Microsoft Windows Updates are not installing

Solutions ID:    KB3959
Version:    4.0
Status:    Published
Published date:    08/13/2010
Updated:    02/24/2014

Problem Description

I am trying to install Windows Updates, but the update application fails with an error.


The Windows Update application does not like to be proxied. The application has issues with the proxy's authentication, caching,  ICAP services, and SSL interception.

The main reasons why Windows Update cannot be cached at this time:

Dynamically-created filenames
Almost all Windows Updates are downloaded using dynamically-created temporary filenames – the proxy recognizes cache hits based on the requested URI – since this will be different for each client, it cannot determine if the object has been cached or not, therefore a new request is made. 

The main reason Microsoft does this is because most updates are tailored to the Operating System requesting the file. As a result, updates may differ from PC to PC and it should not be assumed that one patch will be ideal for all PC’s unless it’s a cumulative package downloaded from the MS Download Center for that particular patch.

Limited HTTP Range Support
Microsoft Update uses a BITS client (Background Intelligent Transfer) which can request partial file contents using the HTTP Range header, something the proxy cannot support at this time. The proxy can only recognize entire objects. 

Service Pack Dynamic Downloads
Large updates such as Service Packs are also tailored for the individual machine. (This is why the download size varies from machine to machine). The ProxySG cannot cache this as the file size will be different depending on what updates that particular file contains. The only way the proxy can reliably cache this is if the network installer is used (the complete Service Pack image), which will not be offered by Windows Update.



The following CPL disables the above proxy functions to the currently known Microsoft Update servers, as of this writing.

You should install this CPL into your Local Policy file exactly as it appears. If you continue to have issues with the Microsoft Updates after installing this CPL, please call your Blue Coat Support provider and be prepared to provide a policy trace and a client side packet capture.

<ssl-intercept> ssl.forward_proxy(no) ssl.forward_proxy(no)

server.certificate.hostname.substring="microsoft" ssl.forward_proxy(no)

<proxy> authenticate(no) bypass_cache(yes) authenticate(no) bypass_cache(yes) authenticate(no) bypass_cache(yes) authenticate(no) bypass_cache(yes) authenticate(no) bypass_cache(yes)

<cache> response.icap_service(no) response.icap_service(no) response.icap_service(no) response.icap_service(no) response.icap_service(no)





830Bytes • < 1 minute @ 56k, < 1 minute @ broadband

Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.

Your response will be used to improve our document content.

Ask a Question