SSL decryption issue for Windows Store

Showing results for 
Search instead for 
Did you mean: 

SSL decryption issue for Windows Store

L4 Transporter



After enabling SSL Decryption, we cannot download from Windows store. Getting error below.

Tried excluding hostname with Microsoft but no luck. How to fix this issue?





Thanks in advance.


Accepted Solutions

Cyber Elite
Cyber Elite

I am not sure if these are still all required exceptions but it is worth a try:


View solution in original post


Cyber Elite
Cyber Elite

I am not sure if these are still all required exceptions but it is worth a try:


L1 Bithead  is another.

what is the reason we need to allow all the hosts?

if we allow * why does it not work then?

Curious to know the reason behind this?


We (PA support) tested * in url category and a policy.  That did not work.

We then added * to the ssl decryption exception list.  Still no joy.

We then added the specific url.  And Success.

@MP18 this is actually a goos question. From my side I can only say, that I did not test with * as the requirement was to configure exceptions as accurate as possible.


Unfortunetely with these exact URLs there is the downside that - as we found out - they change with (not all) new microsoft versions of windows 10.

I have seen this behaviour with other websites where fix for us was to exempt  the source IP for decryption.

Seems *.url does not work in ssl exclusion  list.


This was not with single urls many urls and end devices were servers in data centre.


Hello there,

Would you mind to tell me the fix for the same if there is any changed recently to the same url. As I am being reported continuously for the store problem as you mentioned.

I will be waiting for your reply.


Hi @TahirA 


We created the Decryption policy based on Source IP as exclusion list was not working on our PAN OS 8.1.9.

I do not know if PA has fixed this in newer PAN OS version.




L0 Member

I just ran into this same issue and came across this thread.  Instead of just adding all of the FQDNs listed in the accepted solution, I took a packet capture and found connections to both of these FQDNS were having issues :



I added the following wildcard FQDNs, which resolved the issue:

  • *
  • *

Of course this could change in the future, but hopefully this helps someone.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!