“Downloading updates 0%” Issue on Windows Server 2016 and Windows 10

I have come across an interesting “feature” or “bug” in Windows Update service on Windows Server 2016 (Windows 10 RTM). If you’re not using an internal WSUS server and your OS must be updated directly from Microsoft Update servers in the Internet, when you downloading the updates in Windows Server 2016 via a proxy server, the download process stucks at 0% (Downloading Updates 0%).

What is interesting, the Windows Update client has been able to send/download the updates metadata (the list of necessary updates has been formed successfully), but none of them could be downloaded.
Let’s create and open the WindowsUpdate.log using the Get-WindowsUpdateLog cmdlet.

2018/11/11 12:32:47.8312332 123 3542 DownloadManager BITS job initialized: JobId = {E3BB42A1C-42B4-221B-1320-8AB433CE1965E}
2018/11/11 12:32:47.8436054 123 3542 DownloadManager Downloading from http://download.windowsupdate.com/c/msdownload/update/software/defu/2017/09/nis_engine_1af0e4b80bf4028f8dac56ebf186b392e4e72486.exe to C:\Windows\SoftwareDistribution\Download\f71ddf93ec2d087c819cf75c55ddfda2\1af0e4b80bf4028f8dac56ebf186b392e4e72486 (full file)
2018/11/11 12:32:47.8452605 123 3542 DownloadManager New download job {E3BB42A1C-42B4-221B-1320-8AB433CE1965E} for UpdateId F608EDA4-2E84-433A-A8C9-8117411F91A8.200
2018/11/11 12:32:47.8545291 123 3542 DownloadManager Download job E3BB42A1C-42B4-221B-1320-8AB433CE1965E resumed.
2018/11/11 12:32:47.8734449 123 3542 DownloadManager Failed to connect to the DO service; (hr = 80040154)
2018/11/11 12:32:47.8734462 123 3542 DownloadManager GetDOManager() failed, hr=80246008, hrExtended=80040154
2018/11/11 12:32:47.8734472 123 3542 DownloadManager Failed creating DO job with hr 80246008
2018/11/11 12:32:47.8772521 123 3542 DownloadManager DO download failed with error 80246008[Extended: 80040154], falling back to BITS and retrying with new Download Job.

As you can see, BITS cannot download the files with the error 80246008 (SUS_E_DM_FAILTOCONNECTTOBITS – see the complete list of Windows update error codes).

As it turned out, the proxy server settings for the Internet Explorer in Windows Server 2016 RTM (10.0.14393) doesn’t work in the same way as in previous Windows versions. In order the Windows Update client can access the Internet through a proxy, you must force set the system proxy for winhttp.

Display the current proxy server settings for WinHTTP:

netsh winhttp show proxy

As you can see, the proxy settings for WinHTTP are not set. A proxy was configured in Internet Explorer on the User level but not in System level (WinHTTP). This configuration causes the connections to Windows Update to fail.

You can set the system proxy parameters for WinHTTP as follows:

netsh winhttp set proxy proxy-server="192.168.100.24:3128" bypass-list="*.woshub.com"

Or like this, by importing the settings from IE (proxy settings in the Internet Explorer must be set manually or configured using GPO in advance):

netsh winhttp import proxy source=ie

After changing the proxy settings, restart the Windows Update service:

Restart-service wuauserv

After a proxy for WinHTTP had been specified, Windows Server 2016 started to download updates from Microsoft Update servers.

The same problem is typical to RTM version of Windows 10 (RTM version of the Windows Update Agent – 10.0.14393.0).

Also, don’t forget that you won’t be able to get updates through proxy server that requires authentication, since Windows Update client doesn’t support proxy authentication (unlike PowerShell). In order Windows Update to work correctly, you must allow anonymous access to Microsoft Update servers on your proxy server. The list of URLs is given below:

• *.microsoft.com
• microsoft.com
• *.windowsupdate.com
• windowsupdate.com
• *.trafficmanager.net
• trafficmanager.net