WSS Agent 7.4.1 users in multi-user mode (MCU=1) failing to get Windows updates
Users see that updates remaining at 0% progress for many days on machines
WSS agent 6.1.1 running Windows updates without any issues
WSS Agent 7.4.1 users in single user mode (MCU=0) get Windows updates successfully
Microsoft windows update process now running as a protected process where WSSA agent does not have access to all information
Application bypass was added to WSSA 7.x code base, and the need to identify process information to determine which tunnel to send traffic to was required (assuming multi-user mode). Without ability to do this, communications failed.
Protected processes in Windows can be applied to many different applications - including system processes, antivirus (SEP is actually a protected process), multimedia players (to help enforce DRM), etc. All that is required for a process to be protected is for it to be compiled with some additional attributes in its manifest.
The problem with protected processes lies in the fact that, in the above use case, WSSA is unable to read the executable or user information about those processes from the system and is unable to direct the traffic through the correct tunnel.
Single-tunnel mode addresses this limitation by sending all traffic through a single tunnel. However, when operating with multiple concurrent users, traffic still flows through multiple tunnels but unidentified traffic is blocked.