Windows Server Update Services Users Getting Proxy-Use Change This Month
Microsoft on Tuesday notified Windows Server Update Services (WSUS) users that it's no longer going to automatically support "user proxies" to get patches from Microsoft's content delivery networks (CDNs), starting with this month's cumulative update release.
Instead, Microsoft wants WSUS users to use "system proxies" to get patches. If an organization wants to have a user proxy as a fallback method, too, then they'll have to configure it themselves, starting this month.
This nuance builds on Microsoft's announcement back in September mandating the use of HTTPS for WSUS users tapping CDNs. At that time, Microsoft also explained that client proxies can be subject to man-in-the-middle tampering, so Microsoft doesn't recommend using them.
With the January cumulative updates for Windows 10, released this week, Microsoft is now changing this proxy behavior for WSUS users.
Here's how the announcement described the change:
- Scan with user proxy.
- If user proxy fails, attempt scan with system proxy.
New behavior as of the January 2021 cumulative update:
- Scan with system proxy.
- If system proxy fails, attempt scan with user proxy.
To avoid scanning failures, Microsoft is advising WSUS users to not enable user proxies. However, if that's not possible, then an option called, "Select the proxy behavior for Windows Update client for detecting updates," should get specified by IT pros.
The user proxy setting can be specified using Group Policy, Configuration Service Provider policy or via Microsoft Endpoint Configuration Manager, as described in the announcement.
Microsoft also recommended that WSUS users who connect to the CDN using TLS/HTTPS use certificate pinning "to get the highest level of security." However, the details weren't described.
With certificate pinning, certain certificates are specified beforehand as being valid for a particular Web site. However, things can go wrong with this approach. PKI solutions provider DigiCert flatly advised against using certificate pinning in this blog post, for instance.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.