Windows Server Update Services Users Getting Proxy-Use Change This Month -- Redmondmag.com

Windows Server Update Services Users Getting Proxy-Use Change This Month

By Kurt Mackie
01/13/2021

Microsoft on Tuesday notified Windows Server Update Services (WSUS) users that it's no longer going to automatically support "user proxies" to get patches from Microsoft's content delivery networks (CDNs), starting with this month's cumulative update release.

Instead, Microsoft wants WSUS users to use "system proxies" to get patches. If an organization wants to have a user proxy as a fallback method, too, then they'll have to configure it themselves, starting this month.

This nuance builds on Microsoft's announcement back in September mandating the use of HTTPS for WSUS users tapping CDNs. At that time, Microsoft also explained that client proxies can be subject to man-in-the-middle tampering, so Microsoft doesn't recommend using them.

With the January cumulative updates for Windows 10, released this week, Microsoft is now changing this proxy behavior for WSUS users.

Here's how the announcement described the change:

Old behavior:

Scan with user proxy.

If user proxy fails, attempt scan with system proxy.

New behavior as of the January 2021 cumulative update:

Scan with system proxy.

If system proxy fails, attempt scan with user proxy.

To avoid scanning failures, Microsoft is advising WSUS users to not enable user proxies. However, if that's not possible, then an option called, "Select the proxy behavior for Windows Update client for detecting updates," should get specified by IT pros.

The user proxy setting can be specified using Group Policy, Configuration Service Provider policy or via Microsoft Endpoint Configuration Manager, as described in the announcement.

Microsoft also recommended that WSUS users who connect to the CDN using TLS/HTTPS use certificate pinning "to get the highest level of security." However, the details weren't described.

With certificate pinning, certain certificates are specified beforehand as being valid for a particular Web site. However, things can go wrong with this approach. PKI solutions provider DigiCert flatly advised against using certificate pinning in this blog post, for instance.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.