Recently at a client site, I setup a new Windows 10 1809 VM to use as a Citrix XenDesktop template. Based on the OU the VM was in, it had a GPO configured to make it use WSUS (Windows Server Update Services) for updates. And I could see according to the WSUS console that the VM was 100% patched. But in Windows 10, when I would go to Windows Update, Windows 10 was insisting there are still updates to install, but the updates would always fail within a minute or so with an error code of 0x80244018. I even manually downloaded the updates from the MS Catalog Website and installed them using WUSA, and yet the updates still appeared as required in Windows Update, and it would still fail with an error code of 0x80244018. I won’t mention the several swear words that followed each time it occurred during my troubleshooting!
As most IT admins know by now, Microsoft got rid of logging Windows Updates to C:\Windows\WindowsUpdate.log and switched to using trace files. This method of logging is virtually impossible to read in it’s native format. However, Microsoft has create a PowerShell command that will allow you to export those trace files to a good old fashion text file. You just need to run Get-WindowsUpdateLog and it will spit out all those trace files to a new plain text file on your desktop called WindowsUpdate.log.
So once I had exported the trace files and opened WindowsUpdate.log with Notepad++, I found this (note – I replaced http with hxxp because WordPress loves to auto-convert to URLs without notice):
2019/07/31 08:44:35.0072804 9140 2220 DownloadManager DO job {CD46C84C-73C5-4002-8EC7-B4ACCE3140E2}, updateId = 9B908E38-BA5D-4462-81E6-C52E06A94B1A.1 failed on HTTP 403 error after retries
2019/07/31 08:44:35.0073096 9140 2220 DownloadManager DO job {CD46C84C-73C5-4002-8EC7-B4ACCE3140E2} failed, updateId = 9B908E38-BA5D-4462-81E6-C52E06A94B1A.1, hr = 0x80190193. File URL = hxxp://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/63b17f3e-3249-4b95-a9a1-3f1ca42120ae?P1=1564574112&P2=402&P3=2&P4=hqIxtfL%2f07gwB6yrYcABiDi81z9v%2bBdWhjLyxABoWb6%2fexPpEJOzWczl1UJG03oAbamU3tsIvh50mHrSB1ltlg%3d%3d, local path = C:\Windows\SoftwareDistribution\Download\42dbab2cf910a424dffa836a33879dc0\DesktopDeployment.cab, The response headers = HTTP/1.0 403 Forbidden: body content-type denied Content-Type: text/html; charset=iso-8859-1″ “
So Windows Update was ignoring WSUS and connecting directly to MS, even though the GPO was set to use my WSUS server – which is troubling to me, but not the the focal point of this writing today.
I took the File URL and pasted it into IE on the Windows 10 VM and got the following error:
Ok… Now I’ve got the real reason for the 403 error. So we are using a WatchGuard M370 cluster for this customer, and have an HTTP Proxy configured – which incidentally is blocking Windows CAB files (which it does by default). So it was simply matter of adding *.microsoft.com to the HTTP Proxy Exceptions.
After saving the updated configuration to the cluster, and rebooting the VM, Windows Update successfully downloaded the two outstanding updates and installed them.
So while this doesn’t address why Windows 10 felt the need to pull these updates down directly from the Microsoft servers instead of WSUS, at least now I’m no longer getting error 0x80244018, and I can roll it out to the XenDesktop users.
Bits & Other Bytes 