_blank" rel="noopener noreferrer">Update/SetProxyBehaviorForUpdateDetection</A></P>
<P style="margin-top: 20px;"><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="update-service-location.png" style="width: 602px;"><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/217065iC84D3B6FD368A121/image-dimensions/602x537?v=1.0" width="602" height="537" title="update-service-location.png" alt="update-service-location.png" /></SPAN></P>
<H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;" id="toc-hId-1898098606">Next steps</H2>
<P style="margin-top: 20px;">If you are an IT administrator who currently manages an HTTP-configured WSUS environment and relies on a user-based proxy for client scans, please consider taking one of the following actions as soon as possible. If none of these actions are taken, your devices will stop successfully scanning for software updates after the September 2020 security update.</P>
<P style="margin-top: 20px;">Options to ensure that devices in your environment can continue to successfully scan for updates:</P>
<UL>
<LI style="margin-bottom: 8px; margin-top: 20px;">Secure your WSUS environment with TLS/SSL (configure servers with HTTPS).</LI>
<LI style="margin-bottom: 8px;">Set up a system-based proxy for detecting updates if a proxy is needed.</LI>
</UL>
<P>&nbsp;</P></LINGO-BODY><LINGO-TEASER id="lingo-teaser-1645547" slang="en-US"><P>The September 2020 security update improves security for devices scanning WSUS for updates, but may require you to take action.</P></LINGO-TEASER><LINGO-LABS id="lingo-labs-1645547" slang="en-US"><LINGO-LABEL>Servicing and updates</LINGO-LABEL></LINGO-LABS><LINGO-SUB id="lingo-sub-1646437" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1646437" slang="en-US"><P>Oh, another one of those lovely posts about securing WSUS traffic with TLS. And, as always, we have this:</P><BLOCKQUOTE><P>When you use WSUS or Configuration Manager to manage your organization's updates, the update metadata travels from Microsoft servers to your devices via a chain of connections. <STRONG>Each one of these connections needs to be protected against malicious attacks.</STRONG></P></BLOCKQUOTE><P>And as always, here I am, asking you these questions: What malicious attacks? From where do they originate? What is their attack vector? What's your threat model? And, to quote Microsoft's engineer Raymond Chen, does it not involve being on the other side of the airtight hatchway?</P><P>&nbsp;</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1646747" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1646747" slang="en-US"><P>The&nbsp;<SPAN>“Allow user proxy to be used as a fallback if detection using system proxy fails” policy does not exist in the 1909 or 2004 ADMX files, or am I wrong?</SPAN></P><P>&nbsp;</P><P><SPAN>How can this be configured as a Registry key only?</SPAN></P></LINGO-BODY><LINGO-SUB id="lingo-sub-1647030" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1647030" slang="en-US"><P>Hey Aria,</P><P>&nbsp;</P><P>Can you provide some more details regarding the policy setting? As stated by Richard, this doesn't seem to be included within the ADMX files.</P><P>&nbsp;</P><P>Additionally, the GPO being referred to is one also being managed through Configuration/Endpoint Manager. Setting the GPO will cause two management systems to try to define the setting on the managed workstation/device.</P><P>&nbsp;</P><P>Last but not least: the link provided (<A href="https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowupdateservice" target="_blank" rel="noopener noreferrer">https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowupdateservice</A>) does not refer to any sub-section "<A href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice" target="_blank" rel="noopener noreferrer">Update/ SetProxyBehaviorForUpdateDetection</A>".&nbsp;</P><P>Can you provide an updated location that includes the "SetProxyBehaviourForUpdateDetection"?</P><P>&nbsp;</P><P>Grtz</P><P>&nbsp;</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1648400" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1648400" slang="en-US"><P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/158630" target="_blank">@Aria Carley</A>&nbsp;There seems to be some confusion about exactly what a user proxy is versus a system/device proxy.&nbsp; Which is to say: people don't clearly know if they are impacted by this or not.&nbsp; I read 'user proxy' as one defined in 'Internet Options' either by the user themselves or via Group Policy, and 'system' proxy as one configured using 'netsh winhttp' commands.&nbsp;<BR /><BR />If an organization legitimately needs a proxy to reach their WSUS server, how do they configure (or verify that they are using) a system proxy?</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1649945" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1649945" slang="en-US"><P>I am not sure if this affects me, as we have an SCCM server (WSUS incorporated) and our clients use a proxy app to allow internet out?</P><P>Is there a better way to make sure?</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1650921" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1650921" slang="en-US"><P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/286572" target="_blank">@RichardSheath</A>&nbsp;this policy should appear in the Group Policy ADMX file once the September security update is taken. It is typically not recommended to set the registry key directly, given that it could then be easily overwritten if the policy is set (either locally or by a management tool).</P>
<P>&nbsp;</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1650923" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1650923" slang="en-US"><P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/265903" target="_blank">@bdam55</A>&nbsp;The key difference when we are talking about user versus system proxy is that a user proxy can be configured per logged-on user (and hence modified by a non-admin), whereas a system proxy is configured for the entire machine (and can’t be modified by a low-privileged user). The online Microsoft docs, as well as external sources, can provide more information on both types of proxies.<BR /><BR />You can configure a system proxy using the netsh command-line utility from an elevated cmd.<BR />- Check if a system proxy is already set: netsh winhttp show proxy<BR />- Set a new system proxy: netsh winhttp set proxy &lt;PORT&gt;</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1650928" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1650928" slang="en-US"><P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/630730" target="_blank">@Dolinhas</A>&nbsp;that would depend on what your proxy app is doing. That said, you can determine if there is a system proxy already in place by using the netsh command-line utility as an administrator and running netsh winhttp show proxy. I hope this helps!&nbsp;</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1651348" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1651348" slang="en-US"><P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/158630" target="_blank">@Aria Carley</A>&nbsp;Thanks for the clarification, although it sort of confirms the confusion.&nbsp; I've been told the opposite by an MS PFE whom I know and have reason to trust: that this is about how the proxy authenticates, not the mechanism by which it is configured.&nbsp; And yet your description is the one that makes sense to me.&nbsp; The exploit is that a user-space proxy can be altered by a non-privileged user and thus spoofed ... how that proxy authenticates is irrelevant.&nbsp;<BR /><BR />I looked for official docs on system vs user proxies and didn't come up with anything other than 'how to configure a proxy with GPO' and the like.&nbsp; So if you have docs handy to help clarify, that'd be great.<BR /><BR />In short, I don't think the terms 'system proxy' or 'user proxy' have any universally agreed-upon definition, and it would be wise to further clarify how you are using those terms in the post. I'm seeing wide amounts of confusion surrounding how to know if your org is going to be impacted or not.&nbsp; There's both an incredible number of organizations using non-HTTPS WSUS (it's always been the default) and using proxies (almost universal in large orgs).</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1651351" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1651351" slang="en-US"><P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/158630" target="_blank">@Aria Carley</A>&nbsp;Thanks for the response, but I'm not sure you are correct with regards to the policy info.</P><P>&nbsp;</P><P>Yes, you are correct in that the setting only appears after the update is applied, but it is a local policy and not controlled by GPO, so how can an ADMX file be modified by a client-side patch being installed when these files reside on a Domain Controller?</P><P>&nbsp;</P><P>Surely to take advantage of this setting we'd need an updated ADMX pack with the modified WindowsUpdate.admx?</P></LINGO-BODY><LINGO-SUB id="lingo-sub-1651771" slang="en-US">Re: Changes to improve security for Windows devices scanning WSUS</LINGO-SUB><LINGO-BODY id="lingo-body-1651771" slang="en-US"><P>The ADMX for 2004 have been updated again on the downloads page; check if it is contained <A h
ref%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F286572%22%20target%3D%22_blank%22%3E%40RichardSheath%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1653881%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1653881%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F286572%22%20target%3D%22_blank%22%3E%40RichardSheath%3C%2FA%3E%26nbsp%3BSorry%2C%20to%20clarify%3A%20the%20local%20group%20policy%20files%20will%20be%20updated%20once%20you%20take%20the%20September%20patch.%20From%20there%20you%20can%20copy%20the%20updated%20ADMX%2FL%20files%20to%20your%20central%20store%20and%20use%20them%20to%20set%20the%20policy%20on%20your%20organization's%20devices.%20You%20are%20correct%20that%20the%20online%20files%20will%20not%20be%20automatically%20updated.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1654709%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1654709%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F786690%22%20target%3D%22_blank%22%3E%40N3rdy77%3C%2FA%3E%26nbsp%3B%26nbsp%3BThe%20local%20ADMX%20will%20update%20with%20the%20new%20policy%20once%20the%20September%20patch%20is%20taken.%20You%20should%20then%20be%20able%20to%20grab%20the%20ADMX%2FL%20files%20from%20such%20a%20device.%20As%20for%20your%20second%20point%2C%20I%20fully%20understand%20your%20concern.%20ConfigMgr%20is%20currently%20unable%20to%20manage%20the%20new%20proxy%20behavior%20setting.%20So%20in%20the%20case%20of%20managed%20environments%20where%20user%20proxy%20is%20needed%2C%20for%20the%20short%20term%2C
%20you%20will%20need%20to%20set%20the%20desired%20proxy%20behavior%20via%20the%20registry%20directly.%20We%20hope%20to%20make%20this%20a%20more%20seamless%20process%20in%20future.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EComputer%5CHKEY_LOCAL_MACHINE%5CSOFTWARE%5CPolicies%5CMicrosoft%5CWindows%5CWindowsUpdate%5CSetProxyBehaviorForUpdateDetection%3CBR%20%2F%3E-%20Value%200%20%E2%80%93%20Only%20use%20system%20proxy%3CBR%20%2F%3E-%20Value%201%20%E2%80%93%20Allow%20user%20proxy%20as%20fallback%E2%80%A6%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%5E%26nbsp%3B%3CEM%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F286572%22%20target%3D%22_blank%22%3E%40RichardSheath%3C%2FA%3E%26nbsp%3Bas%20you%20asked%20for%20the%20Regkey%20as%20well.%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1660154%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1660154%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F158630%22%20target%3D%22_blank%22%3E%40Aria%20Carley%3C%2FA%3E%26nbsp%3BTnx%20for%20the%20info%20%3B)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20worries%20are%20a%20bit%20smaller%20now.%20Now%20let's%20see%20whether%20the%20%22fail-fast%22-principle%20is%20needed%20or%20not%20%3AD%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1660896%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1660896%22%20slang%3D%22en-US%22%3E%3CP%3ESigning%20binaries%20only%20is%20not%20enough%20is%20halfway%20protection.%20Update%20metadata%20should%20be%20signed%20by%20Microsoft%20as%20well.%20SSL%2FTLS%20protection%20can%20be%20easily%20byp
assed%20by%20any%20intermediate%20rogue%20WSU%20that%20uses%20legitimate%20SSL%2FTLS%20certificates%20(e.g.%20from%20StartSSL).%20As%20it%20is%20now%2C%20any%20Windows%20client%20can%20be%20fooled%20to%20run%20legitimate%20MS-signed%20binaries%20with%20rogue%20command%20line%20parameters.%20As%20it%20is%20now%20WSUS%20seems%20like%20a%20trojan%20horse%2C%20and%20can%20be%20used%20to%20hijack%20in%20a%20massive%20way%20all%20of%20its%20clients%20through%20their%20update%20channel.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1661263%22%20slang%3D%22en-US%22%3ERE%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1661263%22%20slang%3D%22en-US%22%3EJUST%20IM%20HAVE%20PROBLEM%20THIS%20WINDOWS%2010%20UPDATE%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1661937%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1661937%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F158630%22%20target%3D%22_blank%22%3E%40Aria%20Carley%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%E7%B4%A0%E6%99%B4%E3%82%89%E3%81%97%E3%81%84%E8%AA%AC%E6%98%8E%E3%82%92%E3%81%82%E3%82%8A%E3%81%8C%E3%81%A8%E3%81%86%E3%80%82%3C%2FP%3E%3CP%3E%E3%83%AC%E3%82%B8%E3%82%B9%E3%83%88%E3%83%AA%E8%A8%AD%E5%AE%9A%E3%82%84GPO%E3%81%8C%E6%8F%90%E4%BE%9B%E3%81%95%E3%82%8C%E3%81%AA%E3%81%84%E3%81%93%E3%81%A8%E3%81%AF%E6%9C%AC%E6%96%87%E3%81%AB%E8%BF%BD%E8%A8%98%E3%81%97%E3%81%A6%E3%81%BB%E3%81%97%E3%81%84%E3%81%A7%E3%81%99%E3%80%82%3C%2FP%3E%3CP%3E%E4%BB%A5%E4%B8%8B%E3%81%AE%E3%82%B5%E3%82%A4%E3%83%88%E3%81%A0%E3%81%91%E3%81%A7%E3%81%AFadmx%E3%82%92%E6%BA%96%E5%82%99%E3%81%97%E3%81%8D%E3%82%8C%E3%81%AA%E3%81%84%E3%80%82%E3%81%A8%E3%81%84%E3%81%86%E3%81%93%E3%81%A8%E3%81%A7%E3%81%99%E3%82%88%E3%81%AD%EF%BC%9F%3C%2FP%3E%3CP%3E%3CA%20h
ref%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-client%2Fgroup-policy%2Fcreate-and-manage-central-store%3FWT.mc_id%3DWDIT-MVP-5002496%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-client%2Fgroup-policy%2Fcreate-and-manage-central-store%3FWT.mc_id%3DWDIT-MVP-5002496%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1650311%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1650311%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F289393%22%20target%3D%22_blank%22%3E%40K_Wester-Ebbinghaus%3C%2FA%3E%26nbsp%3Bthis%20policy%20will%20be%20available%20on%20Windows%207%2B%20(including%20Vista%20and%20all%20versions%20of%20Windows%2010)%20once%20devices%20take%20the%20September%20security%20update.%20Note%2C%20without%20taking%20the%20security%20update%20released%20on%20the%208th%20of%20September%2C%20you%20will%20not%20be%20able%20to%20leverage%20this%20policy.%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1646381%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1646381%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%
2Fuser%2Fviewprofilepage%2Fuser-id%2F158630%22%20target%3D%22_blank%22%3E%40Aria%20Carley%3C%2FA%3E%26nbsp%3Bgreat%20write%20up.%3C%2FP%3E%3CP%3EWhat's%20the%20minimum%20ADMX%20%2F%20OS%20build%20level%20needed%20for%20this%20setting%20to%20exist%20%2F%20work%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1720908%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1720908%22%20slang%3D%22en-US%22%3E%3CP%3EFYI%2C%20%3CEM%3E%3CSTRONG%3Ethe%20change%20affects%20not%20only%20Windows%2010%2C%20but%20also%20Windows%208.1%2C%20Windows%208%2F8.1%20Embedded%2C%20Windows%20Server%202012%2C%20and%20Windows%20Server%202012%20R2%3C%2FSTRONG%3E%3C%2FEM%3E.%20The%20following%20are%20links%20to%20related%20Sept%202020%20update%20articles%2C%20and%20an%20excerpt%20from%20them%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3ESeptember%208%2C%202020%E2%80%94KB4577038%20(Monthly%20Rollup)%20--%20Windows%20Server%202012%20%26amp%3B%20Windows%20Embedded%208%20Standard%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4577038%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4577038%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3ESeptember%208%2C%202020%E2%80%94KB4577066%20(Monthly%20Rollup)%20--%20Windows%208.1%2C%20Windows%20Server%202012%20R2%20%26amp%3B%20Windows%20Embedded%208.1%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4577066%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20
noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4577066%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CEM%3EAddresses%20a%20security%20vulnerability%20issue%20with%20user%20proxies%20and%20HTTP-based%20intranet%20servers.%20After%20you%20install%20this%20update%2C%20HTTP-based%20intranet%20servers%20cannot%20leverage%20a%20user%20proxy%20to%20detect%20updates%20by%20default.%20Scans%20that%20use%20these%20servers%20will%20fail%20if%20the%20clients%20do%20not%20have%20a%20configured%20system%20proxy.%20If%20you%20must%20leverage%20a%20user%20proxy%2C%20you%20must%20configure%20the%20behavior%20by%20using%20the%20Windows%20Update%20policy%20%E2%80%9CAllow%20user%20proxy%20to%20be%20used%20as%20a%20fallback%20if%20detection%20using%20system%20proxy%20fails.%E2%80%9D%20This%20change%20does%20not%20affect%20customers%20who%20secure%20their%20Windows%20Server%20Update%20Services%20(WSUS)%20servers%20that%20use%20the%20Transport%20Layer%20Security%20(TLS)%20or%20Secure%20Sockets%20Layer%20(SSL)%20protocols.%20For%20more%20information%2C%20see%20Improving%20security%20for%20devices%20receiving%20updates%20via%20WSUS.%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1721407%22%20slang%3D%22es-ES%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1721407%22%20slang%3D%22es-ES%22%3E%3CP%3EAt%20the%20moment%20I%20have%20no%20problems%2C%20just%20a%20little%20slow%20on%20startup%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1722249%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20improve%20security%20for%20Windows%20devices%20scanning%20WSUS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1722249%22%20slang%3D%22en-US%22%3E%3CP%3Ealkou%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

With the September 2020 cumulative update for Windows 10, we introduced changes that help improve the security of devices that scan Windows Server Update Services (WSUS) for their updates. This post will describe those changes, outline the actions you need to take to ensure your devices continue to scan for updates, and offer basic recommendations to help you better secure the devices in your organization.

Secure by default

First, beginning with the September 2020 cumulative update, HTTP-based intranet servers will be secure by default. To ensure that your devices remain inherently secure, we are no longer allowing HTTP-based intranet servers to leverage a user proxy by default to detect updates. If you have a WSUS environment not secured with the TLS protocol (HTTPS), and a device requires a proxy in order to successfully connect to intranet WSUS servers, and that proxy is only configured for users (not devices), then your software update scans against WSUS will start to fail after your device successfully takes the September 2020 cumulative update.

Recommendations for greater security

To help ensure the security of your WSUS infrastructure, Microsoft recommends using the TLS/SSL protocol between your devices and your WSUS servers. The Microsoft Update system (including WSUS) relies on two types of content: update payloads and update metadata. Update payloads are the data files that contain the software update components that make up the update. Update metadata is all the information that the Microsoft Update system needs to know about the updates, including which updates are available, which devices each update can be applied to, and where to retrieve the payloads for each update. Both types of content are crucial and they both need to be protected to help keep your computers secure and up to date.

Update payloads are protected against modification by multiple means, including digital signature checks and cryptographic hash verifications. HTTPS provides a proper chain of custody which the client uses to prove the data is trusted.

When a device receives updates directly from Microsoft Update, that device receives update metadata directly from Microsoft servers. This metadata is always transmitted via HTTPS to prevent tampering. When you use WSUS or Configuration Manager to manage your organization's updates, the update metadata travels from Microsoft servers to your devices via a chain of connections. Each one of these connections needs to be protected against malicious attacks.

Your WSUS server connects with Windows Update servers and receives update metadata. This connection always uses HTTPS, and the HTTPS security features guard the metadata against tampering. If you have multiple WSUS servers arranged in a hierarchy, the downstream servers receive metadata from the upstream servers. Here, you have a choice: you can use HTTP or HTTPS for these metadata connections. Using HTTP, however, can be very dangerous, as it breaks the chain of trust and can leave you vulnerable to attack. Using HTTPS lets the downstream WSUS server verify that the metadata it receives from the upstream WSUS server can be trusted.

In order to maintain the chain of trust and prevent attacks on your client computers, you must ensure that all metadata connections within your organizations – the connections between upstream and downstream WSUS servers, and the connections between the WSUS servers and your client computers – are defended against attacks. To do so, we highly recommend that you configure your WSUS network to protect these connections using HTTPS. To learn more, see Michael Cureton’s post Security best practices for Windows Server Update Services (WSUS).

Even with HTTPS configured, it is still very important that you utilize a system-based proxy rather than a user-based proxy if a proxy is needed. When using a user-based proxy, a user, even one without elevated privileges, could intercept and manipulate the data being exchanged between the update client and the update server.

Recommendations for those who absolutely need user proxy

If you do need to leverage a user-based proxy to detect updates while using an HTTP-based intranet server, despite the vulnerabilities it presents, make sure to configure the proxy behavior to "Allow user proxy to be used as a fallback if detection using system proxy fails."

Group Policy path: Windows Components>Windows Update>Specify intranet Microsoft update service location

Configuration Service Provider path: Update/SetProxyBehaviorForUpdateDetection

[Screenshot: update-service-location.png]

Next steps

If you are an IT administrator who currently manages an HTTP-configured WSUS environment and relies on a user-based proxy for client scans, please consider taking one of the following actions as soon as possible. If none of these actions are taken, your devices will stop successfully scanning for software updates after the September 2020 security update.

Options to ensure that devices in your environment can continue to successfully scan for updates:

  • Secure your WSUS environment with TLS/SSL protocol (configure servers with HTTPS).
  • Set up system-based proxy for detecting updates if needed.
  • Enable the “Allow user proxy to be used as a fallback if detection using system proxy fails” policy.
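Putting the three options together as a local check, here is an added example in PowerShell (not code from the original post or from Microsoft): it reads the WUServer value that the "Specify intranet Microsoft update service location" policy writes, asks netsh for the machine-wide WinHTTP proxy the post calls the system proxy, and reads the SetProxyBehaviorForUpdateDetection value (0 = only use system proxy, 1 = allow user proxy as fallback, as given in the comments) to report whether this device's scans would stop after the September 2020 update. Assumptions: the HKLM policy key path and value names shown, and English netsh output; the script cannot tell whether a proxy is actually required to reach WSUS, so it reports the risk conditionally.

```powershell
# Added example, not code from the original post: read-only audit of one client
# against the three options above. Assumes the WindowsUpdate policy key names
# below (WUServer is written by 'Specify intranet Microsoft update service
# location') and the default English text of 'netsh winhttp show proxy'.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusServerUri {
    # Returns the configured intranet update server as a [Uri], or $null when the
    # device is not pointed at WSUS (it then scans Windows Update over HTTPS).
    $v = Get-ItemProperty -Path $PolicyKey -Name WUServer -ErrorAction SilentlyContinue
    if ($null -eq $v -or [string]::IsNullOrWhiteSpace($v.WUServer)) { return $null }
    return [Uri]$v.WUServer
}

function Test-SystemProxyConfigured {
    # The machine-wide (WinHTTP) proxy is what the post calls the system proxy.
    # netsh prints 'Direct access (no proxy server).' when none is set.
    $out = (netsh winhttp show proxy) -join "`n"
    return -not ($out -match 'Direct access')
}

function Get-ProxyBehaviorForUpdateDetection {
    # Policy value quoted in the comments: 0 = only use system proxy (the new
    # default), 1 = allow user proxy as fallback. A missing value means default.
    $v = Get-ItemProperty -Path $PolicyKey -Name SetProxyBehaviorForUpdateDetection -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.SetProxyBehaviorForUpdateDetection
}

function Get-WsusScanReadiness {
    $uri      = Get-WsusServerUri
    $https    = ($null -ne $uri) -and ($uri.Scheme -eq 'https')
    $sysProxy = Test-SystemProxyConfigured
    $fallback = (Get-ProxyBehaviorForUpdateDetection) -eq 1

    # Scans stop working after the September 2020 update only when the device
    # needs a proxy to reach an HTTP WSUS server, has no system proxy, and the
    # user-proxy fallback policy is not enabled. Whether a proxy is needed at all
    # is not knowable from the registry, so the result is conditional on that.
    $atRisk = ($null -ne $uri) -and -not $https -and -not $sysProxy -and -not $fallback

    $advice = if ($null -eq $uri) { 'Not using WSUS; no action required.' }
              elseif ($https)     { 'WSUS is HTTPS. If a proxy is required, prefer a system proxy (netsh winhttp set proxy).' }
              elseif ($sysProxy)  { 'HTTP WSUS with a system proxy: scans continue, but moving WSUS to HTTPS is recommended.' }
              elseif ($fallback)  { 'HTTP WSUS relying on user-proxy fallback: works, but weakest option; plan for HTTPS.' }
              else                { 'HTTP WSUS, no system proxy, no fallback: scans fail if a proxy is required. Configure HTTPS or a system proxy.' }

    [pscustomobject]@{
        WsusServer                 = if ($uri) { $uri.AbsoluteUri } else { '(none)' }
        UsesHttps                  = $https
        SystemProxyConfigured      = $sysProxy
        UserProxyFallbackEnabled   = $fallback
        ScansAtRiskIfProxyRequired = $atRisk
        Recommendation             = $advice
    }
}

Get-WsusScanReadiness | Format-List
```

Run it in an elevated PowerShell session on a client after the update; the output object can be collected across a fleet to find devices that still depend on the user-proxy fallback.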

22 Comments
Occasional Contributor

Thanks @Aria Carley great write up.

What's the minimum ADMX / OS build level needed for this setting to exist / work?

Senior Member

Oh, another one of those lovely posts about securing WSUS traffic with TLS. And, as always, we have this:

When you use WSUS or Configuration Manager to manage your organization's updates, the update metadata travels from Microsoft servers to your devices via a chain of connections. Each one of these connections needs to be protected against malicious attacks.

And as always, here I am, asking you these questions: What malicious attacks? From where do they originate? What is their attack vector? What's your threat model? And – to quote Microsoft's engineer Raymond Chen – does it not involve being on the other side of the airtight hatchway?

The “Allow user proxy to be used as a fallback if detection using system proxy fails” policy does not exist in the 1909 or 2004 ADMX's, or am I wrong?

How can this be configured as a Registry key only?

Occasional Visitor

Hey Aria,

Can you provide some more details regarding the policy-setting? As stated by Richard, this doesn't seem to be included within the ADMX's.

Additionally, the GPO being referred to is one also being managed through Configuration/Endpoint Manager. Setting the GPO will cause 2 management systems to try to define the setting on the managed workstation/device.

Last but not least: the link provided (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowupdates...) does not refer to any sub-section "Update/ SetProxyBehaviorForUpdateDetection".

Can you provide an updated location, that includes the "SetProxyBehaviourForUpdateDetection"?

Grtz

Occasional Contributor

@Aria Carley There seems to be some confusion about exactly what a user proxy is versus a system/device proxy. Which is to say: people don't clearly know if they are impacted by this or not. I read 'user proxy' as one defined in 'Internet Options' either by the user themselves or via Group Policy and 'system' proxy as one configured using 'netsh winhttp' commands.

If an organization legitimately needs a proxy to reach their WSUS server how do they configure (or verify that they are using) a system proxy?

Regular Visitor

I am not sure if this affects me, as we have an SCCM server (WSUS incorporated) and our clients use a proxy app to allow internet out?

Is there a better way to make sure?

Microsoft

@K_Wester-Ebbinghaus this policy will be available on Windows 7+ (including Vista and all versions of Windows 10) once devices take the September security update. Note, without taking the security update released on the 8th of September, you will not be able to leverage this policy.

Microsoft

@RichardSheath this policy should appear in the group policy ADMX file once the September security update is taken. It is typically not recommended to set the registry key directly, given that it could then be easily overwritten if the policy is set (either locally or by a management tool).

Microsoft

@bdam55 The key difference when we are talking about user and system proxy is that a user proxy can be configured per logged on user (and hence modified by a non-admin), whereas a system proxy is configured for the entire machine (can’t be modified by a low privileged user). The online Microsoft docs, as well as external sources, can provide more information on both types of proxies.

You can configure system proxy using netsh command-line utility from an elevated cmd.
- Check if system proxy is already set: netsh winhttp show proxy
- Set a new system proxy: netsh winhttp set proxy <proxy:port>

Microsoft

@Dolinhas that would depend on what your proxy app is doing. That said, you can determine if there is a system proxy already in place by using the netsh command-line utility as an administrator and running netsh winhttp show proxy. I hope this helps! 

Occasional Contributor

@Aria Carley Thanks for the clarification although it sort of confirms the confusion.  I've been told the opposite by a MS PFE whom I know and have reason to trust: that this is about how the proxy authenticates, not the mechanism by which it is configured.  And yet your description is the one that makes sense to me.  The exploit is that a user-space proxy can be altered by a non-privileged user and thus spoofed ... how that proxy authenticates is irrelevant. 

I looked for official docs on system vs user proxies and didn't come up with anything other than 'how to configure a proxy with GPO' and the like.  So if you have docs handy to help clarify that'd be great.

In short, I don't think the terms 'system proxy' or 'user proxy' have any universally agreed upon definition and it would be wise to further clarify how you are using those terms in the post. I'm seeing wide amounts of confusion surrounding how to know if your org is going to be impacted or not.  There's both an incredible amount of organizations using non-HTTPS WSUS (it's always been the default) and using proxies (almost universal in large orgs).

@Aria Carley Thanks for the response but I'm not sure you are correct with regards to the policy info.

Yes, you are correct in that the setting only appears after the update is applied, but it is a local policy and not controlled by GPO, so how can an ADMX file be modified by a client side patch being installed when these files reside on a Domain Controller?

Surely to take advantage of this setting we'd need an updated ADMX pack with the modified Windows Update.admx?

Occasional Contributor

The ADMX for 2004 have been updated again on the downloads page; check if it is contained @RichardSheath

Microsoft

@RichardSheath Sorry, to clarify: the local group policy files will be updated once you take the September patch. From there you can copy the updated ADMX/L files to your central store and use them to set the policy on your organization's devices. You are correct that the online files will not be automatically updated. 

Microsoft

@N3rdy77  The local ADMX will update with the new policy once the September patch is taken. You should then be able to grab the ADMX/L files from such a device. As for your second point, I fully understand your concern. ConfigMgr is currently unable to manage the new proxy behavior setting. So in the case of managed environments where user proxy is needed, for the short term, you will need to set the desired proxy behavior via the registry directly. We hope to make this a more seamless process in future.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetProxyBehaviorForUpdateDetection
- Value 0 – Only use system proxy
- Value 1 – Allow user proxy as fallback…

@RichardSheath as you asked for the Regkey as well. 

Occasional Visitor

@Aria Carley Tnx for the info ;) 

The worries are a bit smaller now. Now let's see whether the "fail-fast"-principle is needed or not :D

Occasional Visitor

Signing binaries only is not enough; it is halfway protection. Update metadata should be signed by Microsoft as well. SSL/TLS protection can be easily bypassed by any intermediate rogue WSUS that uses legitimate SSL/TLS certificates (e.g. from StartSSL). As it is now, any Windows client can be fooled into running legitimate MS-signed binaries with rogue command line parameters. As it is now, WSUS seems like a trojan horse, and can be used to hijack all of its clients in a massive way through their update channel.

Occasional Visitor
I JUST HAVE A PROBLEM WITH THIS WINDOWS 10 UPDATE
Senior Member

@Aria Carley 

Thank you for the excellent explanation.

I would like it added to the post that no registry setting or GPO is provided.

So the following site alone is not enough to prepare the admx, is that right?

https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store?WT.mc_id=WDIT-MVP-5002496

Microsoft

FYI, the change affects not only Windows 10, but also Windows 8.1, Windows 8/8.1 Embedded, Windows Server 2012, and Windows Server 2012 R2. The following are links to related Sept 2020 update articles, and an excerpt from them:

September 8, 2020—KB4577038 (Monthly Rollup) -- Windows Server 2012 & Windows Embedded 8 Standard
https://support.microsoft.com/en-us/help/4577038

September 8, 2020—KB4577066 (Monthly Rollup) -- Windows 8.1, Windows Server 2012 R2 & Windows Embedded 8.1
https://support.microsoft.com/en-us/help/4577066

Addresses a security vulnerability issue with user proxies and HTTP-based intranet servers. After you install this update, HTTP-based intranet servers cannot leverage a user proxy to detect updates by default. Scans that use these servers will fail if the clients do not have a configured system proxy. If you must leverage a user proxy, you must configure the behavior by using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails.” This change does not affect customers who secure their Windows Server Update Services (WSUS) servers that use the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols. For more information, see Improving security for devices receiving updates via WSUS.

Occasional Visitor

At the moment I have no problems, just a little slow on startup

Occasional Visitor

alkou