WinHTTP Proxy Settings deployed by GPO


Hello everyone! Dante here once again, with a new trick that I hope you will enjoy.
Have you ever wondered how you would configure the proxy for Windows components such as Windows Update, the NCSI and others? You probably know you can do that manually on each machine, which is very cool, but what happens when you have more than 100 servers to configure for this feature?
Don't worry, you don't need to hire a room full of script writers; you just need to know three things:

  • Where do I configure the proxy for Windows components?
  • Where is this configuration stored?
  • How can I massively deploy that information?

Let's start at the beginning. Windows has two places where you can configure the proxy:

  • Internet Settings Control Panel (or inetcpl.cpl, for the advanced users among you)
  • WinHTTP Windows Services

The main difference between them is that the Internet Settings Control Panel works at the user level, while the WinHTTP Windows component works globally at the computer level. In this note you can see how to deploy the Internet Settings Control Panel proxy configuration for the latest versions by GPO. That's amazing, but it will only apply at the user level.

In some scenarios you would rather have your Windows servers reach the Windows Update services through a proxy to download updates, instead of contacting the internet directly, since it gives you more control over your traffic. If no proxy server is configured in the WinHTTP Services, your machine will try to contact the internet directly for any web traffic coming, for example, from the Windows Update service, so you will have no control over such communications. For Windows Update management and centralization in enterprise environments we highly recommend using WSUS instead of the normal Windows Update service, but that is up to you.

Now, coming back to our topic: how can I configure the proxy for the WinHTTP Services?

There is a simple way to do that, by issuing the following command on a command prompt with elevated privileges:

netsh winhttp set proxy <server IP or FQDN>:<Port> "<Exclusion list, separated by ";">"

As an example, this command will configure the proxy proxy.contoso.com on port 8080, bypassing the proxy for "localhost" and for any host in the "contoso.com" domain:

netsh winhttp set proxy proxy.contoso.com:8080 "localhost;*.contoso.com"

Looking at the help for the command shows some other parameters that can be used:

C:\WINDOWS\system32>netsh winhttp set proxy ?
Usage:  set proxy [proxy-server=]<server name> [bypass-list=]<hosts list>
Parameters:
 Tag             Value
  proxy-server  -  proxy server for use for http and/or https protocol
  bypass-list   -  a list of sites that should be visited bypassing the
                   proxy (use "<local>" to bypass all short name hosts)

Examples:

  set proxy myproxy
  set proxy myproxy:80 "<local>;bar"
  set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.foo.com"

You can also import the settings from the Internet Settings Control Panel, but bear in mind that the WinHTTP Services do not support the use of scripts (like PAC or DAT files). To import them, use the following command:

netsh winhttp import proxy source=ie

Again, this only works for the manual section of the Internet Settings Control Panel proxy configuration; it does not work for automatic detection or for scripts.

The last part is to check that your proxy settings were properly applied to the WinHTTP Services. You can do that by issuing the following command:

netsh winhttp show proxy

Depending on the configuration, the output will look like this if nothing was applied:

C:\WINDOWS\system32>netsh winhttp sh proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

Or like this if your proxy settings were properly updated:

C:\WINDOWS\system32>netsh winhttp sh proxy

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.contoso.com:8080
    Bypass List     :  localhost;*.contoso.com

If you have everything properly set up and want to go back to a direct connection, issue the following command:

netsh winhttp reset proxy

Alright, I totally understand how all this WinHTTP proxy stuff works, but where is all that data stored in Windows?

That's a great question! Now that you know how to configure your proxy at the system level, you need to know where to look for that information.
All of this configuration is stored in the registry under the following key path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

As a value with the following name (the post calls it a key, but it is a binary value under that key):

Value Name: WinHttpSettings
Type: Binary (REG_BINARY)
Data (for Direct Access or No Proxy): 1800000000000000010000000000000000000000
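As an added example (not code from the original post), the following PowerShell decodes and builds the WinHttpSettings binary data, so you can verify what a machine, or the GPP item you are about to deploy, really carries instead of eyeballing hex. The layout it assumes is the widely documented one for this value and is not stated in the post: a DWORD header 0x18, a DWORD zero, a DWORD flags field (1 = direct access, 3 = named proxy), then a length-prefixed ANSI proxy string and a length-prefixed ANSI bypass string. The function names, the registry-read check at the end and the "drift" wording are mine.

```powershell
# Added example, not from the original post. ASSUMED layout of WinHttpSettings:
#   DWORD 0x18 | DWORD 0 | DWORD flags (1 = direct, 3 = named proxy)
#   DWORD proxyLen | proxy (ANSI) | DWORD bypassLen | bypass (ANSI)

function ConvertFrom-HexString {
    # Turn the hex string shown in the registry editor into a byte array
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring($i * 2, 2), 16)
    }
    return ,$bytes
}

function ConvertFrom-WinHttpSettings {
    # Decode the blob into access type, proxy server and bypass list
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 20 -or [BitConverter]::ToUInt32($Bytes, 0) -ne 0x18) {
        throw "Not a WinHttpSettings blob (length $($Bytes.Length))"
    }
    $flags = [BitConverter]::ToUInt32($Bytes, 8)
    $accessType = switch ($flags) { 1 { 'Direct' } 3 { 'NamedProxy' } default { "Unknown($flags)" } }
    [int]$pos = 12
    [int]$proxyLen = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
    $proxy = [Text.Encoding]::ASCII.GetString($Bytes, $pos, $proxyLen); $pos += $proxyLen
    [int]$bypassLen = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
    $bypass = [Text.Encoding]::ASCII.GetString($Bytes, $pos, $bypassLen)
    [pscustomobject]@{ AccessType = $accessType; ProxyServer = $proxy; BypassList = $bypass }
}

function ConvertTo-WinHttpSettings {
    # Build the blob for a named proxy (or direct access when no proxy is given)
    param([string]$ProxyServer = '', [string]$BypassList = '')
    $flags = if ($ProxyServer) { 3 } else { 1 }
    $p = [Text.Encoding]::ASCII.GetBytes($ProxyServer)
    $b = [Text.Encoding]::ASCII.GetBytes($BypassList)
    [byte[]]$out = [BitConverter]::GetBytes([uint32]0x18) +
                   [BitConverter]::GetBytes([uint32]0) +
                   [BitConverter]::GetBytes([uint32]$flags) +
                   [BitConverter]::GetBytes([uint32]$p.Length) + $p +
                   [BitConverter]::GetBytes([uint32]$b.Length) + $b
    return ,$out
}

# 1. The post's "Direct Access" data decodes to AccessType = Direct, empty proxy and bypass
ConvertFrom-WinHttpSettings (ConvertFrom-HexString '1800000000000000010000000000000000000000')

# 2. The configuration the post deploys (proxy.contoso.com:8080, localhost;*.contoso.com),
#    printed as the hex you should see in the GPP registry item
$expected = ConvertTo-WinHttpSettings -ProxyServer 'proxy.contoso.com:8080' -BypassList 'localhost;*.contoso.com'
([BitConverter]::ToString($expected)) -replace '-', ''

# 3. Drift check against this machine: does the live value match what the GPO should have set?
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$live = (Get-ItemProperty -Path $regPath -Name WinHttpSettings -ErrorAction SilentlyContinue).WinHttpSettings
if ($null -eq $live) {
    'No WinHttpSettings value present: WinHTTP uses direct access'
} elseif ([BitConverter]::ToString([byte[]]$live) -eq [BitConverter]::ToString($expected)) {
    'WinHTTP proxy matches the intended configuration'
} else {
    'DRIFT: live WinHTTP settings differ from the intended configuration:'
    ConvertFrom-WinHttpSettings ([byte[]]$live) | Format-List
}
```

Run it as an administrator on a reference machine after `netsh winhttp set proxy`, and the hex printed in step 2 is what the registry editor shows for that value; step 3 is the same comparison you would run on a target after the GPO has applied, so an unexpected proxy or bypass list on a server shows up as drift rather than being missed in a wall of hex.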

When you modify the settings and look at the value again, the registry will show the new data like this:


Perfect! I now know how to configure it and where it is stored. Thank you! Now... what do I do with this information?

Now that you have the proper proxy configuration and the registry value, the only thing left is to deploy these settings through a Group Policy Preference (GPP)!
Let's begin with the process. I encourage you to do this from a simple workstation that will not affect your production environment. Doing this on a Domain Controller, for example, may get you in serious trouble, and by saying this I totally disclaim any responsibility 🙂

First Step: Open the Group Policy Management Console (or run gpmc.msc from the command prompt) and create a new Group Policy Object with a name (I will call mine TestWinhttpProxy).

Second Step: Edit the GPO and navigate to the following path: Computer Configuration > Preferences > Windows Settings > Registry

Third Step: Right-click the Registry item and select "New > Registry Item".

Fourth Step: In the General tab leave the action as "Update" and browse to your local WinHttpSettings registry value.

Fifth Step: Hit OK and close the editor. You should see something like this (mine shows the No Proxy configuration):

Sixth and last Step: Link the GPO to the desired OU.

Once you have all of this set up, you can sit back in your comfortable chair drinking a cup of coffee until the GPO applies, or simply go to a target machine and run GPUPDATE /FORCE to make it happen NOW!

If everything went as expected you should see the new configuration in place by running the "show proxy" Network Shell command for WinHTTP.
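The six GPMC steps plus the refresh and check, as an added PowerShell example that is not part of the original post. It uses the GroupPolicy module (available on a Domain Controller or with RSAT), which the post does not mention, and must run on the reference machine where `netsh winhttp set proxy` has already been applied, since, like the GUI procedure, it copies the local WinHttpSettings value into the preference item. The GPO name is the post's; the OU, the test server name and the guard that refuses to deploy a "direct access" blob are my placeholders and additions.

```powershell
# Added example, not from the original post: steps 1 to 6 plus gpupdate/verify,
# using the GroupPolicy module cmdlets. Run on the reference machine as an admin.
Import-Module GroupPolicy

$gpoName  = 'TestWinhttpProxy'                  # name used in the post
$targetOu = 'OU=Servers,DC=contoso,DC=com'      # PLACEHOLDER: your target OU
$testHost = 'server01.contoso.com'              # PLACEHOLDER: a machine in that OU
$gppKey   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$psKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'

# Step 1: create the GPO (reuse it if one with that name already exists)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Steps 2 to 5: take the local WinHttpSettings data and add it as a Computer
# Configuration > Preferences > Windows Settings > Registry item with action Update.
[byte[]]$blob = (Get-ItemProperty -Path $psKey -Name WinHttpSettings -ErrorAction Stop).WinHttpSettings

# Guard (my addition): the flags DWORD at offset 8 is 1 for direct access and 3 for a
# named proxy (assumed layout). Refuse to push "no proxy" to a whole OU by accident.
if ([BitConverter]::ToUInt32($blob, 8) -ne 3) {
    throw 'Local WinHTTP settings are "direct access"; run netsh winhttp set proxy first'
}
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key $gppKey -ValueName 'WinHttpSettings' -Type Binary -Value $blob | Out-Null

# Step 6: link the GPO to the OU unless it is already linked there
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null }

# Refresh one target right away and confirm with the post's show command
Invoke-Command -ComputerName $testHost -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    netsh winhttp show proxy
}
```

The `Update` action is what the post selects in the GUI, so the item is created where the value is missing and overwritten where it differs; the guard before `Set-GPPrefRegistryValue` is the one check worth keeping even if you do the rest by hand, because a reference machine that was reset with `netsh winhttp reset proxy` would otherwise deploy "Direct access" fleet-wide just as happily as the intended proxy.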

Hope you enjoyed this entry and see you soon!


Comments (2)
  1. bigkevgray says:

    Great article Dante, thanks.

    I’ve got a few questions:

    1: Is it possible to add subnets to the bypass list, we like a lot of orgs use this capability in PAC files to bypass/avoid traffic for internal traffic using private subnets (suspect the answer is No, but I live in hope)
    2: If the defined proxies aren't available how does it behave …in other words does it give up or does it try a direct connection
    3: Can Web browsers use alternative proxy settings e.g. proxy defined via internet settings including use of PAC file?

    1. Hello Kev and thanks a lot for your feedback! Regarding your questions:
      1- You can use subnets as in Internet Explorer by using asterisks as wildcard, in the proxy exclusions section… Bear in mind it will not be as effective as with PACs… For example 192.168.1.* will bypass anything in the subnet 192.168.1.0.
      2- It works exactly like the IE… unfortunately it will fail the connection.
      3- Yes, and WinHTTP can also do that, but it can only be achieved with the recommended proxy configuration in every Windows system: WPAD + Automatically detect settings. Using WPAD you can have your PAC files and all your custom logic detected automatically and applied as required. It only needs an http server where you store the wpad.dat file with the script and a DNS A Record called “wpad” pointing to that HTTP server.

      Hope this helped to clarify!
