We have a 2012 domain controller in an environment where we are running a Web Proxy Auto-Discovery (WPAD) setup for client devices, and that proxy server requires authentication. However, Windows Update does not support proxy servers requiring authentication.

So we want to prevent Windows Update on our servers from using the WPAD proxy settings. On a domain member server we can log in to the local administrator account (not domain admin) and un-tick the "Auto detect proxy settings" in IE Internet Options, and that fixes the issue on those servers. But a domain controller does not have a local admin account, as that account is the domain admin account. Doing this to the domain admin account on the DC does not prevent it from using WPAD.

Our whole purpose of running a proxy server that requires authentication is so we can identify what the users on our session-based remote desktop servers are doing on the internet.

See this MS KB article for some info about Windows Update and proxy servers:
"How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site" - http://support.microsoft.com/kb/900935

BeowulfNode42
  • It looks like it's not as easy as I thought it was in W2K12. You have to use GP Preferences under User Configuration and then make the proxy settings machine wide under Computer Configuration. I'm going to delete my answer as I think I may have led you astray. Apologies. – joeqwerty Oct 18 '13 at 04:59
  • A bit of an aside, but WSUS does let you specify proxy server credentials. In doing so, it would be able to authenticate to your proxy server and download updates for your servers and workstations. Plus it has the added bonus of only downloading the updates once if you choose to let WSUS handle downloads. – MikeAWood Oct 22 '13 at 00:03
  • @MikeAWood that's fine at head office where we have the required storage, but the satellite branches do not have the storage space for a WSUS repository, so this is why I am wanting a method for the client's WU to avoid using our WPAD that does require authentication. Also, at the satellite branches, having each device download just the updates it needs is actually less bandwidth than a WSUS server downloading all the updates we need to approve company-wide. – BeowulfNode42 Oct 24 '13 at 02:23
  • That's the great part about WSUS... You can tell the clients to download the updates as needed but centrally manage the updates... – MikeAWood Oct 29 '13 at 00:47

1 Answer


I had the same issue on Windows 2008 R2 with a WPAD record. To fix it we added a fake DNS record to the hosts file, like `1.1.1.1 WPAD`, and after restarting the update client it stopped using the proxy. In some cases the server needs to be rebooted after the WPAD block.

Cheers, Andrey

andrey
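
The hosts-file change described in the answer above, written as an idempotent PowerShell script. This is an added example, not part of the original answer; the function name `Set-WpadHostsOverride` and its parameters are hypothetical, and it assumes an elevated session on the server.

```powershell
# Added example (not from the answer). Run in an elevated session on the server.
function Set-WpadHostsOverride {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Default is the address used in the answer. It is publicly routed today,
        # so an address you control avoids sending wpad.dat requests off-network.
        [string]$SinkAddress = '1.1.1.1',
        [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )

    $lines = @(Get-Content -LiteralPath $HostsPath -ErrorAction Stop)

    # Look for an active (uncommented) entry that already maps the name WPAD.
    $existing = foreach ($line in $lines) {
        $tokens = @(($line -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
        if ($tokens.Count -ge 2 -and ($tokens[1..($tokens.Count - 1)] -contains 'wpad')) {
            $line
        }
    }
    if ($existing) {
        Write-Verbose "WPAD already mapped: $($existing -join '; ')"
        return $false
    }

    if ($PSCmdlet.ShouldProcess($HostsPath, "append '$SinkAddress WPAD'")) {
        Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.bak" -Force
        # Rewrite the whole file so a missing trailing newline cannot merge lines.
        Set-Content -LiteralPath $HostsPath -Value ($lines + "$SinkAddress`tWPAD")
        return $true
    }
    return $false
}

if (Set-WpadHostsOverride -Verbose) {
    ipconfig /flushdns | Out-Null     # drop any cached answer for WPAD
    Restart-Service -Name wuauserv    # Windows Update service
}

# Show the machine-wide WinHTTP proxy setting after the change.
netsh winhttp show proxy
```

Calling `Set-WpadHostsOverride -WhatIf` reports what would be appended without touching the file.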