From e3677d74c29c4d30b3a9b103bb1c8c3c3c61f396 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 24 Oct 2022 11:59:14 -0700 Subject: [PATCH 1/8] windows update security --- .../deployment/update/windows-update-security.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 windows/deployment/update/windows-update-security.md diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md new file mode 100644 index 0000000000..cb75c32270 --- /dev/null +++ b/windows/deployment/update/windows-update-security.md @@ -0,0 +1,15 @@ +--- +title: Windows Update security +ms.reviewer: +manager: aaroncz +description: Overview of the security for Windows Update. +ms.prod: w10 +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 10/25/2022 +--- + +# Windows Update security overview + From 917b1a0fd53992d518875f70bd0fb045352e67a1 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 24 Oct 2022 16:18:45 -0700 Subject: [PATCH 2/8] WinUpdate sec - 6960017 --- windows/deployment/TOC.yml | 2 ++ .../update/windows-update-security.md | 20 +++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index c89317ccc0..6891986bec 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -299,6 +299,8 @@ href: update/safeguard-opt-out.md - name: Determine the source of Windows Updates href: ./update/how-windows-update-works.md + - name: Windows Update security + href: ./update/windows-update-security.md - name: Common Windows Update errors href: /troubleshoot/windows-client/deployment/common-windows-update-errors?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Windows Update error code reference 
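Review bot: the front matter of the new file (patch 1) leaves `ms.reviewer:` empty and sets `ms.collection: M365-analytics`; does an analytics collection fit a Windows Update security overview, or was that line carried over from another article's front matter? Either fill in the reviewer and pick a matching collection, or drop the `ms.collection` line. Also, `ms.date: 10/25/2022` is one day after the commit date (24 Oct 2022), which is fine if the article publishes on the 25th but worth confirming.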
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index cb75c32270..838dd9380f 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md 
@@ -13,3 +13,23 @@ ms.date: 10/25/2022 # Windows Update security overview +The Windows Update (WU) system ensures devices are updated securely. Its end-to-end protection prevents manipulation of protocol exchanges and ensures only approved content is installed. Some protected environments may need to update firewall and proxy rules to ensure that Windows updates can be properly accessed. + +The Windows Update system distributes a multitude of content. Some examples of this content include: + +- Updates to the Windows operating system +- Microsoft 365 Apps updates (Office updates) +- Hardware drivers +- Antivirus definitions +- Microsoft Store apps + +This system is initiated when a user interacts with the Windows Update settings page or when an application makes a call into the [WU client service API](/windows/win32/api/_wua/). These calls may be made at various times by different parts of Windows and Microsoft applications, such as Microsoft 365 Apps, Microsoft Defender, and Plug and Play (PnP). + +When such interactions occur the Windows Update service running on the device will trigger a series of exchanges over the internet with Microsoft's Windows Update servers. The general workflow is that a Windows device makes multiple connections to Windows Update services using HTTPS (HTTP over TLS, TCP port 443). Update metadata is exchanged over these connections and results in a list of updates, apps, drivers, and other updates, which the device decides whether and when to download. + +Once the list of downloads has been decided, the actual update binary files are then downloaded. This is done via the Delivery Optimization component over a mix of standard HTTP calls (TCP port 80) and secure peer-to-peer network calls (TCP port 7680). Which method used is based on the device's configuration/group policies. + +When downloading updates using Delivery Optimization's peer-to-peer networking the content is integrity validated upon receipt from each peer. 
If the requested content is unavailable on the p2p network then the Delivery Optimization component will download it using HTTP. + +Regardless of which method is used to download the content, the resulting files are then validated through digital signatures and file hashes before they are installed. This validates that the download is what was intended, is verified as authentic and has not been tampered with. + From 86d74c1f8acdbcba2b57edffa85497c20e6cf165 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Oct 2022 09:25:15 -0700 Subject: [PATCH 3/8] WinUpdate sec - 6960017 --- .../update/windows-update-security.md | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index 838dd9380f..c78e8d2b5c 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md 
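Review bot: in the body added by patch 2, "Which method used is based on the device's configuration/group policies" is ungrammatical; suggest "Which method is used depends on the device's configuration and group policies." In the same hunk, "results in a list of updates, apps, drivers, and other updates" repeats "updates"; "a list of updates, apps, drivers, and other content" reads better. The two sentences beginning "This is done via the Delivery Optimization component" and "This validates that the download" open with a bare "This" whose referent is the previous paragraph; naming the subject ("The download is done via…", "The validation confirms…") avoids the ambiguity.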
@@ -23,13 +23,25 @@ The Windows Update system distributes a multitude of content. Some examples of t - Antivirus definitions - Microsoft Store apps -This system is initiated when a user interacts with the Windows Update settings page or when an application makes a call into the [WU client service API](/windows/win32/api/_wua/). These calls may be made at various times by different parts of Windows and Microsoft applications, such as Microsoft 365 Apps, Microsoft Defender, and Plug and Play (PnP). +This system is initiated when a user interacts with the Windows Update settings page or when an application makes a call into the [WU client service API](/windows/win32/api/_wua/). These calls may be made at various times by different parts of Windows and Microsoft applications, such as [Microsoft 365 Apps](/officeupdates/update-history-microsoft365-apps-by-date), [Microsoft Defender](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus), and [Plug and Play (PnP)](/windows-hardware/drivers/kernel/introduction-to-plug-and-play). -When such interactions occur the Windows Update service running on the device will trigger a series of exchanges over the internet with Microsoft's Windows Update servers. The general workflow is that a Windows device makes multiple connections to Windows Update services using HTTPS (HTTP over TLS, TCP port 443). Update metadata is exchanged over these connections and results in a list of updates, apps, drivers, and other updates, which the device decides whether and when to download. +When such interactions occur, the Windows Update service running on the device will trigger a series of exchanges over the internet with Microsoft's Windows Update servers. The general workflow is: -Once the list of downloads has been decided, the actual update binary files are then downloaded. 
This is done via the Delivery Optimization component over a mix of standard HTTP calls (TCP port 80) and secure peer-to-peer network calls (TCP port 7680). Which method used is based on the device's configuration/group policies. +1. A Windows device makes multiple connections to Windows Update services using HTTPS (HTTP over TLS, TCP port 443). +1. Update metadata is exchanged over these connections and results in a list of updates, apps, drivers, and other updates. +1. The device decides whether and when to download items from the resulting list. -When downloading updates using Delivery Optimization's peer-to-peer networking the content is integrity validated upon receipt from each peer. If the requested content is unavailable on the p2p network then the Delivery Optimization component will download it using HTTP. +Once the list of downloads has been decided, the actual update binary files are then downloaded. The download is done via the [Delivery Optimization](/windows/deployment/do/waas-delivery-optimization) component over a mix of standard HTTP calls (TCP port 80) and secure peer-to-peer network calls (TCP port 7680). Which method used is based on the device's configuration/group policies. -Regardless of which method is used to download the content, the resulting files are then validated through digital signatures and file hashes before they are installed. This validates that the download is what was intended, is verified as authentic and has not been tampered with. +When downloading updates using Delivery Optimization's peer-to-peer (P2P) networking, the content is integrity validated upon receipt from each peer. If the requested content is unavailable on the P2P network, then the Delivery Optimization component will download it using HTTP. +Regardless of which method is used to download the content, the resulting files are then validated through digital signatures and file hashes before they're installed. 
The validation confirms that the download is what was intended, is verified as authentic, and hasn't been tampered with. + +## Securing metadata connections + +When Windows Update scans for updates, it goes through a series of metadata exchanges between the device and Windows Update servers. This exchange is done using HTTPS (HTTP over TLS). These secured connections are certificate-pinned. Certificate pinning, ensures that not only is the TLS connection's server certificate validated (certificate trust, expiry, revocation, SAN entries, etc.) but the certificate's issuer is also validated as genuine Microsoft Windows Update. If the issuer is unexpected (not a valid Windows Update intermediate certificate), then the connection fails. This ensures that the device is connecting to legitimate Microsoft servers and prevents man-in-the-middle attacks. + +Since Windows Update TLS connections are certificate-pinned, it's important that TLS proxies pass these connections without interception. The full list of DNS names that require proxy/firewall exceptions can be found in the [Windows Update troubleshooting](/windows-client/deployment/windows-update-issues-troubleshooting?toc=%2Fwindows%2Fdeployment%2Ftoc.json&bc=%2Fwindows%2Fdeployment%2Fbreadcrumb%2Ftoc.json#device-cannot-access-update-files) article. + + +Microsoft doesn't provide IP addresses or IP ranges for these exceptions because they may differ over time as changes are made for purposes such as traffic load balancing. \ No newline at end of file From f77eddee6505767668a2e7666452b1230f88c414 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Oct 2022 10:31:56 -0700 Subject: [PATCH 4/8] WinUpdate sec - 6960017 --- .../deployment/update/windows-update-security.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) 
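Review bot: in the new "Securing metadata connections" section (patch 3), the troubleshooting link points at `/windows-client/deployment/windows-update-issues-troubleshooting?...`, while the sibling entry added to TOC.yml in patch 2 uses the `/troubleshoot/windows-client/deployment/...` prefix for the same docset; the link should get the `/troubleshoot/` prefix. Smaller points in the same hunk: stray comma in "Certificate pinning, ensures", two consecutive blank lines before "Microsoft doesn't provide IP addresses", and the file now ends with "\ No newline at end of file".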
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index c78e8d2b5c..fd82e59a8d 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md 
@@ -39,9 +39,20 @@ Regardless of which method is used to download the content, the resulting files ## Securing metadata connections -When Windows Update scans for updates, it goes through a series of metadata exchanges between the device and Windows Update servers. This exchange is done using HTTPS (HTTP over TLS). These secured connections are certificate-pinned. Certificate pinning, ensures that not only is the TLS connection's server certificate validated (certificate trust, expiry, revocation, SAN entries, etc.) but the certificate's issuer is also validated as genuine Microsoft Windows Update. If the issuer is unexpected (not a valid Windows Update intermediate certificate), then the connection fails. This ensures that the device is connecting to legitimate Microsoft servers and prevents man-in-the-middle attacks. +When Windows Update scans for updates, it goes through a series of metadata exchanges between the device and Windows Update servers. This exchange is done using HTTPS (HTTP over TLS). These secured connections are certificate-pinned, ensuring that: + +- The TLS connection's server certificate is validated (certificate trust, expiry, revocation, SAN entries, etc.) +- The certificate's issuer is validated as a genuine Microsoft Windows Update issuer + +The connection fails if the issuer is unexpected, or not a valid Windows Update intermediate certificate. Certificate pinning ensures that the device is connecting to legitimate Microsoft servers and prevents man-in-the-middle attacks. Since Windows Update TLS connections are certificate-pinned, it's important that TLS proxies pass these connections without interception. The full list of DNS names that require proxy/firewall exceptions can be found in the [Windows Update troubleshooting](/windows-client/deployment/windows-update-issues-troubleshooting?toc=%2Fwindows%2Fdeployment%2Ftoc.json&bc=%2Fwindows%2Fdeployment%2Fbreadcrumb%2Ftoc.json#device-cannot-access-update-files) article. 
+Microsoft doesn't provide IP addresses or IP ranges for these exceptions because they may differ over time as changes are made for purposes such as traffic load balancing. + +## Expected Windows Update server usage + +The Windows Update service's servers are used solely by WU components. There's no expectation that end users will be interacting with these remote endpoints. Therefore, these service endpoints may not resolve as expected in a web browser. A user casually browsing to these endpoints may notice a lack of adherence to the latest web browser expectations such as publicly trusted PKI, certificate transparency logging, or TLS requirements. This behavior is expected and doesn't limit or otherwise impact the safety and security of the Windows Update system. + +Users attempting to browse to the service endpoints may see security warnings and even content access failures. Again, this behavior is expected as the service endpoints aren't designed for web browser access or casual user consumption. -Microsoft doesn't provide IP addresses or IP ranges for these exceptions because they may differ over time as changes are made for purposes such as traffic load balancing. \ No newline at end of file From 5549236e078f7afaa2cd39b2c218385536474304 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Oct 2022 10:55:06 -0700 Subject: [PATCH 5/8] WinUpdate sec - 6960017 --- windows/deployment/update/windows-update-security.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index fd82e59a8d..9aab0ab093 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md 
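Review bot: in the new "Expected Windows Update server usage" section (patch 4), "these service endpoints may not resolve as expected in a web browser" suggests a DNS resolution problem, whereas the paragraph goes on to describe browser security warnings and access failures; "may not behave as expected" states the intended point. In the bullet rewrite above it, "Certificate pinning ensures … and prevents man-in-the-middle attacks" is an absolute claim that covers only the pinned metadata connections; "protects the metadata exchange against man-in-the-middle attacks" keeps the scope accurate, since the content download over HTTP is covered by the signature and hash checks described separately.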
@@ -23,7 +23,7 @@ The Windows Update system distributes a multitude of content. Some examples of t - Antivirus definitions - Microsoft Store apps -This system is initiated when a user interacts with the Windows Update settings page or when an application makes a call into the [WU client service API](/windows/win32/api/_wua/). These calls may be made at various times by different parts of Windows and Microsoft applications, such as [Microsoft 365 Apps](/officeupdates/update-history-microsoft365-apps-by-date), [Microsoft Defender](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus), and [Plug and Play (PnP)](/windows-hardware/drivers/kernel/introduction-to-plug-and-play). +This system is initiated when a user interacts with the Windows Update settings page or when an application makes a call into the [WU client service API](/windows/win32/api/_wua/). These calls may be made at various times by Microsoft applications and different parts of Windows, such as [Microsoft 365 Apps](/officeupdates/update-history-microsoft365-apps-by-date), [Microsoft Defender](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus), and [Plug and Play (PnP)](/windows-hardware/drivers/kernel/introduction-to-plug-and-play). When such interactions occur, the Windows Update service running on the device will trigger a series of exchanges over the internet with Microsoft's Windows Update servers. The general workflow is: 
@@ -56,3 +56,11 @@ The Windows Update service's servers are used solely by WU components. There's n Users attempting to browse to the service endpoints may see security warnings and even content access failures. Again, this behavior is expected as the service endpoints aren't designed for web browser access or casual user consumption. +## Securing content delivery + +The process of downloading update binaries is secured at a layer above the transport. Even though content may be downloaded through standard HTTP (TCP port 80), the content goes through a rigorous security validation process. + +Downloads are load balanced through Content Delivery Networks (CDN), so using TLS would break their Microsoft chain-of-custody. The chain would break because a TLS connection to a caching CDN terminates at the CDN, not Microsoft, thus TLS certificates aren't Microsoft specific. This means that the WU client can't prove the trustworthiness of the CDN (Microsoft doesn't control CDN TLS certificates). Additionally, a TLS connection to a CDN doesn't prove content hasn't been manipulated within the CDN's caching network. Therefore, TLS doesn't offer any of the security promises to the end-to-end Windows Update workflow that it otherwise provides. + +Regardless of how the content is delivered, once it has been downloaded, it's properly validated for trust, integrity, and intention using various techniques including digital signature validation and file hash checks, among others. This level of content validation provides even more layers of security than TLS alone. + From ad24db285572801c14fd472e215318f1fada92aa Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Oct 2022 12:37:22 -0700 Subject: [PATCH 6/8] WinUpdate sec - 6960017 --- .../update/windows-update-security.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) 
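Review bot: the CDN paragraph in the new "Securing content delivery" section (patch 5) overstates its point. "Using TLS would break their Microsoft chain-of-custody" and "TLS doesn't offer any of the security promises" read as if TLS were harmful; the defensible claim, which the rest of the paragraph already makes, is that a TLS connection to a CDN edge authenticates the CDN rather than Microsoft and says nothing about the cached bytes, so the WU client can't rely on it for authenticity and instead verifies signatures and hashes on the downloaded files. Suggest rewording to that and dropping "any of", since TLS would still protect the CDN-to-device hop in transit. Also "Content Delivery Networks (CDN)" should abbreviate as "CDNs" for the plural.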
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index 9aab0ab093..32f7ade39f 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md 
@@ -42,11 +42,11 @@ Regardless of which method is used to download the content, the resulting files When Windows Update scans for updates, it goes through a series of metadata exchanges between the device and Windows Update servers. This exchange is done using HTTPS (HTTP over TLS). These secured connections are certificate-pinned, ensuring that: - The TLS connection's server certificate is validated (certificate trust, expiry, revocation, SAN entries, etc.) -- The certificate's issuer is validated as a genuine Microsoft Windows Update issuer +- The certificate's issuer is validated as genuine Microsoft Windows Update The connection fails if the issuer is unexpected, or not a valid Windows Update intermediate certificate. Certificate pinning ensures that the device is connecting to legitimate Microsoft servers and prevents man-in-the-middle attacks. -Since Windows Update TLS connections are certificate-pinned, it's important that TLS proxies pass these connections without interception. The full list of DNS names that require proxy/firewall exceptions can be found in the [Windows Update troubleshooting](/windows-client/deployment/windows-update-issues-troubleshooting?toc=%2Fwindows%2Fdeployment%2Ftoc.json&bc=%2Fwindows%2Fdeployment%2Fbreadcrumb%2Ftoc.json#device-cannot-access-update-files) article. +Since Windows Update TLS connections are certificate-pinned, it's important that TLS proxies pass these connections without interception. The full list of DNS names that require proxy/firewall exceptions can be found in the [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#device-cannot-access-update-files) article. Microsoft doesn't provide IP addresses or IP ranges for these exceptions because they may differ over time as changes are made for purposes such as traffic load balancing. 
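Review bot: the bullet edit in patch 6 changes "validated as a genuine Microsoft Windows Update issuer" to "validated as genuine Microsoft Windows Update", which now reads as if the issuer is Windows Update itself; the previous wording was clearer, or use "validated as a genuine Windows Update issuing certificate". The link change to the `/troubleshoot/windows-client/deployment/...` path is correct and matches the TOC.yml entry from patch 2.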
@@ -60,7 +60,16 @@ Users attempting to browse to the service endpoints may see security warnings an The process of downloading update binaries is secured at a layer above the transport. Even though content may be downloaded through standard HTTP (TCP port 80), the content goes through a rigorous security validation process. -Downloads are load balanced through Content Delivery Networks (CDN), so using TLS would break their Microsoft chain-of-custody. The chain would break because a TLS connection to a caching CDN terminates at the CDN, not Microsoft, thus TLS certificates aren't Microsoft specific. This means that the WU client can't prove the trustworthiness of the CDN (Microsoft doesn't control CDN TLS certificates). Additionally, a TLS connection to a CDN doesn't prove content hasn't been manipulated within the CDN's caching network. Therefore, TLS doesn't offer any of the security promises to the end-to-end Windows Update workflow that it otherwise provides. +Downloads are load balanced through Content Delivery Networks (CDN), so using TLS would break their Microsoft chain-of-custody. Because a TLS connection to a caching CDN terminates at the CDN, not Microsoft, TLS certificates aren't Microsoft specific. This means that the WU client can't prove the trustworthiness of the CDN as Microsoft doesn't control CDN TLS certificates. Additionally, a TLS connection to a CDN doesn't prove content hasn't been manipulated within the CDN's caching network. Therefore, TLS doesn't offer any of the security promises to the end-to-end Windows Update workflow that it otherwise provides. -Regardless of how the content is delivered, once it has been downloaded, it's properly validated for trust, integrity, and intention using various techniques including digital signature validation and file hash checks, among others. This level of content validation provides even more layers of security than TLS alone. 
+Regardless of how the content is delivered, once it has been downloaded, it's properly validated. Content is validated for trust, integrity, and intention using various techniques such as digital signature validation and file hash checks. This level of content validation provides even more layers of security than TLS alone. +## Windows Server Update Services (WSUS) + +Enterprises using WSUS have a similar workflow. However, the client devices connect to their enterprise's WSUS server instead of over the internet to Microsoft's servers. It's up to the enterprise to decide whether to use HTTP or TLS (HTTPS) connections for the metadata exchange. Microsoft strongly advises using TLS connections and configuring client devices with appropriate TLS certificate pinning configurations for metadata exchange with WSUS. For more information about WSUS TLS certificate-pinning, see: + +- [Windows IT Pro Blog: Changes to improve security for Windows devices scanning WSUS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547) +- [Windows IT Pro Blog: Scan changes and certificates add security for Windows devices using WSUS for updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/scan-changes-and-certificates-add-security-for-windows-devices/ba-p/2053668) +- [Configuration Manager: Configure a software update point to use TLS](/mem/configmgr/sum/get-started/software-update-point-ssl) + +When a WSUS server [updates its own update catalog](/windows-server/administration/windows-server-update-services/manage/setting-up-update-synchronizations), it connects to Microsoft's server sync services and scans for updates. The WSUS server synchronization process is similar to the [metadata exchange process](#securing-metadata-connections) for client devices connecting to Windows Update. 
The WSUS-to-Microsoft connection is over TLS and is verified by Microsoft certificate, similar to the WU client's TLS certificate-pinning. From 248cede1508e1680be5356721ac8f6cfcd0f5540 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Oct 2022 14:12:08 -0700 Subject: [PATCH 7/8] WinUpdate sec - 6960017 --- windows/deployment/update/windows-update-security.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index 32f7ade39f..1994f5b009 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md @@ -70,6 +70,5 @@ Enterprises using WSUS have a similar workflow. However, the client devices conn - [Windows IT Pro Blog: Changes to improve security for Windows devices scanning WSUS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547) - [Windows IT Pro Blog: Scan changes and certificates add security for Windows devices using WSUS for updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/scan-changes-and-certificates-add-security-for-windows-devices/ba-p/2053668) -- [Configuration Manager: Configure a software update point to use TLS](/mem/configmgr/sum/get-started/software-update-point-ssl) When a WSUS server [updates its own update catalog](/windows-server/administration/windows-server-update-services/manage/setting-up-update-synchronizations), it connects to Microsoft's server sync services and scans for updates. The WSUS server synchronization process is similar to the [metadata exchange process](#securing-metadata-connections) for client devices connecting to Windows Update. The WSUS-to-Microsoft connection is over TLS and is verified by Microsoft certificate, similar to the WU client's TLS certificate-pinning. 
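Review bot: in the second hunk of patch 6, a blank line is missing between the rewritten "Regardless of how the content is delivered…" paragraph and the new `## Windows Server Update Services (WSUS)` heading; as added, the heading line directly follows the paragraph line, which some markdown renderers fold into the paragraph text. In the last paragraph, "verified by Microsoft certificate" needs an article ("by a Microsoft certificate"). The pair "It's up to the enterprise to decide whether to use HTTP or TLS (HTTPS)" followed by "Microsoft strongly advises using TLS connections" would read as one thought, for example "WSUS supports both HTTP and HTTPS for the metadata exchange; Microsoft strongly advises using TLS and configuring client devices with certificate pinning for it."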
From c4e21f9f0420b596211d7b69b444e78dde0521fd Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Oct 2022 15:30:56 -0700 Subject: [PATCH 8/8] WinUpdate sec - 6960017 --- windows/deployment/update/windows-update-security.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index 1994f5b009..c8d0f452a3 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md @@ -11,9 +11,11 @@ ms.topic: article ms.date: 10/25/2022 --- -# Windows Update security overview +# Windows Update security -The Windows Update (WU) system ensures devices are updated securely. Its end-to-end protection prevents manipulation of protocol exchanges and ensures only approved content is installed. Some protected environments may need to update firewall and proxy rules to ensure that Windows updates can be properly accessed. +The Windows Update (WU) system ensures devices are updated securely. Its end-to-end protection prevents manipulation of protocol exchanges and ensures only approved content is installed. Some protected environments may need to update firewall and proxy rules to ensure that Windows updates can be properly accessed. This article provides an overview of the security features of Windows Update. + +## Windows Update security overview The Windows Update system distributes a multitude of content. Some examples of this content include:
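Review bot: the new `## Windows Update security overview` heading in patch 8 repeats the H1 (`# Windows Update security`) and is inserted after the intro paragraph that already serves as the overview, so the first H2 actually covers what Windows Update distributes and how the scan and download workflow runs; a heading naming that content would make the TOC more useful than "overview". The added sentence "This article provides an overview of the security features of Windows Update." would normally open the intro rather than follow the firewall and proxy caveat.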