Scan changes and certificates add security for Windows devices using WSUS for updates
Published Jan 12 2021 10:00 AM

To help prevent man-in-the-middle attacks, the January 2021 cumulative update for Windows 10 further improves security for devices that scan Windows Server Update Services (WSUS) for updates. These improvements build on the security changes for Windows devices scanning WSUS we introduced on September 8, 2020 and can be combined with certificate pinning for greater security. I'll now explain these changes in more detail.

Scanning behavior changes

For devices scanning HTTPS-configured WSUS servers

For those using proxies, we have switched to using system proxy first, rather than user proxy. This ensures that we are first trying the most secure proxy path if a proxy is needed. We will no longer fall back to user proxy for scanning WSUS servers if the policy to allow user proxy as a fallback method is not enabled. This ensures that admins must consciously enable a less secure method for scanning as doing so will put them at higher risk of attack.

If you need to allow devices to scan utilizing user proxy as a fallback method, you can do so by configuring one of the following policies:

Group Policy

GPEDIT > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > Select the proxy behavior for Windows Update client for detecting updates > Allow user proxy to be used as fallback if detection using system proxy fails

Configuration Service Provider (CSP) policy

Set Update/SetProxyBehaviorForUpdateDetection to 1 - Allow user proxy to be used as a fallback if detection using system proxy fails

Configuration Manager

Configure the new Allow User Proxy for software update scans setting to Yes to allow user proxy in Microsoft Endpoint Configuration Manager, version 2010 and later.


To further increase security, we have added the capability for customers to pin certificates (cert-pinning) and not allow scans, even with system proxy, if cert-pinning fails. This provides the highest level of security for devices but will require more overhead for the admin in order to ensure that certificate stores are properly configured.

Note: This capability is only available to those who have secured their WSUS servers with TLS protocol/HTTPS.

To enable cert-pinning, simply add the correct certificates to the new WSUS certificate store. Devices will then automatically begin enforcing cert-pinning when scanning your WSUS server. If no certificates are in your WSUS certificate store, cert-pinning will not be enforced. Further, if you do not wish devices to have this extra layer of security upon scan, you can ensure that cert-pinning is not enforced by configuring one of the following policies:

Group Policy

GPEDIT > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > Do not enforce TLS certificate pinning for Windows Update client for detecting updates

Configuration Service Provider (CSP) policy

Set Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection to 1 - Do not enforce certificate pinning
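The following PowerShell function is an added example, not part of the original post or of the Windows Update client; it audits a client against the recommendations above (HTTPS WSUS, no user-proxy fallback, cert-pinning in effect). It assumes that the Group Policy/CSP settings named in this post are stored under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate as DWORD values with the same names as the CSP policies, and that the WSUS certificate store is the LocalMachine store WindowsUpdateServerServices named in the comments.

```powershell
# Added example (not Microsoft's code): audit a Windows 10 client's WSUS scan posture.
# Assumption: policy values live under the WindowsUpdate policy key with the CSP names.
function Get-WsusScanSecurityPosture {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    $wuServer  = $policy.WUServer                      # intranet update service location
    $usesHttps = [bool]($wuServer -and ($wuServer -match '^https://'))

    # 1 = user proxy allowed as a fallback (less secure); anything else = system proxy only
    $userProxyFallback = ($policy.SetProxyBehaviorForUpdateDetection -eq 1)
    # 1 = cert-pinning explicitly switched off by policy
    $pinningDisabled   = ($policy.DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection -eq 1)

    # Pinning is only enforced when the store is populated and not disabled (assumed store name)
    $pinned = @(Get-ChildItem -Path 'Cert:\LocalMachine\WindowsUpdateServerServices' -ErrorAction SilentlyContinue)
    $pinningActive = $usesHttps -and (-not $pinningDisabled) -and ($pinned.Count -gt 0)

    $findings = @()
    if (-not $wuServer)      { $findings += 'No intranet WSUS server configured (WUServer not set).' }
    elseif (-not $usesHttps) { $findings += "WSUS server is reached over plain HTTP: $wuServer" }
    if ($userProxyFallback)  { $findings += 'User proxy fallback is enabled; treat this as a stopgap only.' }
    if ($usesHttps -and $pinningDisabled) {
        $findings += 'Cert-pinning is explicitly disabled by policy.'
    }
    if ($usesHttps -and -not $pinningDisabled -and $pinned.Count -eq 0) {
        $findings += 'WSUS certificate store is empty, so cert-pinning is not being enforced.'
    }
    foreach ($c in $pinned) {
        # An expired pinned certificate will make scans fail rather than succeed insecurely
        if ($c.NotAfter -lt (Get-Date)) { $findings += "Pinned certificate expired: $($c.Subject) [$($c.Thumbprint)]" }
    }

    [pscustomobject]@{
        WsusServer        = $wuServer
        UsesHttps         = $usesHttps
        UserProxyFallback = $userProxyFallback
        CertPinningActive = $pinningActive
        PinnedThumbprints = @($pinned | ForEach-Object Thumbprint)
        Findings          = $findings
    }
}

Get-WsusScanSecurityPosture | Format-List
```

Run it in an elevated session so the LocalMachine store and policy key are readable; an empty Findings list means the device matches the "Next steps" recommendations below.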


[Image: the "Specify intranet Microsoft update service location" Group Policy setting]

For devices scanning HTTP-configured WSUS servers

For those devices scanning HTTP-configured WSUS servers, there have been no additional changes since those we introduced with the September 2020 cumulative update.

For online scans

The order of proxy selection for online scans, if a proxy is needed, has changed:

Old behavior:

  • Scan with user proxy.
  • If user proxy fails, attempt scan with system proxy.

New behavior as of the January 2021 cumulative update:

  • Scan with system proxy.
  • If system proxy fails, attempt scan with user proxy.

This change ensures that we first try the most secure proxy path if a proxy is needed.

Note: For user-driven, interactive scenarios, we always use the user proxy, if one is available, regardless of policy configuration.

Next steps

To prevent scan failures and ensure the highest level of security, please follow these recommendations:

  • Don’t enable user proxy.
  • If you require user proxy, enable user proxy via “Select the proxy behavior for Windows Update client for detecting updates” to ensure that devices do not encounter scan issues.

    Note: While this will allow you to fall back to user proxy for scans against your WSUS server, you should be leveraging this process only as a stopgap to continue getting updates while transitioning to system proxy or no proxy.

  • Secure your WSUS server with TLS protocol/HTTPS. This is pivotal to maintain the chain of trust and prevent attacks on your client computers; see Recommendations for greater security in the previous blog post, Changes to improve security for Windows devices scanning WSUS.
  • When scanning against a TLS/HTTPS-configured WSUS server, leverage cert-pinning to get the highest level of security and keep your devices protected. (Reminder that this requires populating the device’s certificate store.)


9 Comments
Microsoft

"To enable cert-pinning, simply add the correct certificates to the new WSUS certificate store." - could this be expanded please?

  • Where does one find the WSUS certificate store, on clients, on the WSUS server itself, in Group Policy, somewhere else...?
  • How does one provision certificates into this store? (If it's the server, obviously just a single operation; if it's clients, deployment might be tricky?)
Iron Contributor

@Aria Carley how can we verify if we have user proxy enabled?


Asking because I haven't found a clear definition of the difference between user and system proxies.


Thanks in advance.

Copper Contributor


View user proxy settings:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name "AutoConfigURL"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name "ProxyEnable"

View system proxy settings:

netsh winhttp show proxy

WSUS Certificate Store - available on/after the September 2020 update (I guess I should have added the WSUS cert, oh well)


Brass Contributor

@Aria Carley, I really wish the guidance for hardening our WSUS environments was more prescriptive. The info you shared does not help your customers go out and take action today. Many of your customers are not running the newest versions of your server OS on domain controllers, so they will be baffled by not seeing a WSUS Certificate Store on Server 2012 R2 (still supported by Microsoft). So how many will spin their wheels looking for an in-depth posting on how to get that WSUS certificate on their PCs using Group Policy? I didn't see any guidance in the WSUS documentation that many of us have used to set up our WSUS servers over the years... only a dozen or so "parrot sites" that scrape Microsoft content, but do not add any value.


Microsoft

@EddieRowe we are working on putting together in-depth guidance for Microsoft docs that will explain step by step how to take these actions. This will be added to the WSUS docs shortly. Apologies for the delay!

Copper Contributor

Hi,

Nice explanation, but do you have information on:

  • How to check that cert-pinning is working correctly. I tried to find any success (or failure) in the event log (client side), but I don't see anything. I only find information in Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational when I delete a certificate, but nothing when I add a certificate. Do you have any trace in a log for cert-pinning, like "cert has been verified", "cert is correct or not"?
  • I can't find a way to add the certificate into the store by GPO. Currently I do it by script, but for me it's not the best solution (I think).

Thanks in advance


Microsoft

@EricN135 Hello, you'll need to enable verbose WU logging after which you can see the below trace line in WindowsUpdate.log.

"Cert in WSUS store: Yes/No"

In case the wrong certificate is added to the WindowsUpdateServerServices store, you would see the Windows Update detection failing with WU_E_TRUST_PROVIDER_UNKNOWN.
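As an added example that is not part of the original post or thread, the function below performs the check implied by the answer above before pinning is relied on: it connects to the WSUS HTTPS endpoint, reads the certificate the server actually presents, and reports whether that leaf (or any certificate in its chain) is present in the WindowsUpdateServerServices store, so a mismatch is caught before scans start failing with WU_E_TRUST_PROVIDER_UNKNOWN. The host name and the default WSUS TLS port 8531 are parameters you supply; the store name is taken from the answer above.

```powershell
# Added example (not Microsoft's code): compare the certificate served by WSUS with the
# contents of the WindowsUpdateServerServices store on this client.
function Test-WsusPinnedCertificate {
    param(
        [Parameter(Mandatory)][string]$WsusHost,   # e.g. wsus.corp.example (placeholder)
        [int]$Port = 8531                          # default WSUS HTTPS port
    )
    $storePath = 'Cert:\LocalMachine\WindowsUpdateServerServices'
    $pinned = @(Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue | ForEach-Object Thumbprint)

    $client = [System.Net.Sockets.TcpClient]::new($WsusHost, $Port)
    try {
        # Accept any chain for this diagnostic: we only want to *read* the served cert, not trust it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($WsusHost)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $client.Dispose() }

    # Walk the chain the client can build so issuer certs in the store are reported too
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $null  = $chain.Build($leaf)
    $served = @($chain.ChainElements | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Certificate.Subject
            Thumbprint = $_.Certificate.Thumbprint
            InWsusStore = ($pinned -contains $_.Certificate.Thumbprint)
        }
    })

    [pscustomobject]@{
        Host              = "$WsusHost`:$Port"
        ServedLeaf        = $leaf.Thumbprint
        LeafInWsusStore   = ($pinned -contains $leaf.Thumbprint)
        ChainInWsusStore  = $served
        StoreIsEmpty      = ($pinned.Count -eq 0)
    }
}

# Usage (placeholder host): Test-WsusPinnedCertificate -WsusHost 'wsus.corp.example' | Format-List
```

If StoreIsEmpty is true, pinning is not being enforced at all; if the store is populated but nothing in the served chain matches, expect the detection failure described above.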

Copper Contributor

Thank you

Copper Contributor

thanks
