Windows Update fail 0x80072EFE

Cody Barnes 101 Reputation points
2021-04-12T18:49:46.173+00:00

Using a newly deployed Windows 10 LTSC (1809) with DoD STIGs applied, Windows Update is failing.

The problem is well described in
https://social.technet.microsoft.com/Forums/en-US/e884854d-fef1-4146-a23f-b4f954ec07bf/windows-update-not-working?forum=win10itprogeneral
However, the answer in my case was not helpful.

Using PowerShell Get-WindowsUpdateLog to retrieve the logs:

2021/04/12 11:02:24.4503135 27944 31088 SLS Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.17763.1823/0?CH=829&L=en-US&P=&PT=0x7d&WUA=10.0.17763.1817&MK=To+be+filled+by+O.E.M.&MD=To+be+filled+by+O.E.M. and send SLS events.
2021/04/12 11:02:24.6070057 27944 31088 Misc FAILED [80072EFE] Send request
2021/04/12 11:02:24.6070139 27944 31088 Misc FAILED [80072EFE] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)
2021/04/12 11:02:24.7498285 27944 31088 Misc FAILED [80072EFE] Send request

When using Edge to open the URL at sls.update.microsoft.com, I get a certificate transparency error. NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

I found that by removing 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\EccCurves' (configured by GroupPolicy 'Administrative Templates\Network\SSL Configuration Settings\ECC Curve Order' and mandated by DoD STIG V-74413 in Windows Client 10-2.1) I could get Windows Update to work.

So my question is: What EccCurves are required for Windows Update to work?


Accepted answer
  1. Cody Barnes 101 Reputation points
    2021-04-12T20:08:36.97+00:00

    I think I've answered my own question - Windows Update succeeds when the default ECC curves are enabled
    curve25519
    NistP256
    NistP384

    So the missing ECC curve from STIG V-220805 (legacy ID V-74413) is 'curve25519'.
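A way to check a machine for the condition described in this thread, as an added example that is not part of the original posts: it reads the `EccCurves` policy value from the registry path given in the question and reports which of the default curves listed in the accepted answer are absent. The function names `Get-EccCurvePolicy` and `Compare-EccCurvePolicy` are hypothetical helpers defined here.

```powershell
# Added example (not from the original thread). Registry path and value name
# come from the question; the default curve list comes from the accepted answer.
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$ValueName     = 'EccCurves'
$DefaultCurves = 'curve25519', 'NistP256', 'NistP384'

function Get-EccCurvePolicy {
    # Returns the policy-configured curve order, or $null when the value is absent.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_MULTI_SZ is returned as string[]; trim entries and drop blanks.
    $curves = @($item.$ValueName | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
    return ,$curves   # leading comma keeps an empty array from collapsing to $null
}

function Compare-EccCurvePolicy {
    # Hypothetical helper: one row per expected curve, flagged present or missing.
    param(
        [string[]]$Configured = @(),
        [string[]]$Expected = $DefaultCurves
    )
    foreach ($curve in $Expected) {
        [pscustomobject]@{
            Curve   = $curve
            Present = ($Configured -contains $curve)   # -contains ignores case
        }
    }
}

$configured = Get-EccCurvePolicy
if ($null -eq $configured) {
    Write-Output "No $ValueName policy value found; the OS default curve order applies."
} else {
    Write-Output "Policy curve order: $($configured -join ', ')"
    $missing = Compare-EccCurvePolicy -Configured $configured |
        Where-Object { -not $_.Present } |
        Select-Object -ExpandProperty Curve
    if ($missing) {
        Write-Output "Default curves missing from policy: $($missing -join ', ')"
    } else {
        Write-Output 'All default curves are present in the policy list.'
    }
}
```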
