Security best practices for Windows Server Update Services (WSUS)

Published Aug 13 2020 11:39 AM 37.2K Views
Microsoft

To help provide additional protection from potential malware attacks, Microsoft recommends using HTTPS with Windows Server Update Services (WSUS).

In this post, we will walk you through the steps required to configure each of your WSUS servers to use HTTPS. We will then share details on how to obtain and bind the necessary certificate, enforce Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption, and configure WSUS to use HTTPS. From there, we will discuss how to configure clients to use HTTPS and how to configure WSUS to use HTTPS for synchronization for downstream servers only. We will conclude with a recommended configuration order. These steps are critical in keeping the clients within your organization more secure and we hope you will find this post helpful.

At a time when malware attacks are on the rise across industries, configuring WSUS with HTTPS may further reduce the ability of a potential attacker to remotely compromise a client and elevate privileges. To ensure that the best security protocols are in place, we recommend that you use the SSL/TLS protocol to help secure your WSUS infrastructure. Windows Server Update Services uses SSL/TLS to authenticate client computers and downstream WSUS servers to the upstream WSUS server. WSUS also uses SSL/TLS to encrypt update metadata.

Configuring WSUS to use HTTPS

Note: Securing your server with TLS may result in a slight loss in performance.

To configure WSUS to use HTTPS, you will need to:

  1. Obtain a certificate.
  2. Bind the certificate.
  3. Enforce SSL/TLS encryption (require SSL) on the following applications:
    1. ApiRemoting30
    2. ClientWebService
    3. DSSAuthWebService
    4. ServerSyncWebService
    5. SimpleAuthWebService
  4. Configure WSUS to use HTTPS using the wsusutil configuressl command.
  5. Configure clients to use HTTPS communications with WSUS, and specify the intranet Microsoft update service location.

If you have downstream WSUS servers, you will need to complete an additional step. Please reference configure downstream WSUS servers to use HTTPS when syncing. (Use SSL when synchronizing update information.)

Important: Follow the WSUS best practices for disabling recycling and configuring memory limits prior to configuring WSUS to use HTTPS.

Obtain a certificate

There are a few methods available to obtain a certificate for use with Internet Information Services (IIS). For example, you can create a certificate request and send that request to a known certificate authority (CA), such as Verisign or GeoTrust, or obtain a certificate from an online CA in your intranet domain. If you are using an online CA in your intranet domain, you can follow the steps below to create the required certificate.

  1. Log on to the WSUS server using a user account that is a member of the local Administrators group.

    NOTE: By default, the WebServer certificate template will only issue to Domain Admins. If the user logging in is not a domain admin, their user account will need to be granted the Enroll permission on the WebServer certificate template.

  2. Launch Internet Information Services (IIS) Manager.
  3. Click on your server and then launch Server Certificates.
  4. In the Actions pane, select Create Domain Certificate.
  5. Fill in the Distinguished Name Properties and select Next. The Common name value must be the FQDN of the WSUS server.
  6. On the Online Certification Authority page, select your CA and enter a friendly name for the certificate and select Finish.

Bind the certificate

  1. In Internet Information Services (IIS) Manager expand your server, expand Sites, and select WSUS Administration.
  2. In the Actions pane, select Bindings.
  3. Select the SSL binding and click Edit.
  4. In the drop-down for SSL certificate, select the appropriate SSL certificate and click OK.
  5. Select Close on the Site Bindings dialog box.

Enforce SSL/TLS encryption

  1. In Internet Information Services (IIS) Manager expand your server, expand Sites, and expand WSUS Administration.
  2. Select the application ApiRemoting30 and launch SSL Settings.
  3. Check Require SSL and then click Apply.
  4. Repeat the same steps for the other applications noted above.

Configure WSUS to use HTTPS

  1. Launch an elevated command prompt on the WSUS server.
  2. Navigate to your WSUS installation folder, e.g. cd “c:\Program Files\Update Services\Tools”.
  3. Execute the following command:
    WSUSUtil.exe configuressl FQDNofWSUSServer
  4. Restart the WSUS server to make sure all changes take effect.

Configure clients to use HTTPS

To configure clients to require HTTPS communication to the WSUS server, simply update the domain Group Policy Object (GPO) or the Configuration Service Provider (CSP) policy used to configure WSUS to leverage HTTPS and the desired port.

  • For those using Group Policy, configure the Specify intranet Microsoft update service location policy values of : Set the intranet update service for detecting updates and Set the intranet statistics server  to point to your desired port  (ex. HTTPS://servername:8531). See To enable WSUS through a domain GPO for more info.
  • For those using a mobile device management (MDM) tool, CSPs, please configure the Update/UpdateServiceUrl policy to point to your desired port (for example, HTTPS://servername:8531).

Configure WSUS to use HTTPS for synchronization (Downstream servers only)

  1. Log on to the WSUS server using a user account that is a member of the local Administrators group or the WSUS Administrators group.
  2. Launch Windows Server Update Services.
  3. In the right pane, expand the server name.
  4. Select Options, and then select Update Source and Proxy Server.
  5. On the Update Source tab, under Synchronize from another Windows Server Update Services server, type the port number that the server uses for SSL connections into the Port number text box.
  6. Select Use SSL when synchronizing update information and then select OK.

Configuration order

Because every WSUS server must be configured to use the SSL/TLS protocol, the order in which the steps are performed will depend on your environment. If you have a simple infrastructure where the required steps can be performed on all WSUS servers within a single timeframe, then a top-down approach can be used. However, if you have a large infrastructure that will require a phased approach, then a bottom-up approach should be used.

Example 1: Environment with a small number of WSUS Servers

In this example, it is assumed that all WSUS servers can be configured within a single timeframe. In this case, the upstream WSUS server can be configured first using the steps above. Any downstream WSUS servers can then be configured using the steps above in addition to setting the WSUS option to Use SSL when synchronizing update information.

Example 2: Environment with many WSUS Servers

In this example, it is assumed that a phased approach will be required to configure all WSUS servers. In this case, a bottom-up approach should be leveraged. All downstream WSUS servers should be configured for HTTPS before their upstream WSUS server is configured to use HTTPS. After their upstream WSUS server is configured to use HTTPS, the WSUS setting Use SSL when synchronizing update information on each downstream server can be enabled.

Call to action

We recommend that you review the security of your WSUS infrastructure. If HTTPS is not currently in use, see Securing WSUS and follow the instructions in this article to achieve a greater level of security.

 

20 Comments
Senior Member

For example, you can create a certificate request and send that request to a known certificate authority (CA), such as Verisign or GeoTrust

Such a certificate isn't cheap.

 

Three years ago, I asked our manager to buy such a certificate. Upon seeing the price, they said, "Define your security parameters. What exactly do we get if we move our Intranet traffic over HTTPS?" I had nothing.

To help provide additional protection from potential malware attacks, Microsoft recommends using HTTPS with Windows Server Update Services (WSUS).

Alright same question here: Please define your security parameters. How does HTTPS exactly protect against malware attacks here? A decade ago, anyone inside Microsoft who proposed such a threat drew a diagram detailing the attack steps and explaining how HTTPS protects against it. I'm not exactly asking for a diagram here, but yes, I need those details. Managers ask me for them.

Frequent Contributor

@The_Smart_One You can use a Microsoft PKI CA certificate which comes for free.

But before you do please consider some day-to-day pitfalls:

Setting up a Microsoft PKI CA is not a click and point adventure

- all default templates are nuts, designed for maximum compatibility (down to Windows 2000!) not aimed for any security of todays standards.

- MS PKI CA still supports CSP for compatiblity but KSP should be used, reason: see above.

- you should not use RSA DH 2048 and higher causes high response time and CPU load, Germany BSI recommends using EC methods instead.  512 Keylenght are ok. 

 

Now for the caveats in WSUS @Michael_Cureton 

 

If one does install WSUS on Server Core there are different issues:

- IIS certificate management is ugly via Powershell

- IIS Remote management, also secured by a MS PKI and limited to certain addresses is a good practice

- IIS Remote Management does not support any certificate management
- WAC does not offer any remote management IIS capabilities or WSUS capabilities for now

The biggest bummer imho: If you follow the instructions to secure WSUS, this does not mean you are allowed to remove binding in IIS with Port 80, as this will render clients contacting the WSUS sending no reports or not even showing up in WSUS with an error code on the client.

even if you specify both links in GPO to use https. 

 

This means: whatever you do to secure WSUS with https: WSUS does utilize port 80 and needs it to be enabled on bindings.

 

In addition IIS on WSUS, and other IIS, should be hardened. There is no official MS tool to do so.
https://techcommunity.microsoft.com/t5/itops-talk-blog/windows-server-101-hardening-iis-via-security...

This can be recommended:
https://www.nartac.com/Products/IISCrypto/

 

offopic:
WSUS is a (not officially) deprecated product in many ways. I strongly recommend moving on to WuFB and Delivery Optmization.


If you setup a new WSUS server on Windows Server 2019:

 

- it will use an outdated local DB (SQL 2012) by default.

 

- will require lots of outdated stuff like Report Viewer 2012 etc. 

 

- Importing WSUS updates from update catalog only works if IE is your default browser on your remote place using Windows Updates MMC, or locally on the WSUS Server. No Edge Chromium does not do. It is hard coded. 

 

- the IIS App Pool settings are wrong and leading to malfunctions like crashing IIS. All of this is pretty much documented.

 

No one at Microsoft does really maintenance WSUS anymore so the wizard would make a perfect and easy deployment. perhaps including all the Reportviewer etc in the wizard / dism, or use more recent ones. The fact WSUS does still exist, might me not the SMB but other things like MECM / ConfigMgr and other do use it as a base.

In fact till today


- WSUS has a lot of issues, MS call by design, just like not being able to seperate 1903 from 1909 machines. AJtek WSUS script (paid) will fix this and many other things, but leaves the taste why MS is not doing this anymore - even saying it is by design, when it can be fixed by others. 

 

Do not expect any better: vServer Next will have no GUI based fixes or improvements new features / improvements in traditional GUI based tools such as MMC, Server Manager, ADAC. Citing Jeff Woosley (WAC team).

 

So please consider this, if you really want to use WSUS, before investing into potential security. 

edit: correcting the cite of Jeff Woosley.

Frequent Contributor

Oh I forgot one important thing. IIS "obtain certificate wizard" that you outlined in the instructions will not show up your MS PKI CA if you are using a modern template for webserver. Only the default webserver template is recognized by this wizard. 

Senior Member

@K_Wester-EbbinghausWell, thanks a lot. That must have been one of the most informed and honest posts I've read in this website for a very long time. Of course, I know everything you wrote under the "offtopic" (sic.) section already; I've discovered them all by myself. In fact, I've struggled to fix them via PowerShell. Oh, yeah, I know about the WAM script too; the company never allocated any funds for its license. So, I wrote one myself. The worst of all of these issues is a bug that crashes the MMC instance if I close the report window mid-process!

 

As for moving on to "WuFB (sic.) and Delivery Optimization", I am afraid that's just a lot of words for the plain old Windows Update. WSUS lets me download once and update 4,500 computers at once, giving me 4,499x bandwidth saving. I have my own business interests to consider.

Frequent Contributor


@The_Smart_One 
The script is honestly worth it and for the price and ongoing maintenance of it, pretty much not worth the time you have spent on it. Miscalculation from your company if you allow me to say. I am not getting any reward for promoting the script, other than I am a completely satisfied "user".

Thanks for the praise on my post. I am glad if it helps you and other to take decisions.

 

You might misunderstood the concept of WuFB and Delivery Optmization. Especially if you use Office / (Microsoft 365).

The computers in the same subnet or whatever you define per GPO will download Feature updates, WU, Office Updates, drivers all from their neighbors.

 

Whereas WSUS will download once but ALL clients will have to pull from WSUS with full package, where as DO (P2P) will only download the needed bits from neighbors. 

 

Please revisit this topic about DO https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization

it is more savy to your WAN AND LAN than WSUS. By far. It can also be combined with other technologies around MEMCM (ConfigMgr), but does work fine without.

 

Senior Member

@K_Wester-Ebbinghaus 

Oh, hello! :smiling_face_with_smiling_eyes: Glad to see you write back! First, you are welcome! It was a pleasure. After all, your post did an excellent job of listing obscure WSUS quirks that I had learned over the years. Your WSUS knowledge seems to genuinely come from experience, despite all the typos in your post. ;) (But maybe you'd like to refrain from writing WuFB. Its proper spelling is WUfB.)

 

By the way, ever since I've talked to you about the certificate, my colleagues keep telling me I should get a Let's Encrypt certificate. I vaguely remember having heard about it. I keep postponing an investigation into it.

 

I had a strained relationship with Delivery Optimization (DO) since the time I was called into the manager's office to explain the reason behind a spike in the Internet bill. (Apart from the incurred cost, such a spike in the Internet bandwidth usage could mean being under attack.) Our newly deployed Windows 10 devices were the culprits. The so-called Dual Scan circumvented WSUS. Since then, I made it my duty to read everything Microsoft publishes about DO and fully test it. In the end, my answer to DO is NO!

 

The computers in the same subnet or whatever you define per GPO will download Feature updates, WU, Office Updates, drivers all from their neighbors.

