
Windows updates fail and remain at 0% progress with WSS agent 7.x running in multi user mode


Article ID: 229472


Products

Web Security Service - WSS

Issue/Introduction

WSS Agent 7.4.1 users in multi-user mode (MCU=1) fail to get Windows updates.

Users see updates remaining at 0% progress for many days on machines.

WSS Agent 6.1.1 runs Windows updates without any issues.

WSS Agent 7.4.1 users in single-user mode (MCU=0) get Windows updates successfully.


Cause

The Microsoft Windows Update process now runs as a protected process, for which the WSS Agent (WSSA) does not have access to all process information.

Application bypass was added to the WSSA 7.x code base, which made it necessary to identify process information in order to determine which tunnel to send traffic to (assuming multi-user mode). Without the ability to do this, communications failed.

Resolution

Upgrade the WSS Agent to 7.5.1 or later.

If on older agent code, multiple workarounds exist:

  • run the WSSA 6.x code
  • install any pre-7.5.1 WSSA agent with the MCU=0 parameter
  • bypass Windows Update domains from WSS

Additional Information

Protected processes in Windows can be applied to many different applications - including system processes, antivirus (SEP is actually a protected process), multimedia players (to help enforce DRM), etc. All that is required for a process to be protected is for it to be compiled with some additional attributes in its manifest.

The problem with protected processes lies in the fact that, in the above use case, WSSA is unable to read the executable or user information about those processes from the system and is therefore unable to direct the traffic through the correct tunnel.

Single-tunnel mode addresses this limitation by sending all traffic through a single tunnel. However, when operating with multiple concurrent users, traffic still flows through multiple tunnels, but unidentified traffic is blocked.