Windows 10 Updates killing the network

Question

I came across a post today and it mirrors my own experience with Windows 10 updates. 
 A single new Surface Pro killed our internet connection. 
 Whirlpool post https://forums.whirlpool.net.au/forum-replies.cfm?t=2530363 
 My original question https://community.sophos.com/products/xg-firewall/f/131/t/75586 
 Would love to know how to mitigate this.

DavidOkeyode · Accepted Answer

If you're on v16, you can resolve by doing the following: 
 Disable Anti-Virus Scanning for Windows 10 clients by using the option below 
 
 WebAdmin --> Protect --> Web --> Exceptions --> Microsoft Windows Update --> Set to "ON" 
 
 I'll write up how to create the same exception for v15.

FabioTerrone · Answer

Last weekend we had some problems with different client Win 10 Pro and a new XG firewall. Some details from client sides: the services responsable was netsvc.exe that involves windows update. 
 As we terminate that service the bandwidth will be free. 
 Currently the firewall has only one policy configured to allow the Internet navigation. 
 The workround that solved the congestion is: Inside Network rule, Section Malware Scanning we try to unflag Scan FTP and Scan HTTP . 
 As we unflagged that 2 option the traffic became normal. 
 I know that is not a secure solution but it works. 
 We have not other security policies as it is a new network. 
 So very interesting if this workaround could help to find the right solution to the issue. 
 If microsoft uses now htpp and zip file as seems from comments, and if I unflagged scan Http maybe the investigations could go what happens into firewall when is analyzed this kind of traffic or these recent updates. I can add that the log shows like 12 GB of download all coming from Microsoft but I think that impossible an update of 12 GB. So it is only a theory that updates is some way goes in loop and try to download more and more and the band is satured.

jak · Answer

Does this help reduce the load? 
 https://privacy.microsoft.com/en-US/windows-10-windows-update-delivery-optimization https://technet.microsoft.com/en-gb/itpro/windows/manage/waas-delivery-optimization

Murphdog · Answer

We had similar issues with Windows Updates on Win7 and Win 10 machines. Automatic updates would seem to get stuck and use 100's of GB in a day per machine and never update. Manual updates would fail also. I did add the exceptions seen in numerous threads in the forums. Even the Windows Update Exception that appeared with newer firmware did not work. After watching traffic on my firewall I saw two IP's that go to Verizon on behalf of Microsoft. I added one to my existing Protect>Web>exception rule. That allowed the update to start and not finish. The second IP allowed the update to finish. After adding those IP's all my sites now update. I'm sure it will break again :) Hope this helps your issue. 
 
 Here is what I have in Protect>Web>exception: 
 
 Matching URLs: 
 100.41.15.48 
 100.41.15.50 
 ^([A-Za-z0-9.-]*\.)?microsoft\.com/ 
 ^([A-Za-z0-9.-]*\.)?windows\.com/ 
 ^([A-Za-z0-9.-]*\.)?windowsupdate\.com/

FabioTerrone · Answer

Well I think that this is could be a solution in combination with the exclusion of Windows Update from Web, maybe not for all situations but currently seems to solve to my case. 
 XG 115 with last firmware with 10 Win10, suddendly yestarday the band (not so much 10/10 Mbps) was destroyed in downloading. Since Decemeber never killed in this way. 
 I start to disconnect each by eacy client PC win10 and the band was always killed. Finally the last one was the killing PC !!! 
 Please try this test if you have fews PC: it is the truth. Unplug cable of the right PC (or more than one) and Internet works fine. 
 
 So I checked how the windows update was set and I find " PCs on your local network and PCs on the Internet. " 
 Here&rsquo;s how to change: 
 
 Go to Start , then Settings  > Update & security > Windows Update , and then select Advanced options. 
 On the Advanced options page, select Choose how updates are delivered , and then use the toggle to turn Delivery Optimization off. When turned off, you'll still get updates and apps from Windows Update and from the Windows Store. 
 
