Follow-up: configuring a proxy with DSC

While working on a custom DSC (Desired State Configuration) resource that forces the Windows Update Agent to opt in to Microsoft Update, I found a major caveat with my previous blog post about configuring a proxy per machine with DSC.

My server wouldn’t opt in to Microsoft Update (MU), and when it tried, it lasted ~20 seconds, which is an excessive amount of time. Under my user account, the registration takes less than a second.

Here’s the code I’m using inside the DSC resource and at the command prompt.

(New-Object -ComObject Microsoft.Update.ServiceManager).

I couldn’t understand why and started a procmon trace.

The WindowsUpdate.log file acknowledged that it lasts 20 seconds and indicated that it doesn’t use the proxy set per machine 😦

The procmon trace indicated that the Windows Update service was looking for the WinHttpSettings value and couldn’t find it.

My bad 😦
That’s what I actually set in my DSC configuration, as I set the WinHttpSettings value as absent.

To fix it, I duplicated the DefaultConnectionSettings item and set the exact same value for the WinHttpSettings item.

And now the registration is back to normal:

I also found a second problem while reading the verbose output when applying the DSC configuration 😦

[ Start Test ] [[Registry]ProxyAddressPerMachineDefaultConnectionSettings]
VERBOSE: [MyComputerName]: [[Registry]ProxyAddressPerMachineDefaultConnectionSettings] Registry key value ‘HKLM:\software\microsoft\windows\currentversion\internet settings\connections\DefaultConnectionSettings’ of type ‘Binary’ does not contain data ‘46000000040000000300000015…0’

The DSC Test-TargetResource function always returned false because the registry value set in the first place was somehow “autocorrected”.
The fact that the Test-TargetResource always returns false isn’t normal.

I recommended in my original post to extract the value from the registry like this:

$regkey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
-join (
(Get-ItemProperty -Path  $regkey -Name DefaultConnectionSettings).DefaultConnectionSettings |
 Foreach-Object { '{0:X2}' -f $_ })

…which is the wrong way and the root cause of the above behavior I described.

My bad 😦 Sorry about that.

I fixed my issue by correctly capturing the hexadecimal value from the registry 😀

$regkey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
-join (
(Get-ItemProperty -Path  $regkey -Name DefaultConnectionSettings).DefaultConnectionSettings |
 Foreach-Object { '{0:X1}' -f $_ })
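
The two format strings above encode the same bytes differently; the following added example (not code from the original post) shows what a decoder that reads two hex digits per byte recovers from each. The byte array is constructed sample data, and `ConvertTo-HexString` / `ConvertFrom-HexString` are hypothetical helper names; how the DSC Registry resource itself parses the string is not shown on this page.

```powershell
# Constructed sample bytes, NOT a real DefaultConnectionSettings value.
[byte[]]$bytes = 0x46,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x15,0x0A

function ConvertTo-HexString {
    # Same pipeline as in the post, with the format string as a parameter.
    param([byte[]]$Bytes, [string]$Format)
    -join ($Bytes | ForEach-Object { $Format -f $_ })
}

function ConvertFrom-HexString {
    # Hypothetical decoder: assumes exactly two hex digits per byte.
    param([string]$Hex)
    if ($Hex -notmatch '^[0-9A-Fa-f]*$') { throw "Not a hex string: $Hex" }
    if ($Hex.Length % 2) { throw "Odd number of hex digits ($($Hex.Length))" }
    $out = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $out.Length; $i++) {
        $out[$i] = [Convert]::ToByte($Hex.Substring($i * 2, 2), 16)
    }
    ,$out   # leading comma keeps the array from being unrolled
}

foreach ($fmt in '{0:X2}', '{0:X1}') {
    $hex = ConvertTo-HexString -Bytes $bytes -Format $fmt
    try {
        $back = ConvertFrom-HexString -Hex $hex
        $same = [BitConverter]::ToString($back) -eq [BitConverter]::ToString($bytes)
    } catch {
        # X1 output can have an odd digit count, which a pair decoder rejects.
        $back = @(); $same = $false
    }
    [pscustomobject]@{
        Format     = $fmt
        Hex        = $hex
        BytesIn    = $bytes.Length
        BytesOut   = $back.Length
        RoundTrips = $same
    }
}
```

`'{0:X1}'` drops the leading zero of every byte below 0x10, so its output has no fixed width per byte and the original byte boundaries cannot be recovered from the string alone.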

2 thoughts on “Follow-up: configuring a proxy with DSC”

  1. Hello Emin! I was having this exact issue with a binary string we were trying to use with DSC to set the recovery options for a service (restart on failure). However I noticed something odd;
    If I use the string returned by the ‘{0:X1}’ method, the Test-TargetResource will pass, but the Set-TargetResource writes a binary value that isn’t correct (doesn’t set the service to restart on failure). However, using the binary string returned by the ‘{0:X2}’ method correctly sets the value with Set-TargetResource, and the service has the right recovery settings, but the Test-TargetResource will fail.
    This is on a 2008 R2 system running WMF4, I haven’t tried 2012 R2 and/or WMF5 yet.
    Was just curious if this mirrors your experience.
    Thanks for your time, and awesome blog!

    • Hi,
      As far as I remember, it was on 2012 R2 with WMF4 and WMF5 previews.

      Working with binary registry values in DSC is quite hard.

      I’d wait for the RTM version of WMF 5 to be re-released for 2012R2 and 2008R2 and check if this is fixed. If not, it should be reported to Microsoft.
