Strict Enforcement - System Updates

We have deployed ZIA using tunnel 1.0 with strict enforcement, and the enforcement of policies has been working as expected. The issue, as mentioned in another post, is that system updates fail when a user is not logged into the system. I have worked with tech support and the response was to create PAC file exceptions for the list of sites requiring direct access, which is a long list when it comes to Microsoft. I have added Operating and System Updates as an auth exempt as well, but it did not work. I did see in another post about a new client coming out, per my SE maybe this year, that will allow for creating exceptions to address the issue. I guess I am asking what everyone else is doing to resolve this issue when using strict enforcement with tunnel 1.0. Thanks
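The PAC file exceptions mentioned in the post above, sketched as an added example (not part of the original thread, and not Zscaler or Microsoft code). The host list is a constructed, partial sample and the proxy string is a placeholder; the syntax is kept ES3-style because older Windows PAC engines reject newer JavaScript.

```javascript
// Constructed, partial sample of update hosts; build the real list from
// the vendor's published endpoint documentation.
var BYPASS_SUFFIXES = [
  "windowsupdate.com",
  "update.microsoft.com",
  "delivery.mp.microsoft.com"
];

// Placeholder: use whatever proxy statement your existing PAC file returns.
var PROXY_RESULT = "PROXY proxy.example.invalid:80";

// Normalise the host: lower-case it and drop a trailing root dot.
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  return h;
}

// Match the domain itself or a subdomain on a dot boundary only, so that
// "notwindowsupdate.com" and "windowsupdate.com.example.net" are NOT bypassed.
function hostMatchesSuffix(host, suffix) {
  var h = normalizeHost(host);
  var s = suffix.toLowerCase();
  if (h === s) {
    return true;
  }
  return h.length > s.length &&
         h.substring(h.length - s.length - 1) === "." + s;
}

// Standard PAC entry point: update hosts go DIRECT, everything else is proxied.
function FindProxyForURL(url, host) {
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (hostMatchesSuffix(host, BYPASS_SUFFIXES[i])) {
      return "DIRECT";
    }
  }
  return PROXY_RESULT;
}
```

Every entry in the bypass list is traffic that skips inspection, so the dot-boundary check matters more than the length of the list.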

I’d be interested to hear what % of customers use strict enforcement. We do not, so no first-hand experience to share.

If you are using Windows Update for Business, have you looked at enabling peer downloads (what MS refers to as Delivery Optimization)? This should allow machines to download updates from local peers that do have users logged in and already have the update cached locally.

If you are not using Strict Enforcement, how are you enforcing your users to use Zscaler?

Even without strict enforcement, ZCC users are pestered to log in until they do. Most of my users rely on using ZPA and they need to log in to ZCC for that anyway. Once logged in, you can prevent users from turning off ZIA or allow them to turn it off temporarily with a timer to automatically re-enable.

Hi @Scoobz Joe,

Have you tried this option in your ‘Forwarding Profile’?

System proxy to NONE should go ‘Default route’ (depending on your LAN config) when ‘On trusted’, and in our case it goes via the corporate firewalls, which allow it.

Our default ‘Policy Token’ upon ZCC installs uses this but once the user enrols into ZCC it moves to another App/FWD Profile which ‘ENFORCE’ system proxy.