 If you&rsquo;d just like to stop downloading updates and apps from PCs on the Internet, select just PCs on my local network . 
 Also to check if there is some update (also very smal) that doesn't successfully complete. 
 But I also add the exception inside Firewall regarding Windows update but not sure who was responsable of the solution like temporal sequence. 
 
 So check how the Windows update run and in any case add exclusion inside Firewall. 
 I add also another idea: as the windows update could have "peer-to-peer functionality of Delivery Optimization" if we have some rule that block peer-to-peer that could hang the windows update process and the windows update start agian and again. Take a look also to the graphics use of the band I had continuous full trottle for like 10 minutes after 1-2 minute of relax and again start for about 10 miunte full use of the band. This could be a process of updating that start and when should fineshed it stop and strat again.

Tony John · Answer

Many people like me have got fed up with auto updates of Windows 10. In earlier version, we used to get an option to turn off Windows updates and can set it as per our choice whenever we want to install updates. But I don't why Microsoft had done this with Windows 10. 
 
 I got help from this website to disable automatic Windows update http://www.howali.com/2017/06/how-to-disable-turn-off-stop-windows-10-automatic-updates.html 
 
 Check if it works for you. 
 
 Regards, 
 Tony John

sachingurung · Answer

Hi David, 
 If the windows or microsoft updates are still bothering you, try to configure Application based QoS policy and apply it in the Firewall Rule. Please refer: https://community.sophos.com/kb/en-US/123062 . 
 Thanks

DavidOkeyode · Answer

DavidMcLaughlin1 Arjan deJongste ChrisMeyers - This looks more like a Windows 10 issue than an XG firewall issue. Any reasons why you're not using the option to get updates from local PCs on your network in Windows 10? Start --> Settings --> Update and Security --> Windows Updates --> Advanced Options --> Choose how updates are delivered --> PCs on my local network 
 Also, if indeed Microsoft has removed the option to throttle Windows update traffic using BITS, and you're not using WSUS for bandwidth management, then you can follow the documentation that Sachin provided to create a traffic shaping policy - https://community.sophos.com/kb/en-US/123062 
 i. Verify that an application list exists for Microsoft Updates already 
 Object --> Content --> Application List --> Microsoft Updates ii. Create a new traffic shaping policy to apply the limits that you want Object --> Policies --> Traffic Shaping Policy Association --> Application Rule Type --> Limit Priority --> Lowest or whatever you want to set Bandwidth --> Set the percentage of the bandwidth that you want Bandwidth Usage Type --> Most likely Shared iii. Apply the traffic shaping policy to an application Object --> Policies --> Global App Traffic Shaping Expand Software Updates --> Look for Microsoft Updates --> Edit it and apply the newly created policy iv. Apply the traffic shaping policy to the Internet Access security policy Edit the security policy In the "Policy for User Applications" section, Change Application Control to "Allow All" and Select the option to "Apply Application-based Traffic Shaping Policy"

sachingurung · Answer

Hi Bruno, 
 Thanks for the information. Can you capture some information and write down to support asap. 
 Information needed for QoS: 
 
 system diagnostics utilities connections v4 show dest_ip <IP> --> This shows the bandwidth id, pls note what bw id is applied for the connection 
 Screenshot of Packet capture on GUI. Refer : https://community.sophos.com/kb/en-us/123189 
 System --> System Services --> Traffic shaping settings -- Both the configuration and the Bandwidth usage info 
 ipset -L bandwidthset -- Shows if ipsets are create 
 
 Verify whether the QoS services are UP and running. Take SSH to XG and go to Advance Shell, execute the command: service bwm: status -ds nosync 
 After capturing the described information, please write to support and ask an escalation on the case. This is enough information for an escalation and you can reference them to the community post as well. 
 Thanks

Sunita Kumari · Answer

But simple updating the network adapter driver can relieve you from the pain.

Aditya Patel · Answer

HI All, 
 Have you tried this , 
 In application filter , you would need to block application BITS . If you check your Reports you would notice that BITS would take a large bandwidth . 
 Hope this would help ,.