Windows 11 No outside connection after an update

Likely cause​

Error 5 (Access is denied) when starting Windows Defender Firewall (MpsSvc) and DNS Client (Dnscache) almost always points to broken service permissions/ACLs (often tied to Base Filtering Engine/BFE) or a network filter from third‑party AV/VPN. Fix the service security first, then repair the image.

Do this in order​

1) Basic network resets (elevated CMD)

• netsh winsock reset
• netsh int ip reset
• ipconfig /flushdns
• sc query bfe
• sc query mpssvc
• sc query dnscache
  If BFE is not RUNNING or any start attempt gives error 5, continue below.

2) Reset service security descriptors (fixes many “error 5” cases)

• In an elevated Command Prompt:
  • secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
• Reboot, then try to start the services:
  • sc config bfe start= auto && sc start bfe
  • sc config mpssvc start= auto && sc start mpssvc
  • sc config dnscache start= auto && sc start dnscache
    If any still fail with error 5, open regedit and check:
• HKLM\SYSTEM\CurrentControlSet\Services\BFE → Permissions → ensure “NT SERVICE\BFE” has Full Control.
• HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc → ensure “NT SERVICE\MpsSvc” has Read.
  Apply to this key and subkeys, OK, reboot, retest.

3) Remove blockers and clean boot

• Fully uninstall any third‑party antivirus, firewall, endpoint protection, or VPN (these often add NDIS/LWF filters that can break BFE/DNS). Reboot.
• Clean boot: msconfig → Services → Hide all Microsoft → Disable all; Startup (Task Manager) → Disable third‑party items; reboot and retest services.

4) Get DNS working (temporary)
If name resolution is still down, set explicit DNS on the active adapter:

• Settings → Network → your adapter → Hardware properties → Edit DNS → Manual → IPv4 → 1.1.1.1 and 8.8.8.8. Test nslookup microsoft.com and mapping by FQDN.

5) DISM correctly with a matching ISO
Your “source not found” usually means the ISO build/language doesn’t match or you pointed to install.esd without the right index.

• Find the index that matches Windows 11 Home:
  • Dism /Get-WimInfo /WimFile:X:\sources\install.esd
• Then run (replace INDEX with the Home index number):
  • Dism /Online /Cleanup-Image /RestoreHealth /Source:esd:X:\sources\install.esd:INDEX /LimitAccess
• Follow with:
  • sfc /scannow

6) If repair install still fails (SAFE_OS MIGRATE_DATA)

• Disconnect all non‑essential USB devices.
• Ensure BitLocker is suspended (if used).
• Uninstall AV/VPN completely.
• Free 20+ GB on C: and run chkdsk /scan.
• Run Microsoft SetupDiag after the failure to pinpoint the blocking driver/app; post the summary here so we can read it:
  • Run SetupDiag.exe (from Microsoft) and share the found issue it reports.

Info that will help us zero in​

• What exact Windows 11 version/build (winver) and language?
• Do you have or did you have any third‑party AV/firewall/VPN?
• After step 2, what are the results of:
  • sc query bfe
  • sc query mpssvc
  • sc query dnscache
• If you ran SetupDiag, what failure it reports?

If you prefer, start with step 2 (secedit) and report back—if BFE starts cleanly afterward, DNS and Firewall usually come back to life and DISM/repair install proceed without the SAFE_OS error.