Category
stayInformed
Severity
normal
Major change
False
Last modified
2026-05-11 17:05:11
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
—
Action by (AI)
—
Services
Windows
Tags
Admin impact
Master tags
Admin, Network
Roadmap IDs
One-line summary
New guidance helps troubleshoot Windows Update connection issues caused by network endpoint/firewall misconfiguration; update proxy/firewall settings to allow required subdomains.
Details
Body (from Message Center)
A new guide is here to help you troubleshoot connection issues with the Windows Update service. Some of these issues have to do with the embedded network security design. The key is in the configuration of your network endpoints for firewalls and proxies.
When will this happen:
While the solution isn’t new, new guidance is now published to help with ongoing troubleshooting.
How this will affect your organization:
By design, Windows Update doesn’t trust servers that don’t have TLS certificates issued by an actual Windows Update trust anchor. Your firewalls and proxies might block access to the trustworthy and necessary Windows Update service if your configuration is either intercepting TLS connections or isn’t passing TLS requests through for the necessary DNS subdomains. The new guide helps you diagnose and fix related issues.
What you need to do to prepare:
Diagnose connection issues by checking the Windows Update audit log. The article lists the recommended PowerShell command and four error codes that can confirm the issue.
To remedy the situation, trust all the DNS hosts and subdomains that the wildcard FQDN covers so that the connection works properly. For example, the recommended DNS host name *.update.microsoft.com represents all of the following hosts and subdomains:
- update.microsoft.com
- sls.update.microsoft.com
- tas02.sls.update.microsoft.com
Update your proxy and firewall configurations if any of these subdomains are missing. If your devices connect to an IT-managed Windows Server Update Services (WSUS) server, these exceptions aren’t necessary.
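The wildcard coverage described above can be checked against an exported proxy or firewall allowlist. The PowerShell below is an added example, not code from the Microsoft guide; the function names, the sample allowlist and the SingleLabel mode (a stricter reading of "*." that a filtering product might apply, assumed here) are constructed for illustration.

```powershell
# Added example, not from the Message Center post.
# Hosts the post lists as represented by *.update.microsoft.com:
$RequiredHosts = @(
    'update.microsoft.com',
    'sls.update.microsoft.com',
    'tas02.sls.update.microsoft.com'
)

function Test-RuleCoversHost {
    param(
        [Parameter(Mandatory)][string]$Rule,
        [Parameter(Mandatory)][string]$HostName,
        # Suffix:      *.d covers d itself and any depth below it (the post's meaning).
        # SingleLabel: *.d covers exactly one label below d (assumed stricter product).
        [ValidateSet('Suffix', 'SingleLabel')][string]$WildcardMode = 'Suffix'
    )
    $r = $Rule.Trim().TrimEnd('.').ToLowerInvariant()
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    if (-not $r.StartsWith('*.')) { return ($r -eq $h) }   # literal rule: exact match
    $base = $r.Substring(2)
    if ($WildcardMode -eq 'Suffix') {
        return (($h -eq $base) -or $h.EndsWith(".$base"))
    }
    if (-not $h.EndsWith(".$base")) { return $false }      # apex is not covered here
    $prefix = $h.Substring(0, $h.Length - $base.Length - 1)
    return (-not $prefix.Contains('.'))                     # one extra label only
}

function Get-AllowlistGap {
    param([string[]]$Rules, [string[]]$HostNames, [string]$WildcardMode = 'Suffix')
    foreach ($name in $HostNames) {
        $hit = $Rules |
            Where-Object { Test-RuleCoversHost -Rule $_ -HostName $name -WildcardMode $WildcardMode } |
            Select-Object -First 1
        [pscustomobject]@{ Mode = $WildcardMode; Host = $name; Covered = [bool]$hit; MatchedRule = $hit }
    }
}

# Constructed sample allowlist, as it might be exported from a proxy or firewall.
$Allowlist = @('*.update.microsoft.com')
$report  = @(Get-AllowlistGap -Rules $Allowlist -HostNames $RequiredHosts -WildcardMode Suffix)
$report += @(Get-AllowlistGap -Rules $Allowlist -HostNames $RequiredHosts -WildcardMode SingleLabel)
$report | Format-Table -AutoSize
```

Any host reported as not covered under the mode that matches your product's wildcard handling needs its own explicit rule.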
Additional information:
Raw JSON (for debugging)
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": null,
"ai_actions": [
"Review new troubleshooting guide",
"Check Windows Update audit log",
"Update proxy and firewall to allow required subdomains"
],
"ai_master_tags": [
"Admin",
"Network"
],
"ai_model": "gpt-4.1",
"ai_summary": "New guidance helps troubleshoot Windows Update connection issues caused by network endpoint/firewall misconfiguration; update proxy/firewall settings to allow required subdomains.",
"ai_topics": [
"Windows"
],
"category": "stayInformed",
"details_map": {},
"id": "MC1307636",
"importance": 0,
"is_major_change": false,
"last_modified": "2026-05-11T17:05:11Z",
"ms_products": [
"Windows"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Windows"
],
"severity": "normal",
"tags": [
"Admin impact"
],
"title": "Configuring firewall and proxies for smooth Windows updates"
}
}