Even with the recommended CPL code in TECH242437 applied and SSL interception, ICAP service, authentication, and cache bypassed, Windows Updates still fail to install on Windows Server 2012. This issue doesn't occur on Windows Server 2003/2008.
Windows Update fails on Windows Server 2012 because the server connects to fe1.update.microsoft.com, and the hostname in the server certificate presented by the Microsoft update server doesn't match the existing source conditions in the CPL code. For more details on the existing CPL code, see TECH242437.
There are two methods of resolving this issue:
Add a new source object for fe1.update.microsoft.com in the existing ssl-intercept policy