Ethernet LAN ndoes don't have neighbors. (Mesh and token ring nodes do.) All Ethernet nodes are connected to a hub or switch. All computers downloading from the WSUS machine is the same as all computers downloading from each other. Even when there are two or three hubs and switches between WSUS and its clients, WSUS is still more efficient than DO. After all, DO relies on a server on the Internet, in which case, there are definitely many, many, many more intervening hubs, switches, and routers. And while DO can download from LAN peers, most of the times, it does not. By the way, I install Feature Updates on my own terms. Not even WSUS is allowed to download them.

 

Whereas WSUS will download once but ALL clients will have to pull from WSUS with full package, where as DO (P2P) will only download the needed bits from neighbors.

I've heard it before. I used Wireshark to test the veracity of this claim. For Office 365, it was correct. For everything else, no. DO downloads full packages, but downloads them in chunks. Each chunk can come from a different source. One of the chunks always comes from Microsoft. These chunks are usually massive. So, for small updates (say below 50 MB), there is no saving whatsoever. Mind you, I eventually jury-rigged a much more efficient update system for Office 365.

 

... WAN...

WANs are crazy expensive here. Internet connection is not. The cheapest policy is: Deploy one WSUS per site, connect it to the Internet. Keep the WAN traffic to the absolute minimum.

Frequent Contributor

"Ethernet LAN don't have neighbors. (Mesh and token ring nodes do.) All Ethernet nodes are connected to a hub or switch. All computers downloading from the WSUS machine is the same as all computers downloading from each other. Even when there are two or three hubs and switches between WSUS and its clients, WSUS is still more efficient than DO. After all, DO relies on a server on the Internet, in which case, there are definitely many, many, many more intervening hubs, switches, and routers. And while DO can download from LAN peers, most of the times, it does not. By the way, I install Feature Updates on my own terms. Not even WSUS is allowed to download them."

Hi @The_Smart_One the term "neighbours" can have different meanings and there are different settings in the GPO to define what a neighbor is for DO.
This can be a subnet, a domain, DHCP Options (since 2004, 20H2), etc.

I would be interested if you can revisit 2004 ADMX DO settings.


More information:
Impacts and optimization of DO
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/measuring-delivery-optimization-and-its-i...

Guide to use DO together with WSUS (german), for en-us you might want use Chrome or new Edge.

https://www.windowspro.de/wolfgang-sommergut/delivery-optimization-uebermittlungsoptimierung-zusamme...


using DO with Intune and Connected Cache
https://oliverkieselbach.com/2020/03/07/delivery-optimization-with-intune-and-microsoft-connected-ca...



Senior Member

@K_Wester-Ebbinghaus 

Oh, hi again.

 

I did a thorough reading of DO documentations on Microsoft Docs and now I am confident no one can blame me for not reading the documentations. I put together a table that shows how WU+DO stacks up against WSUS.

 

Criteria

WU+DO

WSUS

Saving on the Internet bill per extra computers

0% to 100%, depending on your luck

Best in Microsoft screenshots: 66%

Best I achieved: 12%

100%

Supports Windows 10 updates

Yes

Yes

Supports Windows 10 upgrades

Yes; zero benefit

Yes

Supports Windows Defender updates

Yes

Yes

Support device driver updates

Yes

Yes

Supports Microsoft Store apps

Yes

No

Supports Microsoft Office C2R updates

Yes; negligible benefit

No

Supports Windows 8.1, 8, 7, Vista, XP

No

Yes

Support admin approval

No

Yes

Size restriction

Contents bigger than 50 MB

None

Supports downloading in off-peak hours, when downloading is faster and cheaper

No

Yes

Supports computers without Internet connectivity

No

Yes

Supports peer-to-peer

Yes

Yes, via BranchCache

Relies on a server in possession of Microsoft, which an admin cannot diagnose

Yes

No

Sends customer's network topology to Microsoft, causing a privacy concern

Yes

No

Cache/Repo/DB

Volatile

Stable, high-maintenance, requires disk space investment

Can be managed with a PowerShell module

Yes, "DeliveryOptimization"

Yes, "UpdateServices"

PowerShell module quality

Undocumented; one cmdlet uses the illegal "Delete" verb

Well-documented, although some old documentations are lost

Can be managed with API

Yes, "DO API"

Yes, "Update Service API" and "Update Services Specs"

Centralized management and reporting

No, unless you purchase an Intune plan

Yes

Disrupts other Windows components unceremoniously

Yes, WSUS and BranchCache

No

Complexity

Zero. Then again, why am I constantly accused of not understanding it?

Very complex. Nevertheless, not once am I accused of not reading its documentation or not understanding it

Benefit for home users

Negligible

Zero

Real-life analogy

A trophy wife with a perpetual claim of being underappreciated

A hard working wife in perpetual need of medications

Sci-Fi classification ;)

Black magic

Lost tech

 

By the way, does the "Preview" button work for you in this site?

Occasional Contributor

"

Size restriction

Contents bigger than 50 MB

"

you can change to match your environment

 

a hint:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-setup

Senior Member

@Rafał Fitt 

Thanks, but I afraid it is still a case of "broken, but you can fix" product. Curiously thought, the article says the local caching policy is by default set to 10 MB, not 50 MB. Perhaps I must repeat my test again. Sadly, my job isn't recurrently testing broken Microsoft products, hoping that one day, they get fixed.

Established Member

@The_Smart_One Wow, that's a great table, several interesting cons there that hopefully MS will address.  One of those is very bothersome to me.  As someone who maintains 100s of Windows servers for our company this one has me worried.

Support admin approval

No

Yes

 

Please don't tell me that it would automatically download MS SQL CUs, that would be terrible.

We have automation to update our servers and we've done a great job of making sure that our servers can even be patched during the day except for a few SPOF type things like MS SQL and if these were pulled down without admin approval then that's a huge issue for us as we vet significant updates in our test environment first.  Along with the installation of a CU for MS SQL actually causes the SQL service to stop during the install which we cannot do during the middle of the day outside of our smaller maintenance window where we actually have to have services be down for a short period.

While I'm here worried about the direction MS is going with regards to patching.  Another issue which has been made well known to MS Support is that they've added a Scheduled Task to 2016 and 2019 that will automatically reboot boxes that have updates installed in the "outside of hours" time.  Sorry but that definitely doesn't belong in a server product.  Took me a long time to figure out why our newly created servers were automatically rebooting themselves where we're not controlling when they reboot.  This does not exist on 2012 R2 and they've worked fine for years with the patching automation we have in place.

