Using Squid and getting TAG_NONE on sls.update.microsoft.com and several other domains?
The problem is certificate related. These domains use Microsoft Root Certificate Authority 2011 which is not publicly trusted. It is trusted by Windows, but not in general.
Install Microsoft Root Certificate Authority 2011. Caveat: you are now trusting a CA cert for everything that isn't publicly trusted.
The included script, squid_allow_windows_updates.sh, downloads the CA certificate from Microsoft and adds it to your trust store on Amazon Linux 2 / CentOS 6+ / RHEL 6+.
An Amazon Linux 2 Squid web proxy with a SASL-authenticated Postfix Implicit TLS for SMTP Submission relay to Amazon SES built with Packer and Terraform is documented as Squid and Postfix SES Relay