Windows Server update on IPv6-only network

ipv6windows-server-2016windows-update

We've just installed a fresh Windows Server 2016 without IPv4 connectivity. I can confirm that IPv6 works, but I am unable to install updates through Windows Update. The update process stops with the following error message:

We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the internet.

We do not run any local WSUS, but I was under the impression that Microsoft made their Windows Update service available on IPv6 as well. Am I mistaken and should I enable IPv4 in order to update, or is something else going on?

Best Answer

I only found some discussion from 2012-2013 on this issue, stating that on IPv6 only system:

Windows Update worked fine.

Converting to Microsoft Update did not.

Windows Activation does not work - cannot find the DNS entry for whatever system it uses. Biggest showstopper I think, as it requires v4 address, NAT64, or a phone call.

Time synchronization by default uses time.windows.com - NOT IPv6-enabled. Had to point this at another resource ( I chose X.pool.ntp.org and had no issues)

I find it both interesting and funny that (many) microsoft.com and windows.com URLs don't work with IPv6 - yet both Bing.com and Xbox.com have IPv6 capability enabled.

So I did some digging. Situation today, in 2017:

URL's that are needed by the Microsoft Update without WSUS:
- windowsupdate.microsoft.com doesn't have AAAA, not working.
- update.microsoft.com doesn't have AAAA, not working.
- windowsupdate.com not in use, no A / AAAA.
- download.windowsupdate.com has (via CNAMEs) AAAA, answers (only) HTTP on IPv6. OK!
- download.microsoft.com has HTTP/HTTPS on IPv6 (302 redirect to www). OK!
- test.stats.update.microsoft.com doesn't have AAAA, not working.
- Testing for wildcard subdomains is a bit impossible, so I'll leave it here.
Microsoft Activation uses www.microsoft.com, port 80/443: has AAAA, answers HTTP(S). OK!
NTP time.windows.com, still no IPv6, change to an IPv6 Time Server like 2.pool.ntp.org.

So it seems like the situation has't change much, at least not for all Microsoft services.

However, TechNet article IPv6 Support in Microsoft Products and Services claims that Windows Update has full IPv6 support and leads us to Connecting with IPv6 in Windows 8 blog post, that has more information:

Windows Update is a critical service providing ongoing support and updates to millions of users every day. More and more PCs are going to be connected to mobile broadband networks, where IPv6-only is a popular configuration. We have to make sure that downloads are reliably available to you on those networks.

For this reason the Windows Update service now supports both IPv6 and IPv4. Windows Update utilizes CDNs for worldwide distribution of updates and we are partnering with them to enable IPv6 support. Windows 8 will use IPv6, if available, to download Windows Updates so that users always get the best possible connectivity when downloading updates.

Windows Update SHOULD work on IPv6
you didn't mention how you have tested your IPv6 setup and
we do know that some of the *.microsoft.com sites answers HTTP(S) on IPv6,

you should try to visit the working sites above from the server.

For further diagnostics on the problem:

See if you have route: tracert -6 download.windowsupdate.com
The previous command also already gave you a hint, if you don't have working DNS on IPv6. In that condition tracert -6 2001:14b8:1800:300::3eb7:aa1a (or find the current AAAA on another computer with working DNS).
Try the same test on download.microsoft.com / its (current) AAAA 2a02:26f0:103:19d::e59

If you don't have working routing on your IPv6, e.g. if your IPv6 is only local setup, you could configure NAT64 and DNS64 with Forefront Unified Access Gateway (UAG) DirectAccess. It has been there since Windows Server 2012 and remains essentially unchanged through 2012 R2 to 2016.

Or... simply enable IPv4. You probably have capability, if you haven't yet declared IPv4 historic.

TL;DR:

Clear your C:\Windows\Temp directory and other Temp directories for good-measure - then it should install updates fine.

Explanation:

As this is an Azure VM, Microsoft's "Basic" support tier is available - granted it took 3 days to arrange a phone-call, but the support staff were able to find a workaround just today.

In the CBS.log file he spotted this line (trimmed and tidied-up by me):

2016-08-16 20:26:50, Error                 CSI    00000006@2016/8/16:20:26:50.808 (F) CMIADAPTER: Inner Error Message from AI HRESULT = 8004402f [Error,Facility=FACILITY_ITF,Code=16431 (0x402f)]
[
[210]"Parsing MOF file: C:\Windows\system32\wbem\NetTCPIP.mof
Error 80 in Function CMofLexer::CMofLexer line 614
C:\Windows\system32\wbem\NetTCPIP.mof (1): error SYNTAX 0X8004402f: Error creating temporary file"
]
[gle=0x80004005]

The important bit being this error:

Error creating temporary file

He instructed me to change the default environment-variables: TEMP and TMP in both System and User definitions to C:\TEMP and to ensure Everyone had Full Access to C:\TEMP.

After rebooting the clogged-up updates installed without any further issues.

After installing those updates fine I then deleted all of the files in the original C:\Windows\Temp directory (which took 5+ minutes, there were a lot of deeply nested files). I then reset the TMP and TEMP environment variables back to C:\Windows\Temp and rebooted.

Two new updates were then ready to install and installation completed without any problems.

So I think the problem was bad data in the Temp directory that prevented the updates from doing anything.

Update in Mid-2017: I had a similar incident on a Windows 10 laptop recently with the same error code. I immediately went to the C:\Windows\Temp directory and saw it had a lot files in it (about 16,000 files and folders), including deeply-nested folders too. After I deleted everything in the directory and rebooted I was able to install the updates again.

WSUS – Windows Server 2016 Not Updating Through WSUS

Ok, after spending 3 weeks with Microsoft's technical support department we have solved the problem.

The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.

The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.

Here is what you have to do to fix it: Run the following commands in Powershell on the offending server

$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService

You will get something back like this:

Windows Update Standalone Installer - False   
Windows Server Update Service - False   
Windows Update - True

If it says "Windows Update - True" Then that is your default source, no matter what your GPO says...

The first thing you have to do is make sure the following patches are installed on your server.

kb4103720 and kb4462928

You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.

These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.

Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)

Computer Configuration > Policies > Administrative Templates > System > Device Installation

Specify the search server for device driver source locations

Set to "Enabled"  
Select search order: "Do not search Windows Update"

Specify the search server for device driver updates

Set to "Enabled"  
Select Update Server: "Search Managed Server"

Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

Turn off access to all Windows Update features (In Microsoftspeak that means their online server, not 'make so it can't get updates')

Set to "Enabled"

Turn off access to the Store

Set to "Enabled"

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Do not allow update deferral policies to cause scans against Windows Update

Set to "Enabled"

No auto-restart with logged on users for scheduled automatic updates installations

Set to "Enabled"

Specify intranet Microsoft update service location

Set to "Enabled"  
Set the intranet update service for detecting updates: "http://[YOUR SERVER]:8530"  
Set the intranet statistics server:"http://[YOUR SERVER]:8530"  
Set the alternate download server: "http://[YOUR SERVER]:8530"  
Uncheck the box Download files with no Url in the metadata if alternate download server is set

Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.

Run the above powershell commands again.

It should now say

 Name                                   IsDefaultAUService    
-------                                 --------------------------  
Windows Server Update Service              True  
Windows Update                             False

If you get "Windows Server Update Service" True, then it should work!

I hope this helps someone else. This has certainly been a frustrating issue...

I accept donations in unmarked bills, gold bars and scotch.

Best Answer

Related Solutions

Windows Update 800F0922

TL;DR:

Explanation:

WSUS – Windows Server 2016 Not Updating Through WSUS

Related Topic