About 10 years ago it was found out that using #WSUS over clear text HTTP is a bad idea: It's trivial to get SYSTEM on the servers if you get in a privileged network position. This is presented as "WSUSpect: Compromising the Windows Enterprise via Windows Update" at Black Hat 2015. There's plenty of mature tooling for pulling this attack off.

So, you'd think that #Microsoft would promote secure configuration in all their documentation in regards of deploying WSUS, right? Unfortunately, this is not the case. You can easily end up reading this document:

https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wsus

Examples use http:// url, and there is no recommendation to use HTTPS, and no warnings on how this will create a wholly insecure configuration.

However, if you're lucky you will locate the good documentation that mentions the importance of using HTTPS: https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#23-secure-wsus-with-the-secure-sockets-layer-protocol

PowerShell – WMF5 (including PowerShell) 5 can be deployed using WSUS again, but there is a catch … http://dlvr.it/TJ5Pcz via PlanetPowerShell #PowerShell #WMF5 #WSUS #WindowsManagementFramework

Automatically update PowerShell 7.4 with WSUS or SCCM http://dlvr.it/TH9nH3 via PlanetPowerShell #PowerShell #WSUS #SCCM #Microsoft

@shwalsh13 Hardest ch was the last. Trying to manage #WSUS in #PowerShell 7. The WSUS team could not have shipped such a ore Powershell unfriendly module and object model if that was their aim. Even the RSAT tool feature name is different to ALL the rest. And I suspect MSFT will never revise it to use more modern protocol and support #.NET. Still with #Powershell7 there are ways around this