Well it turned out to be more complicated than just requiring that svchost->service rule. first of all, both Windows updates and daily Windows Security updates could be detected, but not able to download; they were getting stuck at 0% progress every time, and the frustrating part about it was that WFC was not providing notifications for connection attempts, even though that option is enabled. About a week ago I whittled down my ruleset significantly by deleting the default rules and building my own based both on what I knew I needed, as well as via WFC notifications. It seems I deleted some rule or rules that are required for updates to be downloaded. So I ended up importing a ruleset I saved before paring down my ruleset, and now all is good. There are several Windows apps default rules in that set that might be what's needed, but ofc I can only speculate at this time. Still, the most puzzling thing about the ordeal, besides the rule(s) required for the downloading of updates, is why didn't WFC present alerts when the updates were being blocked?