Summary #
The Windows Update auto-update process uses a service to do it’s downloads. Since it runs as a service, it does not have a user account to authenticate to the proxy server with. Additionally, it can have problems getting through to the servers that host the updates if you do not use Proxy Auto Detect, or manually set the proxy settings at a command prompt.
Note: While you can make Windows Update work on the workstations, the much better solution is to setup a Microsoft Windows Server Update Service server, or WSUS. This is included in Windows 2008 & 2012 Server, and is available as a download from Microsoft for Windows 2003 Server. Setting up a WSUS server has huge benefits for centrally managing and controlling updates, but the biggest one for most organizations is that all of your updates will come from a local server, instead of all the workstations downloading them over the Internet. This can flood your Internet connection, and cause browsing slowdowns during the update period. Setting up a WSUS server is fairly easy, and is well documented at http://technet.microsoft.com/en-us/wsus/default.aspx .
More Information #
The Windows Update service runs as a service, and does not provide a way to configure a username or password to authenticate to the proxy server with. In order to allow the updates to run, you need to create several authentication exceptions. Go to “Website Filtering” -> “Authentication Exceptions” -> “Add A Site” , and add the following sites:
- windowsupdate.com
- windows.com
- microsoft.com
Next, you need to add those sites as unfiltered sites for the filter set that authentication exceptions get sent to. The filter set should be noted in the teal colored box on the Authentication Exceptions tab.
Go to “Website Filtering” -> “Website Access” -> select the filter set that is used for authentication exceptions -> “Add A Site”. Add the following three sites as unfiltered:
- windowsupdate.com
- windows.com
- microsoft.com
Once you add the autentication exceptions and unfilter the sites, go to “Commit Changes” and restart.
If you are using Proxy Auto Detect (https://www.k12usa.com/docs/proxy-auto-detect-wpad/) you will not need to do the following and we always recomend using Proxy Auto Detect if possible. Otherwise on the PC, you need to configure the proxy settings for the update. For Windows XP, go to a command prompt and run:
proxycfg.exe -p xxx.xxx.xxx.xxx:yyyyFor Windows Vista or Windows 7, go to a command prompt that’s running as Administrator and run:
netsh winhttp set proxy xxx.xxx.xxx.xxx:yyyyreplacing xxx.xxx.xxx.xxx with the IP address of your SecureSchool appliance, and yyyy with the proxy port for SecureSchool (typically 8080).
