Can anybody help/advise what to check/where to start with Win update problems?
Customer running 6400 cluster on R81, HTTPS inspection on,
enabled_blades fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot ThreatEmulation mon Scrub
Reporting the problem with direct winupdate; local WSUS updates are fine. According to them, the differences between a non-CP subnet and a CP-controlled subnet are:
- servers cannot find updates/cannot update/download most of the time,
- updates are sometimes found after several tries,
- time to find/download an update is 10 times longer behind CP
As far as I know, Update services should be bypassed implicitly + HTTPS policy contains rules:

The log does not show any Microsoft-related connections processed by inspection / blocked (a slightly weird log from TE, which is not enabled for this subnet..), but as a result I have no idea where to look further.
Thanks for tips here,