Secret Windows Update Process?

[Bayer A.User]

No arguments about the what or when,Noel. With my setup Defender auto updates via Akamai too.  My question is the means that it gets through my firewall.  Only two possible ways.
#1 Default allow all outbound(Everything including WU) Not what i normally use.
#2 Block all outbound except for MY rules( i have to create a custom rule to allow Defender updates) The crazy thing is the custom rule was for "wuauserv" and it works !
Enabling wuauserv to get out does in fact allow Defender to update. Disabling this rule prevents Defender updates. No Doubt about it. As you and i both know,allowing WU out will/should result in a search-check for updates & either dwnld/install of them or the famous "your system is up to date" message.Not the case for me.  With my setup(dedicated rule for specific wuauserv) i get all the Defender virus & spyware defins which i DO want, and yet WU can NOT access the internet which i also want.All along WU is enabled and or running.  Having my cake and eating it too !

Your setup and mine probably like apples n oranges. Whats important is the end result.
NO surprise update/upgrades or restarts. Minimal autonomous online activity. 
We have control, not MSFT.

I'm convinced that they are transitioning to a new update process and eventually will scuttle the old wuauserv.   Just need to figure out "how"

[Techie007]

    Not sure if I'm following you completely, but I do know that wuauserv doesn't (and never has) downloaded updates.  Historically, updates have been downloaded by BITS, and now in Windows 10, they are downloaded by DoSvc.  wuauserv is just the coordinating brains behind update download scheduling.

[Bayer A.User]

Sept 17, 2016 10:48:37 GMT -6 Techie007 said:

    Not sure if I'm following you completely, but I do know that wuauserv doesn't (and never has) downloaded updates.  Historically, updates have been downloaded by BITS, and now in Windows 10, they are downloaded by DoSvc.  wuauserv is just the coordinating brains behind update download scheduling.

"transfering files in background" from the update servers.WU would never work at all without BITS. Sure Techie, I understand that.
But the Delivery optimization service isn't the only way that 10 gets it's updates. When DoSvc was first introduce there was a bug in the GUI that caused it to always default to ON/PC's on the internet. I never trusted it since then. Always completely removed it( and branchcache) from all my 10 installs.
Without it i never had any trouble getting any and all updates,KB's,cumulatives, version upgrades whenever i went to default allow all firewall and ran WU. More inplace version upgrades than i can count and never a problem.  Like i said Home,Pro,Enterprise were always consistent month after month with the exact same setup.

What puzzles me is that with my firewall the only problem i ever had was getting Defender to connect through it for updates. 10 months ago i said screw it and ran BitDefender and AVG for a while because i could easily create an outbound rule for their executables.

6months ago i created a generic outbound rule for wuauserv and it worked like a charm for getting Defender updates through the firewall, Yet the Win10 WU could NOT. Which as i've said is what i wanted in the first place.  Been doing it like this ever since.

[Noel]

The Sphinx firewall setup I have set up doesn't differentiate for the individual services.  So if there has been a change as to which service is actually doing the coordination or communications, my firewall setup would not care.  My experience has been that the Base Filtering Engine has some trouble differentiating between individual services, which may bear on this discussion and your findings.

The zone I have created to facilitate Windows Updates specifically allows svchost to contact the following.  Not all of these are contacted in any one update check, and it may be that some of these servers only provide data for older Windows systems (I use the same zone for Win 7, 8.1, and 10 systems):

• sls.update.microsoft.com
• fe2.update.microsoft.com
• fe2.ws.microsoft.com
• ds.download.windowsupdate.com
• download.windowsupdate.com
• fg.ds.download.windowsupdate.com
• v4.download.windowsupdaete.com
• au.v4.download.windowsupdate.com
• fg.v4.download.windowupdate.com
• officeclient.microsoft.com
  

Normally the above are not allowed, but I reconfigure the firewall's svchost "application" entry to temporarily point to this zone when I choose to initiate updates.

There are also several Microsoft servers I always allow to be contacted, as they are involved with ongoing secure communications and certificate verification operations:

• ctldl.windowsupdate.com
• crl.microsoft.com
• mscrl.microsoft.com
• ocsp.msocsp.com
  

Some possibly pertinent observations:

On Windows 10, I normally initiate an update check through the WUShowHide tool before actually requesting an update via the Settings App.  Then if I see important updates available, I consider whether initiate the activity to install them.  During the WUShowHide update check, the following sites are normally contacted:

• ctldl.windowsupdate.com
• sls.update.Microsoft.com
• fe2.update.microsoft.com
• ds.download.windowsupdate.com

Once I initiate an actual update via Settings, these same servers (and sometimes others, depending on available upates) are contacted.

I haven't seen evidence lately that Windows 10 contacts a different set of servers - or the same ones in a different way - than it has all along.  Frankly, the logged contacts during an update check seem the same.  That's not saying it's not implemented differently, but just that it doesn't look different to me given the tools I'm using.  I'm highly interested in this subject because like you I believe strongly that we need to know the details in order to maintain good control of our systems.

