https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/296955#M78012 <P>Greetings ...</P><P>&nbsp;</P><P>Yes we are also seeing this.</P> Thu, 07 Nov 2019 07:46:03 GMT khanshahidnazir 2019-11-07T07:46:03Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287839#M76755 <P>Hey Guys ... I am doing a normal Windows Update and i am getting error.</P><P>While analysing the application type is ms-update and reason for session end is decrypt-cert-validation.</P><P>&nbsp;</P><P>Appreciate if you guys can support.</P> Wed, 11 Sep 2019 12:42:18 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287839#M76755 khanshahidnazir 2019-09-11T12:42:18Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287860#M76761 <P>FYI:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boONCAY" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boONCAY</A></P> Wed, 11 Sep 2019 14:03:56 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287860#M76761 myky 2019-09-11T14:03:56Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287885#M76763 <P>Hello,</P><P>Dont decrypt Microsoft updates. We have a no decrypt policy just for it.</P><P>&nbsp;</P><P>Regards,</P> Wed, 11 Sep 2019 16:15:12 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287885#M76763 OtakarKlier 2019-09-11T16:15:12Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287893#M76769 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;</P><P>&nbsp;</P><P>What does that no decrypt policy look like?&nbsp; &nbsp;You can't do no decrypt by application right? Thinking you have a destination list, or list of URL's you are triggering the no decrypt on?</P> Wed, 11 Sep 2019 16:36:13 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287893#M76769 Sec101 2019-09-11T16:36:13Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287904#M76772 <P>Hello,</P><P>Sorry for not clarifying earlier. A no decrypt policy is just a decryption policy with the action set to 'no-decrypt'. We use this for URL's and URL categories.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 684px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21337i4BB8DEE77C724E8B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 295px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21336iC58DB726E8E733BA/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>Regards,</P> Wed, 11 Sep 2019 16:43:05 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/287904#M76772 OtakarKlier 2019-09-11T16:43:05Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/288167#M76803 <P>Did you add those directly to your No decrypt policy, or where is that list getting populated from?&nbsp; - Just asking in reference to where the actual second screenshot resides on your firewall.&nbsp; Thank you for the quick reply!</P> Thu, 12 Sep 2019 20:57:20 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/288167#M76803 Sec101 2019-09-12T20:57:20Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/288169#M76804 <P>Hello,&nbsp;</P><P>Its a list we came up with when googling. Here is one just for wsus:</P><P><A href="https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus" target="_blank">https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus</A></P><P>&nbsp;</P><P><A href="https://kc.mcafee.com/corporate/index?page=content&amp;id=KB88947&amp;actp=null&amp;viewlocale=en_US&amp;showDraft=false&amp;platinum_status=false&amp;locale=en_US" target="_blank">https://kc.mcafee.com/corporate/index?page=content&amp;id=KB88947&amp;actp=null&amp;viewlocale=en_US&amp;showDraft=false&amp;platinum_status=false&amp;locale=en_US</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>The main issue we face at times is taht the update will fail since the firewall is blocking something. This is mainly due to the backend IP's and DNS changing at a faster rate than the PAN does. Not a knock against PAN, its just the backend MS Updates change and are not all documented.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P> Thu, 12 Sep 2019 21:07:42 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/288169#M76804 OtakarKlier 2019-09-12T21:07:42Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/288525#M76854 <P>Greetings ...&nbsp;</P><P>Thanks a lot for your inputs and suggestions.</P><P>I followed your screenshot and added all URL's but i am still not able to update windows.</P><P>I am also sharing my Decryption Profile screenshot.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Decryp.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21451i263A409AF5DA78F1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Decryp.jpg" alt="Decryp.jpg" /></span></P> Mon, 16 Sep 2019 08:17:10 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/288525#M76854 khanshahidnazir 2019-09-16T08:17:10Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/296792#M78000 <P><SPAN><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/121188">@khanshahidnazir</a>&nbsp;&nbsp;</SPAN> We are also experiencing this.&nbsp; We have found that MS Store will intermittently update and download, but the full blown WIN10 updates don't work.&nbsp;&nbsp;</P><P>We are using a custom URL Category pushed from the panorama to populate a decryption bypass list of addresses that will not get decrypted.&nbsp; We are seeing this manifest in the logs with a session end reason of: decrypt-cert-validation.&nbsp; Is that what you were seeing?&nbsp;</P> Wed, 06 Nov 2019 18:14:11 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/296792#M78000 charlesk 2019-11-06T18:14:11Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/296955#M78012 <P>Greetings ...</P><P>&nbsp;</P><P>Yes we are also seeing this.</P> Thu, 07 Nov 2019 07:46:03 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/296955#M78012 khanshahidnazir 2019-11-07T07:46:03Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/297087#M78024 <P>Hello,</P><P>If these are windows 10 1903 systems and use the distributed model for updates. You'll need to add the following to your whitelist to allow and not decrypt these domains:</P><P>&nbsp;</P><P>•*.do.dsp.mp.microsoft.com<BR />*.delivery.mp.microsoft.com<BR />*.prod.do.dsp.mp.microsoft.com</P><P><A href="https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints" target="_blank">https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints</A></P><P>&nbsp;</P><P>Regards,</P> Thu, 07 Nov 2019 17:11:45 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/297087#M78024 OtakarKlier 2019-11-07T17:11:45Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/297093#M78027 <P>We already have the *.mp.microsoft.com whitelisted and have for some time.&nbsp;&nbsp;</P> Thu, 07 Nov 2019 17:46:16 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/297093#M78027 charlesk 2019-11-07T17:46:16Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/297101#M78028 <P>Hello,</P><P>So did we and it was getting blocked. That is why we had to add the additional domains I listed previously :(.</P><P>Regards,</P> Thu, 07 Nov 2019 18:11:34 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-cert-validation-while-performing-windows-update/m-p/297101#M78028 OtakarKlier 2019-11-07T18:11:34Z