MC1307636: Configuring firewall and proxies for smooth Windows updates
A new guide is here to help you troubleshoot connection issues with the Windows Update service. Some of these issues have to do with the embedded network security design. The key is in the configuration of your network endpoints for firewalls and proxies. When will this happen: While the solution isn’t new, new guidance is now published to help with ongoing troubleshooting. How this will affect your organization: By design, Windows Update doesn’t trust servers that don’t have TLS certificates issued by an actual Windows Update trust anchor. Your firewalls and proxies might block access to the trustworthy and necessary Windows Update service if your configuration is either intercepting TLS connections or isn’t passing TLS requests through for the necessary DNS subdomains. The new guide helps you diagnose and fix related issues. What you need to do to prepare: Diagnose connection issues by checking the Windows Update audit log. The article lists the recommended PowerShell command and four error codes that can confirm the issue. To remedy the situation, trust all the DNS hosts and subdomains related to wildcard FQDN for the connection to work properly. For example, a recommended DNS host name *.update.microsoft.com represents all the following hosts and subdomains:
- update.microsoft.com
- sls.update.microsoft.com
- tas02.sls.update.microsoft.com
Update your proxy and firewall configurations if any of these subdomains are missing. If your devices connect to an IT-managed Windows Server Update Services (WSUS) server, these exceptions aren’t necessary. Additional information: