A Cloud SWG admin reports that Windows Update fails on some Windows 11 machines when the WSS Agent is installed.
According to IT logs, the update file is successfully downloaded but fails during hash verification, appearing as unrecognized and blocked by the WSS Agent.
Removing the WSS Agent allows Windows Update to complete successfully.
The issue occurs in multiple locations (APAC, EMEA and US).
Not all machines appear to have the issue.
Issue not yet verified on Windows 10.
Cloud Secure Web Gateway - Cloud SWG.
Windows 11.
WSS Agent 9.7.1 and 9.8.3.
Windows Update uses certificate pinning, but the Windows Update requests were being SSL intercepted.
Disable SSL interception for the sls.update.microsoft.com domain.
With 24H2 updates, Windows Update downloads came from slscr.update.microsoft.com, which had been SSL intercepted.
With 25H2 updates, the domain that Windows updates are retrieved from changed to sls.update.microsoft.com.
Looking at the Windows update logs, we clearly see a CA certificate failure, triggered by the SSL interception.
2025/11/02 08:24:47.1364128 43280 35832 SLS Retrieving SLS response from server...
2025/11/02 08:24:47.1570617 43280 35832 SLS Making request with URL HTTPS://######.sls.update.microsoft.com/SLS/{################}/x64/10.0.26100.6899/0?CH=###&L=en-US&P=&PT=0x4&WUA=1####&MK=###&MD=### and send SLS events, cV=####.0.1.0.0.2.
2025/11/02 08:24:48.1179327 43280 35832 Misc Cert chain length check failed, length=4
2025/11/02 08:24:48.1179357 43280 35832 WebServices Certificate failed SSL intermediate CA check.
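Because not every machine shows the failure, one way to triage is to scan each machine's Windows Update log for this signature and list the hosts whose certificate chain was rejected. The Python below is an added example, not Broadcom or Microsoft code; it assumes the line layout shown in the excerpt above, and its function names and the last sample line are constructed for illustration.

```python
import re
from collections import namedtuple

# Layout of the lines in the excerpt: date time PID TID component message
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+"
                     r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<comp>\S+)\s+(?P<msg>.*)$")
URL_HOST_RE = re.compile(r"\bURL https://([^/\s]+)", re.IGNORECASE)
CHAIN_RE = re.compile(r"Cert chain length check failed, length=(\d+)")
CA_FAIL = "Certificate failed SSL intermediate CA check"

Finding = namedtuple("Finding", "timestamp host chain_length")

def find_pinning_failures(lines):
    """Tie each intermediate-CA failure to the last URL requested on the same PID/TID."""
    last_host, chain_len, findings = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a log record (blank line, wrapped text)
        key, msg = (m["pid"], m["tid"]), m["msg"]
        url = URL_HOST_RE.search(msg)
        chain = CHAIN_RE.search(msg)
        if url:
            last_host[key] = url.group(1).lower()
            chain_len.pop(key, None)  # reset per-thread state for the new request
        elif chain:
            chain_len[key] = int(chain.group(1))
        elif CA_FAIL in msg:
            findings.append(Finding(m["ts"], last_host.get(key, "unknown"),
                                    chain_len.get(key)))
    return findings

def hosts_to_review(findings):
    """Hosts whose chain was rejected: candidates for an SSL-interception bypass."""
    return sorted({f.host for f in findings if f.host != "unknown"})

# First four lines: the excerpt above, masked as published. Last line: constructed,
# a request on another thread with no failure, which must not be reported.
SAMPLE_LOG = """\
2025/11/02 08:24:47.1364128 43280 35832 SLS Retrieving SLS response from server...
2025/11/02 08:24:47.1570617 43280 35832 SLS Making request with URL HTTPS://######.sls.update.microsoft.com/SLS/{################}/x64/10.0.26100.6899/0?CH=###&L=en-US&P=&PT=0x4&WUA=1####&MK=###&MD=### and send SLS events, cV=####.0.1.0.0.2.
2025/11/02 08:24:48.1179327 43280 35832 Misc Cert chain length check failed, length=4
2025/11/02 08:24:48.1179357 43280 35832 WebServices Certificate failed SSL intermediate CA check.
2025/11/02 08:24:49.0000000 43280 40000 SLS Making request with URL HTTPS://other.example.test/SLS/0
""".splitlines()

if __name__ == "__main__":
    for f in find_pinning_failures(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.host}  chain length {f.chain_length}")
```

A host reported here that falls under sls.update.microsoft.com matches the cause described above; any other host points to a different interception rule to review.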