Using BatchPatch with an Enterprise Web Proxy

If your environment forces computers to make HTTP connections through a corporate proxy of some kind, BatchPatch will usually work properly with no additional configuration. This is because in most environments where an outbound web proxy is already configured and running, the target systems will also already have been configured with all of the settings they need to successfully use the proxy to download Windows Updates from Microsoft. However, in some environments additional configuration could be needed. Proxy configuration problems for BatchPatch users typically manifest in one of two ways:

Scenario 1: The Windows Update Agent on target computers is not configured to use the corporate proxy:

If your environment requires that outbound web requests be initiated through a proxy but your computers are not configured to use that proxy, BatchPatch will likely produce an error similar to one of the following. Note that the errors listed below are not the only possible manifestations of a proxy-related issue. It’s possible that you have a proxy-related issue and you are receiving a different error message or number:

-102: Failed to execute the search. HRESULT: -2147012866
-102: Failed to execute the search. HRESULT: -2147012867
-102: Failed to execute the search. HRESULT: -2147012894
-102: Failed to execute the search. HRESULT: -2145107924

When you see an error message like this, it is always a good idea to first examine the Windows Update log file (C:\Windows\WindowsUpdate.log) on the target computer to see if it has any other potentially relevant error codes or messages. Frequently the WindowsUpdate.log will contain additional errors or error text that can be useful to determine what the cause of the problem is.

In the BatchPatch Remote Agent Log errors listed above, the -102 is noted by BatchPatch to indicate that the target computer was not able to execute the search for updates. The HRESULT value is the decimal representation of the actual Windows error code, which we can use to learn *why* the search for updates failed.

Let’s start by converting the HRESULT decimal values to hex. There are many ways to accomplish this task, but a very simple one is with the method described here: how-to-convert-hresult-decimal-dec-values-to-hexadecimal-hex

In this case a quick Google search reveals what these errors mean (https://support2.microsoft.com/default.aspx?scid=836941):

-2147012866 => 0x80072EFE => ERROR_INTERNET_CONNECTION_ABORTED
-2147012867 => 0x80072EFD => ERROR_INTERNET_CANNOT_CONNECT
-2147012894 => 0x80072EE2 => ERROR_INTERNET_TIMEOUT
-2145107924 => 0x8024402c => WINHTTP_NAME_NOT_RESOLVED

Configuring target computers’ Windows Update Agents to utilize your corporate proxy for outbound connections:
Proxy Configuration for the Windows Update Agent – Microsoft

To summarize the link above, in order for the Windows Update Agent to utilize a proxy in your environment, it is *not* sufficient to simply configure the proxy settings in Internet Explorer or Control Panel Internet Options. Instead, the WinHTTP proxy settings must be configured using the NETSH tool or through the use of WPAD (Web Proxy Auto Detect). To set the WinHTTP proxy on each target computer, run the following command at an elevated command prompt, where proxyservername is the name of your proxy server, and portnumber is the port that it is listening on:

netsh winhttp set proxy proxyservername:portnumber

You can even use BatchPatch to execute the above NETSH command on your target computers. See the following links for assistance: Executing Remote Commands with BatchPatch and How to Hard-Code Your Own Custom Commands in the BatchPatch Actions Menu

Scenario 2: The Windows Update Agent on target computers is properly configured to use the corporate proxy, but the proxy requires authentication:

If your environment requires that outbound web requests be initiated through a proxy, and the proxy requires authentication, BatchPatch might produce an error similar to the following. Note that the error listed below is not the only possible manifestation of a proxy-related issue. It’s possible that you have a proxy-related issue and you are receiving a different error message or number:

Download Result: Failed. HRESULT: -2145107941

Let’s start by converting the HRESULT decimal value to hex. There are many ways to accomplish this task, but a very simple one is through the use of an online tool such as this: http://www.rapidtables.com/convert/number/decimal-to-hex.htm

-2145107941 => 0x8024401B => WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ (same as HTTP status 407: proxy authentication is required)
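
The decimal-to-hex conversion used in both scenarios, as an added JavaScript example (not part of BatchPatch): it reinterprets the signed decimal as an unsigned 32-bit value and splits out the facility and code fields, which shows whether the failure is a wrapped Win32 network error or a Windows Update Agent code. The name table holds only the codes listed on this page, and the sample lines are constructed.

```javascript
// Added example: decode the decimal HRESULTs shown in BatchPatch output.
// Names and scenario numbers are the ones listed on this page.
var KNOWN = {
  "0x80072EFE": { name: "ERROR_INTERNET_CONNECTION_ABORTED", scenario: 1 },
  "0x80072EFD": { name: "ERROR_INTERNET_CANNOT_CONNECT", scenario: 1 },
  "0x80072EE2": { name: "ERROR_INTERNET_TIMEOUT", scenario: 1 },
  "0x8024402C": { name: "WINHTTP_NAME_NOT_RESOLVED", scenario: 1 },
  "0x8024401B": { name: "WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ", scenario: 2 }
};
var FACILITY = { 7: "FACILITY_WIN32", 36: "FACILITY_WINDOWSUPDATE" };

function decodeHresult(decimal) {
  var u = Number(decimal) >>> 0;            // signed 32-bit -> unsigned
  var hex = "0x" + ("00000000" + u.toString(16).toUpperCase()).slice(-8);
  var fac = (u >>> 16) & 0x7FF;             // 11-bit facility field
  var known = KNOWN[hex] || { name: "unknown", scenario: null };
  return {
    hex: hex,
    failed: (u >>> 31) === 1,               // severity bit set means failure
    facility: FACILITY[fac] || String(fac),
    code: u & 0xFFFF,                       // for FACILITY_WIN32: the Win32 error number
    name: known.name,
    scenario: known.scenario
  };
}

// Pull the HRESULT out of a BatchPatch-style message; null if none is present.
function triage(line) {
  var m = /HRESULT:\s*(-?\d+)/.exec(line);
  return m ? decodeHresult(m[1]) : null;
}

// Constructed sample lines in the format quoted on this page.
var LINES = [
  "-102: Failed to execute the search. HRESULT: -2147012866",
  "-102: Failed to execute the search. HRESULT: -2145107924",
  "Download Result: Failed. HRESULT: -2145107941"
];
LINES.forEach(function (l) { console.log(l, "=>", JSON.stringify(triage(l))); });
```
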

So, if authentication is required by your proxy, and if you’re receiving an error message in BatchPatch or in the Windows Update log (C:\Windows\WindowsUpdate.log) on the target computer that indicates there is a proxy authentication issue or failure of some kind, you can resolve this problem by whitelisting the Windows Update / Microsoft Update websites in your proxy configuration. This way you allow target computers to bypass the corporate proxy when establishing connections to just these particular sites.

The domains to whitelist are:

http://download.windowsupdate.com
http://*.download.windowsupdate.com
http://download.microsoft.com
https://*.update.microsoft.com
http://*.update.microsoft.com
https://update.microsoft.com
http://update.microsoft.com
http://*.windowsupdate.com
http://*.windowsupdate.microsoft.com
http://windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://ntservicepack.microsoft.com
http://wustat.windows.com
http://*.au.windowsupdate.com
http://*.tlu.dl.delivery.mp.microsoft.com

If you are using a wpad.dat file to configure your computers’ proxy settings, you can use the following syntax in the wpad.dat file to whitelist the Microsoft domains:

if ( shExpMatch ( url, "*.download.windowsupdate.com/*") ) { return "DIRECT"; }
if ( shExpMatch ( url, "*.download.microsoft.com/*") ) { return "DIRECT"; }
if ( shExpMatch ( url, "*.update.microsoft.com/*") ) { return "DIRECT"; }
if ( shExpMatch ( url, "*.windowsupdate.com/*") ) { return "DIRECT"; }
if ( shExpMatch ( url, "*.windowsupdate.microsoft.com/*") ) { return "DIRECT"; }
if ( shExpMatch ( url, "*.ntservicepack.microsoft.com/*") ) { return "DIRECT"; }
if ( shExpMatch ( url, "*.wustat.windows.com/*") ) { return "DIRECT"; }
if ( shExpMatch ( url, "*.au.windowsupdate.com/*") ) { return "DIRECT"; }
if ( shExpMatch ( url, "*.tlu.dl.delivery.mp.microsoft.com/*") ) { return "DIRECT"; }
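
The wpad.dat lines above apply each pattern to the whole URL string. The following added example (not BatchPatch's code) compares that rule style with a host-based variant over three constructed requests, so you can check which ones are sent DIRECT before deploying a change. The shExpMatch stand-in, the function names, and the sample URLs are assumptions made for the example; the proxy string is the placeholder used on this page.

```javascript
// Added example, not BatchPatch's code. shExpMatch() is a PAC built-in; this
// stand-in exists only so the comparison runs outside a PAC engine.
function shExpMatch(str, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

var PROXY = "PROXY proxyservername:portnumber"; // placeholder, as on this page
// Domains taken from the whitelist on this page.
var WU_DOMAINS = [
  "download.windowsupdate.com", "download.microsoft.com", "update.microsoft.com",
  "windowsupdate.com", "windowsupdate.microsoft.com", "ntservicepack.microsoft.com",
  "wustat.windows.com", "au.windowsupdate.com", "tlu.dl.delivery.mp.microsoft.com"
];

// Rule style of the wpad.dat lines above: pattern applied to the whole URL.
function byUrl(url, host) {
  for (var i = 0; i < WU_DOMAINS.length; i++) {
    if (shExpMatch(url, "*." + WU_DOMAINS[i] + "/*")) { return "DIRECT"; }
  }
  return PROXY;
}

// Host-based variant: only the hostname is compared, bare or as a subdomain.
function byHost(url, host) {
  var h = host.toLowerCase();
  for (var i = 0; i < WU_DOMAINS.length; i++) {
    if (h == WU_DOMAINS[i] || shExpMatch(h, "*." + WU_DOMAINS[i])) { return "DIRECT"; }
  }
  return PROXY;
}

// Constructed sample requests: [url, host].
var SAMPLES = [
  ["http://au.download.windowsupdate.com/c/update.cab", "au.download.windowsupdate.com"],
  ["http://wustat.windows.com/ping", "wustat.windows.com"],
  ["http://intranet.example.test/kb/a.windowsupdate.com/b", "intranet.example.test"]
];

function compare() {
  return SAMPLES.map(function (s) {
    return { url: s[0], byUrl: byUrl(s[0], s[1]), byHost: byHost(s[0], s[1]) };
  });
}

console.log(compare());
```

The second sample is a listed host with no subdomain: the URL pattern requires a dot before the name, so that request still goes to the authenticating proxy. The third sample has an unrelated host but matches the URL pattern through its path, so only the host-based rule keeps it on the proxy.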