Hello,
Instead of opening all ports 80 & 443, you can refine the rules to allow only specific Microsoft update related URLs. The URLs are different depending on the type of update.
1. Launch Windows Firewall.
2. Click on “Outbound Rules” and then “New Rule”.
3. Select “Custom” and click on “Next”.
4. In “Programs”, select “This program path”, then navigate to %SystemRoot%\system32\svchost.exe or %SystemRoot%\system32\wuapp.exe and click “Next”.
5. In “Services”, choose “Apply to this service”, then select “Windows Update” and “Background Intelligent Transfer Service” in the dropdown list and click “Next”.
6. In “Protocol and Ports”, choose “TCP” and add “Specific remote ports” as 80, 443, then click “Next”.
7. In “Scope”, under “Remote IP addresses” click “Add” and put in these addresses:
   - http://windowsupdate.microsoft.com
   - http://*.windowsupdate.microsoft.com
   - https://*.windowsupdate.microsoft.com
   - https://*.update.microsoft.com
   - http://download.windowsupdate.com
   - http://*.download.windowsupdate.com
   - http://ntservicepack.microsoft.com
   - http://dl.delivery.mp.microsoft.com
   Click “Next”.
8. In “Action”, select “Allow the connection”, and click “Next”.
9. In “Profile”, choose when to apply this rule. It could be domain, private, public, or all of these; click “Next”.
10. Finally, give the rule a name and an optional description, and finish the setup by clicking “Finish”.
Remember Firewall rules are often applied from the top down, so ensure your new rule is at the top of your firewall rule list.
Please note that Windows Firewall does not have URL-based filtering. The IP addresses could change dynamically. It might be a challenge managing those in Windows Firewall. Using a more advanced firewall system that is capable of URL filtering may be more appropriate for more granular control.
Best Regards,
Hania Lian
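The same outbound rules built with PowerShell, as an added example that is not part of the answer above. It creates one rule per service (the -Service parameter takes a single service name), resolves the non-wildcard hostnames from the answer to their current IPv4 addresses for the scope, and refreshes that scope on later runs. It assumes an elevated session and the service short names wuauserv (Windows Update) and BITS.

```powershell
# Added example: outbound allow rules for Windows Update, scoped to resolved addresses.
# Assumes an elevated PowerShell session. Re-run on a schedule, since the resolved
# addresses change over time (the caveat in the answer above).

# Non-wildcard hostnames from the answer; only these can be resolved to addresses.
$hosts = @(
    'windowsupdate.microsoft.com',
    'download.windowsupdate.com',
    'ntservicepack.microsoft.com',
    'dl.delivery.mp.microsoft.com'
)
# Wildcard entries from the answer cannot be expressed as a firewall scope; they are
# listed only so the coverage gap is visible in the script's output.
$unresolvable = @('*.windowsupdate.microsoft.com', '*.update.microsoft.com',
                  '*.download.windowsupdate.com')

# Resolve each hostname to its current IPv4 addresses (the resolver follows CNAME chains).
$addresses = foreach ($h in $hosts) {
    Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}
$addresses = @($addresses | Sort-Object -Unique)
if ($addresses.Count -eq 0) { throw 'No addresses resolved; existing rules left untouched.' }

$program  = "$env:SystemRoot\System32\svchost.exe"
# Service short name -> display name (assumed values: wuauserv and BITS).
$services = @{ 'wuauserv' = 'Windows Update'; 'BITS' = 'Background Intelligent Transfer Service' }

foreach ($svc in $services.Keys) {
    $name = "Allow Windows Update ($($services[$svc]))"
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($existing) {
        # Rule already present: refresh only the remote address scope.
        Set-NetFirewallRule -DisplayName $name -RemoteAddress $addresses
    } else {
        New-NetFirewallRule -DisplayName $name `
            -Description "Outbound TCP 80/443 from svchost.exe ($svc) to resolved Windows Update hosts" `
            -Direction Outbound -Action Allow -Enabled True `
            -Profile Domain,Private,Public `
            -Program $program -Service $svc `
            -Protocol TCP -RemotePort 80,443 `
            -RemoteAddress $addresses | Out-Null
    }
}
Write-Host "Scoped $($addresses.Count) addresses; wildcard hosts not covered: $($unresolvable -join ', ')"
```

Verify the result with `Get-NetFirewallRule -DisplayName 'Allow Windows Update*' | Get-NetFirewallAddressFilter`, which lists the remote addresses each rule is currently scoped to.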