Windows Firewall and Windows Update (Win 8.1)

  • Question

  • Since Windows Vista I have always been using the Windows Firewall with "blocked outgoing traffic". As this is not the default setting, some basic windows services seem not to be included as firewall rules on the outgoing side.

    My Problem is with the Windows Update:

    On Windows Vista and 7 it was sufficient to create a rule for "wuauserv".

    On Windows 8.1 however this seems not to be enough. The UI gives me error code 80240438 and the WindowsUpdate.log shows the following lines:

    --------

    2014-06-14    20:11:08:150     952    538    IdleTmr    WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 2044; does use network; is at background priority
    2014-06-14    20:11:08:151     952    538    WS    WARNING: Nws Failure: errorCode=0x803d0010
    2014-06-14    20:11:08:151     952    538    WS    WARNING: Original error code: 0x80072efd

    2014-06-14    20:11:08:151     952    538    WS    WARNING: Fehler bei der Kommunikation mit dem Endpunkt bei "https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx".
    2014-06-14    20:11:08:151     952    538    WS    WARNING: Fehler beim Senden der HTTP-Anforderung.
    2014-06-14    20:11:08:151     952    538    WS    WARNING: Der Remoteendpunkt konnte nicht erreicht werden.

    (.... and a lot of similar WARNING lines)

    2014-06-14    20:11:12:921     952    538    IdleTmr    WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 2044) stopped; does use network; is at background priority

    --------

    If I create a rule for the whole svchost.exe, the update works fine. Giving all services internet access is however not an option for me. Could you please tell me through which service(s) except wuauserv Windows Update performs its network activities?

    Saturday, June 14, 2014 11:05 PM

All replies

  • I think the whole concept is not good. You should have "something" in between the Internet and your PC that works like a firewall.

    Make sure that port 443 is transparent for update. Log shows it is not...

    Rgds

    Milos

    Sunday, June 15, 2014 3:30 PM
  • Thank you for your answer.

    This is however the one standard answer you always receive whenever you mention application based firewalling and it does not answer my question. A regular protocol / port based firewall is already working fine inside my router. Nevertheless, I do have my reasons for implementing an application based firewall for outgoing traffic on one specific client.

    I also know the log file says that windows update can not reach the update servers on port 443/https. Yet, it does not tell me the exact service names which reported the errors. That's why I would like to know through which windows services wuauserv communicates with the update servers.

    Does anyone know the necessary services? As I said before: On Win7 and Vista wuauserv seemed to be the only service. Which ones are new for Windows Update?

    Thanks in advance!

    Sunday, June 15, 2014 10:07 PM
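The poster's real question is which process and service the outbound-block policy is dropping. The firewall log can answer the process part; the following is an added example, not something from any poster in this thread, and it assumes an elevated prompt, the default pfirewall.log location, and the log's own "#Fields:" header naming the columns (including "path", SEND/RECEIVE, and "pid").

```powershell
# Added example (not from any poster in this thread): identify which process, and
# which svchost-hosted services, the outbound-block policy is dropping.
# Assumptions: elevated prompt; default pfirewall.log location; the log's own
# "#Fields:" header names the columns, including "path" (SEND/RECEIVE) and "pid".
#Requires -RunAsAdministrator
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'

# 1. Dropped packets are not logged by default; turn that on for all profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True -LogFileName $log

# 2. Run "Check for updates", then parse the log for outbound drops to TCP 80/443.
$fields = $null
$drops = foreach ($line in Get-Content -Path $log) {
    if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
    if ($line -like '#*' -or -not $fields -or -not $line.Trim()) { continue }
    $v = $line -split '\s+'
    $rec = @{}
    for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $rec[$fields[$i]] = $v[$i] }
    if ($rec.action -eq 'DROP' -and $rec.protocol -eq 'TCP' -and
        $rec.path -eq 'SEND' -and $rec.'dst-port' -in '80', '443') { [pscustomobject]$rec }
}

# 3. Map each dropping PID to the services living in that process. On 8.1 several
#    services share one svchost, so this narrows the candidates rather than naming one.
$drops | Group-Object -Property pid | ForEach-Object {
    $id   = [int]$_.Name                     # $pid is reserved in PowerShell
    $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Pid      = $id
        Image    = if ($proc) { $proc.ProcessName } else { '(exited)' }
        Drops    = $_.Count
        Targets  = ($_.Group.'dst-ip' | Sort-Object -Unique) -join ','
        Services = (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $id").Name -join ','
    }
}
```

Read the Services column while the svchost process is still alive; once it exits, the PID can no longer be mapped.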
  • Hi,

    Just some thoughts on this issue:

    There are four services related to Windows Update:

    Windows Module installer service

    Cryptographic Services

    Windows update services

    BITS (Background intelligent transfer service)

    And there's a new update service provider named 'Windows Store'.


    Alex Zhao
    TechNet Community Support

    Monday, June 16, 2014 12:11 PM
    Moderator
  • Hi,

    thanks a lot for the information. I have created rules for the following services you mentioned:

    trustedinstaller (Windows Module installer service)

    cryptsvc (Cryptographic Services)

    wuauserv (Windows update services)

    BITS (Background intelligent transfer service)

    WSService (Windows Store)

    Unfortunately it is still not enough. Additionally, I tested the Windows Store Connectivity (The app is granted access too).  Although I can browse online content in the store, the App-Updates do not work either. Maybe there is a common communication interface for both applications?

    Thanks again! I guess we are getting closer to the solution.

    Monday, June 16, 2014 4:09 PM
  • Hi,

    Just a thought, you can test in clean boot mode to see what’s the result.

    If this issue persists, I think we can review your windowsupdate.log to get more information.


    Alex Zhao
    TechNet Community Support

    Friday, June 20, 2014 2:41 AM
    Moderator
  • Hi,

    thanks again for your support. I finally found the time to try your suggestion. I tried clean boot mode (all non-windows-services and startup programs deactivated) and even safe mode. It did not make any difference in clean boot mode and in safe mode the update services are not even running and therefore cannot be tested.

    I really think this issue can be solved with a simple firewall setting. It just may never have occurred before because most people do not limit outgoing traffic. As I said: If I create a rule for svchost.exe without any other limitations, it does work immediately.

    My newest findings however are: If I create a rule for svchost.exe and check "only services" or "only app packages" it does not work. Even if I create general rules which allow all services or all app packages (without any limitation to svchost.exe), it does not work.

    It looks like the problem lies somewhere inside the windows firewall. It must be the way how the windows firewall handles services or how the update services communicate with the internet. If I allow the svchost process, it works. If I allow all services running inside it, it does not work. I had hoped some developers at Microsoft would know how svchost and firewall play together.

    Monday, June 23, 2014 7:16 PM
  • That's really what a firewall set more securely ought to do well, isn't it - block unwanted outbound connections while allowing wanted ones?

    I have been considering setting "Outbound connections that do not match a rule are blocked" myself.  But I wouldn't want to do without Windows Updates.

    I'm replying here mostly because I want to watch this thread; having posted in it, whenever there's activity it will show up in my thread activity list.

    Very interested to see the progress of this...

     

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Monday, June 23, 2014 11:10 PM
  • Are there really no other ideas how to get Windows Update working without allowing the whole svchost.exe?

    I must admit that I am out of ideas right now. It seems completely irrelevant which services I allow. The only working option I found is allowing complete access for svchost.

    At least I am not the only one who seems interested in the topic. Hopefully someone will find a solution for this.

    Anyway: My thanks to all who have answered so far!

    Sunday, June 29, 2014 9:39 AM
  • Same exact concerns/issue.  Even if I could open svchost to specific services/a range of destination addresses, it would be helpful.

    Dave




    Thursday, July 24, 2014 3:18 AM
  • I am hit by the same issue. On Windows 7 it was clear what service needs to be opened to permit Windows Updates, with Windows 8.1 there is a problem.

    Please specify the minimum set of options to make Windows Update under Windows 8.1 work.

    The 4 services that have been listed above + Windows Store service are still not enough to let Windows Update work.

    Saturday, August 2, 2014 1:03 PM
  • I'm having similar problems. My solution was to allow svchost.exe (apply to all programs and services) for TCP ports 80,443 and these IPs: 131.253.61.0/24 157.55.240.0/24 65.55.138.0/24 217.212.252.0/24 62.115.255.0/24 157.66.77.0/24

    This should be enough for Windows Update and Windows Store. Of course they might change at any time, but they're at least working as of today. I haven't checked the blocks if they're actually /24, but they're sufficient for me.

    It seems to be a bug in the firewall and has been around since the introduction of Windows 8. Hope MS would fix it.

    Sunday, August 3, 2014 1:00 PM
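The two rule shapes discussed so far, the OP's per-service binding of svchost.exe and Jani's subnet-restricted fallback, expressed with the NetSecurity cmdlets that ship with Windows 8/8.1. This is an added example, not the OP's or Jani's own commands; it assumes an elevated prompt, uses the service names the OP listed, and the /24 ranges are exactly Jani's posted list rather than an official Microsoft list.

```powershell
# Added example (not the OP's or Jani's own commands): the two rule shapes this
# thread discusses, created with the NetSecurity cmdlets shipped with Windows 8/8.1.
# Assumptions: elevated prompt; the service names are the ones the OP listed and
# the /24 ranges are exactly Jani's posted list, not an official Microsoft list.
#Requires -RunAsAdministrator
$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Shape 1: svchost.exe bound to one service per rule (the approach the OP found insufficient).
foreach ($svc in 'wuauserv', 'BITS', 'CryptSvc') {
    New-NetFirewallRule -DisplayName "WU allow svchost ($svc)" -Direction Outbound -Action Allow `
        -Program $svchost -Service $svc -Protocol TCP -RemotePort 80, 443 -Profile Any | Out-Null
}

# Shape 2: Jani's fallback: svchost.exe for any service, but only to the posted subnets.
$ranges = '131.253.61.0/24', '157.55.240.0/24', '65.55.138.0/24',
          '217.212.252.0/24', '62.115.255.0/24', '157.66.77.0/24'
New-NetFirewallRule -DisplayName 'WU allow svchost (subnets)' -Direction Outbound -Action Allow `
    -Program $svchost -Protocol TCP -RemotePort 80, 443 -RemoteAddress $ranges -Profile Any | Out-Null

# Confirm the default outbound action is really Block, then show what the firewall
# stored for each rule's program, service binding and remote address scope.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'WU allow svchost*' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Service = ($_ | Get-NetFirewallServiceFilter).Service
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}
```

Shape 2 trades the service binding for an address scope, so it needs re-checking whenever the update endpoints move, as the next replies note.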
  • Thanks for this good suggestion. IP-range settings seem the only usable fall-back solution there is. However, if I remember correctly there are loads of different update servers which are subject to natural changes (like moving to other ip-ranges etc.). They may also differ from region to region. So this solution may not prove as stable as a simple application or service based rule.

    What bothers me most is that even on the official Microsoft Technet forum there is no one who can explain how such a rule can be created or why it is impossible. Are there no Microsoft developers out there who are willing to explain the changes made to the update services since Win7? Or is this really a firewall "bug"? Other rules for services like the time update W32Time seem to work just fine.

    Sunday, August 3, 2014 9:09 PM
  • Yes, the IP ranges are likely to vary between the regions. I'm based in Northern Europe.

    I agree with your second point. But it's a common problem with big companies. The knowledge of first-line support is limited, and it's difficult to get in touch with people with insight. There's just too much demand for them.

    Shibboleet (http://xkcd.com/806/, can't post links yet).


    Tuesday, August 5, 2014 6:28 AM
  • Jani,

    Thanks for taking the time to post those IP ranges as they did work, and at least it lowers the security exposure.  I had been enabling/disabling rule as needed because I was really concerned with that exposure and only updating once or twice a year because of that, but with those ranges all being class C I feel confident to leave that firewall rule enabled.

    Just a FYI - I do pick up a virus every now and then, and when I do I want it to have problems sending my information back out.  That is why I do use outbound firewall.


    Dave




    Wednesday, August 6, 2014 3:39 PM
  • Dan, a different strategy, not involving the firewall, for reducing virus exposure is to use the MVPS hosts file, which has the effect of locally resolving a rather large list of "bad" web site names to 0.0.0.0.  In practical terms, this hammers most advertisements and if malware gets onto your computer and tries to reach its home base by accessing a site by name that name may well be in the list of "parasite" web sites.

    It's an idea worth considering.  I use their hosts file.

    http://winhelp2002.mvps.org/hosts.htm

       

    -Noel



    Friday, August 8, 2014 12:36 AM
  • Hi, I'm sorry I don't have an answer for you, but I just wanted to say that I have the exact same problem. In Windows 7 I had a firewall rule for svchost.exe limited to Windows Update service, and that was enough. Since I don't install new apps very often, blocking outbound traffic by default isn't a big inconvenience at all.

    It would have been ideal if Microsoft included a premade outbound rule for Windows Update.

    I'll keep watching this thread for updates.

    Monday, August 11, 2014 8:18 PM
  • I've got the exact same issue on Windows 8.1. Very annoying. @MS: care to fix your bugs? Thx
    Wednesday, August 13, 2014 1:40 PM
  • Sadly it is pretty clear that this one is not a bug (an issue of this magnitude would never have gone through internal testing). I think that Microsoft just doesn't want customers to limit what svchost does. Basically they are just saying either get your updates and send all the data we want or get nothing.

    Also it is a security risk to allow svchost through without binding it to a service(s) because any 3rd party program can use svchost to send data to the interwebs and override firewall rules.

    Saturday, November 1, 2014 1:14 AM
  • One of Hewlett-Packard printer services behaves the same, and that's on Windows 7 as well. Haven't tested on Vista, but it wouldn't surprise me that the same problem exists.

    Thursday, January 1, 2015 6:46 PM
  • Windows 8 upgraded to 8.1 on a Gateway SX2370.  Purchased Sep. 2013. 

    As of Dec. 28, 2014 I have not gotten ANY windows defender updates and windows update has not been working at all. When I go to my start screen and type "update" Windows update still shows in the list, only now when I click on it, it brings up a blank window and can only be closed by right clicking the tab on the taskbar. I cannot max or minimize the window either.

    Up until Dec. 28th it was working perfectly, notifying me when updates were available, almost everyday for windows defender.

    I have tried everything I could find to fix this, even a complete restore, with recovery media made for Win 8.1 and Win 8. Still no windows updates, of anything. To top it off as of Jan. 22, 2015 the Diagnostic Policy Service has stopped and I am denied access when I try restarting it.

    Windows XP was great until MS stopped support. Vista sucked, near as bad as Millennium or 2000. I never tried windows 7 instead going for windows 8, being the most recent version when I could afford a new PC. Adapting to win 8-8.1 was no easy task.

    I'm not a tech guru, but I've owned & used windows from Dos 6.0, '95, '98, '98SE, Millennium, XP, XP home & Pro (sp1-2 & 3) and still have the installation/restore CDs for all of them. Even taught myself how to write the recovery console directly from the hard drive of XP, OEM or full MS versions without using the CDs & now I'm using Windows 8 - 8.1. Getting rid of the recovery console was a BIG mistake in my opinion.

    At one time I had a multi-boot system of win.95, 98, 98SE, Mill., XP home sp2 and XP Pro sp3 on a 1.5 TB self built system. Microsoft told me it was impossible, until I allowed two tech support reps remote access for 5 min.. Which also lead to me being blocked from most MS websites & suggestions windows forums for 3 years.

    But so far, this failure of windows updates and the Diagnostic policy Service in Windows 8.1 has got me stumped. Can ANYONE give me a quick simple way to correct this? Please?

    Thanks for reading this and any help or suggestions anyone has to offer. GOD bless you all and my thanks to every military person, their families and veterans for my freedom. 


    Tuesday, March 3, 2015 10:46 AM
  • Have you tried checking/repairing the servicing database?

    At an elevated command prompt, these commands could repair things for you.  I encourage you to research what they do before typing them...

    DISM /Online /Cleanup-Image /RestoreHealth

    SFC /ScanNow

    Good luck!

    -Noel



    Tuesday, March 3, 2015 8:27 PM
  • Windows 10 inherited this problem. I allow svchost.exe with Windows Update, Cryptographic Services, Background Intelligent Transfer, and Windows Store services. Update still doesn't work unless I allow svchost.exe with no other limitations.

    Please tell me someone figured it out in the 2 years since this thread was started.

    Monday, May 9, 2016 9:00 PM
  • I never did and it sucks.  Someone posted a list of IP subnets that was decent and so I could only leave svchost open to those, and that worked, but a bad work-around and they eventually were not all inclusive of all the updates I needed, etc.  I now have an additional rule for svchost and have to allow svchost out to everywhere to do windows updates, and then I go back and disable that rule.

    Dave



    Monday, May 9, 2016 9:04 PM
  • I figured out a way to do this: in a nutshell, my idea is to run select services in a separate clone of svchost and whitelist that one in the firewall.

    More precisely:

    1. Give yourself full permissions to svchost.exe in explorer (make a screenshot first, so you can restore original permissions later).

    2. Create a symbolic link of svchost in an administrative command prompt:
        mklink /H mysvchost.exe svchost.exe

    3. Restore original permissions to svchost.exe and make sure mysvchost has the same permissions.

    4. In the registry at HKLM\SYSTEM\CurrentControlSet\Services\, choose the services that you want to be able to access the internet. For each desired service, change the key ImagePath by replacing svchost.exe with mysvchost.exe.

    5. Add a firewall rule to allow outgoing traffic for mysvchost.exe.

    6. Restart the affected services or reboot.

    I'm not completely sure what happens when svchost.exe is itself updated. Might be a good idea to occasionally check the file dates of svchost.exe and mysvchost.exe and recreate the symlink if necessary.

    Cheers,
    Uwe

    Tuesday, June 13, 2017 7:19 AM
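The relocation above, scripted end to end, including the check Uwe suggests for a clone that has fallen behind svchost.exe after servicing. This is an added example and not Uwe's own script; it assumes an elevated prompt, uses a plain copy of svchost.exe (as a later post in this thread does) instead of a hard link so svchost.exe's own ACL is never touched, and picks wuauserv and BITS as the relocated services purely for illustration.

```powershell
# Added example (not Uwe's own script): automates the relocation described above.
# Assumptions: elevated prompt; the clone is a plain copy (as in the later 8.1 Embedded
# post) rather than a hard link, so svchost.exe's own ACL is left untouched; wuauserv
# and BITS are the example's choice of services, taken from this thread.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Services   = 'wuauserv', 'BITS'
$Source     = Join-Path $env:SystemRoot 'System32\svchost.exe'
$Clone      = Join-Path $env:SystemRoot 'System32\mysvchost.exe'
$OwnProcess = $false    # $true also applies the later post's Type 0x20 -> 0x10 change
$RuleName   = 'Allow mysvchost.exe outbound'

# 1. Stop the services so the clone can be (re)written while nothing runs from it.
foreach ($svc in $Services) { Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue }

# 2. Create the clone, and refresh it whenever servicing has replaced svchost.exe
#    (Uwe's caveat: the two files silently diverge after an update otherwise).
if (-not (Test-Path $Clone) -or
    (Get-FileHash -Path $Source).Hash -ne (Get-FileHash -Path $Clone).Hash) {
    Copy-Item -Path $Source -Destination $Clone -Force
}

# 3. Repoint ImagePath for each chosen service, keeping its arguments (-k <group> ...).
foreach ($svc in $Services) {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $path = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($path -notmatch '(?i)\\(my)?svchost\.exe') { Write-Warning "$svc is not svchost-hosted ($path); skipped"; continue }
    $new = $path -replace '(?i)\\svchost\.exe', '\mysvchost.exe'   # no-op if already relocated
    Set-ItemProperty -Path $key -Name ImagePath -Value $new -Type ExpandString
    if ($OwnProcess) {
        $type = (Get-ItemProperty -Path $key -Name Type).Type
        Set-ItemProperty -Path $key -Name Type -Value (($type -band (-bnot 0x20)) -bor 0x10) -Type DWord
    }
}

# 4. One outbound rule for the clone only; svchost.exe itself stays blocked.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Program $Clone -Protocol TCP -RemotePort 80, 443 -Profile Any | Out-Null
}

# 5. Start the services again and verify each one really runs inside mysvchost.exe.
foreach ($svc in $Services) {
    Start-Service -Name $svc
    $id  = (Get-CimInstance -ClassName Win32_Service -Filter "Name = '$svc'").ProcessId
    $img = if ($id) { (Get-Process -Id $id).ProcessName } else { 'not running' }
    "$svc -> PID $id ($img)"
}
```

Re-running the script after a cumulative update refreshes the clone in step 2 and leaves the registry and firewall state unchanged.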
  • Brilliant! Thank you Uwe Bubeck!
    Sunday, October 1, 2017 4:26 AM
  • Thanks Uwe Bubeck!

    After moving wuauserv to `mysvchost.exe`, whitelisting `mysvchost.exe` for any TCP port, and whitelisting `svchost.exe` for TCP port 80, it works.

    Only moving the windows update service to mysvchost is not enough, then it finds a few updates but gets stuck on downloading at 0%. I also tried whitelisting the trustedinstaller service (in %systemroot%\servicing) and moving the cryptographic services service to mysvchost, but that did not work either. I could not find the aforementioned 'windows store service' under the short or long name (also not as 'store service' or other likely variants). Instead of whitelisting svchost for TCP/80, one can probably move one service to mysvchost instead, but I do not know which.

    We're slowly getting to a solution! We just have to figure out which service is responsible for downloading...


    Monday, August 13, 2018 7:04 PM
  • Found the service that needs to download updates along with `wuauserv`. It is `DoSvc`. Works perfectly with Uwe Bubeck's solution on Windows 10 Update 1809, may work with Windows 8.1 as well.

    Services to download apps from Microsoft Store: `vlidsvc`, `InstallService` and the UWP application `Microsoft Store` itself.

    Monday, February 4, 2019 1:59 PM
  • Firewall Block Inbound, Block Outbound with Windows Update working in 8.1 Embedded Industry Enterprise.

    1. Use the above idea: copy svchost.exe svchostnet.exe
    2. Whitelist svchostnet.exe in Windows Firewall.
    3. regedit (admin) HKLM\SYSTEM\CurrentControlSet\Services\
    4. BITS ImagePath change svchost.exe to svchostnet.exe
    5. SSDPSRV ImagePath change svchost.exe to svchostnet.exe
    6. wuauserv ImagePath change svchost.exe to svchostnet.exe
    7. wuauserv Type change 0x00000020 to 0x00000010

    Before running Windows Update, download and apply the following update files manually from http://wu.krelay.de/en/


    Wednesday, April 3, 2019 5:56 PM