WinUpdate sec - 6960017

This commit is contained in:
Meghan Stewart
2022-10-25 10:55:06 -07:00
parent f77eddee65
commit 5549236e07

@ -23,7 +23,7 @@ The Windows Update system distributes a multitude of content. Some examples of t
- Antivirus definitions
- Microsoft Store apps
This system is initiated when a user interacts with the Windows Update settings page or when an application makes a call into the [WU client service API](/windows/win32/api/_wua/). These calls may be made at various times by different parts of Windows and Microsoft applications, such as [Microsoft 365 Apps](/officeupdates/update-history-microsoft365-apps-by-date), [Microsoft Defender](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus), and [Plug and Play (PnP)](/windows-hardware/drivers/kernel/introduction-to-plug-and-play).
This system is initiated when a user interacts with the Windows Update settings page or when an application makes a call into the [WU client service API](/windows/win32/api/_wua/). These calls may be made at various times by Microsoft applications and different parts of Windows, such as [Microsoft 365 Apps](/officeupdates/update-history-microsoft365-apps-by-date), [Microsoft Defender](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus), and [Plug and Play (PnP)](/windows-hardware/drivers/kernel/introduction-to-plug-and-play).
When such interactions occur, the Windows Update service running on the device will trigger a series of exchanges over the internet with Microsoft's Windows Update servers. The general workflow is:
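Review bot: The reordered sentence ("by Microsoft applications and different parts of Windows") still reads as though only Microsoft code calls the linked WU client service API, which is a public API that any installed application can invoke; consider "by Windows components and by applications, including Microsoft applications such as Microsoft 365 Apps, Microsoft Defender, and Plug and Play (PnP)" so the examples are clearly examples rather than an exhaustive list.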
@ -56,3 +56,11 @@ The Windows Update service's servers are used solely by WU components. There's n
Users attempting to browse to the service endpoints may see security warnings and even content access failures. Again, this behavior is expected as the service endpoints aren't designed for web browser access or casual user consumption.
## Securing content delivery
The process of downloading update binaries is secured at a layer above the transport. Even though content may be downloaded through standard HTTP (TCP port 80), the content goes through a rigorous security validation process.
Downloads are load balanced through Content Delivery Networks (CDN), so using TLS would break their Microsoft chain-of-custody. The chain would break because a TLS connection to a caching CDN terminates at the CDN, not Microsoft, thus TLS certificates aren't Microsoft specific. This means that the WU client can't prove the trustworthiness of the CDN (Microsoft doesn't control CDN TLS certificates). Additionally, a TLS connection to a CDN doesn't prove content hasn't been manipulated within the CDN's caching network. Therefore, TLS doesn't offer any of the security promises to the end-to-end Windows Update workflow that it otherwise provides.
Regardless of how the content is delivered, once it has been downloaded, it's properly validated for trust, integrity, and intention using various techniques including digital signature validation and file hash checks, among others. This level of content validation provides even more layers of security than TLS alone.
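Review bot: The TLS paragraph overstates its case in "TLS doesn't offer any of the security promises to the end-to-end Windows Update workflow that it otherwise provides": the valid point in the lines above is that a TLS session terminating at a caching CDN cannot give end-to-end integrity from Microsoft to the client, so suggest "TLS alone can't provide end-to-end integrity for the Windows Update workflow" and drop the "any" claim. In the closing paragraph, "validated for trust, integrity, and intention" should name what is actually checked (for example, that the digital signature chains to Microsoft and that the file hash matches the value in the signed update metadata) and state the outcome of a failed check, since a reader assessing port-80 downloads needs to know that content failing validation is rejected rather than installed. Minor: "Content Delivery Networks (CDN)" should be "(CDNs)" to match the plural.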