Windows

Windows Update Stuck at 0% with 0x800706D9? Turn the Firewall Service Back ON

Q: Still failing after the firewall service is on?

Check RpcSs/RpcEptMapper (above), then reset Windows Update components. If updates roll back after installing, see the "Undoing changes" fix.

Published June 10, 2026 · by The FixHub Team

Windows Update sits at 0% and never moves, eventually failing with 0x800706D9. This is especially common on Windows Server 2016, where BITS is the default download manager.

Why the popular advice makes it worse: a lot of “fix Windows Update” articles tell you to disable the firewall while troubleshooting. For this error that’s exactly backwards. 0x800706D9 is EPT_S_NOT_REGISTERED, and the most common verified cause is that the Windows Defender Firewall service (MpsSvc) is stopped or disabled — the Windows Update agent depends on that service for its network communication. Microsoft also states that stopping the Windows Firewall service is not supported. So the fix is to turn the service back on, not off.

0x800706D9 has a few documented causes (the firewall service is the common one; corrupted firewall registry keys, or the RpcSs / RpcEptMapper services not running, are others). Start with the firewall service.

The fix: re-enable the Windows Defender Firewall service

Run an elevated Command Prompt (or PowerShell):

sc config MpsSvc start= auto
sc start MpsSvc

(Note the space after start= — that’s required sc syntax.) Then retry Windows Update; the download should move past 0%.

Prefer the GUI?

Win + R → services.msc.
Find Windows Defender Firewall (service name MpsSvc).
Set Startup type → Automatic, click Start, OK.

You don’t have to leave firewall protection on every profile if your network policy differs — but the service itself must be running. Disabling the service to “rule out the firewall” is what causes this.

If the service won’t start or it’s still stuck

Confirm its dependencies are running too: Remote Procedure Call (RPC) = RpcSs, and RPC Endpoint Mapper = RpcEptMapper. Both should be Running / Automatic.
If MpsSvc errors on start, the firewall configuration may be corrupted — reset it: Windows Security → Firewall & network protection → Restore firewalls to default.
Only after the firewall service is healthy, fall back to a general update-cache reset (stop wuauserv, clear SoftwareDistribution).

FAQ

Doesn’t disabling the firewall speed up troubleshooting? Not here — it removes the very service the update agent relies on, which is how many people cause 0x800706D9 in the first place.

I’m on Server 2016 and it’s always at 0%. That’s the textbook case: BITS can’t talk out because the firewall service is down. Re-enable MpsSvc and the BITS download proceeds.

Still failing after the firewall service is on? Check RpcSs/RpcEptMapper (above), then reset Windows Update components. If updates roll back after installing, see the “Undoing changes” fix.

Sources: Microsoft Learn — Windows Update issues troubleshooting (0x800706D9 / firewall service), Microsoft Learn — Troubleshoot Windows Update error 0x800706D9