Windows Server Update Services Users Getting Proxy-Use Change This Month

Microsoft on Tuesday notified Windows Server Update Services (WSUS) users that it's no longer going to automatically support "user proxies" to get patches from Microsoft's content delivery networks (CDNs), starting with this month's cumulative update release.

Instead, Microsoft wants WSUS users to use "system proxies" to get patches. If an organization wants to have a user proxy as a fallback method, too, then they'll have to configure it themselves, starting this month.

This nuance builds on Microsoft's announcement back in September mandating the use of HTTPS for WSUS users tapping CDNs. At that time, Microsoft also explained that client proxies can be subject to man-in-the-middle tampering, so Microsoft doesn't recommend using them.

With the January cumulative updates for Windows 10, released this week, Microsoft is now changing this proxy behavior for WSUS users.

Here's how the announcement described the change:

Old behavior:

  • Scan with user proxy.
  • If user proxy fails, attempt scan with system proxy.

New behavior as of the January 2021 cumulative update:

  • Scan with system proxy.
  • If system proxy fails, attempt scan with user proxy.

To avoid scanning failures, Microsoft is advising WSUS users not to enable user proxies. However, if that's not possible, then IT pros should configure an option called "Select the proxy behavior for Windows Update client for detecting updates."

The user proxy setting can be specified using Group Policy, Configuration Service Provider policy or via Microsoft Endpoint Configuration Manager, as described in the announcement.
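To see which side of this change a given client falls on, the read-only PowerShell check below reports the system (WinHTTP) proxy, the logged-on user's proxy, and the Windows Update policy values. It is an added example, not code from Microsoft's announcement or this article. The registry value name `SetProxyBehaviorForUpdateDetection` and its meaning (1 allows user proxy fallback) are taken from Microsoft's Update policy naming rather than from this page, and the script assumes it runs in the session of the user whose proxy settings matter.

```powershell
# Added example: read-only audit of WSUS client proxy posture. Changes nothing.
# Assumption: run in the logged-on user's session so HKCU is that user's hive.
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wsusUrl     = Get-RegValue $wuKey 'WUServer'
# Assumption: value name as used by the Update policy CSP; 1 = user proxy fallback allowed.
$behavior    = Get-RegValue $wuKey 'SetProxyBehaviorForUpdateDetection'
$userProxyOn = (Get-RegValue $userKey 'ProxyEnable') -eq 1
$userProxy   = Get-RegValue $userKey 'ProxyServer'
$userPac     = Get-RegValue $userKey 'AutoConfigURL'
# System proxy as WinHTTP sees it; netsh output is localized, so it is shown verbatim.
$winHttp     = (netsh winhttp show proxy | Out-String).Trim()

$findings = @()
if (-not $wsusUrl) {
    $findings += 'No WSUS server is set by policy on this machine.'
} elseif ($wsusUrl -notmatch '^https://') {
    $findings += "WSUS URL '$wsusUrl' is not HTTPS."
}
if ($userProxyOn -or $userPac) {
    if ($behavior -eq 1) {
        $findings += 'User proxy fallback is enabled by policy; Microsoft does not recommend user proxies because of tampering risk.'
    } else {
        $findings += 'A user proxy is configured but fallback is not enabled by policy; update scans depend on the system proxy.'
    }
}
if ($findings.Count -eq 0) { $findings += 'No proxy-related findings.' }

[pscustomobject]@{
    WsusServer           = $wsusUrl
    ProxyBehaviorPolicy  = $behavior
    UserProxyEnabled     = $userProxyOn
    UserProxyServer      = $userProxy
    UserAutoConfigUrl    = $userPac
    SystemProxy          = $winHttp
    Findings             = $findings -join ' '
} | Format-List
```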

Microsoft also recommended that WSUS users who connect to the CDN using TLS/HTTPS use certificate pinning "to get the highest level of security." However, the details weren't described.

With certificate pinning, certain certificates are specified beforehand as being valid for a particular Web site. However, things can go wrong with this approach. PKI solutions provider DigiCert flatly advised against using certificate pinning in this blog post, for instance.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

