Microsoft Windows Server 2012 Updates Fail to Install


Article ID: 166709


Updated On:


ProxySG Software - SGOS


Even with the recommended CPL code in TECH242437 applied and SSL interception, the ICAP service, authentication, and caching bypassed, Windows updates still fail to install on Windows Server 2012. This issue doesn't occur on Windows Server 2003/2008.


Windows Update fails on Windows 2012 server because the server connects to but the server certificate hostname from the Microsoft update server doesn't match the existing source conditions in the CPL code. For more details on existing CPL codes, see TECH242437.

There are two methods of resolving this issue:

  • Option 1:

Add a new source object for in the existing ssl-intercept policy

        <ssl-intercept> ssl.forward_proxy(no) ssl.forward_proxy(no) ssl.forward_proxy(no)

There are some machines requesting for, so if it is found in a PCAP, add an additional line (or multiple lines, if additional Microsoft Windows Update destination domains are found) to cater for this domain, as below.

        ssl.forward_proxy(no)
  • Option 2:

Change the trigger from server.certificate.hostname (exact match) to server.certificate.hostname.substring (contains) so that all transactions to * can match the condition.
        <ssl-intercept> ssl.forward_proxy(no)
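
Before switching to the substring trigger in Option 2, it is worth checking which certificate hostnames already seen by the proxy the wider rule would exempt from SSL interception. The following is an added example, not code from this article or from SGOS: it models exact and substring matching in Python over a constructed list of placeholder `.example` hostnames, and the `domain_suffix` mode is an assumption included only for comparison, not a CPL condition described in the article.

```python
"""Added example: audit which observed certificate hostnames an
SSL-interception bypass rule would exempt under each matching mode."""

# Constructed sample of server certificate hostnames, as might be exported
# from proxy access logs. Every name is a placeholder, not from the article.
OBSERVED = [
    "update.vendor.example",
    "fe2.update.vendor.example",
    "download.update.vendor.example",
    "update.vendor.example.cdn.other.example",
    "notupdate.vendor.example",
    "www.unrelated.example",
]


def exact(host, pattern):
    """Whole-string, case-insensitive comparison (the 'exact match' trigger)."""
    return host.lower() == pattern.lower()


def substring(host, pattern):
    """Pattern may appear anywhere in the hostname (the 'contains' trigger)."""
    return pattern.lower() in host.lower()


def domain_suffix(host, pattern):
    """Assumed comparison mode: the domain itself or a subdomain of it,
    matched on a label (dot) boundary."""
    h, p = host.lower().rstrip("."), pattern.lower().rstrip(".")
    return h == p or h.endswith("." + p)


MODES = {"exact": exact, "substring": substring, "domain_suffix": domain_suffix}


def bypassed(hosts, pattern, mode):
    """Hostnames that would skip SSL interception under the given mode."""
    return [h for h in hosts if MODES[mode](h, pattern)]


def overmatch(hosts, pattern):
    """Hostnames exempted by the substring rule that are neither the
    pattern's domain nor one of its subdomains; review these before rollout."""
    wide = set(bypassed(hosts, pattern, "substring"))
    narrow = set(bypassed(hosts, pattern, "domain_suffix"))
    return sorted(wide - narrow)


if __name__ == "__main__":
    for mode in MODES:
        print(mode, bypassed(OBSERVED, "update.vendor.example", mode))
    print("review:", overmatch(OBSERVED, "update.vendor.example"))
```

Any hostname returned by `overmatch` is traffic that would lose interception, and with it content inspection, only because its certificate name happens to contain the pattern.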