Windows Update Exception through Windows Firewall
Yes. Go to Windows Firewall (Control Panel -> Security -> Firewall) and click on Advanced settings on the left. Create inbound/outbound rules. Alternatively, you may be able to just add Windows Update as an app or feature (the option above Advanced settings on the left of the firewall screen).
Here is a link that goes into more detail about how to do it: http://www.howtogeek.com/112564/how-to-create-advanced-firewall-rules-in-the-windows-firewall/
One more thing, just for clarity. It varies a little depending on your version of Windows, but you probably need to add (in advanced setup):
c:\windows\System32\wuauclt.exe and be sure to add the service of "Windows Update"
and if that doesn't work, try
Process - %SystemRoot%\System32\svchost.exe
Services - Windows Update
and (possibly needed)
Remote ports 80, 443
Process - %SystemRoot%\System32\svchost.exe
Service - BITS
Remote Ports 80, 443
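The svchost-based rules listed above can also be created from an elevated PowerShell prompt; this is an added example, not part of the original answer, and the group name and display names are assumptions made for it.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound allow rules for the Windows Update and BITS services,
# scoped to svchost.exe and remote TCP ports 80 and 443 as the answer lists them.
# $group and the DisplayName values are hypothetical names chosen for this example.
$group   = 'WU-Outbound-Example'
$svchost = '%SystemRoot%\System32\svchost.exe'

$rules = @(
    @{ Name = 'WU example - svchost (wuauserv)'; Service = 'wuauserv' }  # Windows Update service
    @{ Name = 'WU example - svchost (BITS)';     Service = 'BITS' }      # Background Intelligent Transfer
)

# Re-runnable: remove rules left by an earlier run of this script.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($r in $rules) {
    $params = @{
        DisplayName = $r.Name
        Group       = $group
        Direction   = 'Outbound'
        Action      = 'Allow'
        Program     = $svchost
        Service     = $r.Service
        Protocol    = 'TCP'
        RemotePort  = 80, 443
    }
    New-NetFirewallRule @params | Out-Null
}

# Read the rules back with their filters, to confirm each rule is tied to
# one service and two ports rather than to svchost.exe as a whole.
Get-NetFirewallRule -Group $group | ForEach-Object {
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Program    = ($_ | Get-NetFirewallApplicationFilter).Program
        Service    = ($_ | Get-NetFirewallServiceFilter).Service
        RemotePort = ($_ | Get-NetFirewallPortFilter).RemotePort -join ','
    }
} | Format-Table -AutoSize
```

The asker and a later comment on this page report that rules of this kind were not enough on their systems, so check the firewall log for remaining DROP entries after applying them.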
Copy Run Start
I'm the sole Network/Sys Admin for a design and media company of about 500 nodes. CCNP | MS-70-640 | MS-70-642
Updated on September 18, 2022
Comments
-
Copy Run Start almost 2 years
We have a couple machines deployed to a retail environment and due to budget constraints, are limited to Windows Firewall as our firewall.
We inherently block all outgoing connections, and whitelist what we need. Unfortunately, whitelisting wuauserv service and svchost.exe is still blocking Windows Update from downloading updates, with error 80240438.
The firewall log shows the following:
2016-05-03 09:53:02 DROP TCP 192.168.10.21 134.170.58.121 49377 443 0 - 0 0 0 - - - SEND
2016-05-03 09:53:02 DROP TCP 192.168.10.21 65.55.138.126 49378 443 0 - 0 0 0 - - - SEND
Which I've verified are Microsoft IPs.
As far as I can tell, there is no way to whitelist the following hostnames in Windows Firewall.
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
Is there any way for Windows Update to work with Windows Firewall whitelisting?
I'm not specifically asking how to whitelist the domain names, more so asking how I can whitelist Windows Update as a whole.
-
Todd Wilcox about 8 years
What's your question?
-
Copy Run Start about 8 years
@Todd Wilcox Is there any way for Windows Update to work with Windows Firewall whitelisting?
-
Lenniey about 8 years
As far as I know, with the out-of-the-box Windows firewall this can't be done. You always have to use IPs / subnets.
-
-
Lenniey about 8 years
OP is asking for whitelisting specific hosts, this cannot be done in the way you describe it.
-
theinvisibleduck about 8 years
The OP is asking if there is a way to get Windows Update to work with Windows Firewall whitelisting. The answer to this is yes. They are not asking if they can whitelist domains/hosts; that is a different question.
-
Copy Run Start about 8 years
As you can see in my post, I already made a rule for svchost and the Windows Update service. This did not help.
-
theinvisibleduck about 8 years
Did you include the ports and the BITS service as well?
-
Luc almost 6 years
As of Windows 8.1, this is no longer sufficient. See social.technet.microsoft.com/Forums/windows/en-US/… (Uwe Bubeck's answer in particular) and social.technet.microsoft.com/Forums/windowsserver/en-US/… (Jani's answer about thread pools in particular).