Another issue is that you need to make sure not to remote into a 2016 or 2019 post reboot after installing updates, there is a few minute window of time where if you do this it will cause the updates to fail with error code "0x800f0922".  Adding a 5 minute waiting period to our scripts helped fix an issue that caused me days worth of pain each month having to manually fix these servers.  But definitely should be fixed as well.  Oh and this is another "feature" that 2012 R2 does not have but 2016 and 2019 have.  :(

It becoming more and more difficult as the years/months go by to keep our Windows servers fully up to date.  We're a mix of Windows and *nix OS wise but each month I'm leaning more and more towards making sure we use Windows less and less which is too bad as I've been using Windows professionally for at least 30 years now and this company has probably been using Windows products for that same amount of time.  In fact I used to be part of the Windows team before I moved on to a company where I could live closer to my daughter.

Mike

Senior Member

@mle_ii  Hello, Mike. Thanks for the tip about 0x800f0922. It was driving me crazy for a while, and now, I know why it is not happening: The COVID-19 quarantine has brought that chance down. I'll make sure it'll never happens ever again.

 

As for the admin approval mode:

  • The default WSUS settings make it check for updates (the term is "synchronize" in WSUS) round the clock and immediately install them, so that you won't end up installing WSUS and accidentally keep your network out of date. (Better to run up a huge Internet bill than have your latest military drone drawings stolen.) But immediately after the initial setup, you can delete all auto-approval rules, so that no update gets installed without your consent. Personally, I'd add an auto-approval rule for Windows Defender (and maybe MSE) only.
  • The bad news is that there are a huge lot of updates that you don't need and want to deny, e.g. 32-bit, prerelease, farm, failover cluster, security-only, and ARM64 updates. The good news is, after a year, my PowerShell script did all the denying with impeccable accuracy.
  • You can keep the rest of the updates in the pending state until your departments are ready to receive them, e.g. until midnight or whatever. I had schedules for them.
  • The most annoying part is remembering to disable Dual Scan.

You can see all of this as either flexibility or complexity; I think it is both. But with WU+DO, none of them is possible; updates come whenever Windows Update (a piece of code that is dumber than soup) decides.

Established Member

Sorry if I wasn't clear, we use WSUS and it's my job to go through and approve/release/deny updates there on the server.  We also use it to tell us what is out of date for other things that we install manually as we cannot have unexpected/uncontrolled downtime.  We are able to control most of it and patching through our scripting, but for updates like MS SQL we install updates manually as we want to control exactly when it installs and reboots.  Luckily we only have a handful or two of those and it's not too difficult to handle manually.

My main concern was with how your table seems to indicate that WU+DO does not have this aspect, though perhaps I'm misunderstanding your table and what you've said.

Really do appreciate your feedback here, it'll help for sure if/when we want to see about using something besides WSUS to control how/when servers are updated and what shows up.

Also for a bit more detail on the issue we hit with error 0x800f0922 I posted here in the Reddit Patch Thursday thread for July 2020.
https://www.reddit.com/r/sysadmin/comments/hr2eav/patch_tuesday_megathread_20200714/fyd4ttu/?utm_sou...

Also interesting information on the Dual Scan issue, I'll have to see if that's something we're hitting on the Windows 10 boxes our developers use.

 

You seem to know a lot, have you figured out what causes the random 100% cpu/core use with the TiWorker process?  TiWorker is a process related to WU in case you're not familiar with that name.  It seems to happen randomly and I have yet to figure out why, though now that I know the WU logs better I need to take another look.  Normally it doesn't seem to happen outside of the weeks when we're doing patch Tuesday installs.  But it'll even sit there eating up a core with 100% use on a fully patched box.  :\  Mainly 2016 and 2019 but sometimes 2012 R2.

Senior Member

@mle_ii

You seem to know a lot, have you figured out what causes the random 100% cpu/core use with the TiWorker process?

I saw it but while I was investigating it, the problem disappeared. I suspect it is because I started using a modified version of Invoke-WsusDbMaintenance.ps1 by Prox. The modifications are mine, so don't worry about copyright stuff.

 

My main concern was with how your table seems to indicate that WU+DO does not have this aspect, though perhaps I'm misunderstanding your table and what you've said.

Okay, let me try again. You were talking about the "Supports admin approval" field in my table. This field says "WU+DO" does NOT support admin approval while WSUS does. What I meant was this:

  • WSUS let's you (1) choose, (2) download, (3) test, (4) approve, and (5) install updates at your convenience, whether (a) manually, (b) by script, or (c) by schedule. (That's 15 different variations, right?)
  • WU+DO doesn't. (1) The only choice it gives you is to check for updates for all supported Microsoft products, not just Windows. (2) It checks for update whenever it likes and downloads them immediately, (3 and 4) won't give you any chance to test or approve them, and (5) installs them immediately. You might be able to emulate #3 and #4 using Group Policy and Intune. There are blog posts in this blog covering this subject. The result of this emulation, however, is inelegant. There is no one dashboard to rule them all.

So, (i) if you enable Windows Update on your SQL Server machines, (ii) tell it to check for all kinds of updates (not just Windows), and (iii) Windows Update supports SQL Server, then WU tries to update your SQL Server whenever it wants. The third part is what trips me. Does WU support SQL Server? I don't know. (We used SQL Server a long time ago, and only briefly. Our in-house developers moved on to MariaDB. I've seen things like "SQL Sever 2019 Cumulative Update" on WSUS though.)

Established Member

@The_Smart_One  Yeah, most times the 100% cpu use just "magically" goes away on its own by the time I have a chance to look at it, and I cannot figure out the repro for our setup.

 

You were talking about the "Supports admin approval" field in my table.

Got it, that's what I thought I understood from your table, thanks for the confirmation.  That is pretty bad that WU+DO does what it does there.  Apparently these folks don't maintain servers on their own.  And indeed WSUS can pull down SQL Server updates, luckily all I use that feature for is to see what SQL server updates there are for our servers.  I then create a case to handle those manually due to them requiring downtime and don't approve them in WSUS so they don't get applied without our say so.

Frequent Contributor

@The_Smart_One I am aware we are offtopic discussing DO for most time, yet I find it important because the thing is yes WSUS is scifi class "Lost tech"

 

I've seen this comparison you brough up long ago.

I can pretty much recall it because the funny scifi classification.

 

"WU+DO doesn't. (1) The only choice it gives you is to check for updates for all supported Microsoft products, not just Windows. (2) It checks for update whenever it likes and downloads them immediately, (3 and 4) won't give you any chance to test or approve them, and (5) installs them immediately. You might be able to emulate #3 and #4 using Group Policy and Intune"

 

you can

- setup groups and rings via GPO and control install and download time, and enforcements (watch enforcements will disable any set time)

- thus you can test using WU+DO, it does not mean everyone gets same updates at a time. Use GPO and security groups to apply on computer accounts. Use DO GPO to control peer to peer.

