blog.kaniski.eu I just wanna learn!

13Dec/1638

Windows Update, Windows Server 2016 and proxy

The dumbest thing… you are installing your brand new Windows Server 2016 machines and then you realize that Windows Update doesn’t work. It just gets stuck on Checking for updates/Downloading updates… for days.

image

Of course, you have some sort of proxy on your network, and you start troubleshooting this issue by testing on a proxy-free network… and without proxy, Windows Update works just as it should!

So, the next logical next step is to blame “those networking guys”, because updating your machine works fine, when not behind their “fancy proxy thing”.

But no.

You will soon realize that you have some “old” Windows Server 2012 R2 (or even Windows 10) machines, which are updating just fine… even through the “fancy proxy thing”.

And then you start asking yourself why.

You are checking the configuration of older machines by opening up Internet Explorer and double-checking proxy settings… and then you make sure that your new machines are having the same configuration – they have. Then you are just confused. It’s not networking, it’s not proxy settings… what could it be???

Still a bit confused, you have a great idea to check system proxy settings by running netsh winhttp show proxy – on older machines you’ll probably see something like this (which is probably OK, because you’ve just seen the Proxy Settings in IE, which are set to correct values):

image

So, you’re (naturally) configuring new machines accordingly. Still doesn’t work.

What next?

You can do further reading & testing, but the thing that helped in our case was setting the system (winhttp) proxy with netsh command, so that it actually imports IE proxy settings.

Basically, you need to run netsh winhttp import proxy source=ie (after you’ve set the right proxy settings through IE dialog, of course) or set your system proxy by using the netsh winhttp set proxy proxy.mydomain.com:8080 command.

After that, Windows Update starts working again!

So, remember – when using Windows Server 2016, set your system proxy settings by using the netsh command and everything will work just fine! Smile

Cheers!

P.S. Of course, if you have another trick to make it work, please comment. Smile

Comments (38) Trackbacks (0)
  1. Hallelujah! I was pulling my hair out trying to update Win 2016, until I found the solution on your blog. You saved my sanity. Hvala vam puno, Tomica!!

  2. Thank you, this was really helpful!

  3. didnt work for me 🙁

  4. Thanks!!!!!!

  5. Thank you, worked for me!

  6. Fantastic, that’s what I was missing – thank you!

  7. This looks like the problem we have, however when I import the ie changes and then check again, it has reset back to Direct Access. I am not aware of any policies that could be overriding this and I am local admin on the machine so would expect that I have permission to make this change permanent. Any thoughts about what might be blocking these changes?

  8. I’ll second that Hallelujah! Why the hell would MS do this? Thank you

  9. They now use the new style setting Panel.
    Start > Settings Cog > Network & Internet > Proxy menu item.

    Set what you need to set here and then retry windows update…. This way worked for me

  10. Thank you, thank you, thank you!

  11. If the proxy required basic authentification (no AD), the windows update hangs also, but in some cases an authentification window like IE comes, in some cases this comes not. The developer must spent 2 fields for user/pw combination.

    “The dumbest thing… you are installing your brand new Windows Server 2016 machines and then you realize that Windows Update doesn’t work.”

  12. Good tip. However it only works if the proxy doesn’t require authentication. If the proxy prompts for password, as it would be the case of patching workgroup computers, then to my knowledge there is no mechanism to pass credentials when system-level proxy is configured.

  13. This is great! Thanks for help

  14. Server 2016 Update slow:

    1) One CUMULATIVE did reset the WIndows CLient EDB Database and it has to rebuild
    2) One COMULATIVE in 6/2018 was 1.4 GB and yes this will take time due to extracing of the files.

    Complete wrong solution and ONLY a workaround:

    This is NOT the finall solution and if you do the same with W10 ENT 1709 you will get updates to 1803 one night EVEN you run WSUS inhouse and have all GPO set.
    The problem goes into direction if DUAL SCAN of the WSUS-CLient. Because Server 2016 1706 is LTSB it would not update to later version.

    Also keep in mind be enabling the PROXY with NETSH for the SYSTEM malware will easy find it’s way OUT to wan. That’s the reason why in enterprise you route that traffic which is not browser related direct to the FW with IPS filter. Notrmal browser traffic goes to the Proxy/Webgateway as example.

    Glad Server guys don’t make client Engnineering 😉


Leave a Reply

No trackbacks yet.