Windows Update bypassing server as download source

0

I have a Windows Server 2008 R2 SP1 machine that is isolated in a DMZ. Historically it has not had issues but everything works before it breaks. The port 8530 is open on the firewall appliance and I can telnet from the client to the server which proves the site is ready and open.

This machine is not attached to the domain so WSUS server is set in the registry. So under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate I have

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://kanwsus2k16:8530"
"WUStatusServer"="http://kanwsus2k16:8530"
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

The windowsupdate.log corroborates this. I would like to try and include only what is required to try and keep the post length down. The client reaches out to the server and see that it has X available updates. However it fails to download those. The log shows entries like this:

2018-05-07  11:05:19:960     668    47c DnldMgr BITS job {7835096F-E02C-4B66-AD0F-3D71EF17C73B} hit a transient error, updateId = {3FD57624-1808-41C7-979D-8606CA1229B6}.202, error = 0x80072EE2
... output truncated ....
2018-05-07  11:05:40:963     668    47c Misc    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2018-05-07  11:05:40:963     668    47c Misc    WARNING: WinHttp: SendRequestUsingProxy failed for <http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows6.1-kb4093118-x64-express_c1473ce4b149cf34239c364a9787030447e376ca.cab>. error 0x80072ee2

With regards to the SendRequestUsingProxy failed, that should fail. The server does not have access to Microsoft websites so it will be blocked from being able to go there. What I can't figure out is why it isnt getting the updates from the WSUS server directly. We do not use a proxy nor is one configured.

On the WSUS Server side of things I see that it get a download failed status for each of the updates. So in short the communication is there but the client is trying to download the updates from externally. It is a 2k16 server and reading the logs with Get-WindwosUpdateLog has not proven useful.

This is the only external server I have to the network so I do not have any comparison systems to know exactly where the system is.

In an attempt to testing connectivity to the server I try to browse to http://kanwsus2k16:8530/selfupdate/wuident.cab which is met with page cannot be displayed on the client server. (That link works fine on the internal network)

Why is my Windows Update client not honoring the WSUS path for updates and instead attempting to go externally for Microsoft?

Other things I have tried:

  • System Update Readiness Tool for Windows Server 2008 R2 x64 Edition
  • Clearing BITS Queue
  • Renaming SoftwareDistribution folder
  • Verified nothing is being blocked from the networking side going to WSUS server on port 8530
  • Added DoNotConnectToWindowsUpdateInternetLocations equal to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
windows-server-2008-r2
windows-server-2016
wsus
windows-update
asked on Server Fault May 7, 2018 by Matt • edited May 8, 2018 by Matt

3 Answers

0

I don't think you should fiddle with the registry in this case. There are too many registry entries to think about and the possibility of making a mistake is relatively high. If I were you, I would use local policy instead.

I have a server that is in a similar situation to yours--located in a DMZ, not connected to a domain, and receiving updates from an internal WSUS server. This server receiving updates just fine. I am using local policy to configure the server's windows update settings, which I think is more desirable than changing registry settings directly.

Open gpedit.msc as an administrator on the command line.

Navigate to Computer Configuration/Administrative Templates/Windows Components/Windows Update

Change the following settings:

  • Configure Automatic Updates: ENABLED
    • Set to "Auto download and notify for install"
  • Specify Intranet Microsoft Update Service Location: ENABLED
  • (Optional) Allow Automatic Update Immediate Installation: DISABLED
  • (Optional) Enable Client-side Targeting: ENABLED
    • Specify the name of the computer group you want to place the server in

As far as firewall settings, make sure that port 8530 is open from the DMZ server to the WSUS server. Also, if you are using internal DNS to resolve the WSUS server name, make sure that that port 53 is open between the DMZ server and the internal DNS server.

answered on Server Fault May 8, 2018 by wrieedx • edited Jul 12, 2018 by wrieedx
0

You've not set the needed registry to highlight that Windows Update will be downloaded through WSUS.

Please set the following registry at the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU:

Value name: UseWUServer
Value data: Set this value to 1 to configure Automatic Updates 
      to use a server that is running Software Update Services instead of Windows Update.
Registry Value Type: Reg_DWORD

Other things are in place. Please also pay attention to the points suggested by wrieedx in the other answer above, especially the point to manage such things using gpedit.msc, instead of the change in the registry.

answered on Server Fault May 8, 2018 by Am_I_Helpful
0

I would use Local Group Policy to set everything and walk through the settings that @Redwizard000 provided at https://serverfault.com/a/940236/557131. It is talking about Server 2016, but the policies are available to be set in older operating systems. This fixed an identical problem for me. If nothing else, he provides some command line to see if this is your problem before you put the effort into changing local policy or the registry.

answered on Server Fault Feb 27, 2020 by C C

User contributions licensed under CC BY-SA 3.0