
We have a couple of machines deployed to a retail environment and, due to budget constraints, are limited to Windows Firewall as our firewall.

We inherently block all outgoing connections and whitelist what we need. Unfortunately, whitelisting the wuauserv service and svchost.exe is still blocking Windows Update from downloading updates, with error 80240438.

The firewall log shows the following:

2016-05-03 09:53:02 DROP TCP 192.168.10.21 134.170.58.121 49377 443 0 - 0 0 0 - - - SEND
2016-05-03 09:53:02 DROP TCP 192.168.10.21 65.55.138.126 49378 443 0 - 0 0 0 - - - SEND

Which I've verified are Microsoft IPs.

As far as I can tell, there is no way to whitelist the following hostnames in Windows Firewall.

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com

Is there any way for Windows Update to work with Windows Firewall whitelisting?

I'm not specifically asking how to whitelist the domain names, more so how I can whitelist Windows Update as a whole.


1 Answer


Yes. Go to Windows Firewall (Control Panel -> Security -> Firewall) and click on Advanced settings on the left. Create inbound/outbound rules. Alternatively, you may be able to just add Windows Update as an app or feature (the option above Advanced settings on the left of the firewall screen).

Here is a link that goes into more detail about how to do it: http://www.howtogeek.com/112564/how-to-create-advanced-firewall-rules-in-the-windows-firewall/

One more thing, just for clarity. It varies a little depending on your version of Windows, but you probably need to add (in advanced setup) c:\windows\System32\wuauclt.exe and be sure to add the "Windows Update" service. If that doesn't work, try:

Process - %SystemRoot%\System32\svchost.exe
Service - Windows Update
Remote ports - 80, 443 (possibly needed)

and

Process - %SystemRoot%\System32\svchost.exe
Service - BITS
Remote ports - 80, 443

  • OP is asking for whitelisting specific hosts, this cannot be done in the way you describe it. – Lenniey May 03 '16 at 15:38
  • The OP is asking if there is a way to get Windows Update to work with Windows Firewall whitelisting. The answer to this is yes. They are not asking if they can whitelist domains/hosts; that is a different question. – theinvisibleduck May 03 '16 at 15:59
  • As you can see in my post, I already made a rule for svchost and the Windows Update service. This did not help. – Copy Run Start May 03 '16 at 18:28
  • Did you include the ports and the BITS service as well? – theinvisibleduck May 06 '16 at 15:35
  • As of Windows 8.1, this is no longer sufficient. See https://social.technet.microsoft.com/Forums/windows/en-US/27ded2ad-cc85-4c0a-9b41-c6b469a20aab/windows-firewall-and-windows-update-win-81 (Uwe Bubeck's answer in particular) and https://social.technet.microsoft.com/Forums/windowsserver/en-US/e1317d2a-c68a-4a53-88f4-694c1d467188/windows-10-firewall-with-windows-update-service (Jani's answer about thread pools in particular). – Luc Aug 13 '18 at 19:16
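As an added example (not from the question or the answer above), this PowerShell script creates the svchost.exe / Windows Update / BITS outbound allow rules the answer lists, then summarises what the firewall log is still dropping so you can see whether the rules actually took effect; the rule names and the default log path are my own assumptions, and, as the last comment notes, on Windows 8.1 and later these rules alone may not be enough.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound allow rules for svchost.exe hosting wuauserv and BITS on TCP 80/443.
# Needs the NetSecurity module (Windows 8 / Server 2012 or later). Rule names are my own choice.

$svchost = "$env:SystemRoot\System32\svchost.exe"

$rules = @(
    @{ Name = 'Allow-WU-wuauserv-svchost'; Service = 'wuauserv'; Description = 'Windows Update service via svchost' },
    @{ Name = 'Allow-WU-BITS-svchost';     Service = 'BITS';     Description = 'BITS via svchost' }
)

foreach ($r in $rules) {
    # Drop any earlier copy so the script is idempotent
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $r.Name `
        -Description $r.Description `
        -Direction Outbound `
        -Action Allow `
        -Program $svchost `
        -Service $r.Service `
        -Protocol TCP `
        -RemotePort 80,443 `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verify: show the program, service and port filters actually attached to each rule
foreach ($r in $rules) {
    $rule = Get-NetFirewallRule -DisplayName $r.Name
    [pscustomobject]@{
        Rule    = $rule.DisplayName
        Program = ($rule | Get-NetFirewallApplicationFilter).Program
        Service = ($rule | Get-NetFirewallServiceFilter).Service
        Ports   = (($rule | Get-NetFirewallPortFilter).RemotePort) -join ','
    }
}

# Check: count outbound TCP drops still in the firewall log (format as in the question:
# date time action protocol src-ip dst-ip src-port dst-port ... path). Default path assumed.
function Get-OutboundDrops {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Get-Content $LogPath | Where-Object { $_ -notmatch '^#' } | ForEach-Object {
        $f = $_ -split ' '
        if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and $f[-1] -eq 'SEND') {
            [pscustomobject]@{ Dest = $f[5]; Port = $f[7] }
        }
    } | Group-Object Dest, Port | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-OutboundDrops
```

If the drop summary still shows connections to TCP 443 after the rules are in place, the traffic is coming from a process or service the rules do not cover, which is the situation the last comment describes.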