I'll try to give a thorough rundown of the environment:
- anonymous proxy
- proxy must be set for Internet access
- 2 Squid proxies on RHEL8 behind an f5 - not caching
- 2 Windows AD DCs, both running 2019 Standard experiencing the issue. Both freshly installed
- have the following set in a whitelist (developed this list while watching the Squid access logs):
  - .microsoft.com
  - .windowsupdate.com
  - .live.com
  - .msftconnecttest.com
  - .windows.com
  - .azureedge.net
  - .azure.com
  - .visualstudio.com
- no WSUS set (double-checked via gpedit)
- setting the proxy both in IE settings & via `netsh`
- double-checked each instance locally to ensure that proxy settings were indeed being set (both via `netsh` & by checking the IE settings) - attempts to update produce a `0x80072EE6` error in the Windows Update Event Viewer logs when attempted locally, and via an Ansible playbook - playbook being run via WinRM connection w/NTLM auth using a domain admin acct
I can see successful connections such as the following with each attempt:

```
04/Aug/2022:15:59:29 -0400 864 10.200.138.253 TCP_TUNNEL/200 6321 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/v10.events.data.microsoft.com -
04/Aug/2022:15:59:47 -0400 353 10.200.138.253 TCP_TUNNEL/200 4060 CONNECT settings-win.data.microsoft.com:443 - HIER_DIRECT/settings-win.data.microsoft.com -
```

I can also see that other Windows instances on the network are actually downloading updates:

```
04/Aug/2022:15:36:20 -0400 674 10.200.138.253 TCP_MISS/206 66151 GET http://au.download.windowsupdate.com/d/msdownload/update/software/defu/2022/06/updateplatform_f7e39cbc74e49ac493f62d12e63f1f9df9453af1.exe - HIER_DIRECT/au.download.windowsupdate.com application/octet-stream
04/Aug/2022:15:36:21 -0400 56 10.200.138.253 TCP_MISS/206 918120 GET http://au.download.windowsupdate.com/d/msdownload/update/software/defu/2022/06/updateplatform_f7e39cbc74e49ac493f62d12e63f1f9df9453af1.exe - HIER_DIRECT/au.download.windowsupdate.com application/octet-stream
04/Aug/2022:15:36:21 -0400 23 10.200.138.253 TCP_MISS/206 348408 GET http://au.download.windowsupdate.com/d/msdownload/update/software/defu/2022/06/updateplatform_f7e39cbc74e49ac493f62d12e63f1f9df9453af1.exe - HIER_DIRECT/au.download.windowsupdate.com application/octet-stream
```
Ansible playbook uses the following plays:

```yaml
# 1. Set the WinINET (IE) proxy, 2. copy it into the WinHTTP proxy that
# Windows Update uses, 3. search for and install updates.
- name: Configure IE to use explicit proxy host with port and without auto detection
  community.windows.win_inet_proxy:
    auto_detect: no
    proxy: "{{ proxy_host }}:{{ proxy_port }}"
    bypass: "{{ proxy_env.no_proxy }}"

- name: Set the proxy to be able to run Windows Updates
  ansible.windows.win_command: netsh winhttp import proxy source=ie

- name: Install all security, critical, and rollup updates without a scheduled task
  ansible.windows.win_updates:
    category_names: "{{ win_update_categories }}"
    reboot: yes
    reboot_timeout: 3600
```
Playbook resulting error:

```
TASK [Install all security, critical, and rollup updates without a scheduled task] **********************************************************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at <ScriptBlock>, <No file>: line 753
fatal: [<hostname>]: FAILED! => changed=false
    failed_update_count: 0
    filtered_updates: {}
    found_update_count: 0
    installed_update_count: 0
    msg: 'Searching for updates: Exception from HRESULT: 0x80072EE6 - Unknown WUA HRESULT 2147954406 (UNKNOWN 80072EE6)'
    reboot_required: false
    updates: {}
```
Finally, when I go back to check either of the instances again, the Updates UI reports "No updates available," & there's no sign of the error until I try it again.
Would love to know what's going on here.
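As an added example (not code from the original post), a small offline check over Squid access-log lines like the ones quoted above: it pulls the destination host out of each CONNECT or GET entry and tests it against the whitelist, assuming the list is applied with Squid dstdomain semantics (a leading dot matches the domain itself and any subdomain), which is an assumption about the setup. The sample log lines are constructed here, modelled on the entries in the post.

```python
from urllib.parse import urlsplit

# Constructed sample lines modelled on the Squid entries quoted in the post;
# the third is an invented TCP_DENIED entry for a host not on the whitelist.
SAMPLE_LOG = """\
04/Aug/2022:15:59:29 -0400 864 10.200.138.253 TCP_TUNNEL/200 6321 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/v10.events.data.microsoft.com -
04/Aug/2022:15:36:20 -0400 674 10.200.138.253 TCP_MISS/206 66151 GET http://au.download.windowsupdate.com/d/msdownload/update/x.exe - HIER_DIRECT/au.download.windowsupdate.com application/octet-stream
04/Aug/2022:16:01:02 -0400 12 10.200.138.253 TCP_DENIED/403 3911 CONNECT example.invalid:443 - HIER_NONE/- text/html
"""
# Whitelist from the post (assumed dstdomain style: leading dot = domain + subdomains).
WHITELIST = [".microsoft.com", ".windowsupdate.com", ".live.com", ".msftconnecttest.com",
             ".windows.com", ".azureedge.net", ".azure.com", ".visualstudio.com"]

def domain_allowed(host, whitelist):
    """True if host matches an entry with Squid dstdomain semantics."""
    host = host.lower().rstrip(".")
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("."):
            # ".windows.com" matches "windows.com" and "a.windows.com" but not
            # "notwindows.com": endswith keeps the dot boundary intact.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def target_host(method, target):
    """Host from a CONNECT 'host:port' target or from a full request URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""

def classify_log(text, whitelist):
    """Parse from the right-hand fields so the timestamp layout does not matter."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue  # not an access-log line
        status, method, target, hierarchy = f[-7], f[-5], f[-4], f[-2]
        host = target_host(method, target)
        rows.append({"host": host, "method": method, "status": status,
                     "direct": hierarchy.startswith("HIER_DIRECT/"),
                     "whitelisted": domain_allowed(host, whitelist)})
    return rows

def not_whitelisted(rows):
    """Sorted hosts seen in the log that the whitelist does not cover."""
    return sorted({r["host"] for r in rows if not r["whitelisted"]})
```

Running `classify_log` over a real access.log and printing `not_whitelisted(rows)` lists the hosts that Windows Update reached for but the list does not cover, and `status` shows whether Squid actually denied them.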