diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 833a2b655d..2cc0f94c7e 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -90,6 +90,15 @@ When users start scanning in Windows Update through the Settings panel, the foll
    - Windows Update uses the thread ID filtering to concentrate on one particular task. 
 
       ![Windows Update scan log 1.](images/update-scan-log-1.png)
+      
+#### Proxy Behavior
+For Windows Update (WU) scans URLs which are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs):
+- System proxy is attempted (set using the netsh command).
+- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user) Note: For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
+
+For WU URLs which are NOT used for update detection (download, reporting etc):
+- User proxy is attempted.
+- If WUA fails to reach the service due to certain proxy, service, or authentication error code, then the system proxy is attempted.
 
 #### Identifies service IDs