To help prevent man-in-the-middle attacks, the January 2021 cumulative update for Windows 10 further improves security for devices that scan Windows Server Update Services (WSUS) for updates. These improvements build on the security changes for Windows devices scanning WSUS we introduced on September 8, 2020 and can be combined with certificate pinning for greater security. I'll now explain these changes in more detail.
Scanning behavior changes
For devices scanning HTTPS-configured WSUS servers
For those using proxies, we have switched to using system proxy first, rather than user proxy. This ensures that we are first trying the most secure proxy path if a proxy is needed. We will no longer fall back to user proxy for scanning WSUS servers if the policy to allow user proxy as a fallback method is not enabled. This ensures that admins must consciously enable a less secure method for scanning as doing so will put them at higher risk of attack.
If you need to allow devices to scan utilizing user proxy as a fallback method, you can do so by configuring one of the following policies:
GPEDIT > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > Select the proxy behavior for Windows Update client for detecting updates > Allow user proxy to be used as fallback if detection using system proxy fails
To further increase security, we have added the capability for customers to pin certificates (cert-pinning) and not allow scans, even with system proxy, if cert-pinning fails. This provides the highest level of security for devices but will require more overhead for the admin in order to ensure that certificate stores are properly configured.
Note: This capability is only available to those who have secured their WSUS servers with TLS protocol/HTTPS.
To enable cert-pinning, simply add the correct certificates to the new WSUS certificate store. Devices will then automatically begin enforcing cert-pinning when scanning your WSUS server. If no certificates are in your WSUS certificate store, cert-pinning will not be enforced. Further, if you do not wish devices to have this extra layer of security upon scan, you can ensure that cert-pinning is not enforced by configuring one of the following policies:
GPEDIT > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > Do not enforce TLS certificate pinning for Windows Update client for detecting updates
For those devices scanning HTTP-configured WSUS servers, there have been no additional changes since those we introduced with the September 2020 cumulative update.
For online scans
The order of proxy selection for online scans, if a proxy is needed, has changed:
Scan with user proxy.
If user proxy fails, attempt scan with system proxy.
New behavior as of the January 2021 cumulative update:
Scan with system proxy.
If system proxy fails, attempt scan with user proxy.
This change ensures that we first try the most secure proxy path if a proxy is needed.
Note: For user-driven, interactive scenarios, we always use the user proxy, if one is available, regardless of policy configuration.
To prevent scan failures and ensure the highest level of security, please follow these recommendations:
Don’t enable user proxy.
If you require user proxy, enable user proxy via “Select the proxy behavior for Windows Update client for detecting updates” to ensure that devices do not encounter scan issues.
Note: While this will allow you to fallback to use user proxy for scans against your WSUS server, you should be leveraging this process only as a stop gap to continue getting updates while transitioning to system proxy or no proxy.
When scanning against a TLS/HTTPS-configured WSUS server, leverage cert-pinning to get the highest level of security and keep your devices protected. (Reminder that this requires populating the device’s certificate store.)