How do I allow Windows Updates / App Updates in Windows 10

HI Stevan , 

I would like to know if Malware scanning is referred as IPS policy or HTTPS SSL Decryption scanning . Now you would need to check if there is any drop in IPS fo your Windows 10 system . Check the log Viewer and Select IPS , filter the logs for your Workstation host address check for Source and Destination , If there is a Drop then check the signature and allow that signature in IPS policy applied on the Firewall rule . 

Secondly , if there is no drop on the IPS then may check if HTTPS decryption is the cause for your issue . If so then you would need to check the URLs your workstation on the web filter logs and bypass them by creating a Custom category and add in HTTPS scanning exceptions . 

You may refer the link https://community.sophos.com/kb/en-us/123360 

You can bypass the scanning of specific websites in the web category, by creating a separate custom web category of that website(s) from Protection > Web Protection > Custom Web Category or Objects > Content > Custom Web Category.

Hope this would resolve your issue 

Thanks and Regards 

Aditya Patel | Network and Security Engineer.

Thanks for your reply.  I am referring to the Malware Scanning section in my default rule that I have created for our organization.

Policies --> I edit the rule --> Malware Scanning --> Turn off HTTP and FTP (HTTPS is already off)

The problem with bypassing the "sites" is that I don't know which sites to bypass as there seems to be differing information on the internet as to the source of Windows Update for different versions of the Operating System.  It also seems that Windows 10 contacts other sites in order to update Apps from the Microsoft Store.

If you have any insight into the sites to bypass I would surely like to know which ones and where to put those bypass rules.

Thanks!

Thanks for your reply.  I am referring to the Malware Scanning section in my default rule that I have created for our organization.

Policies --> I edit the rule --> Malware Scanning --> Turn off HTTP and FTP (HTTPS is already off)

The problem with bypassing the "sites" is that I don't know which sites to bypass as there seems to be differing information on the internet as to the source of Windows Update for different versions of the Operating System.  It also seems that Windows 10 contacts other sites in order to update Apps from the Microsoft Store.

If you have any insight into the sites to bypass I would surely like to know which ones and where to put those bypass rules.

Thanks!

HI StevenGear , 

I have found some useful information that may help you with your issue. Otherwise , you may need to check the Web filter logs for the system during an event for an update to determine the URL used in your Workstation Windows 10.

To configure the firewall for software updates

I think this may have been fixed by fixing the other issue I was having with the General Business Category being blocked.  I will re-test and report back here.

Aditya,

I still continue to see our newly imaged computers trying to get windows and store updates have problems.  We do not utilize our WSUS server for these newly imaged machines until they join the domain.  I have also added the FQDN names you listed and that were referenced in the TechNet article.  This only seems to be a problem on our Windows 10 machines which makes me think it might have more to do with App updates from the store than windows updates.  I am unable to find any reliable information on what Windows 10 is trying to do when it is first turned on.  All I know is that behind the firewall they have issues and outside of the firewall they do not.  The only exception so far is if I turn off HTTP/FTP/HTTPS malware scanning in the firewall (which I don't want to do).

I was hoping that the Sophos Firewall would have a Windows Update Category in it that would allow the traffic.  If there is not, I need to find out ALL of the sites I need to bypass for this to work.

Hi Steven,

What is the firmware version residing in your XG device? We have a known issue reported under NC-13382 which is unresolved. 

The workaround is to configure a separate FW rule with destination zone defined with FQDN(s) suggested via Aditya in the previous post.

Thanks

We are running 15.01.0 MR3

This is still a problem as I don't know exactly which domains (fqdns) to allow.

Try to disable "Delivery Optimization" service in Windows 10.

Disabling that service does make the behavior on my test system stop after a restart and when I manually start the service again my cpu spikes.  Something is not getting out and is causing this service to use up my entire cpu to where the system is unusable.  Any idea how I can find where that service is trying to go?

Just to re-iterate this does not happen on the same machine connected to an outside network without a firewall in place.

Thanks!

Hi Steven,

Run Wireshark on your computer, you can download it from https://www.wireshark.org/

That will tell you where the data streams are going and can nail down what is happening. If you haven't used this tool before, please feel free to post screenshots of lines you don't understand :)

Emile

I my case it was not only CPU maxing out, but WAN bandwidth as well.

After you disable the service and run initial full Windows Update - workstation behaves as normal.

try to add alsi these website and becarefull that after every firmware upgraded the manual ecpetions are deleted.

officecdn.microsoft.com.edgekey.net
officecdn.microsoft.com.edgesuite.net
officecdn.microsoft.com