WSUS scan issues with HTTP connection

Question

This can impact almost all our environments after Sep 2020 patching.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547

When you use WSUS or Configuration Manager to manage your organization’s updates, the update metadata travels from Microsoft servers to your devices via a chain of connections.

Each one of these connections needs to be protected against malicious attacks.

Your WSUS server connects with Windows Update servers and receives update metadata.

This connection always uses HTTPS, and the HTTPS security features guard the metadata against tampering. If you have multiple WSUS servers arranged in a hierarchy, the downstream servers receive metadata from the upstream servers.

Here, you have a choice: you can use HTTP or HTTPS for these metadata connections. Using HTTP, however, can be very dangerous as it breaks the chain of trust and can leave you vulnerable to attack.

Using HTTPS enables the WSUS server to prove that it trusts the metadata it receives from the upstream WSUS server.

Anoop C Nair 1 month 1 Answer 124 views 0
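To see which of the links described in the question are running over plain HTTP, the following added example (not part of the original post or the linked Microsoft article) audits a machine's client-to-WSUS policy URLs and, where the WSUS role is installed, its downstream-to-upstream connection. It assumes the standard Windows Update policy registry values `WUServer` and `WUStatusServer` and the `Get-WsusServer` cmdlet from the UpdateServices module; the function names and the sample URL are hypothetical.

```powershell
# Added example: report whether each WSUS metadata link uses HTTPS.
function Test-WsusUrlScheme {
    param([string]$Link, [string]$Url)
    $uri = $null
    $ok  = [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)
    [pscustomobject]@{
        Link      = $Link
        Target    = $Url
        Scheme    = if ($ok) { $uri.Scheme } else { 'invalid' }
        # Only HTTPS keeps the chain of trust intact on this hop.
        Protected = ($ok -and ($uri.Scheme -eq 'https'))
    }
}

function Get-WsusTransportAudit {
    $results = @()

    # Link 1: this device -> its WSUS server (set by Group Policy / ConfigMgr).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($value in 'WUServer', 'WUStatusServer') {
        if ($policy -and $policy.$value) {
            $results += Test-WsusUrlScheme -Link "client policy $value" -Url $policy.$value
        }
    }

    # Link 2: downstream WSUS -> upstream WSUS (only when the WSUS role is present).
    if (Get-Command Get-WsusServer -ErrorAction SilentlyContinue) {
        $cfg = (Get-WsusServer).GetConfiguration()
        if (-not $cfg.SyncFromMicrosoftUpdate) {
            $scheme = if ($cfg.UpstreamWsusServerUseSsl) { 'https' } else { 'http' }
            $url = '{0}://{1}:{2}' -f $scheme, $cfg.UpstreamWsusServerName,
                                      $cfg.UpstreamWsusServerPortNumber
            $results += Test-WsusUrlScheme -Link 'downstream -> upstream WSUS' -Url $url
        }
    }
    $results
}

# Constructed sample value, to show the shape of a finding.
Test-WsusUrlScheme -Link 'sample' -Url 'http://wsus.example.internal:8530'

# Audit the local machine; rows with Protected = False need HTTPS configured.
Get-WsusTransportAudit | Format-Table -AutoSize
```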