- dashboard: Desktop Health dashboard in Azure / Analytics (paid per use)

 

you cannot: 

- manage to approve updates - this is by design - Microsoft wants us to stop doing that and rather using policies. install on the 1st week of months of prev. updates is fine with most scenarios. One week earlier for testing.

 

- revoke updates / uninstall updates at scale without powershell scripting.

 

New Contributor

HI, 

For configuring WSUS downstream server (which is a replica of upstream server) do I need to perform IIS -> Certificate Bind -> SSL/TLS Encryption force on downstream server as well?

 

I have just followed below points on downstream so far :- 

  1. Select Options, and then select Update Source and Proxy Server.
  2. On the Update Source tab, under Synchronize from another Windows Server Update Services server, type the port number that the server uses for SSL connections into the Port number text box.
  3. Select Use SSL when synchronizing update information and then select OK.
Frequent Contributor

Dear @Michael_Cureton can you please consider to leave an update on @RSA111 question?

Microsoft

@RSA111 yes. This assumes you have clients communicating with the DSS for which you want to leverage https. What you have configured thus far covers the communication between the USS and DSS.

Regular Visitor

good.nice

%3CLINGO-SUB%20id%3D%22lingo-sub-1587536%22%20slang%3D%22en-US%22%3ESecurity%20best%20practices%20for%20Windows%20Server%20Update%20Services%20(WSUS)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1587536%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3ETo%20help%20provide%20additional%20protection%20from%20potential%20malware%20attacks%2C%20Microsoft%20recommends%20using%20HTTPS%20with%20Windows%20Server%20Update%20Services%20(WSUS).%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EIn%20this%20post%2C%20we%20will%20walk%20you%20through%20the%20steps%20required%20to%20configure%20each%20of%20your%20WSUS%20servers%20to%20use%20HTTPS.%20We%20will%20then%20share%20details%20on%20how%20to%20obtain%20and%20bind%20the%20necessary%20certificate%2C%20enforce%20Secure%20Sockets%20Layer%20(SSL)%2FTransport%20Layer%20Security%20(TLS)%20encryption%2C%20and%20configure%20WSUS%20to%20use%20HTTPS.%20From%20there%2C%20we%20will%20discuss%20how%20to%20configure%20clients%20to%20use%20HTTPS%20and%20how%20to%20configure%20WSUS%20to%20use%20HTTPS%20for%20synchronization%20for%20downstream%20servers%20only.%20We%20will%20conclude%20with%20a%20recommended%20configuration%20order.%20These%20steps%20are%20critical%20in%20keeping%20the%20clients%20within%20your%20organization%20more%20secure%20and%20we%20hope%20you%20will%20find%20this%20post%20helpful.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EAt%20a%20time%20when%20malware%20attacks%20are%20on%20the%20rise%20across%20industries%2C%20configuring%20WSUS%20with%20HTTPS%20may%20further%20reduce%20the%20ability%20of%20a%20potential%20attacker%20to%20remotely%20compromise%20a%20client%20and%20elevate%20privileges.%20To%20ensure%20that%20the%20best%20security%20protocols%20are%20in%20place%2C%20we%20recommend%20that%20you%20use%20the%20SSL%2FTLS%20protocol%20to%20help%20secure%20your%20WSUS%20infrastructure.%20Windows%20Server%20Update%20Services%20uses%20SSL%2FTLS%20to%20authenticate%20client%20computers%20and%20downstream%20WSUS%20servers%20to%20the%20upstream%20WSUS%20server.%20WSUS%20also%20uses%20SSL%2FTLS%20to%20encrypt%20update%20metadata.%3C%2FP%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%20id%3D%22toc-hId--1294348170%22%3EConfiguring%20WSUS%20to%20use%20HTTPS%3C%2FH2%3E%0A%3CTABLE%20style%3D%22background-color%3A%20%23deeaf6%3B%22%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22100%25%22%3E%3CP%20style%3D%22margin%3A%2010px%3B%22%3E%3CSTRONG%3ENote%3A%3C%2FSTRONG%3E%20Securing%20your%20server%20with%20TLS%20may%20result%20in%20a%20slight%20loss%20in%20performance.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3ETo%20configure%20WSUS%20to%20use%20HTTPS%2C%20you%20will%20need%20to%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EObtain%20a%20certificate.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3E%3CA%20href%3D%22%23_Bind_the_certificate%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EBind%20the%20certificate%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3E%3CA%20href%3D%22%23_Enforce_SSL%2FTLS_encryption%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EEnforce%20SSL%2FTLS%20encryption%3C%2FA%3E%20(require%20SSL)%20on%20the%20following%20applications%3A%3COL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EApiRemoting30%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EClientWebService%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EDSSAuthWebService%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EServerSyncWebService%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ESimpleAuthWebService%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3E%3CA%20href%3D%22%23_Configure_WSUS_to_3%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EConfigure%20WSUS%20to%20use%20HTTPS%3C%2FA%3E%20using%20the%20wsusutil%20configuressl%20command.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3E%3CA%20href%3D%22%23_Configure_clients_to_1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EConfigure%20clients%20to%20use%20HTTPS%20communications%20with%20WSUS%3C%2FA%3E%2C%20and%20specify%20the%20intranet%20Microsoft%20update%20service%20location.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EIf%20you%20have%20downstream%20WSUS%20servers%2C%20you%20will%20need%20to%20complete%20an%20additional%20step.%20Please%20reference%20configure%20downstream%20WSUS%20servers%20to%20use%20HTTPS%20when%20syncing.%20(Use%20SSL%20when%20synchronizing%20update%20information.)%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CTABLE%20style%3D%22background-color%3A%20%23deeaf6%3B%22%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22100%25%22%3E%3CP%20style%3D%22margin%3A%2010px%3B%22%3E%3CSTRONG%3EImportant%3A%3C%2FSTRONG%3E%20Follow%20the%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F4490414%2Fwindows-server-update-services-best-practices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWSUS%20best%20practices%3C%2FA%3E%20for%20disabling%20recycling%20and%20configuring%20memory%20limits%20prior%20to%20configuring%20WSUS%20to%20use%20HTTPS.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%20id%3D%22toc-hId--603786696%22%3EObtain%20a%20certificate%3C%2FH3%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EThere%20are%20a%20few%20methods%20available%20to%20obtain%20a%20certificate%20for%20use%20with%20Internet%20Information%20Services%20(IIS).