Microsoft updates blocked despite being excluded from web filtering - am I fixing this right?

I've added every manner of exclusion for everything from microsoft.com and its sub-domains as well as windowsupdate.com and its sub-domains, but it didn't prevent updates from being blocked.

After reading posts that seem to suggest this is an "undocumented feature" introduced in 9.6, I think (I'm on 9.7), and saying a Transparent Mode Skiplist had to be added, I did that.

Problem is I had to put my internal network on the source hosts/net skip list for it to work. Does that not mean I've effectively turned off web filtering for my internal network? If so, that seems to defeat the purpose. Is there a better way to do this? 

  • You should have an exception already in place by default for UTM under Web Protection > Filtering Options.  

    You might have a problem with downloading if you have Country Blocking enabled; I've run into that before. I even have a block list for the telemetry in my UTM, and I am not having any issues:


    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • No, wrong!
    ATTENTION!
    That is not an "and" but an "or" link within the transparent-mode skiplist.
    The rules disable the proxy for all connections from "inside" (internal network) and create firewall rules for these connections.
    So all your users reach all destinations unfiltered.

    The destination definitions don't use domain names, but the IPs behind the definition.
    Please check: only the IPs within the definition (mouse-over) are used.

    MS updates are not so simple, because sometimes IP addresses are used that are outside of every domain definition.

    Amodin's exception list could work for the latest updates.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I had the following exceptions, but they didn't work:

    I also have the following, which itself should prevent the block if I'm understanding things (and I may not be, since I'm new to Sophos and it's not working).

    Despite all the above, the web filtering was blocking http://au.download.microsoft.com, reason="range", which is why I added http to the existing exception, but that didn't fix it.

    If I don't have the internal network in the skiplist, it doesn't work, but I did think it was an 'or', meaning I had just turned off web filtering.

    I added the telemetry sites (thanks), but the block isn't on any of those sites...

  • The exception I have in Web Protection doesn't have any 'and' statements in it at all; it is just the listed sites I have in my screenshot, and no filter action for Microsoft for mine. The only thing that comes to mind offhand is Country Blocking, and I had to make an exception for a while because one of my computers was trying to go to China for updates. Ultimately, redoing the computer stopped that, haha.

    Can you paste the log error from Web Protection logs?


  • the "and Going to websites tagged as..." was a suggestion I found searching in this forum to create a tag that points to microsoft.com and au.download.windowsupdate.com but as this isn't helping and is somewhat redundant anyway (already in at least 2 other places) I'll drop it.

    I did try turning country blocking off but it didn't fix the problem. I had a bunch of log entries in a notepad window ready to post but then took the route of asking about skiplist and didn't save them so I'll have to get some new ones.

    I'm going to start over and go back to basics capturing some fresh log entries to post here... tomorrow.... hopefully.

  • I don't have microsoft.com in the Skiplist, only the au FQDN, which I bet I could have added to the Exception.

    My relevant Exception is also simple:

    Cheers - Bob
    PS Just curious, do you pronounce your name in French or in English?

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks. I'll mirror what you have.

    Why wouldn't the windowsupdate.com exception work? I'm starting to lose a bit of confidence. I have problems with Zoom too, and exceptions for that aren't working as expected either.

    I pronounce my name in French, i.e. not "Gene" :-) 

  • Thank you, Jean, now I also know the correct pronunciation of Thibodeau.

    For Zoom, check out: https://community.sophos.com/utm-firewall/f/web-protection-web-filtering-application-visibility-control/46292/business-video-conference-site-blocked

    Cheers - Bob