What port/ports does Automatic Updates use?

[bdoub1eu]

Hi guys! I was wondering what port Automatic Updates uses...I read it uses 80 and 443, right?

The reason I ask is because we recently installed a proxy server into our network. Once we added the proxy settings into each users machine, I blocked port 80 outbound on the firewall so that if someone unchecked "use proxy server" in Internet explorer and tried to bypass the proxy/web monitoring, they would not be able to access the internet. But I think this renders AU useless because now nobody is getting prompted for any updates...I have also looked into SUS...

Here's the question though...A couple of XP SP2 machines have begun to get their updates even though port 80 is still blocked...In SP2, does AU use the IE proxy settings to access the interent?

Thanks in advance!

 

[bcastner]

Port 443, and if uPnP is installed a wide range of ports are possible.

Have you considered:

. In Group Policy you can block access to Windows Update
. In Group Policy you an prevent user changes to your Proxy Settings:
Start, Run, gpedit.msc
Navigate to the policy:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Disable the Connections page

Right-click on this policy, click on Properties, and check the Enabled box. Now no one will be able to remove the proxy settings.

. A better choice is to install the freeware SUS (now WUS) to handle Windows Update. See:

http://www.susserver.com/

 

[bdoub1eu]

I guess my question is in the past, Automatic Updates would not use IE proxy settings...It would just try to go straight out to the internet to get updates. Recently since SP 2 was installed, it seems that AU has been getting updates from the Internet even though 443 is being blocked outbound...That's why I was wondering if SP2 changed Automatic Updates to use IE proxy settings...

 

[bcastner]

You can stop, or configure, the Windows Update service in a lot of ways through Group Policy.

Or directly:
Start, Run, services.msc
Stop the Automatic Update Service. Set its startup to disabled.

The issue you raise is a pre-SP2 one. Automatic Windows Update will be blocked if you have a non-transparent web proxy between you and the Windows Update site. This is because AWU does not take account of any proxy settings which may be required, so it fails to connect to the update server. It doesn't log the failed attempt.

Running 'Windows Update' manually works because it runs within IE, and hence uses IE's proxy settings.

The only workaround I am aware of is to install Software Update Services (SUS, see my links above) on a machine which can be accessed without going through a proxy (e.g a server on the local network). SUS allows configuration of proxy settings for its own use.

 

[bdoub1eu]

Thanks bcastner! You said:

The issue you raise is a pre-SP2 one. Automatic Windows Update will be blocked if you have a non-transparent web proxy between you and the Windows Update site.

Does that mean that post-SP2, Automatic updates won't be blocked if we have a non-transparent proxy between us and the windows update site? Does SP2 Automatic updates use IE proxy settings?

 

[bcastner]

No, only that you have a richer GPO enviornment.

 

[karlisi]

There is a non-documented issue about AU trough proxy server. AU uses default user's proxy settings "Automatically detect settings". There is fast workaround for Windows XP only with registry changes (I dont tried it so I dont know if it works) and another one a little complicated, but more universal solution, for both Windows XP and Windows 2000, I am using. For this you need DNS server and web server, (can be not in your LAN but must be accessible without proxy). I can post it here, but it is quite long article, so I will do it only if someone need it.

===
Karlis
ECDL; MCP