
Sophos XG and Windows 10 Anniversary Update

Hi All,

I thought I would share this with anyone having an issue updating Windows 10 with the Anniversary Update. I would get the following error code when trying to download and install the update: 0x80200013. Looking into the issue I stumbled on this site which suggested the issue might be AV scanning. I unchecked the malware scanning on HTTP and FTP traffic on my XG config and temporarily set the web blocking policy to none (usually set to black malware) on my LAN > WAN policy.

After the changes I had no issues with applying the update. If you happen to use the upgrade tool as well, you'll get a different error code: 0x80190001. Hope this helps trying to figure out why the update won't apply.



  • There are no changes to this in MR3 or in MR4 and there are no bugs known for this for MR5.  I don't think this area has changed since exceptions were introduced in 16.0. That being said, in v17 we made some changes that may have caused it to fail more explicitly.

    This is not a product issue.  You need to configure your box to allow the updates.

     

    But... you think that the box should just allow them. The problem is that there is something on the computer that is trying to do a "range request", that is, to download megabyte 3-4 out of a 100 megabyte file. There is no way for the XG to virus scan that, so it blocks it. As an admin, you need to be the one who chooses to turn off antivirus for downloads from Microsoft. Sophos has a few out-of-the-box exceptions you can use to do that but if Microsoft decides one day to start using a different domain there is no way we can update customer XGs to include the additional domains - that would be overwriting the exception that you may have customized yourself.

    In v16 with the exception turned off if something asked microsoft.com for MB 3-4 of a 100 MB file, we actually gave them the whole 100MB file.  Which IIRC some updates would just try again, and again, using up bandwidth.  In v17 we explicitly deny them, which may cause more of a "download failed" error.  How MS treats the error is out of our control.

    I don't recall off the top of my head whether by default the exception is on or off - I thought by default it was turned on.  I don't know why it would be off on your box.
    If you trust downloads from Microsoft.com without virus scanning, turn on the exception.
    The Administrator is in control.

  • But that doesn't make sense why it would literally cripple all Microsoft updates, including media downloads, etc.... why should it break that and require an exception? Why should I have to put an exception in for what was working up until v17...and why should I have to disable scanning to get them to work....


  • I just checked - by default the Microsoft exception is on for all installations since v16.  If you initially installed v15 and upgraded then I am not sure what the default is.
    If you installed sometime after v16 and the exception is off, that means an administrator explicitly disabled it.   That's up to the admin - if they go to the exception called "Microsoft Windows Update" and turn it off, they live with the fact updates don't always work correctly.
     
    If you were running in v16 with the exception turned off, you probably had non-working updates - you just didn't know it.
    One of the ways Microsoft works is that if you use Automatic Updates, it tries to download the update slowly bit by bit over the day. If the exception is turned off, then these piecemeal downloads fail (in v16 and v17 they fail differently, but both fail). However if the user goes to Windows Update and tries to update, it will download the update as a complete file and install just fine. I think that with the exception off in v16 Windows would never complain that automatic updates were failing, and anyone who went into Windows Update would just see "15 updates pending" and they would hit Install and it would work. It may be (and I'm not sure here) that with v17 Windows may complain that automatic updates are failing. Again, with v17 if you go into Windows Update and hit Install it would work. The difference is that (maybe) Windows did not complain about failures in v16 and does complain about failures in v17. But without the exception, it fails in both.
     
    In summary - in a default installation there is an exception for Microsoft that is turned on.  If an administrator turned it off then in v16 they had silent failures and in v17 they have noisy failures.  Which is probably a good thing, so that administrators turn the exception back on.
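
Added example, not part of the thread and not Sophos code: a small probe that sends one HTTP range request and reports whether the path returned the partial content, ignored the range and sent the whole file (the v16 behaviour described above), or denied the request (the v17 behaviour). The local simulated gateway, its mode names, the function names and the 403 status used for "deny" are assumptions made for illustration.

```python
import http.server, threading, urllib.request, urllib.error

BODY = bytes(range(256)) * 4096  # constructed 1 MiB stand-in for an update file

def make_handler(mode):
    """mode: 'honor' (206), 'full' (v16 as described), 'deny' (v17 as described)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            rng = self.headers.get("Range")
            if rng and mode == "deny":
                self.send_error(403)  # assumed status; the thread only says "deny"
                return
            if rng and mode == "honor":
                start, end = (int(x) for x in rng.split("=")[1].split("-"))
                part = BODY[start:end + 1]
                self.send_response(206)
                self.send_header("Content-Range", f"bytes {start}-{end}/{len(BODY)}")
            else:  # no Range header, or the range is ignored: send the whole file
                part = BODY
                self.send_response(200)
            self.send_header("Content-Length", str(len(part)))
            self.end_headers()
            self.wfile.write(part)
        def log_message(self, *args):  # keep the simulated server quiet
            pass
    return Handler

def classify_range_handling(url, start=1024, end=2047):
    """Request bytes start..end and report how the path treated the Range header."""
    req = urllib.request.Request(url, headers={"Range": f"bytes={start}-{end}"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    try:
        with opener.open(req, timeout=10) as resp:
            body = resp.read()
            if resp.status == 206 and len(body) == end - start + 1:
                return "partial-honoured"
            return "range-ignored-full-file"
    except urllib.error.HTTPError as exc:
        return f"denied-{exc.code}"

def probe_simulated(mode):
    """Run the probe against a local simulated gateway in the given mode."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(mode))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return classify_range_handling(f"http://127.0.0.1:{server.server_port}/update.bin")
    finally:
        server.shutdown()
        server.server_close()
```

Calling `classify_range_handling` with a real download URL from a client behind the firewall gives the same three-way answer for that path, before and after an exception is toggled.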
  • I am the administrator, and I never disabled it. We've been upgraded through the versions, I think 14 or 15 was out when I bought the firewalls. Either way, the updates would not work whatsoever with v17, in fact, I tried to download pretty much anything from Microsoft and it would just hang... The exception fixed this... but again, why should I have to turn on an exception to get basic functionality to work? The firewall should be smart enough to allow updates from Microsoft and iOS without having to put in a special exception....

  • Not only Microsoft hangs. Adobe, Chrome, and other pretty famous troublemakers shall be handled by default out of the box.

     

    PJR