sync office 365 updates with wsus … and a very strict firewall ruleset

So, I was hunting a bug today that has been popping up for quite a while now in our SCCM logs.

The important piece of information is that our servers have no internet connection – we block all external traffic with a firewall. The SCCM server has a special ruleset to allow downloading of WSUS updates. The ruleset consists of two parts. First, the firewall allows the "ms-update" layer-7 protocol. Second, the HTTP and HTTPS protocols are allowed, but only to specific Microsoft Update URLs. The URL list contains:

  • update.microsoft.com
  • windowsupdate.microsoft.com
  • windowsupdate.com
  • download.microsoft.com
  • officecdn.microsoft.com
  • officecdn.microsoft.com.edgesuite.net

(plus the wildcard subdomain variant, *.domain, of each entry)

These URLs are no big secret and can be found by reading the documentation or googling forums, reddit, etc. Strangely enough, everything was working fine for many months: Windows 10 updates synced, as did Server 2016 updates, and Office 365 updates were downloaded correctly too. But suddenly, some specific updates stopped syncing correctly:

Synchronizing update f1fe6a6b-f554-4ad0-8eb5-27ee707ea001 – Office 365 Client Update – Semi-annual Channel Version 1705 for x86 based Edition (Build 8201.2294)
ProcessFileManifest() failed to process O365 file manifest. Caught exception: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send…[snip]
Skipped update f1fe6a6b-f554-4ad0-8eb5-27ee707ea001 – Office 365 Client Update – Semi-annual Channel Version 1705 for x86 based Edition (Build 8201.2294) because it failed to sync.


PatchDownloader.log shows no information about the failed updates, only about those that were successful. So it was impossible to tell from the logs which additional or new URL the server tried to reach. The problem is also reported in this reddit post, but the solutions there did not apply to our case. So what next?

After enabling in-depth URL tracking on a temporary rule on our firewall, we noticed this log entry:


Uhm….. config.office.com?! What the…. that's something new. A quick google search revealed this: https://techcommunity.microsoft.com/t5/Deployment/Configuration-Manager-1806-integrates-config-office-com-for/td-p/221225. Alright. Nice that SCCM now has this new "feature". Not nice that it silently breaks automatic patching……

So the fix was rather easy: add config.office.com to the URL set on the firewall, then resync updates (disable the O365 category, sync, enable it again, sync again). If you are also keeping your firewall rulesets tight like we do, then hopefully this post helps.
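Because PatchDownloader.log only records successful downloads, a blocked endpoint shows up as a vague "underlying connection was closed" rather than as a URL. The following PowerShell snippet is an added example (not code from the original post) for checking, from the SCCM server itself, that every hostname in the allowlist above, including the newly required config.office.com, actually gets through the firewall before the next sync. The probe path "/", the 15-second timeout and the assumption that no proxy is in the way are mine; an HTTP 403 or 404 from Microsoft still counts as reachable, because it proves the firewall forwarded the request.

```powershell
# Added example: probe the Microsoft Update hostnames the SCCM/WSUS sync needs.
# Host list = the post's allowlist plus config.office.com. Run on the SCCM server.
$updateHosts = @(
    'update.microsoft.com',
    'windowsupdate.microsoft.com',
    'windowsupdate.com',
    'download.microsoft.com',
    'officecdn.microsoft.com',
    'officecdn.microsoft.com.edgesuite.net',
    'config.office.com'
)

function Test-UpdateEndpoint {
    param([Parameter(Mandatory)][string]$HostName)

    # Layer-4 check first: can we even open TCP 443 through the firewall?
    $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue

    $result = [pscustomobject]@{
        Host      = $HostName
        Tcp443    = $tcp.TcpTestSucceeded
        HttpsCode = $null
        Error     = $null
    }

    try {
        # Layer-7 check: a HEAD request to "/" (assumed probe path) over HTTPS.
        $r = Invoke-WebRequest -Uri "https://$HostName/" -Method Head -UseBasicParsing -TimeoutSec 15
        $result.HttpsCode = [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) {
            # The server answered (e.g. 403/404): the firewall passed the request.
            $result.HttpsCode = [int]$_.Exception.Response.StatusCode
        } else {
            # No response at all: typically a firewall drop or TLS reset, which is
            # what the "underlying connection was closed" sync error looks like.
            $result.Error = $_.Exception.Message
        }
    }
    return $result
}

# Any row with Tcp443 = False or an Error instead of an HttpsCode is a hostname
# that still needs to be added to the firewall's URL set.
$updateHosts | ForEach-Object { Test-UpdateEndpoint -HostName $_ } | Format-Table -AutoSize
```

Running this after every SCCM version upgrade is a cheap way to catch the next silently added endpoint, since the HTTP status alone tells you whether the URL filter let the request through, while the TCP column separates a plain port block from a layer-7 deny.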

Happy patching!

Robert Rostek
robert.rostek@strong-it.at
