
This is specific to Windows 10!!!

I need Windows Firewall to block all outgoing (and incoming) traffic EXCEPT for Windows Update, but when I block the outgoing traffic --> Windows Update fails.

I already tried allowing svchost completely as well as a lot of other services, but still no Windows Update!!

It seems it only works when outgoing traffic is allowed :-(

Thank you, Lionel

Lionel
  • The paid version of this software will allow you to do this much easier... http://www.binisoft.org/wfc.php – Moab May 03 '16 at 16:50

2 Answers


It's almost useless blocking outgoing ports as applications need to send an initial response first to check the server's there (of which no reply will be received since the incoming port is blocked).

To only allow Windows Update to communicate, you need to block all incoming ports except the following domains and subdomains:

  • windowsupdate.microsoft.com
  • *.windowsupdate.microsoft.com
  • *.update.microsoft.com
  • *.windowsupdate.com
  • download.windowsupdate.com
  • download.microsoft.com
  • *.download.windowsupdate.com
  • wustat.windows.com
  • ntservicepack.microsoft.com

You may be able to use the localhost file to block the above domains, by following the instructions here.

The above are not specific to any Windows version (although the TechNet page is for Windows Server 2003 and XP, this solution works with all modern Windows versions too), so it'll work on Windows versions other than Windows 10.

AStopher
  • "you need to block everything except the following domains and subdomains" How do I block everything without blocking outgoing traffic? – Lionel May 03 '16 at 14:19
  • Also, how do you add domains to the Windows Firewall? It seems to only accept IP addresses... Thank you for helping me... – Lionel May 03 '16 at 14:25
  • @Lionel Please see my edit. – AStopher May 03 '16 at 15:54
  • Thank you, but I'm trying to block everything EXCEPT Windows Update! I know I could use hostfiles but not to block all traffic though... – Lionel May 04 '16 at 11:32

In your scenario (Windows 10): allow wuauserv - IN rule, allow wuauserv - OUT rule, another rule, allow BFE - OUT rule (this one makes Windows Defender SmartScreen)

  • This question is 5 years old. When answering old questions, please keep in mind that the original poster may have solved or vanished. Moreover, your answer should be more detailed (for instance, explain what is the "another rule"...). – AndrewQ May 12 '21 at 21:17
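
The rules named in the last answer (wuauserv in and out, BFE out) on top of a default-block policy, written out in PowerShell. This is an added example, not code from any poster in this thread; the group name, display names and the helper function are hypothetical, and the thread does not confirm that these three rules are sufficient for Windows Update.

```powershell
#Requires -RunAsAdministrator
# Added example. Group name, display names and the helper are hypothetical.
$Group   = 'WU-Only (example)'
$Svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Add-ServiceAllowRule {
    param(
        [Parameter(Mandatory)][string]$Service,
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction
    )
    # Scope the rule to one service hosted in svchost.exe, not to svchost as a whole.
    New-NetFirewallRule -DisplayName "Allow $Service ($Direction)" -Group $Group `
        -Direction $Direction -Action Allow -Profile Any `
        -Program $Svchost -Service $Service | Out-Null
}

# Make the script re-runnable: drop rules left by a previous run.
Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue

# Record the current defaults so they can be restored by hand if needed.
Get-NetFirewallProfile |
    Format-Table Name, DefaultInboundAction, DefaultOutboundAction

# Rules as listed in the answer. Create them before flipping the default.
Add-ServiceAllowRule -Service wuauserv -Direction Inbound
Add-ServiceAllowRule -Service wuauserv -Direction Outbound
Add-ServiceAllowRule -Service BFE      -Direction Outbound

# Default-deny in both directions on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Audit: with outbound set to Block, only enabled allow rules pass traffic.
# Pre-existing allow rules still apply, so review the full list.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayName, DisplayGroup, Profile
```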