Microsoft updates blocked despite being excluded from web filtering - am I fixing this right?

I've added every manner of exclusion for everything from microsoft.com and sub-domains as well as windowsupdate.com and subdomains, but it didn't prevent the blocking of updates.

After reading posts that seem to suggest this is an "undocumented feature" introduced in 9.6 I think (I'm on 9.7) and saying a Transparent Mode Skiplist had to be added, I did that.

Problem is I had to put my internal network on the source hosts/net skip list for it to work. Does that not mean I've effectively turned off web filtering for my internal network? If so, that seems to defeat the purpose. Is there a better way to do this? 



This thread was automatically locked due to age.
  • No, wrong!
    ATTENTION!
    That is not an "and" but an "or" link within the transparent-mode skiplist.
    The rules disable the proxy for all connections from "inside" (internal network) and create firewall rules for these connections.
    So all your users reach all destinations unfiltered.

    The destination definitions don't use domain names but the IPs behind the definition.
    Please check: only the IPs within the definition (mouse-over) are used.

    MS updates are not so simple, because sometimes IP addresses are used, outside of every domain definition.

    Amodin's exception list could work for the latest updates.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
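
As an added illustration (not part of the post above and not Sophos code), this Python model follows the skiplist behaviour as the reply describes it: a connection bypasses the transparent proxy when its source OR its destination IP matches, and destinations match only on the IPs a definition currently holds. All addresses are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (documentation ranges, not real Microsoft addresses).
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
UPDATE_DEFINITION_IPS = {"203.0.113.10", "203.0.113.11"}  # IPs behind a destination definition

def to_networks(entries):
    """Parse hosts or CIDR strings into network objects (a bare host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def bypasses_proxy(src, dst, skip_sources, skip_destinations):
    """True if the connection skips the proxy: source match OR destination match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_hit = any(s in n for n in to_networks(skip_sources))
    dst_hit = any(d in n for n in to_networks(skip_destinations))
    return src_hit or dst_hit

def audit_skiplist(skip_sources, internal_net=INTERNAL_NET):
    """Return source entries that exempt the whole internal network from filtering."""
    return [e for e in skip_sources
            if internal_net.subnet_of(ipaddress.ip_network(e, strict=False))]

def scenario(skip_sources):
    """Evaluate three connections from one internal client against the skiplist."""
    def client_to(dst):
        return bypasses_proxy("192.168.10.25", dst, skip_sources, UPDATE_DEFINITION_IPS)
    return {
        "update_ip_in_definition": client_to("203.0.113.10"),
        # An update server reached by an IP the definition does not hold.
        "update_ip_not_in_definition": client_to("198.51.100.7"),
        "unrelated_site": client_to("192.0.2.80"),
    }

if __name__ == "__main__":
    print("destinations only :", scenario([]))
    print("internal net added:", scenario(["192.168.10.0/24"]))
    print("over-broad entries:", audit_skiplist(["192.168.10.0/24", "192.168.10.5/32"]))
```

With only destination entries, traffic to an IP outside the definition still goes through the proxy; once the internal network is a source entry, every connection bypasses filtering.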

  • I had the following exceptions, but they didn't work:

    I also have the following, which itself should prevent the block if I'm understanding things (and I may not be since I'm new to Sophos and it's not working)

    Despite all the above the web filtering was blocking http://au.download.microsoff.com, reason="range", which is why I added http to the existing exception but that didn't fix it.

    If I don't have the internal network in the skiplist, it doesn't work, but I did think it was an "or", meaning I had just turned off web filtering.

    I added the telemetry sites (thanks) but the block isn't on any of those sites...

  • The exception I have in Web Protection doesn't have any 'and' statements in it at all; it is just the listed sites I have in my screenshot, and no filter action for Microsoft for mine. The only thing that comes to mind offhand is Country Blocking, and I had to make an exception for a while because one of my computers was trying to go to China for updates. Ultimately, redoing the computer stopped that, haha.

    Can you paste the log error from Web Protection logs?

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • The "and Going to websites tagged as..." was a suggestion I found searching in this forum to create a tag that points to microsoft.com and au.download.windowsupdate.com, but as this isn't helping and is somewhat redundant anyway (already in at least 2 other places), I'll drop it.

    I did try turning country blocking off but it didn't fix the problem. I had a bunch of log entries in a notepad window ready to post but then took the route of asking about skiplist and didn't save them so I'll have to get some new ones.

    I'm going to start over and go back to basics capturing some fresh log entries to post here... tomorrow.... hopefully.

  • I don't have microsoft.com in the Skiplist, only the au FQDN which I bet I could have added to the Exception.

    My relevant Exception is also simple:

    Cheers - Bob
    PS Just curious, do you pronounce your name in French or in English?

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks. I'll mirror what you have.

    Why wouldn't the windowsupdate.com exception work? I'm starting to lose a bit of confidence. I have problems with Zoom too and exceptions for that aren't working as expected either.

    I pronounce my name in French, i.e. not "Gene" :-) 

  • Thanks, Jean – now I also know the correct pronunciation of Thibodeau.

    For Zoom, check out: https://community.sophos.com/utm-firewall/f/web-protection-web-filtering-application-visibility-control/46292/business-video-conference-site-blocked

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA