The dumbest thing… you are installing your brand new Windows Server 2016 machines and then you realize that Windows Update doesn’t work. It just gets stuck on Checking for updates/Downloading updates… for days.
Of course, you have some sort of proxy on your network, and you start troubleshooting this issue by testing on a proxy-free network… and without proxy, Windows Update works just as it should!
So, the next logical step is to blame “those networking guys”, because updating your machine works fine when it’s not behind their “fancy proxy thing”.
But no.
You will soon realize that you have some “old” Windows Server 2012 R2 (or even Windows 10) machines, which are updating just fine… even through the “fancy proxy thing”.
And then you start asking yourself why.
You check the configuration of the older machines by opening up Internet Explorer and double-checking the proxy settings… and then you make sure that your new machines have the same configuration – they do. Then you are just confused. It’s not networking, it’s not proxy settings… what could it be???
Still a bit confused, you have a great idea to check system proxy settings by running netsh winhttp show proxy – on older machines you’ll probably see something like this (which is probably OK, because you’ve just seen the Proxy Settings in IE, which are set to correct values):
So, you’re (naturally) configuring new machines accordingly. Still doesn’t work.
What next?
You can do further reading & testing, but the thing that helped in our case was setting the system (winhttp) proxy with the netsh command, so that it actually imports the IE proxy settings.
Basically, you need to run netsh winhttp import proxy source=ie (after you’ve set the right proxy settings through IE dialog, of course) or set your system proxy by using the netsh winhttp set proxy proxy.mydomain.com:8080 command.
After that, Windows Update starts working again!
So, remember – when using Windows Server 2016, set your system proxy settings by using the netsh command and everything will work just fine!
Cheers!
P.S. Of course, if you have another trick to make it work, please comment.
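The check-and-set steps above as one PowerShell script, with a final check that the setting actually stuck. This is an added example, not from the original post: the proxy name follows the post's placeholder, the WSUS host in the bypass list is hypothetical, and English-language netsh output is assumed. Run it from an elevated prompt.

```powershell
# Added example. Replace the placeholder values with your own.
$ProxyServer = 'proxy.mydomain.com:8080'      # placeholder, same form as in the post
$BypassList  = 'wsus.mydomain.com;<local>'    # hypothetical internal WSUS host, kept off the proxy

function Get-WinHttpProxyState {
    # "netsh winhttp show proxy" reports "Direct access (no proxy server)."
    # when no system (WinHTTP) proxy is set. English output is assumed here.
    $out = (& netsh winhttp show proxy) -join "`n"
    [pscustomobject]@{
        Direct = $out -match 'Direct access'
        Raw    = $out
    }
}

$before = Get-WinHttpProxyState
if ($before.Direct) {
    # netsh takes a fixed proxy only, so the server is given explicitly
    # instead of relying on whatever IE is configured with.
    & netsh winhttp set proxy "proxy-server=$ProxyServer" "bypass-list=$BypassList" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh exited with code $LASTEXITCODE (is the prompt elevated?)"
    }
}

# Read the setting back: if it shows Direct access again, something on the
# machine is resetting it and Windows Update will keep hanging.
$after = Get-WinHttpProxyState
if ($after.Direct) {
    throw 'WinHTTP proxy still shows Direct access after the change.'
}
$after.Raw
```

To undo the change, run netsh winhttp reset proxy.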
Hallelujah! I was pulling my hair out trying to update Win 2016, until I found the solution on your blog. You saved my sanity. Hvala vam puno, Tomica!!
You’re welcome! 🙂
Thank you, this was really helpful!
Glad it helped! 🙂
didn’t work for me 🙁
Sorry to hear that… what is happening in your case? Do you get any errors?
clean install solved the problem 😛
Oh, glad it’s solved then! 🙂
Thanks!!!!!!
You’re welcome! 🙂
Thank you, worked for me!
Glad it did (and thanks for the feedback)!
Fantastic, that’s what I was missing – thank you!
Glad it helped!
Yeah Boy!!
?
This looks like the problem we have, however when I import the ie changes and then check again, it has reset back to Direct Access. I am not aware of any policies that could be overriding this and I am local admin on the machine so would expect that I have permission to make this change permanent. Any thoughts about what might be blocking these changes?
This one sounds interesting – can you try to set it up manually by using the command (run as administrator, of course) netsh winhttp set proxy “proxy_server:port”?
Happened to me too. Maybe it’s due to that we use a pac file for IE?
Had to use
netsh winhttp set proxy “proxy_server:port”
I don’t think it’s pac file related.
That might be above my knowledge. But I wonder how MS will put a 500 lines pac file into a netsh winhttp command.
Just came across this in depth article. It seems like PAC files are not supported at all.
https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/
“netsh.exe … only support fixed proxy settings (not autodetection or PAC script URLs) “
I’ll second that Hallelujah! Why the hell would MS do this? Thank you
As for why, I don’t know… but I’m glad it helped! 🙂
They now use the new style setting Panel.
Start > Settings Cog > Network & Internet > Proxy menu item.
Set what you need to set here and then retry windows update…. This way worked for me
Will try. Thanks for sharing!
Thank you, thank you, thank you!
You’re welcome. 🙂
If the proxy required basic authentication (no AD), the windows update hangs also, but in some cases an authentication window like IE comes, in some cases this comes not. The developer must spend 2 fields for user/pw combination.
“The dumbest thing… you are installing your brand new Windows Server 2016 machines and then you realize that Windows Update doesn’t work.”
Good point! Maybe it will get fixed in the future, who knows.
Good tip. However it only works if the proxy doesn’t require authentication. If the proxy prompts for password, as it would be the case of patching workgroup computers, then to my knowledge there is no mechanism to pass credentials when system-level proxy is configured.
Good point – thank you!
This is great! Thanks for help
Thanks! 🙂
Thank you
Server 2016 Update slow:
1) One CUMULATIVE did reset the Windows Client EDB Database and it has to rebuild
2) One CUMULATIVE in 6/2018 was 1.4 GB and yes this will take time due to extracting of the files.
Complete wrong solution and ONLY a workaround:
This is NOT the final solution and if you do the same with W10 ENT 1709 you will get updates to 1803 one night EVEN if you run WSUS inhouse and have all GPO set.
The problem goes into direction of DUAL SCAN of the WSUS-Client. Because Server 2016 1706 is LTSB it would not update to later version.
Also keep in mind by enabling the PROXY with NETSH for the SYSTEM malware will easily find its way OUT to wan. That’s the reason why in enterprise you route that traffic which is not browser related direct to the FW with IPS filter. Normal browser traffic goes to the Proxy/Webgateway as example.
Glad Server guys don’t make client Engineering 😉
Well, ok – it is a workaround. Thanks for commenting! 🙂
Not sure why people are being hostile to Tomica for offering a solution, even if it is not perfect for every environment. In our case it was a PERFECT solution, and not a “workaround.” I am managing a Server 2016 terminal server session host golden image which is an Amazon AWS EC2 instance in a strict PCI zone with a proxy as the only way to the internet. The golden images are not domain joined and all I need to do is patch them every month and recreate the AMI at Amazon. This solution works perfectly. Once the AMI is launched as an actual domain joined session host, WSUS and group policy take over.
Thank you! Glad it helped! 🙂
If you have an in-house WSUS server you need to add the server address to the proxy bypass list on client computer. Otherwise no updates will be available when using specific wsus server via registry.
Thanks for the feedback!
Thanks for your article, it worked!
Glad it worked! And thank you for the feedback!
Is there any workaround to bypass or for the credential windows to appear and key the proxy server password?
Well, you can try setting your proxy in IE (with authentication) and then maybe importing it with “netsh winhttp import proxy source=ie” (didn’t try it though).
It did the trick. Thanks from Argentina.
Glad it helped! Thanks! 🙂
My Windows Server 2016 is stuck on Downloading updates 0%
what would be causing that?
Proxy settings?
Why, if the entire network has no need for any proxy?
Well, if you don’t need it, OK. 🙂
Worked like a charm, thanks from Argentina
Glad it did… from Croatia! 😃
Wish I had found this first, but I didn’t know exactly what I was looking for (keywords) until I stumbled across someone else’s experiences. This laid it out much clearer. Thank you!
Glad it helped, Brad! (wish you’d found it sooner :))
Tom
Worked for me, thank you.
Glad it did! And… thx for info!
T.