question

0 Votes
CarlaBradley-5221 asked RitaHu-MSFT commented

WSUS Server digital signature evidence

In the Microsoft documentation, it states... "Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. In addition, a hash is computed and sent together with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been changed, it is not installed."

How can I obtain evidence from our WSUS server that this is occurring for an audit?

windows-server, windows-server-update-services

@CarlaBradley-5221
Thanks for your posting on Q&A.

In order to help me research further, please consider sharing the related link first.

Thanks for your understanding and cooperation.

Regards,
Rita

0 Votes 0 ·

Thanks, Rita! The link is below. Basically, we use our WSUS server to push Microsoft updates to our servers and workstations, and I just need some sort of verification that this hash compare is taking place successfully.

2-configure-wsus


0 Votes 0 ·

1 Answer

0 Votes
RitaHu-MSFT answered RitaHu-MSFT commented

@m0chi87
Thanks for your posting on Q&A.

Here is a related link about SHA-2 Code for your reference.

Reference picture:
96530-18.png

Regards,
Rita



Thank you. That's helpful. Is there a log or some other way to show that this is happening successfully?

1 Vote 1 ·

@CarlaBradley-5221
I'm not sure whether there is a log file for reference to confirm. I will do further research and inform you in time if there is one.

According to the above link, WSUS already supports SHA-2-signed updates starting with WSUS 4.0. So it is OK if you have already deployed the updates for the clients on WSUS 4.0 or later.

Thanks for your time.

Regards,
Rita

0 Votes 0 ·

Did you ever find anything?

0 Votes 0 ·
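
For the audit question raised in this thread, the following is an added example, not part of the thread and not Microsoft's own tooling: a PowerShell script that independently re-checks the Authenticode signature and hash of content already downloaded to the WSUS server and exports the result as a CSV. It re-verifies files at rest and does not record the check WSUS performs at download time. The content folder path, the report path, and the premise that WSUS names each content file after its SHA-1 digest are assumptions to confirm in your environment.

```powershell
# Added example: independent re-verification of downloaded WSUS content.
# Assumptions (not from the thread): the default paths below, and that WSUS
# stores each content file under a name equal to its SHA-1 digest in hex.
# Requires PowerShell 4.0 or later (Get-FileHash).
param(
    [string]$ContentPath = 'C:\WSUS\WsusContent',            # assumed; adjust
    [string]$ReportPath  = '.\wsus-content-verification.csv' # assumed; adjust
)

function Test-WsusContentFile {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $sha1   = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $File.FullName

    # Compare name and digest only when the base name is 40 hex characters.
    $nameCheck = 'NotApplicable'
    if ($File.BaseName -match '^[0-9A-Fa-f]{40}$') {
        $nameCheck = if ($File.BaseName -ieq $sha1) { 'Match' } else { 'Mismatch' }
    }

    [pscustomobject]@{
        CheckedUtc       = (Get-Date).ToUniversalTime().ToString('o')
        File             = $File.FullName
        Length           = $File.Length
        Sha1             = $sha1
        Sha256           = $sha256
        NameVsSha1       = $nameCheck
        SignatureStatus  = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject
        SignerThumbprint = $sig.SignerCertificate.Thumbprint
    }
}

$results = Get-ChildItem -LiteralPath $ContentPath -Recurse -File |
    ForEach-Object { Test-WsusContentFile -File $_ }

# Full per-file record for the auditor.
$results | Export-Csv -LiteralPath $ReportPath -NoTypeInformation -Encoding UTF8

# Summary counts, then the files that need follow-up.
$results | Group-Object SignatureStatus, NameVsSha1 |
    Select-Object Count, Name | Format-Table -AutoSize
$results | Where-Object { $_.NameVsSha1 -eq 'Mismatch' -or
                          $_.SignatureStatus -in 'HashMismatch', 'NotTrusted' } |
    Select-Object File, NameVsSha1, SignatureStatus
```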