WSUS and IPS, port range

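I am afraid the POLICY rules may also block Windows Update or WSUS traffic, but I didn't try it; I just set them to alert instead of block. Keep in mind that the grep below matches "microsoft" anywhere in a rule, including the reference URLs, so a hit does not by itself mean the rule fires on Windows Update or WSUS traffic.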

[root@server ~]# cat /etc/suricata/rules/ET-emerging-policy.rules | grep microsoft
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"SOGOU_UPDATER"; nocase; http_user_agent; depth:13; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; content:" MSIE 5."; http_user_agent; fast_pattern; nocase; content:!".microsoft.com"; http_host; isdataat:!1,relative; content:!".trendmicro.com"; http_host; isdataat:!1,relative; content:!".sony.net"; http_host; isdataat:!1,relative; content:!".weather.com"; http_host; isdataat:!1,relative; content:!".yahoo.com"; http_host; isdataat:!1,relative; content:!".dellfix.com"; http_host; isdataat:!1,relative; content:!"GeoVision"; http_header; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016870; rev:12; metadata:created_at 2013_05_20, updated_at 2013_05_20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:to_server,established; content:"MSDW"; depth:4; http_user_agent; content:"Host|3a 20|watson.microsoft.com|0d 0a|"; http_header; classtype:policy-violation; sid:2018170; rev:4; metadata:created_at 2014_02_24, updated_at 2014_02_24;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:3; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)