
Is Patch Manager impacted by Flame or the planned WSUS hardening?

Microsoft has announced new updates that will harden WSUS to help mitigate the effects of the recent Flame attacks. Will these changes affect Patch Manager and is SolarWinds planning any of its own changes to Patch Manager in light of the Flame threat?

Update to Windows Update, WSUS Coming This Week - Microsoft Update Product Team Blog - Site Home - TechNet Blogs

  • BUMP! We certainly need an official answer on this!

  • Greetings Andrew.

    As the Product Manager for Patch Manager, and a Microsoft MVP (for WSUS), I'm monitoring this entire process with an eagle eye. My understanding of the coming "hardening" of the WSUS environment is an update to the Windows Update Agent that will cause it to significantly reduce the scope of Microsoft certificates that are trusted for detecting/downloading/installing Microsoft-published patches. It remains to be seen what impact will exist on the thousands of legacy updates already signed with older certificates. We do not believe there will be any impact on the local publishing functionality, since that is driven by locally generated certificates.

    Presumably, but I do not yet know this as fact, the WUAgent will be released as a package to be inserted into the ~/selfupdate virtual directory of the WSUS website. I do not know yet how that will actually be packaged and distributed -- whether a simple download and unzip, or an actual WSUS package.

    In the event it is not made available as an update to the 'selfupdate' feature, or where using 'selfupdate' is not possible or practical, such as would be necessary for Configuration Manager environments or where it may not be practical to update downstream servers with a new ~/selfupdate folder (such as where an organization has dozens or hundreds of downstream servers) -- there are tools in Patch Manager that can be used to deploy a Windows Update Agent update -- either from the Microsoft published download site, or from a local network-based copy. I'm working on a blog post to describe how this can be done with Patch Manager.

    I would also encourage you to use the Update Management tools in Patch Manager to distribute KB2718704 (Certificate Revocation List update) to ensure all systems are immunized from the risks posed by the certificate defect.

    As far as the impact to Patch Manager itself, so far we do not expect there to be any impact at all. Patch Manager will continue to leverage the WSUS infrastructure in whatever form it takes. Our communication with the WSUS server is exclusively via the published WSUS API, and our communication with the Windows Update Agent is exclusively via the published WUAgent API -- and there's no indication that there will be any changes in those APIs.
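    An added verification script, not code from the original thread, from SolarWinds or from Patch Manager: after KB2718704 and the Windows Update Agent update have been pushed, an administrator still wants to confirm on each host that the hotfix is recorded as installed, that the Microsoft Enforced Licensing certificates the update moves into the Untrusted Certificates store are actually there, and which Windows Update Agent version is running. The function below gathers those three facts per host. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller has local administrator rights on them; the host names at the bottom are constructed placeholders.

```powershell
# Added example (not from the original thread or from SolarWinds Patch Manager).
# Reports, per host: (1) whether KB2718704 is installed, (2) how many
# "Microsoft Enforced Licensing" certificates sit in the Untrusted store,
# (3) the Windows Update Agent product version.
# Assumptions: WinRM enabled on targets, caller is a local administrator there.

function Test-WsusHardening {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $HotfixId = 'KB2718704'
    )

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            Computer        = $computer
            HotfixPresent   = $false
            HotfixDate      = $null
            CertsDistrusted = 0
            WuaVersion      = $null
        }

        # (1) Get-HotFix queries Win32_QuickFixEngineering over DCOM; it throws
        #     when the requested id is not found, so a catch means "missing".
        try {
            $fix = Get-HotFix -Id $HotfixId -ComputerName $computer -ErrorAction Stop
            $result.HotfixPresent = $true
            $result.HotfixDate    = $fix.InstalledOn
        } catch {
            # leave HotfixPresent = $false
        }

        # (2) and (3) have to run on the target itself.
        try {
            $remote = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                # Certificates under LocalMachine\Disallowed are explicitly untrusted.
                $distrusted = Get-ChildItem Cert:\LocalMachine\Disallowed |
                    Where-Object { $_.Subject -like '*Microsoft Enforced Licensing*' }

                # IUpdateAgentInfo exposes the installed agent's version string.
                $agent = New-Object -ComObject Microsoft.Update.AgentInfo

                [pscustomobject]@{
                    CertCount  = @($distrusted).Count
                    WuaVersion = $agent.GetInfo('ProductVersionString')
                }
            }
            $result.CertsDistrusted = $remote.CertCount
            $result.WuaVersion      = $remote.WuaVersion
        } catch {
            $result.WuaVersion = "unreachable: $($_.Exception.Message)"
        }

        [pscustomobject]$result
    }
}

# Constructed host names; replace with real ones or pipe in from Get-ADComputer.
Test-WsusHardening -ComputerName 'WKS-01.example.local', 'WKS-02.example.local' |
    Format-Table -AutoSize
```

    A host showing HotfixPresent = True but CertsDistrusted = 0 is worth a second look, since the certificate store change is what actually blocks the revoked chain; the KB entry alone only says the package ran.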

  • Excellent reply! I appreciate your effort and praise your work! I will certainly be doing my research on the patch you mentioned. Thank you for the tip!

  • For those that need it, please refer to for details on how to resolve this.