%20For%20example%2C%20you%20can%20create%20a%20certificate%20request%20and%20send%20that%20request%20to%20a%20known%20certificate%20authority%20(CA)%2C%20such%20as%20Verisign%20or%20GeoTrust%2C%20or%20obtain%20a%20certificate%20from%20an%20online%20CA%20in%20your%20intranet%20domain.%20If%20you%20are%20using%20an%20online%20CA%20in%20your%20intranet%20domain%2C%20you%20can%20follow%20the%20steps%20below%20to%20create%20the%20required%20certificate.%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3ELog%20on%20to%20the%20WSUS%20server%20using%20a%20user%20account%20that%20is%20a%20member%20of%20the%20local%20Administrators%20group.%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3ENOTE%3C%2FSTRONG%3E%3A%20By%20default%2C%20the%20WebServer%20certificate%20template%20will%20only%20issue%20to%20Domain%20Admins.%20If%20the%20user%20logging%20in%20is%20not%20a%20domain%20admin%2C%20their%20user%20account%20will%20need%20to%20be%20granted%20the%20Enroll%20permission%20on%20the%20WebServer%20certificate%20template.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ELaunch%20Internet%20Information%20Services%20(IIS)%20Manager.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EClick%20on%20your%20server%20and%20then%20launch%20%3CSTRONG%3EServer%20Certificates%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EIn%20the%20%3CSTRONG%3EActions%3C%2FSTRONG%3E%20pane%2C%20select%20%3CSTRONG%3ECreate%20Domain%20Certificate%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EFill%20in%20the%20Distinguished%20Name%20Properties%20and%20select%20%3CSTRONG%3ENext%3C%2FSTRONG%3E.%20The%20%3CSTRONG%3ECommon%20name%3C%2FSTRONG%3E%20value%20must%20be%20the%20FQDN%20of%20the%20WSUS%20server.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EOn%20the%20%3CSTRONG%3EOnline%20Certification%20Authority%3C%2FSTRONG%3E%20page%2C%20select%20your%20CA%20and%20enter%20a%20friendly%20name%20for%20the%20certificate%20and%20select%20%3CSTRONG%3EFinish%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%20id%3D%22toc-hId-1883726137%22%3EBind%20the%20certificate%3C%2FH3%3E%0A%3COL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EIn%20Internet%20Information%20Services%20(IIS)%20Manager%20expand%20your%20server%2C%20expand%20%3CSTRONG%3ESites%3C%2FSTRONG%3E%2C%20and%20select%20%3CSTRONG%3EWSUS%20Administration%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EIn%20the%20%3CSTRONG%3EActions%3C%2FSTRONG%3E%20pane%2C%20select%20%3CSTRONG%3EBindings%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ESelect%20the%20%3CSTRONG%3ESSL%3C%2FSTRONG%3E%20binding%20and%20click%20%3CSTRONG%3EEdit%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EIn%20the%20drop-down%20for%20%3CSTRONG%3ESSL%20certificate%3C%2FSTRONG%3E%2C%20select%20the%20appropriate%20SSL%20certificate%20and%20click%20%3CSTRONG%3EOK%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ESelect%20%3CSTRONG%3EClose%3C%2FSTRONG%3E%20on%20the%20%3CSTRONG%3ESite%20Bindings%3C%2FSTRONG%3E%20dialog%20box.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%20id%3D%22toc-hId-76271674%22%3EEnforce%20SSL%2FTLS%20encryption%3C%2FH3%3E%0A%3COL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EIn%20Internet%20Information%20Services%20(IIS)%20Manager%20expand%20your%20server%2C%20expand%20%3CSTRONG%3ESites%3C%2FSTRONG%3E%2C%20and%20expand%20%3CSTRONG%3EWSUS%20Administration%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ESelect%20the%20application%20%3CSTRONG%3EApiRemoting30%3C%2FSTRONG%3E%20and%20launch%20%3CSTRONG%3ESSL%20Settings%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ECheck%20%3CSTRONG%3ERequire%20SSL%3C%2FSTRONG%3E%20and%20then%20click%20%3CSTRONG%3EApply%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ERepeat%20the%20same%20steps%20for%20the%20other%20applications%20noted%20above.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%20id%3D%22toc-hId--1731182789%22%3EConfigure%20WSUS%20to%20use%20HTTPS%3C%2FH3%3E%0A%3COL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3ELaunch%20an%20elevated%20command%20prompt%20on%20the%20WSUS%20server.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ENavigate%20to%20your%20WSUS%20installation%20folder%2C%20e.g.%20cd%20%E2%80%9Cc%3A%5CProgram%20Files%5CUpdate%20Services%5CTools%E2%80%9D.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EExecute%20the%20following%20command%3A%3CBR%20%2F%3EWSUSUtil.exe%20configuressl%26nbsp%3BFQDNofWSUSServer%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ERestart%20the%20WSUS%20server%20to%20make%20sure%20all%20changes%20take%20effect.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%20id%3D%22toc-hId-756330044%22%3EConfigure%20clients%20to%20use%20HTTPS%3C%2FH3%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3ETo%20configure%20clients%20to%20require%20HTTPS%20communication%20to%20the%20WSUS%20server%2C%20simply%20update%20the%20domain%20Group%20Policy%20Object%20(GPO)%20or%20the%20Configuration%20Service%20Provider%20(CSP)%20policy%20used%20to%20configure%20WSUS%20to%20leverage%20HTTPS%20and%20the%20desired%20port.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EFor%20those%20using%20Group%20Policy%2C%20configure%20the%20Specify%20intranet%20Microsoft%20update%20service%20location%20policy%20values%20of%20%3A%20Set%20the%20intranet%20update%20service%20for%20detecting%20updates%26nbsp%3Band%26nbsp%3BSet%20the%20intranet%20statistics%20server%20%26nbsp%3Bto%20point%20to%20your%20desired%20port%20%26nbsp%3B(ex.%20HTTPS%3A%2F%2Fservername%3A8531).%20See%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fadministration%2Fwindows-server-update-services%2Fdeploy%2F2-configure-wsus%23to-enable-wsus-through-a-domain-gpo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ETo%20enable%20WSUS%20through%20a%20domain%20GPO%3C%2FA%3E%20for%20more%20info.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EFor%20those%20using%20a%20mobile%20device%20management%20(MDM)%20tool%2C%20CSPs%2C%20please%20configure%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fpolicy-csp-update%23update-updateserviceurl%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUpdate%2FUpdateServiceUrl%20policy%3C%2FA%3E%20to%20point%20to%20your%20desired%20port%20(for%20example%2C%20HTTPS%3A%2F%2Fservername%3A8531).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%20id%3D%22toc-hId--1051124419%22%3EConfigure%20WSUS%20to%20use%20HTTPS%20for%20synchronization%20(Downstream%20servers%20only)%3C%2FH3%3E%0A%3COL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3ELog%20on%20to%20the%20WSUS%20server%20using%20a%20user%20account%20that%20is%20a%20member%20of%20the%20local%20Administrators%20group%20or%20the%20WSUS%20Administrators%20group.