Security and Privacy for Software Updates in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

This topic contains security and privacy information for software updates in System Center 2012 Configuration Manager.

Security Best Practices for Software Updates

Use the following security best practices when you deploy software updates to clients:

Security best practice

More information

Do not change the default permissions on software update packages.

By default, software update packages are set to allow administrators Full Control and users to have Read access. If you change these permissions, it might allow an attacker to add, remove, or delete software updates.

Control access to the download location for software updates.

The computer accounts for the SMS Provider, the site server, and the administrative user who will actually download the software updates to the download location require Write access to the download location. Restrict access to the download location to reduce the risk of attackers tampering with the software updates source files in the download location.

In addition, if you use a UNC share for the download location, secure the network channel by using IPsec or SMB signing to prevent tampering of the software updates source files when they are transferred over the network.

Use UTC for evaluating deployment times.

If you use local time instead of UTC, users could potentially delay installation of software updates by changing the time zone on their computers

Enable SSL on WSUS and follow the best practices for securing Windows Server Update Services (WSUS).

Identify and follow the security best practices for the version of WSUS that you use with Configuration Manager.


If you configure the software update point to enable SSL communications for the WSUS server, you must configure virtual roots for SSL on the WSUS server.

Enable CRL checking.

By default, Configuration Manager does not check the certificate revocation list (CRL) to verify the signature on software updates before they are deployed to computers. Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the computer performing the CRL check.

For more information about how to enable CRL checking for software updates, see How to Enable CRL Checking for Software Updates.

Configure WSUS to use a custom website.

When you install WSUS on the software update point, you have the option to use the existing IIS Default Web site or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website instead of sharing the same web site that is used by the other Configuration Manager site systems or other applications.

For more information, see the Configure WSUS to Use a Custom Web Site section in the Planning for Software Updates in Configuration Manager topic.

Network Access Protection (NAP): Do not rely on NAP to secure a network from malicious users.

Network Access Protection is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer has all the software updates required by the Configuration Manager NAP policy, the computer is considered compliant, and it will be granted the appropriate access to the network. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or disabling the NAP agent.

Network Access Protection (NAP): Do not use DHCP NAP enforcement in a production environment.

Use DHCP NAP in a secured, testing environment or for monitoring purposes only. When you use DHCP NAP, attackers can modify the statement of health packets between the client and the NAP health policy server, and users can circumvent the NAP process.

Network Access Protection (NAP): Use consistent NAP policies throughout the hierarchy to minimize confusion.

Misconfigured NAP policy could result in clients accessing the network when they should be restricted or valid clients being erroneously restricted. The more complicated your NAP policy design, the higher the risk of misconfiguration. Configure the Configuration Manager NAP client agent and Configuration Manager System Health Validator points to use the same settings throughout the hierarchy, or through additional hierarchies in the organization if clients might roam between them.


If a Configuration Manager client with the Network Access Protection client agent enabled roams into a different Configuration Manager hierarchy and has its client statement of health validated by a System Health Validator point from outside its hierarchy, the validation process will fail the site check. This will result in a client health state of unknown, which by default is configured on the NAP health policy server as non-compliant. If the NAP health policy server has network policies configured for limited network access, these clients cannot be remediated and risk being unable to access the full network. An exemption policy on the NAP health policy server could give Configuration Manager clients that roam outside their Configuration Manager hierarchy unrestricted network access.

Network Access Protection (NAP): Do not enable Network Access Protection as a client setting immediately on new Configuration Manager sites.

Although the site servers publish the Configuration Manager health state reference to a domain controller when Configuration Manager NAP policies are modified, this new data might not be immediately available for retrieval by the System Health Validator point until Active Directory replication has completed. If you enable Network Access Protection on Configuration Manager clients before replication has completed, and if your NAP health policy server will give noncompliant clients limited network access, you can potentially cause a denial of service attack against yourself.

Network Access Protection (NAP): If you store the health state reference in a designated forest, specify two different accounts for publishing and retrieving the health state reference.

When you designate an Active Directory forest to store the health state reference, specify two different accounts because they require different sets of permissions:

  • The Health State Reference Publishing Account requires Read, Write, and Create permissions to the Active Directory forest that stores the health state reference.

  • The Health State Reference Querying Account requires only Read permission to the Active Directory forest that stores the health state reference. Do not grant this account interactive logon rights.

Network Access Protection (NAP): Do not rely on Network Access Protection as an instantaneous or real-time enforcement mechanism.

There are inherent delays in the NAP enforcement mechanism. While NAP helps keep computers compliant over the long run, typical enforcement delays may be on the order of several hours or more due to a variety of factors, including the settings of various configuration parameters.

Privacy Information for Software Updates

Software updates scans your client computers to determine which software updates you require, and then sends that information back to the site database. During the software updates process, Configuration Manager might transmit information between clients and servers that identify the computer and logon accounts.

Configuration Manager maintains state information about the software deployment process. State information is not encrypted during transmission or storage. State information is stored in the Configuration Manager database and it is deleted by the database maintenance tasks. No state information is sent to Microsoft.

The use of Configuration Manager software updates to install software updates on client computers might be subject to software license terms for those updates, which is separate from the Software License Terms for Microsoft System Center 2012 Configuration Manager. Always review and agree to the Software Licensing Terms prior to installing the software updates by using Configuration Manager.

Configuration Manager does not implement software updates by default and requires several configuration steps before information is collected.

Before you configure software updates, consider your privacy requirements.