Firewall rules for updates

w1010 0 Reputation points
2024-08-07T07:05:27.78+00:00

Hello, what outbound rules in the firewall are necessary to allow downloading Windows updates?

That PC has Inbound and Outbound connections blocked by default.

Outbound rules:

  1. Allow for %SystemRoot%\system32\svchost.exe and service Delivery Optimization
  2. Allow for %SystemRoot%\system32\svchost.exe and service Background Intelligent Transfer Service
  3. Allow for %SystemRoot%\system32\svchost.exe and service Windows Update

The updater starts but does not download.

Finally, only adding a rule with allowed ports 80 and 443 (without specifying Programs and Services) works for downloading updates.

How to change it? How to change/add a rule where updates will work but the firewall will not allow all connections on ports 80 and 443?

    Hania Lian 17,026 Reputation points Microsoft Vendor
    2024-08-08T03:20:40.4933333+00:00

    Hello,

    Instead of opening all ports 80 & 443, you can refine the rules to allow only specific Microsoft update related URLs. The URLs are different depending on the type of update.

    Launch Windows Firewall.

    Click on “Outbound Rules” and then “New Rule”.

    Select “Custom” and click on “Next”.

    In “Programs”, select “This program path”, then navigate to %SystemRoot%\system32\svchost.exe or %SystemRoot%\system32\wuapp.exe and click “Next”.

    In “Services”, choose “Apply to this service”, then select “Windows Update” and “Background Intelligent Transfer Service” in the dropdown list and click “Next”.

    In “Protocol and Ports”, choose “TCP” and add “Specific remote ports” as 80, 443, then click “Next”.

    In “Scope”, under “remote IP addresses” click “Add” and put in these addresses:

    http://windowsupdate.microsoft.com

    http://*.windowsupdate.microsoft.com

    https://*.windowsupdate.microsoft.com

    http://*.update.microsoft.com

    https://*.update.microsoft.com

    http://*.windowsupdate.com

    http://download.windowsupdate.com

    http://download.microsoft.com

    http://*.download.windowsupdate.com

    http://wustat.windows.com

    http://ntservicepack.microsoft.com

    http://go.microsoft.com

    http://dl.delivery.mp.microsoft.com

    Click “Next”.

    In “Action”, select “Allow the connection”, and click “Next”.

    In “Profile”, choose when to apply this rule. It could be domain, private, public or all of these; click “Next”.

    Finally, give the rule a name and optional description, and finish the setup by clicking “Finish”.

    Remember that firewall rules are often applied from the top down, so ensure your new rule is at the top of your firewall rule list.

    Please note that Windows Firewall does not have URL-based filtering. The IP addresses could change dynamically. It might be a challenge managing those in Windows Firewall. Using a more advanced firewall system that is capable of URL filtering may be more appropriate for more granular control.

    Best Regards,

    Hania Lian

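The wizard steps in the answer above, expressed as PowerShell so the rules can be scripted, re-run and verified; this is an added example and not part of the original question or answer. It assumes the service short names wuauserv, BITS and DoSvc for the three services named in the thread, and it uses only program, service and port filters, because Windows Firewall's remote-address scope accepts IP addresses or subnets, not the hostnames listed above.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell session.
# Creates one outbound allow rule per update-related service, restricted to
# svchost.exe and TCP 80/443, instead of a blanket "allow 80/443" rule.

# Service short names (assumption based on the services named in the thread):
#   wuauserv = Windows Update
#   BITS     = Background Intelligent Transfer Service
#   DoSvc    = Delivery Optimization
$svchost  = "$env:SystemRoot\System32\svchost.exe"
$services = @{
    'wuauserv' = 'Windows Update'
    'BITS'     = 'Background Intelligent Transfer Service'
    'DoSvc'    = 'Delivery Optimization'
}

foreach ($svc in $services.Keys) {
    $name = "Allow Outbound TCP 80/443 - $($services[$svc])"
    # Skip rules that already exist so the script is safe to re-run
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound `
        -Action Allow `
        -Program $svchost `
        -Service $svc `
        -Protocol TCP `
        -RemotePort 80,443 `
        -Profile Any `
        -Enabled True | Out-Null
    # To narrow the scope further, add -RemoteAddress with IP addresses or CIDR
    # ranges; hostnames are not accepted, and the update IPs change over time.
}

# Verify: show each rule with its program, service and remote-port filters
Get-NetFirewallRule -DisplayName 'Allow Outbound TCP 80/443 - *' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Service = ($_ | Get-NetFirewallServiceFilter).Service
        Ports   = (($_ | Get-NetFirewallPortFilter).RemotePort -join ',')
    }
} | Format-Table -AutoSize

# If downloads still fail, log dropped outbound connections (Security event 5157)
# to see which process and remote endpoint the default-block policy is stopping:
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
```

The audit entries show the process path and remote address of each blocked connection, which is the evidence needed before adding any further rule rather than reopening ports 80 and 443 globally.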