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ELaunch%26nbsp%3BWindows%20Server%20Update%20Services.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EIn%20the%20right%20pane%2C%20expand%20the%20server%20name.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ESelect%26nbsp%3B%3CSTRONG%3EOptions%3C%2FSTRONG%3E%2C%20and%20then%20select%26nbsp%3B%3CSTRONG%3EUpdate%20Source%20and%20Proxy%20Server%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EOn%20the%26nbsp%3B%3CSTRONG%3EUpdate%20Source%3C%2FSTRONG%3E%26nbsp%3Btab%2C%20under%26nbsp%3B%3CSTRONG%3ESynchronize%20from%20another%20Windows%20Server%20Update%20Services%20server%3C%2FSTRONG%3E%2C%20type%20the%20port%20number%20that%20the%20server%20uses%20for%20SSL%20connections%20into%20the%26nbsp%3B%3CSTRONG%3EPort%20number%3C%2FSTRONG%3E%26nbsp%3Btext%20box.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ESelect%20%3CSTRONG%3EUse%20SSL%20when%20synchronizing%20update%20information%3C%2FSTRONG%3E%20and%20then%20select%26nbsp%3B%3CSTRONG%3EOK%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%20id%3D%22toc-hId--1061627523%22%3EConfiguration%20order%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EBecause%20every%20WSUS%20server%20must%20be%20configured%20to%20use%20the%20SSL%2FTLS%20protocol%2C%20the%20order%20in%20which%20the%20steps%20are%20performed%20will%20depend%20on%20your%20environment.%20If%20you%20have%20a%20simple%20infrastructure%20where%20the%20required%20steps%20can%20be%20performed%20on%20all%20WSUS%20servers%20within%20a%20single%20timeframe%2C%20then%20a%20top-down%20approach%20can%20be%20used.%20However%2C%20if%20you%20have%20a%20large%20infrastructure%20that%20will%20require%20a%20phased%20approach%2C%20then%20a%20bottom-up%20approach%20should%20be%20used.%3C%2FP%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%20id%3D%22toc-hId--371066049%22%3EExample%201%3A%20Environment%20with%20a%20small%20number%20of%20WSUS%20Servers%3C%2FH3%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EIn%20this%20example%2C%20it%20is%20assumed%20that%20all%20WSUS%20servers%20can%20be%20configured%20within%20a%20single%20timeframe.%20In%20this%20case%2C%20the%20upstream%20WSUS%20server%20can%20be%20configured%20first%20using%20the%20steps%20above.%20Any%20downstream%20WSUS%20servers%20can%20then%20be%20configured%20using%20the%20steps%20above%20in%20addition%20to%20setting%20the%20WSUS%20option%20to%20%3CSTRONG%3EUse%20SSL%20when%20synchronizing%20update%20information.%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%20id%3D%22toc-hId-2116446784%22%3EExample%202%3A%20Environment%20with%20many%20WSUS%20Servers%3C%2FH3%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EIn%20this%20example%2C%20it%20is%20assumed%20that%20a%20phased%20approach%20will%20be%20required%20to%20configure%20all%20WSUS%20servers.%20In%20this%20case%2C%20a%20bottom-up%20approach%20should%20be%20leveraged.%20All%20downstream%20WSUS%20servers%20should%20be%20configured%20for%20HTTPS%20before%20their%20upstream%20WSUS%20server%20is%20configured%20to%20use%20HTTPS.%20After%20their%20upstream%20WSUS%20server%20is%20configured%20to%20use%20HTTPS%2C%20the%20WSUS%20setting%20%3CSTRONG%3EUse%20SSL%20when%20synchronizing%20update%20information%3C%2FSTRONG%3E%20on%20each%20downstream%20server%20can%20be%20enabled.%3C%2FP%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%20id%3D%22toc-hId--515253877%22%3ECall%20to%20action%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EWe%20recommend%20that%20you%20review%20the%20security%20of%20your%20WSUS%20infrastructure.%20If%20HTTPS%20is%20not%20currently%20in%20use%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2137923%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESecuring%20WSUS%3C%2FA%3E%20and%20follow%20the%20instructions%20in%20this%20article%20to%20achieve%20a%20greater%20level%20of%20security.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1587536%22%20slang%3D%22en-US%22%3E%3CP%3ELearn%20how%20to%20configure%20your%20WSUS%20servers%20to%20use%20HTTPS%20for%20greater%20protection%20against%20potential%20malware%20attacks.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22itpro12.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F212299i3904F4E5A241F8E1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22itpro12.png%22%20alt%3D%22itpro12.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1587536%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EServicing%20and%20updates%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1588108%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20best%20practices%20for%20Windows%20Server%20Update%20Services%20(WSUS)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1588108%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CP%3EFor%20example%2C%20you%20can%20create%20a%20certificate%20request%20and%20send%20that%20request%20to%20a%20known%20certificate%20authority%20(CA)%2C%20such%20as%20Verisign%20or%20GeoTrust%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3ESuch%20a%20certificate%20isn't%20cheap.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThree%20years%20ago%2C%20I%20asked%20our%20manager%20to%20buy%20such%20a%20certificate.%20Upon%20seeing%20the%20price%2C%20they%20said%2C%20%22Define%20your%20security%20parameters.%20What%20exactly%20do%20we%20get%20if%20we%20move%20our%20Intranet%20traffic%20over%20HTTPS%3F%22%20I%20had%20nothing.%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3ETo%20help%20provide%20additional%20protection%20from%20potential%20malware%20attacks%2C%20Microsoft%20recommends%20using%20HTTPS%20with%20Windows%20Server%20Update%20Services%20(WSUS).%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3EAlright%20same%20question%20here%3A%20Please%20define%20your%20security%20parameters.%20How%20does%20HTTPS%20exactly%20protect%20against%20malware%20attacks%20here%3F%20A%20decade%20ago%2C%20anyone%20inside%20Microsoft%20who%20proposed%20such%20a%20threat%20drew%20a%20diagram%20detailing%20the%20attack%20steps%20and%20explaining%20how%20HTTPS%20protects%20against%20it.%20I'm%20not%20exactly%20asking%20for%20a%20diagram%20here%2C%20but%20yes%2C%20I%20need%20those%20details.%20Managers%20ask%20me%20for%20them.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1589331%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20best%20practices%20for%20Windows%20Server%20Update%20Services%20(WSUS)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1589331%22%20slang%3D%22en-US%22%3E%3CP%3EOh%20I%20forgot%20one%20important%20thing.