4 Replies Latest reply on Jun 12, 2012 3:21 PM by grandgroove

    Is Patch Manager impacted by Flame or the planned WSUS hardening?

    Andrew M

      Microsoft has announced new updates that will harden WSUS to help mitigate the effects of the recent Flame attacks. Will these changes affect Patch Manager and is SolarWinds planning any of its own changes to Patch Manager in light of the Flame threat?


      Update to Windows Update, WSUS Coming This Week - Microsoft Update Product Team Blog - Site Home - TechNet Blogs

        • Re: Is Patch Manager impacted by Flame or the planned WSUS hardening?

          BUMP! We certainly need an official answer on this!

          • Re: Is Patch Manager impacted by Flame or the planned WSUS hardening?
            Lawrence Garvin

            Greetings Andrew.


            As the Product Manager for Patch Manager, and a Microsoft MVP (for WSUS), I'm monitoring this entire process with an eagle eye. My understanding of the coming "hardening" of the WSUS environment is an update to the Windows Update Agent that will cause it to significantly reduce the scope of Microsoft certificates that are trusted for detecting/downloading/installing Microsoft-published patches. It remains to be seen what impact will exist on the thousands of legacy updates already signed with older certificates. We do not believe there will be any impact on the local publishing functionality, since that is driven by locally generated certificates.


            Presumably, but I do not yet know this as fact, the WUAgent will be released as a package to be inserted into the ~/selfupdate virtual directory of the WSUS website. I do not know yet how that will actually be packaged and distributed -- whether a simple download and unzip, or an actual WSUS package.


            In the event it is not made available as an update to the 'selfupdate' feature, or where using 'selfupdate' is not possible or practical, such as would be necessary for Configuration Manager environments or where it may not be practical to update downstream servers with a new ~/selfupdate folder (such as where an organization has dozens or hundreds of downstream servers) -- there are tools in Patch Manager that can be used to deploy a Windows Update Agent update -- either from the Microsoft published download site, or from a local network-based copy. I'm working on a blog post to describe how this can be done with Patch Manager.


            I would also encourage you to use the Update Management tools in Patch Manager to distribute KB2718704 (Certificate Revocation List update) to ensure all systems are immunized from the risks posed by the certificate defect.


            As far as the impact to Patch Manager itself, so far we do not expect there to be any impact at all. Patch Manager will continue to leverage the WSUS infrastructure in whatever form it takes. Our communication with the WSUS server is exclusively via the published WSUS API, and our communication with the Windows Update Agent is exclusively via the published WUAgent API -- and there's no indication that there will be any changes in those APIs.
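
            A verification script for the KB2718704 rollout recommended above, added here as an example that is not part of this thread and not SolarWinds or Patch Manager code: for each host it reports whether the KB appears in the installed-hotfix list and whether any certificate matching a subject pattern sits in the machine's Disallowed (Untrusted Certificates) store. It assumes PowerShell remoting (WinRM) is enabled on the targets, that the caller is a local administrator there, and that the 'Enforced Licensing' subject filter and the host names are illustrative placeholders.

```powershell
# Added example, not from the thread or from SolarWinds Patch Manager.
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets, the caller
# is a local administrator there, and the Disallowed-store subject pattern
# 'Enforced Licensing' is used here only as an illustrative filter.
function Test-CertRevocationUpdate {
    param(
        [string[]]$ComputerName = @('localhost'),
        [string]$KbId = 'KB2718704',
        [string]$SubjectPattern = 'Enforced Licensing'
    )

    foreach ($c in $ComputerName) {
        $row = [ordered]@{
            Computer     = $c
            HotfixListed = $false   # seen in Win32_QuickFixEngineering
            Disallowed   = 0        # matching certs in LocalMachine\Disallowed
            Error        = $null
        }
        try {
            # Filter client-side: Get-HotFix -Id writes an error when the KB is absent.
            $hf = Get-HotFix -ComputerName $c -ErrorAction Stop |
                  Where-Object { $_.HotFixID -eq $KbId }
            $row.HotfixListed = [bool]$hf

            # The CRL update places the affected certificates in the Untrusted
            # Certificates store, so inspect that store directly as a second signal.
            $row.Disallowed = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                param($pattern)
                @(Get-ChildItem Cert:\LocalMachine\Disallowed |
                  Where-Object { $_.Subject -match $pattern }).Count
            } -ArgumentList $SubjectPattern
        } catch {
            # Unreachable host, access denied, or WinRM not enabled: record, do not abort.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Host names are placeholders; replace them or read a list from a file.
Test-CertRevocationUpdate -ComputerName 'HOST-A', 'HOST-B' |
    Format-Table -AutoSize
```

A host with HotfixListed false and Disallowed 0 is the one to investigate; an Error value means the check itself did not run, not that the update is missing.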

            • Re: Is Patch Manager impacted by Flame or the planned WSUS hardening?

              For those that need it, please refer to Issues with latest WSUS update (wsus-kb2720211) for details on how to resolve this.