This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

decrypt-cert-validation while performing windows update

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

decrypt-cert-validation while performing windows update

khanshahidnazir
L1 Bithead

‎09-11-2019 05:42 AM

Hey Guys ... I am doing a normal Windows Update and i am getting error.

While analysing the application type is ms-update and reason for session end is decrypt-cert-validation.

 

Appreciate if you guys can support.

0 Likes Likes
12 REPLIES 12

OtakarKlier
Cyber Elite
Cyber Elite
In response to myky

‎09-11-2019 09:15 AM

Hello,

Dont decrypt Microsoft updates. We have a no decrypt policy just for it.

 

Regards,

Sec101
L4 Transporter
In response to OtakarKlier

‎09-11-2019 09:36 AM

@OtakarKlier 

 

What does that no decrypt policy look like?   You can't do no decrypt by application right? Thinking you have a destination list, or list of URL's you are triggering the no decrypt on?

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to Sec101

‎09-11-2019 09:43 AM

Hello,

Sorry for not clarifying earlier. A no decrypt policy is just a decryption policy with the action set to 'no-decrypt'. We use this for URL's and URL categories.

image.png

image.png

 

Regards,

Sec101
L4 Transporter
In response to OtakarKlier

‎09-12-2019 01:56 PM - edited ‎09-12-2019 01:57 PM

Did you add those directly to your No decrypt policy, or where is that list getting populated from?  - Just asking in reference to where the actual second screenshot resides on your firewall.  Thank you for the quick reply!

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to Sec101

‎09-12-2019 02:07 PM

Hello, 

Its a list we came up with when googling. Here is one just for wsus:

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy...

 

https://kc.mcafee.com/corporate/index?page=content&id=KB88947&actp=null&viewlocale=en_US&showDraft=f...

 

 

 

The main issue we face at times is taht the update will fail since the firewall is blocking something. This is mainly due to the backend IP's and DNS changing at a faster rate than the PAN does. Not a knock against PAN, its just the backend MS Updates change and are not all documented.

 

Regards,

 

0 Likes Likes

khanshahidnazir
L1 Bithead
In response to OtakarKlier

‎09-16-2019 01:17 AM

Greetings ... 

Thanks a lot for your inputs and suggestions.

I followed your screenshot and added all URL's but i am still not able to update windows.

I am also sharing my Decryption Profile screenshot.

Decryp.jpg

0 Likes Likes

charlesk
L1 Bithead
In response to khanshahidnazir

‎11-06-2019 10:14 AM

@khanshahidnazir   We are also experiencing this.  We have found that MS Store will intermittently update and download, but the full blown WIN10 updates don't work.  

We are using a custom URL Category pushed from the panorama to populate a decryption bypass list of addresses that will not get decrypted.  We are seeing this manifest in the logs with a session end reason of: decrypt-cert-validation.  Is that what you were seeing? 

0 Likes Likes

khanshahidnazir
L1 Bithead
In response to charlesk

‎11-06-2019 11:46 PM

Greetings ...

 

Yes we are also seeing this.

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to khanshahidnazir

‎11-07-2019 09:11 AM

Hello,

If these are windows 10 1903 systems and use the distributed model for updates. You'll need to add the following to your whitelist to allow and not decrypt these domains:

 

•*.do.dsp.mp.microsoft.com
*.delivery.mp.microsoft.com
*.prod.do.dsp.mp.microsoft.com

https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints

 

Regards,

charlesk
L1 Bithead
In response to OtakarKlier

‎11-07-2019 09:46 AM

We already have the *.mp.microsoft.com whitelisted and have for some time.  

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to charlesk

‎11-07-2019 10:11 AM

Hello,

So did we and it was getting blocked. That is why we had to add the additional domains I listed previously :(.

Regards,

  • 11054 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks