The Windows Update service holds a hard-coded list of valid certificates that it will accept.  When SSL Inspection is enabled in WebTitan it provides it's own certificates which triggers an error in the Windows Update service.  The solution to this issue is to exempt the Windows Update domains from SSL Inspection. 

  1. Go to Filtering > SSL Inspection
  2. Change the "Inspect" setting to "all except selected domains"
  3. Add the following domains to the exception list:
  • windowsupdate.microsoft.com 
  • update.microsoft.com 
  • download.windowsupdate.com 
  • redir.metaservices.microsoft.com 
  • images.metaservices.microsoft.com 
  • c.microsoft.com 
  • www.download.windowsupdate.com 
  • wustat.windows.com 
  • crl.microsoft.com


Test Windows Update to ensure it is working as intended.



http://security.stackexchange.com/questions/31861/windows-update-interception