I have begun setting up a new server for a branch office, and have decided to use Windows Server 2012 on it; thanks Software Assurance! This way I can utilize the new Hyper-V features when I’m ready, as well as virtualize a domain controller properly.
However, I ran into a problem with Windows Update on both the Host and Guest running Server 2012. Windows Update reported an error:
The windows update log located at %windir%/windowsupdate.log reported this:
+++++++++++ PT: Synchronizing server updates +++++++++++ + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx WARNING: Nws Failure: errorCode=0x803d0014 WARNING: Original error code: 0x80072efe WARNING: There was an error communicating with the endpoint at 'https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx'. WARNING: There was an error sending the HTTP request. WARNING: The connection with the remote endpoint was terminated. WARNING: The connection with the server was terminated abnormally WARNING: Web service call failed with hr = 80240440. WARNING: Current service auth scheme='None'. WARNING: Proxy List used: '(null)', Bypass List used: '(null)', Last Proxy used: '(null)', Last auth Schemes used: 'None'. FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x80240440 WARNING: PTError: 0x80240440 WARNING: SyncUpdates_WithRecovery failed.: 0x80240440 WARNING: Sync of Updates: 0x80240440 WARNING: SyncServerUpdatesInternal failed: 0x80240440 WARNING: Failed to synchronize, error = 0x80240440 WARNING: Exit code = 0x80240440
At first I thought this may be related to the “Trusted Sites” within Internet Explorer. I have mine set through GPO, so I added “https://*.update.microsoft.com” to that GPO and then did a “gpupdate /force”, but the error remained.
Then I thought to look at my Sonicwall NSA 2400; we have the Application Control enabled, and this has been known to cause strange network connectivity issues even when not expected so I’ve just by default started checking here.
Unsurprisingly this turned out to be the problem. The strange thing is, the AppControl rule that was blocking the traffic isn’t visible in the list of applications; only through the logging did I find it.
If you navigate to the AppControl settings page, use the “Lookup Signature”, for signature # 6:
Click on the pencil icon, and you’ll see this screen:
Turns out the rule “Non-SSL Traffic over SSL port” is blocking this Windows Update traffic.
Setting the Block option to Disabled for this rule allows Windows Update to work properly.