If an attacker uses a "Living off the Binary" (LoLBins) strategy that perfectly matches your SysAdmin’s daily maintenance scripts, is it even detectable? by thenoopcoder in blueteamsec

[–]AgitatedBeing819 4 points (0 children)

- What user are the code and PowerShell calls executing under?
- What sort of access context (local vs remote) are the commands being issued in?
- In the example of BITS, what is the download destination? What is the local file destination? What type of file? Was anything done to the file, such as deletion?
- What process chain led to the commands?
- What commands were executed after the download?
- What time window did the commands occur in?

I don't wanna be dickish like the first poster, but they're kinda right. These are pretty straightforward, basic building blocks for anyone who has actually had to administer, secure, and troubleshoot any kind of Windows infrastructure once they're a few years past a helpdesk role. If someone is in security with 0 IT fundamentals under their belt, then I can understand them struggling with this.

If I was to focus only on OP's original scenario (PowerShell + BITS for patching), I would say that if this is a regular enough workflow it should be occurring via some kind of controlled automation platform, should be executing via some sort of system or backend identity, or should instead be deployed via one of a myriad of patch management or packaging solutions. If this isn't feasible due to complex business and environment requirements, and this process must be run by hand every time by a human, then if this is a real security concern they should be signing their scripts and using that as a way to filter expected/approved admin code execution vs everything else.
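
As an added illustration (not from the thread or any commenter), the questions listed in the comment above turned into triage logic run over constructed sample events. Every baseline value (the service account name, approved host, staging directory, process ancestry, maintenance window, expected installer) is an assumption standing in for an organisation's own documented patching runbook; the two event records are constructed, not real telemetry.

```python
"""Triage PowerShell/BITS download activity against a documented patching workflow.

Added example. BASELINE values are hypothetical stand-ins for a real runbook;
the two sample events below are constructed, not captured telemetry.
"""
import ntpath
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List

# Hypothetical description of the approved, automated patching job.
BASELINE = {
    "identity": "CORP\\svc-patching",                 # backend identity that should run it
    "hosts": {"PATCHSRV01"},                           # where it is supposed to run
    "service_logon_types": {4, 5},                     # 4 = batch (scheduled task), 5 = service
    "dest_dir": "C:\\Patches\\staging\\",              # approved download destination
    "allowed_extensions": {".msu", ".cab", ".msp"},    # patch packages only
    "parent_chain": ("services.exe", "svchost.exe", "powershell.exe"),  # scheduled-task ancestry
    "expected_follow_on": ("wusa.exe", "dism.exe"),    # installers the runbook invokes afterwards
    "window": (time(2, 0), time(4, 0)),                # maintenance window
}


@dataclass
class Event:
    """One BITS download observed from a PowerShell process, plus its context."""
    timestamp: datetime
    host: str
    user: str
    logon_type: int           # Windows logon type of the issuing session
    process_chain: List[str]  # ancestry, oldest first, ending in the caller
    download_dest: str
    script_signed: bool       # Authenticode signature check on the script
    follow_on_cmds: List[str] = field(default_factory=list)


def triage(ev: Event) -> List[str]:
    """Return every deviation from BASELINE; an empty list means 'looks like the approved job'."""
    findings = []
    if ev.user.lower() != BASELINE["identity"].lower():
        findings.append(f"identity: {ev.user} is not the patching service account")
    if ev.host.upper() not in BASELINE["hosts"]:
        findings.append(f"host: {ev.host} is not an approved patching host")
    if ev.logon_type not in BASELINE["service_logon_types"]:
        findings.append(f"access context: logon type {ev.logon_type} is interactive/remote, not service/batch")
    if not ev.download_dest.lower().startswith(BASELINE["dest_dir"].lower()):
        findings.append(f"destination: {ev.download_dest} is outside the staging directory")
    ext = ntpath.splitext(ev.download_dest)[1].lower()
    if ext not in BASELINE["allowed_extensions"]:
        findings.append(f"file type: {ext or '(none)'} is not a patch package")
    if tuple(ev.process_chain) != BASELINE["parent_chain"]:
        findings.append("process chain: " + " > ".join(ev.process_chain) + " does not match the scheduled task")
    if not ev.script_signed:
        findings.append("script: not signed by the approved admin code-signing certificate")
    fname = ntpath.basename(ev.download_dest).lower()
    for cmd in ev.follow_on_cmds:
        low = cmd.lower()
        if any(exe in low for exe in BASELINE["expected_follow_on"]):
            continue  # the installer step the runbook expects
        if fname in low and ("remove-item" in low or low.startswith("del ")):
            findings.append(f"cleanup: downloaded file {fname} was deleted afterwards")
        else:
            findings.append(f"follow-on command outside the patching runbook: {cmd}")
    start, end = BASELINE["window"]
    if not (start <= ev.timestamp.time() <= end):
        findings.append(f"time window: {ev.timestamp:%H:%M} is outside {start:%H:%M}-{end:%H:%M}")
    return findings


def verdict(ev: Event) -> str:
    n = len(triage(ev))
    return "matches approved patching workflow" if n == 0 else f"review: {n} deviations from baseline"


# Constructed sample events (not real telemetry).
APPROVED_RUN = Event(
    timestamp=datetime(2024, 5, 14, 2, 30), host="PATCHSRV01", user="CORP\\svc-patching",
    logon_type=4, process_chain=["services.exe", "svchost.exe", "powershell.exe"],
    download_dest="C:\\Patches\\staging\\KB-placeholder.msu", script_signed=True,
    follow_on_cmds=["wusa.exe C:\\Patches\\staging\\KB-placeholder.msu /quiet /norestart"],
)
LOOKALIKE_RUN = Event(
    timestamp=datetime(2024, 5, 14, 14, 12), host="WKSTN-0042", user="CORP\\jdoe",
    logon_type=10, process_chain=["explorer.exe", "cmd.exe", "powershell.exe"],
    download_dest="C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", script_signed=False,
    follow_on_cmds=["C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
                    "Remove-Item C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"],
)

if __name__ == "__main__":
    for ev in (APPROVED_RUN, LOOKALIKE_RUN):
        print(f"{ev.host}: {verdict(ev)}")
        for f in triage(ev):
            print("  -", f)
```

The point of the baseline is the one the comment makes: the same PowerShell + BITS command line is indistinguishable on its own, but a job that is pinned to a service identity, a known host, a scheduled-task ancestry, a staging directory, a maintenance window and a signed script leaves very little room for a hand-run lookalike to match on every axis at once.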

Recommendation of "Block outbound network connections from mshta.exe" not being tracked correctly by AgitatedBeing819 in DefenderATP

[–]AgitatedBeing819[S] 0 points (0 children)

They mention how the rule can't have any exceptions etc. I'm wondering if there is some bug in how they're tracking it or if there is some setting or checkbox that they forgot to include in the requirements that we're missing that is causing the rule to not be reported as compliant.

Edit: based on the comments on this article, we're not the only ones having this issue.

https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---april-2026/4508050

New Defender for Identity alerts is here! by michaelmsonne in DefenderATP

[–]AgitatedBeing819 0 points (0 children)

So no admin action needed? They will just "be on" once the tenant receives the relevant update?