Windows Firewall and Windows Update (Win 8.1)

Since Windows Vista I have always been using the Windows Firewall with "blocked outgoing traffic". As this is not the default setting, some basic Windows services seem not to be included as firewall rules on the outgoing side.

My problem is with Windows Update:

On Windows Vista and 7 it was sufficient to create a rule for "wuauserv".

On Windows 8.1, however, this seems not to be enough. The UI gives me error code 80240438 and the WindowsUpdate.log shows the following lines:

--------

2014-06-14    20:11:08:150     952    538    IdleTmr    WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 2044; does use network; is at background priority
2014-06-14    20:11:08:151     952    538    WS    WARNING: Nws Failure: errorCode=0x803d0010
2014-06-14    20:11:08:151     952    538    WS    WARNING: Original error code: 0x80072efd

2014-06-14    20:11:08:151     952    538    WS    WARNING: Fehler bei der Kommunikation mit dem Endpunkt bei "https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx".
2014-06-14    20:11:08:151     952    538    WS    WARNING: Fehler beim Senden der HTTP-Anforderung.
2014-06-14    20:11:08:151     952    538    WS    WARNING: Der Remoteendpunkt konnte nicht erreicht werden.

(.... and a lot of similar WARNING lines)

2014-06-14    20:11:12:921     952    538    IdleTmr    WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 2044) stopped; does use network; is at background priority

--------

If I create a rule for the whole svchost.exe, the update works fine. Giving all services internet access is however not an option for me. Could you please tell me through which service(s) except wuauserv Windows Update performs its network activities?

June 14th, 2014 11:05pm
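The log quoted above carries the process ID (952) and thread ID (538) of the component that failed, which is the one piece of information that does identify the svchost.exe instance involved. As an added example (not code from the thread), the following PowerShell parses lines of that format into objects, collapses the repeated warnings into a per-PID summary of error codes and endpoints, and then uses Win32_Service to list which services are hosted in that PID. The sample lines are constructed from the ones quoted in the question; the PID lookup only makes sense on the affected machine while the failing update check is still running, because PIDs change from boot to boot.

```powershell
# Added example, not code from the thread. Parses WindowsUpdate.log lines and
# maps the logging PID to the services hosted in that svchost.exe instance.

# Constructed sample, modelled on the lines quoted in the question.
$SampleLog = @'
2014-06-14    20:11:08:150     952    538    IdleTmr    WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 2044; does use network; is at background priority
2014-06-14    20:11:08:151     952    538    WS    WARNING: Nws Failure: errorCode=0x803d0010
2014-06-14    20:11:08:151     952    538    WS    WARNING: Original error code: 0x80072efd
2014-06-14    20:11:08:151     952    538    WS    WARNING: Fehler bei der Kommunikation mit dem Endpunkt bei "https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx".
2014-06-14    20:11:12:921     952    538    IdleTmr    WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 2044) stopped; does use network; is at background priority
'@

function ConvertFrom-WuLog {
    # Each WindowsUpdate.log line is: date, time, PID, TID, component, message.
    param([string[]]$Lines)
    $rx = [regex]'^(?<date>\d{4}-\d{2}-\d{2})\s+(?<time>[\d:]+)\s+(?<proc>\d+)\s+(?<thread>\d+)\s+(?<comp>\S+)\s+(?<msg>.*)$'
    foreach ($line in $Lines) {
        $m = $rx.Match($line)
        if (-not $m.Success) { continue }          # skip blank or continuation lines
        $msg  = $m.Groups['msg'].Value
        $code = [regex]::Match($msg, '0x[0-9A-Fa-f]{8}')   # HRESULT-style error code
        $url  = [regex]::Match($msg, 'https?://[^\s"]+')   # endpoint named in the message
        $errCode = $null; if ($code.Success) { $errCode = $code.Value }
        $endpoint = $null; if ($url.Success) { $endpoint = $url.Value }
        [pscustomobject]@{
            Time      = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
            ProcessId = [int]$m.Groups['proc'].Value
            ThreadId  = [int]$m.Groups['thread'].Value
            Component = $m.Groups['comp'].Value
            ErrorCode = $errCode
            Endpoint  = $endpoint
            Message   = $msg
        }
    }
}

function Get-WuLogFailures {
    # One row per (PID, error code, endpoint), so a warning repeated hundreds
    # of times in the real log collapses to a short summary with a count.
    param([string[]]$Lines)
    ConvertFrom-WuLog $Lines |
        Where-Object { $_.ErrorCode -or $_.Endpoint } |
        Group-Object ProcessId, ErrorCode, Endpoint |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId = $_.Group[0].ProcessId
                ErrorCode = $_.Group[0].ErrorCode
                Endpoint  = $_.Group[0].Endpoint
                Count     = $_.Count
                FirstSeen = $_.Group[0].Time
            }
        }
}

function Get-SvchostServices {
    # Win32_Service exposes the hosting process id, so the PID from the log
    # tells you which services share that svchost.exe instance.
    param([int]$ProcessId)
    Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, State, PathName
}

# Usage on the constructed sample:
$failures = Get-WuLogFailures ($SampleLog -split "`r?`n")
$failures | Format-Table -AutoSize

# On the affected machine, while the failing update check is running
# (the PID must still be alive), for the PID seen in the log:
# Get-SvchostServices -ProcessId ($failures[0].ProcessId)
```

On the sample, the summary shows three rows for PID 952: the two error codes and the client.asmx endpoint. The service list returned for that PID is what a service-bound outbound rule has to cover; comparing it against the rules you created is a quicker check than trial and error.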

I think the whole concept is not good. You should have "something" in between Internet and your PC, that is working like firewall.

Make sure that port 443 is transparent for update. Log shows it is not...

Rgds

Milos

June 15th, 2014 3:30pm

Thank you for your answer.

This is however the one standard answer you always receive whenever you mention application based firewalling and it does not answer my question. A regular protocol / port based firewall is already working fine inside my router. Nevertheless, I do have my reasons for implementing an application based firewall for outgoing traffic on one specific client.

I also know the log file says that Windows Update cannot reach the update servers on port 443/https. Yet, it does not tell me the exact service names which reported the errors. That's why I would like to know through which Windows services wuauserv communicates with the update servers.

Does anyone know the necessary services? As I said before: On Win7 and Vista wuauserv seemed to be the only service. Which ones are new for Windows Update?

Thanks in advance!

June 15th, 2014 10:07pm

Hi,

Just some thoughts on this issue:

There are four services related to Windows Update:

Windows Module installer service

Cryptographic Services

Windows update services

BITS (Background intelligent transfer service)

And there's a new update service provider named 'Windows Store'.

June 16th, 2014 12:11pm

Hi,

thanks a lot for the information. I have created rules for the following services you mentioned:

trustedinstaller (Windows Module installer service)

cryptsvc (Cryptographic Services)

wuauserv (Windows update services)

BITS (Background intelligent transfer service)

WSService (Windows Store)

Unfortunately it is still not enough. Additionally, I tested the Windows Store connectivity (the app is granted access too). Although I can browse online content in the store, the app updates do not work either. Maybe there is a common communication interface for both applications?

Thanks again! I guess we are getting closer to the solution.

June 16th, 2014 4:09pm

Hi,

Just a thought, you can test in clean boot mode to see what's the result.

If this issue persists, I think we can review your windowsupdate.log to get more information.

June 20th, 2014 2:41am

Hi,

thanks again for your support. I finally found the time to try your suggestion. I tried clean boot mode (all non-Windows services and startup programs deactivated) and even safe mode. It did not make any difference in clean boot mode, and in safe mode the update services are not even running and therefore cannot be tested.

I really think this issue can be solved with a simple firewall setting. It just may never have occurred before because most people do not limit outgoing traffic. As I said: If I create a rule for svchost.exe without any other limitations, it does work immediately.

My newest findings however are: If I create a rule for svchost.exe and check "only services" or "only app packages" it does not work. Even if I create general rules which allow all services or all app packages (without any limitation to svchost.exe), it does not work.

It looks like the problem lies somewhere inside the Windows Firewall. It must be the way the Windows Firewall handles services or how the update services communicate with the internet. If I allow the svchost process, it works. If I allow all services running inside it, it does not work. I had hoped some developers at Microsoft would know how svchost and the firewall play together.

June 23rd, 2014 7:16pm

That's really what a firewall set more securely ought to do well, isn't it - block unwanted outbound connections while allowing wanted ones?

I have been considering setting "Outbound connections that do not match a rule are blocked" myself.  But I wouldn't want to do without Windows Updates.

I'm replying here mostly because I want to watch this thread, and having posted in it, whenever there's activity it will show up in my thread activity list.

Very interested to see the progress of this...

 

June 23rd, 2014 11:10pm

Are there really no other ideas how to get Windows Update working without allowing the whole svchost.exe?

I must admit that I am out of ideas right now. It seems completely irrelevant which services I allow. The only working option I found is allowing complete access for svchost.

At least I am not the only one who seems interested in the topic. Hopefully someone will find a solution for this.

Anyway: My thanks to all who have answered so far!

June 29th, 2014 9:39am

Same exact concerns/issue.  Even if I could open svchost to a specific services/range of destination addresses, it would be helpful.

July 24th, 2014 3:18am

I am hit by the same issue. On Windows 7 it was clear what service needs to be opened to permit Windows Updates, with Windows 8.1 there is a problem.

Please specify the minimum set of options to make Windows Update under Windows 8.1 work.

The 4 services that have been listed above + Windows Store service are still not enough to let Windows Update work.

August 2nd, 2014 1:03pm

I'm having similar problems. My solution was to allow svchost.exe (apply to all programs and services) for TCP ports 80,443 and these IPs: 131.253.61.0/24 157.55.240.0/24 65.55.138.0/24 217.212.252.0/24 62.115.255.0/24 157.66.77.0/24

This should be enough for Windows Update and Windows Store. Of course they might change at any time, but they're at least working as of today. I haven't checked the blocks if they're actually /24, but they're sufficient for me.

It seems to be a bug in the firewall and has been around since the introduction of Windows 8. Hope MS would fix it.

  • Edited by Jani, Sunday, August 03, 2014 1:02 PM Added last paragraph
  • Proposed as answer by Jani, Tuesday, August 05, 2014 6:28 AM
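The two approaches discussed in this thread, service-bound rules (what the original poster created for wuauserv, BITS, cryptsvc, TrustedInstaller and WSService, and reports as insufficient on 8.1) and Jani's fallback of a svchost.exe rule scoped to TCP 80/443 and a fixed set of address ranges, as an added PowerShell example that is not code from the thread. It assumes an elevated PowerShell on the Windows 8.1 client with the NetSecurity module (New-NetFirewallRule and related cmdlets). The service names and the address ranges are the ones posted in the thread; the rule display names and the Get-UpdateRuleScope helper are my own.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the
# Windows 8.1 client; requires the NetSecurity module (New-NetFirewallRule etc.).
$Svchost = "$env:SystemRoot\System32\svchost.exe"

# 1. The posture the thread is about: outbound traffic is blocked unless a rule allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Service-bound rules: the tight form that was sufficient on Vista/7. A rule
#    keyed on -Service follows the service whichever process hosts it, so no
#    -Program is needed (TrustedInstaller, for one, does not run inside svchost.exe).
$UpdateServices = 'wuauserv', 'BITS', 'cryptsvc', 'TrustedInstaller', 'WSService'
foreach ($svc in $UpdateServices) {
    New-NetFirewallRule -DisplayName "Allow outbound $svc (Windows Update)" `
        -Direction Outbound -Action Allow -Profile Any `
        -Service $svc -Protocol TCP -RemotePort 80, 443 | Out-Null
}

# 3. Jani's fallback for 8.1: svchost.exe as a whole, but only TCP 80/443 and only
#    to the ranges posted in the thread (a snapshot; the thread itself notes they
#    may change over time and differ by region).
$UpdateRanges = '131.253.61.0/24', '157.55.240.0/24', '65.55.138.0/24',
                '217.212.252.0/24', '62.115.255.0/24', '157.66.77.0/24'
New-NetFirewallRule -DisplayName 'Allow svchost.exe to Windows Update ranges' `
    -Direction Outbound -Action Allow -Profile Any `
    -Program $Svchost -Protocol TCP -RemotePort 80, 443 `
    -RemoteAddress $UpdateRanges | Out-Null

# 4. Verify the scope actually stored for each rule (program, service, ports,
#    addresses), so a typo does not silently leave svchost.exe open to everything.
function Get-UpdateRuleScope {
    Get-NetFirewallRule -Direction Outbound -Action Allow |
        Where-Object { $_.DisplayName -like 'Allow*Windows Update*' } |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $svc  = $_ | Get-NetFirewallServiceFilter
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Enabled       = $_.Enabled
                Program       = $app.Program
                Service       = $svc.Service
                RemotePort    = ($port.RemotePort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}
Get-UpdateRuleScope | Format-Table -AutoSize

# 5. Keep the broad svchost.exe rule disabled between update runs (the
#    enable/disable routine described later in the thread), so the window in
#    which any svchost-hosted code can reach those ranges stays small.
Disable-NetFirewallRule -DisplayName 'Allow svchost.exe to Windows Update ranges'
# ... and right before checking for updates:
# Enable-NetFirewallRule -DisplayName 'Allow svchost.exe to Windows Update ranges'
```

The verification step matters more than it looks: a svchost.exe rule whose RemoteAddress column comes back empty is an "allow everything" rule for every service in that process, which is exactly the exposure the thread is trying to avoid.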
August 3rd, 2014 1:00pm

Thanks for this good suggestion. IP-range settings seem the only usable fall-back solution there is. However, if I remember correctly there are loads of different update servers which are subject to natural changes (like moving to other ip-ranges etc.). They may also differ from region to region. So this solution may not prove as stable as a simple application or service based rule....

What bothers me most is that even on the official Microsoft Technet forum there is no one who can explain how such a rule can be created or why it is impossible. Are there no Microsoft developers out there who are willing to explain the changes made to the update services since Win7? Or is this really a firewall "bug"? Other rules for services like the time update W32Time seem to work just fine.

August 3rd, 2014 9:09pm

Yes, the IP ranges are likely to vary between the regions. I'm based in Northern Europe.

I agree with your second point. But it's a common problem with big companies. The knowledge of first-line support is limited, and it's difficult to get in touch with people with insight. There's just too much demand for them.

Shibboleet (http://xkcd.com/806/, can't post links yet).


  • Edited by Jani, Wednesday, August 06, 2014 5:11 PM Typo
August 5th, 2014 6:28am

Jani,

Thanks for taking the time to post those IP ranges as they did work, and at least it lowers the security exposure. I had been enabling/disabling the rule as needed because I was really concerned with that exposure and only updating once or twice a year because of that, but with those ranges all being class C I feel confident to leave that firewall rule enabled.

Just a FYI - I do pick up a virus every now and then, and when I do I want it to have problems sending my information back out.  That is why I do use outbound firewall.

August 6th, 2014 3:39pm

Dan, a different strategy, not involving the firewall, for reducing virus exposure is to use the MVPS hosts file, which has the effect of locally resolving a rather large list of "bad" web site names to 0.0.0.0.  In practical terms, this hammers most advertisements and if malware gets onto your computer and tries to reach its home base by accessing a site by name that name may well be in the list of "parasite" web sites.

It's an idea worth considering.  I use their hosts file.

http://winhelp2002.mvps.org/hosts.htm

   

August 8th, 2014 12:36am

Hi, I'm sorry I don't have an answer for you, but I just wanted to say that I have the exact same problem. In Windows 7 I had a firewall rule for svchost.exe limited to Windows Update service, and that was enough. Since I don't install new apps very often, blocking outbound traffic by default isn't a big inconvenience at all.

It would have been ideal if Microsoft included a premade outbound rule for Windows Update.

I'll keep watching this thread for updates.

August 11th, 2014 8:18pm

I've got the exact same issue on Windows 8.1. Very annoying. @MS: care to fix your bugs? Thx
August 13th, 2014 1:40pm

Sadly it is pretty clear that this one is not a bug (an issue of this magnitude would never have gone through internal testing). I think that Microsoft just doesn't want customers to limit what svchost does. Basically they are just saying either get your updates and send all the data we want or get nothing.

Also it is a security risk to allow svchost through without binding it to a service (or services), because any 3rd-party program can use svchost to send data to the interwebs and override firewall rules.

November 1st, 2014 1:14am

One of Hewlett-Packard printer services behaves the same, and that's on Windows 7 as well. Haven't tested on Vista, but it wouldn't surprise me that the same problem exists.

January 1st, 2015 6:46pm

Windows 8 upgraded to 8.1 on a Gateway SX2370.  Purchased Sep. 2013. 

As of Dec. 28, 2014 I have not gotten ANY Windows Defender updates and Windows Update has not been working at all. When I go to my start screen and type "update", Windows Update still shows in the list, only now when I click on it, it brings up a blank window that can only be closed by right-clicking the tab on the taskbar. I cannot maximize or minimize the window either.

Up until Dec. 28th it was working perfectly, notifying me when updates were available, almost every day for Windows Defender.

I have tried everything I could find to fix this, even a complete restore, with recovery media made for Win 8.1 and Win 8. Still no Windows updates, of anything. To top it off, as of Jan. 22, 2015 the Diagnostic Policy Service has stopped and I am denied access when I try restarting it.

Windows XP was great until MS stopped support. Vista sucked, nearly as bad as Millennium or 2000. I never tried Windows 7, instead going for Windows 8, being the most recent version when I could afford a new PC. Adapting to Win 8-8.1 was no easy task.

I'm not a tech guru, but I've owned & used Windows from DOS 6.0, '95, '98, '98SE, Millennium, XP, XP Home & Pro (SP1-2 & 3) and still have the installation/restore CDs for all of them. Even taught myself how to write the recovery console directly from the hard drive of XP, OEM or full MS versions, without using the CDs, & now I'm using Windows 8 - 8.1. Getting rid of the recovery console was a BIG mistake in my opinion.

At one time I had a multi-boot system of Win 95, 98, 98SE, Mill., XP Home SP2 and XP Pro SP3 on a 1.5 TB self-built system. Microsoft told me it was impossible, until I allowed two tech support reps remote access for 5 min. Which also led to me being blocked from most MS websites &?suggestions windows forums for 3 years.

But so far, this failure of Windows Update and the Diagnostic Policy Service in Windows 8.1 has got me stumped. Can ANYONE give me a quick simple way to correct this? Please?

Thanks for reading this and any help or suggestions anyone has to offer. GOD bless you all and my thanks to every military person, their families and veterans for my freedom. 


  • Edited by Gnojuan Tuesday, March 03, 2015 10:51 AM
March 3rd, 2015 10:46am

Have you tried checking/repairing the servicing database?

At an elevated command prompt, these commands could repair things for you. I encourage you to research what they do before typing them...

DISM /Online /Cleanup-Image /RestoreHealth

SFC /ScanNow

Good luck!

-Noel

March 3rd, 2015 8:27pm

This topic is archived. No further replies will be accepted.