Normally, when I start Windows Update I do it like this:  I reconfigure the Windows Update from Disabled to Manual, manually Start it, then configure it back to Disabled.  That way after the reboot that always seems necessary after updates are installed it doesn't come back on.  Somehow I suspect this will still be effective in the future, though I can imagine possibly the specific service could be different.  If Microsoft merges it with another service that's needed full-time, in my case (and I suspect yours as well, Bayer) the firewall reconfiguration will still prevent updates.

In the past I have had to ALSO reconfigure the Windows Firewall service from Disabled to Manual and Start it, even though I have left no rules defined.  Normally I don't need the Windows Firewall at all, since Sphinx does the whole job, but some part of the Windows Update service seems to require it to be running.

Windows 10's Windows Update service, when started, MAY choose to initiate some communications - or it may wait until I initiate an update to start comms.  If I wait too long (e.g., > 5 minutes) to initiate the update check, I find the Windows Update service just stops itself.

This seems to be at odds with (or at least augments) your observations:  On my setup, when Windows Defender cannot update directly through Windows Update (i.e., because I have the service Disabled), I see it fall back to running the definitions download with its own component: C:\program files\windows defender\mpcmdrun.exe.  I see it do this roughly once a day.  For this I have defined a separate, specific zone that allows contact with these servers:

• go.microsoft.com
• www.microsoft.com
• definitionupdates.microsoft.com

In summary, I think these things are important in combination to maintain control of Win 10 updates:

• Use gpedit.msc to reconfigure this setting:
  
  Computer Configuration > Administrative Templates > Windows Components > Windows Update
  
      Configure Automatic Updates:  Disabled
  
  
• Disable the Windows Update service (and possibly other(s)?) when not initiating updates manually.
  
  
• Use the WUShowHide tool to check for updates without giving the system the green light to go ahead and install them, then vet them - even if they're cumulative.  There may still be occasions where hiding such updates may make sense.
  
  
• Reconfigure the firewall to disallow automatic updates between runs.  Depending on choice of firewall, this could be more or less difficult.  Sphinx (latest beta) now allows configuration of servers by name, so the fact that Microsoft uses content delivery networks doesn't make it difficult to be specific.
  

-Noel

[Bayer A.User]

Noel, you magnificent bastard I READ YOUR BOOK !apologies to george c scott/PATTON 
The plot thickens....
First this, We know 10 is a hodgepodge of old & new code. mostly 8.1,8, 7
As Techie007 has mentioned(i noticed it as well)  Win10 updates a lot faster.....
Example: MSE manual update in 7 would search,begin dwnld then search again, begin install and search again then finally finish updating definitions.
               Defender in 10 would search,dwnld, install defin updates in 3 seconds or so.

So, i disabled my custom outbound rule and created a new one for Defender updates.
C:\Program Files\Windows Defender\MpCmdRun.exe
Made note of the current Defender defins, then manually updated Defender.
Immediately the pop up box states there was a failure to connect/check internet connection.
I closed that and watched Defender search,find,begin dwnld then search again,begin install and finally complete the defin updates in a very similar way to 7.  Not the usual almost instantaneous way 10 always did.  

My setup otherwise was unchanged.  

I think this proves that the current version of 10 has an eclectic mix of old/new ways to connect and update AND "the left hand doesn't know what the right hand is doing"

[Noel]

>"the left hand doesn't know what the right hand is doing"

Amen to that, brother.

It occurs to me that there are probably big blocks of code in Windows that no one inside Microsoft knows how to work on. The traditional approach would be to re-engineer it from a new (and maybe even improved) design, but something tells me they don't have the talent for that.

-Noel

[Bayer A.User]

Here we go again.  14393.351 Home
My firewall rules, No Win10 updates unless i allow them.DoSvc(multiple source)updates disabled,The "mystery update" process with 10.....
More proof of the schizophrenic mix of old and new update mechanisms that run parallel  in Win10. "The left hand doesn't know what the right hand is doing" 
Defender updates it's definitions fine automatically or manually because i created a custom outbound rule in the firewall.
The system insists that defins could NOT be updated because of a lack of an internet connection which is obviously incorrect.
The system contradicts itself.

[Bayer A.User]

[Noel]

Ya, on my Win 7 system I regularly get these sequential event messages:

Microsoft Antimalware has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.231.1206.0
Update Source: Microsoft Update Server
Update Stage: Search
Source Path: Default URL
Signature Type: AntiVirus
Update Type: Full
User: NT AUTHORITY\SYSTEM
Current Engine Version:
Previous Engine Version: 1.1.13202.0
Error code: 0x80070422
Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

-then-

Microsoft Antimalware signature version has been updated.
Current Signature Version: 1.231.1216.0
Previous Signature Version: 1.231.1206.0
Signature Type: AntiVirus
Update Type: Delta
User: NT AUTHORITY\NETWORK SERVICE
Current Engine Version: 1.1.13202.0
Previous Engine Version: 1.1.13202.0

-Noel