Windows Update, Windows Server 2016 and proxy

The dumbest thing… you are installing your brand new Windows Server 2016 machines and then you realize that Windows Update doesn’t work. It just gets stuck on Checking for updates/Downloading updates… for days.


Of course, you have some sort of proxy on your network, and you start troubleshooting this issue by testing on a proxy-free network… and without proxy, Windows Update works just as it should!

So, the next logical step is to blame “those networking guys”, because updating your machine works fine when it is not behind their “fancy proxy thing”.

But no.

You will soon realize that you have some “old” Windows Server 2012 R2 (or even Windows 10) machines, which are updating just fine… even through the “fancy proxy thing”.

And then you start asking yourself why.

You check the configuration of the older machines by opening up Internet Explorer and double-checking the proxy settings… and then you make sure that your new machines have the same configuration – they do. Then you are just confused. It’s not networking, it’s not proxy settings… what could it be???

Still a bit confused, you have a great idea to check system proxy settings by running netsh winhttp show proxy – on older machines you’ll probably see something like this (which is probably OK, because you’ve just seen the Proxy Settings in IE, which are set to correct values):


So, you’re (naturally) configuring new machines accordingly. Still doesn’t work.

What next?

You can do further reading & testing, but the thing that helped in our case was setting the system (winhttp) proxy with the netsh command, so that it actually imports the IE proxy settings.

Basically, you need to run netsh winhttp import proxy source=ie (after you’ve set the right proxy settings through the IE dialog, of course) or set your system proxy by using the netsh winhttp set proxy proxy.mydomain.com:8080 command.

After that, Windows Update starts working again!
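
The check-and-set sequence above as one script, added here as an example (not the author's code): it compares the current user's IE proxy with the machine-wide WinHTTP proxy, sets the latter explicitly with a bypass list, and confirms the value stuck. proxy.mydomain.com:8080 is the post's placeholder, wsus.mydomain.com is a hypothetical in-house WSUS host, and the parsing assumes English netsh output.

```powershell
# Added example, not the author's script. Run from an elevated PowerShell prompt.
# Assumptions: English netsh output; proxy.mydomain.com:8080 is the post's
# placeholder; wsus.mydomain.com is a hypothetical in-house WSUS host.
$Proxy      = 'proxy.mydomain.com:8080'
$BypassList = 'wsus.mydomain.com;<local>'

function Get-WinHttpProxy {
    # Machine-wide setting, parsed from "netsh winhttp show proxy".
    $out = (netsh winhttp show proxy) -join "`n"
    if ($out -match 'Direct access') {
        return [pscustomobject]@{ Mode = 'Direct'; Server = $null; Bypass = $null }
    }
    $server = if ($out -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] }
    $bypass = if ($out -match 'Bypass List\s*:\s*(.+)') { $Matches[1].Trim() }
    [pscustomobject]@{ Mode = 'Proxy'; Server = $server; Bypass = $bypass }
}

function Get-IeProxy {
    # Per-user setting, the one shown in the IE proxy dialog for the current user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled = [bool]$p.ProxyEnable
        Server  = $p.ProxyServer
        Bypass  = $p.ProxyOverride
    }
}

$ie     = Get-IeProxy
$before = Get-WinHttpProxy
"IE (current user): enabled=$($ie.Enabled) server=$($ie.Server)"
"WinHTTP (system) : mode=$($before.Mode) server=$($before.Server) bypass=$($before.Bypass)"

if ($before.Mode -eq 'Direct' -or $before.Server -ne $Proxy) {
    # Same command as in the post, plus an explicit bypass list.
    netsh winhttp set proxy proxy-server="$Proxy" bypass-list="$BypassList" | Out-Null
}

$after = Get-WinHttpProxy
"WinHTTP (after)  : mode=$($after.Mode) server=$($after.Server) bypass=$($after.Bypass)"
if ($after.Server -ne $Proxy) {
    Write-Warning 'WinHTTP proxy did not stick; check for a policy or script resetting it.'
}
# To go back to direct access: netsh winhttp reset proxy
```

Running it again after a reboot or a Group Policy refresh shows whether the machine-wide value persists.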

So, remember – when using Windows Server 2016, set your system proxy settings by using the netsh command and everything will work just fine!

Cheers!

P.S. Of course, if you have another trick to make it work, please comment.

58 Comments

  1. Hallelujah! I was pulling my hair out trying to update Win 2016, until I found the solution on your blog. You saved my sanity. Thank you very much, Tomica!!

  2. This looks like the problem we have; however, when I import the IE changes and then check again, it has reset back to Direct Access. I am not aware of any policies that could be overriding this and I am local admin on the machine so would expect that I have permission to make this change permanent. Any thoughts about what might be blocking these changes?

  3. They now use the new style setting Panel.
    Start > Settings Cog > Network & Internet > Proxy menu item.

    Set what you need to set here and then retry Windows Update…. This way worked for me.

  4. If the proxy requires basic authentication (no AD), Windows Update also hangs, but in some cases an authentication window like IE's appears, in some cases it does not. The developer must spend 2 fields for the user/pw combination.

    “The dumbest thing… you are installing your brand new Windows Server 2016 machines and then you realize that Windows Update doesn’t work.”

  5. Good tip. However it only works if the proxy doesn’t require authentication. If the proxy prompts for password, as it would be the case of patching workgroup computers, then to my knowledge there is no mechanism to pass credentials when system-level proxy is configured.

  6. Server 2016 Update slow:

    1) One CUMULATIVE did reset the Windows Client EDB database and it has to rebuild
    2) One CUMULATIVE in 6/2018 was 1.4 GB and yes, this will take time due to extracting of the files.

    Completely wrong solution and ONLY a workaround:

    This is NOT the final solution and if you do the same with W10 ENT 1709 you will get updates to 1803 one night EVEN if you run WSUS in-house and have all GPO set.
    The problem goes in the direction of DUAL SCAN of the WSUS client. Because Server 2016 1706 is LTSB it would not update to a later version.

    Also keep in mind that by enabling the PROXY with NETSH for the SYSTEM, malware will easily find its way OUT to WAN. That’s the reason why in enterprise you route traffic which is not browser related directly to the FW with IPS filter. Normal browser traffic goes to the Proxy/Webgateway, as an example.

    Glad Server guys don’t make client Engineering 😉

  7. Not sure why people are being hostile to Tomica for offering a solution, even if it is not perfect for every environment. In our case it was a PERFECT solution, and not a “workaround.” I am managing a Server 2016 terminal server session host golden image which is an Amazon AWS EC2 instance in a strict PCI zone with a proxy as the only way to the internet. The golden images are not domain joined and all I need to do is patch them every month and recreate the AMI at Amazon. This solution works perfectly. Once the AMI is launched as an actual domain joined session host, WSUS and group policy take over.

  8. If you have an in-house WSUS server you need to add the server address to the proxy bypass list on the client computer. Otherwise no updates will be available when using a specific WSUS server via registry.

  9. Is there any workaround to bypass or for the credential windows to appear and key the proxy server password?

    • Well, you can try setting your proxy in IE (with authentication) and then maybe importing it with “netsh winhttp import proxy source=ie” (didn’t try it though).

  10. Wish I had found this first, but I didn’t know exactly what I was looking for (keywords) until I stumbled across someone else’s experiences. This laid it out much clearer. Thank you!