%20IIS%20%22obtain%20certificate%20wizard%22%20that%20you%20outlined%20in%20the%20instructions%20will%20not%20show%20up%20your%20MS%20PKI%20CA%20if%20you%20are%20using%20a%20modern%20template%20for%20webserver.%20Only%20the%20default%20webserver%20template%20is%20recognized%20by%20this%20wizard.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2034967%22%20slang%3D%22zh-CN%22%3EResponse%3A%20Security%20best%20practices%20for%20Windows%20Server%20Update%20Services%20(WSUS)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2034967%22%20slang%3D%22zh-CN%22%3E%3CP%3Egood.nice%E3%80%82%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1589280%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20best%20practices%20for%20Windows%20Server%20Update%20Services%20(WSUS)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1589280%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20use%20a%20Microsoft%20PKI%20CA%20certificate%20which%20comes%20for%20free.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EBut%3C%2FP%3E%3CP%3ESetting%20up%20a%20Microsoft%20PKI%20CA%20is%20not%20a%20click%20and%20point%20adventure%3C%2FP%3E%3CP%3E-%20all%20default%20templates%20are%20nuts%2C%20designed%20for%20maximum%20compatibility%20(down%20to%20Windows%202000!)%20not%20aimed%20for%20any%20security%20of%20todays%20standards.%3C%2FP%3E%3CP%3E-%20MS%20PKI%20CA%20still%20supports%20CSP%20for%20compatiblity%20but%20KSP%20should%20be%20used%2C%20reason%3A%20see%20above.%3C%2FP%3E%3CP%3E-%20you%20should%20not%20use%20RSA%20DH%202048%20and%20higher%20causes%20high%20response%20time%20and%20CPU%20load%2C%20Germany%20BSI%20recommends%20using%20EC%20methods%20instead.%26nbsp%3B%20512%20Keylenght%20are%20ok.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20for%20the%20caveats%20in%20WSUS%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F399308%22%20target%3D%22_blank%22%3E%40Michael_Cureton%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20one%20does%20install%20WSUS%20on%20Server%20Core%20there%20are%20different%20issues%3A%3C%2FP%3E%3CP%3E-%20IIS%20certificate%20management%20is%20ugly%20via%20Powershell%3C%2FP%3E%3CP%3E-%20IIS%20Remote%20management%2C%20also%20secured%20by%20a%20MS%20PKI%20and%20limited%20to%20certain%20addresses%20is%20a%20good%20practice%3C%2FP%3E%3CP%3E-%20IIS%20Remote%20Management%20does%20not%20support%20any%20certificate%20management%3CBR%20%2F%3E-%20WAC%20does%20not%20offer%20any%20remote%20management%20IIS%20capabilities%20or%20WSUS%20capabilities%20for%20now%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20biggest%20bummer%20imho%3A%3C%2FSTRONG%3E%20If%20you%20follow%20the%20instructions%20to%20secure%20WSUS%2C%20this%20does%20not%20mean%20you%20are%20allowed%20to%20remove%20binding%20in%20IIS%20with%20Port%2080%2C%20as%20this%20will%20render%20clients%20contacting%20the%20WSUS%20sending%20no%20reports%20or%20not%20even%20showing%20up%20in%20WSUS%20with%20an%20error%20code%20on%20the%20client.%3C%2FP%3E%3CP%3Eeven%20if%20you%20specify%20both%20links%20in%20GPO%20to%20use%20https.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThis%20means%3A%20whatever%20you%20do%20WSUS%20does%20utilize%20port%2080%20and%20need%20it.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20addition%20IIS%20on%20WSUS%2C%20and%20other%20IIS%2C%20should%20be%20hardened.%20There%20is%20no%20official%20MS%20tool%20to%20do%20so.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fitops-talk-blog%2Fwindows-server-101-hardening-iis-via-security-control%2Fba-p%2F329979%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fitops-talk-blog%2Fwindows-server-101-hardening-iis-via-security-control%2Fba-p%2F329979%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20can%20be%20recommended%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.nartac.com%2FProducts%2FIISCrypto%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.nartac.com%2FProducts%2FIISCrypto%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3Eoffopic%3A%3C%2FSTRONG%3E%3CBR%20%2F%3EWSUS%20is%20a%20(not%20officially)%20deprecated%20product%20in%20many%20ways.%20%3CSTRONG%3EI%20strongly%20recommend%20moving%20on%20to%20WuFB%20and%20Delivery%20Optmization.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EIf%20you%20setup%20a%20new%20WSUS%20server%20on%20Windows%20Server%202019%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20it%20will%20use%20an%20outdated%20local%20DB%20(SQL%202012)%20by%20default.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20will%20require%20lots%20of%20outdated%20stuff%20like%20Report%20Viewer%202012%20etc.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Importing%20WSUS%20updates%20from%20update%20catalog%20only%20works%20if%20IE%20is%20your%20default%20browser%20on%20your%20remote%20place%20using%20Windows%20Updates%20MMC%2C%20or%20locally%20on%20the%20WSUS%20Server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20the%20IIS%20App%20Pool%20settings%20are%20wrong%20and%20leading%20to%20malfunctions%20like%20crashing%20IIS.%20All%20of%20this%20is%20pretty%20much%20documented.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENo%20one%20at%20Microsoft%20does%20really%20maintenance%20WSUS%20anymore%20so%20the%20wizard%20would%20make%20a%20perfect%20and%20easy%20deployment.%20perhaps%20including%20all%20the%20Reportviewer%20etc%20in%20the%20wizard%20%2F%20dism%2C%20or%20use%20more%20recent%20ones.%20The%20fact%20WSUS%20does%20still%20exist%2C%20might%20me%20not%20the%20SMB%20but%20other%20things%20like%20MECM%20%2F%20ConfigMgr%20and%20other%20do%20use%20it%20as%20a%20base.%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20fact%20till%20today%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E-%20WSUS%20has%20a%20lot%20of%20issues%2C%20MS%20call%20by%20design%2C%20just%20like%20not%20being%20able%20to%20seperate%201903%20from%201909%20machines.%20AJtek%20WSUS%20script%20(paid)%20will%20fix%20this%20and%20many%20other%20things%2C%20but%20leaves%20the%20taste%20why%20MS%20is%20not%20doing%20this%20anymore%20-%20even%20saying%20it%20is%20by%20design%2C%20when%20it%20can%20be%20fixed%20by%20others.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20not%20expect%20any%20better%3A%20vServer%20Next%20will%20have%20no%20GUI%20based%20fixes%20or%20improvements.%20Citing%20Jeff%20Woosley%20(WAC%20team).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20please%20consider%20this%2C%20if%20you%20really%20want%20to%20use%20WSUS%2C%20before%20investing%20into%20potential%20security.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Aug 13 2020 01:22 PM
Updated by: