What Firewall Rule(s) Will Allow Windows Update and ONLY Windows Update To Work
What Firewall Rules Will Allow Windows Update and ONLY Windows Update to Work For Windows 8.1? If that is not possible, please provide the minimum rules necessary and the names of the additional program(s)/service(s) that must be granted access.
windows-8.1 windows-update windows-firewall
asked Oct 31 '15 at 13:43 by Ron
Are you trying to prevent loss of bandwidth from other apps doing their updates, i.e., prevent them from updating at all? If so, do you still want those apps to update, but at a different time? Or, do you want them to update from a different source? If any of these are true, seems to me that using firewalls might not be the best way. Are you also concerned with the system CPU/RAM impact of all these updaters running?
– DaaBoss
Oct 31 '15 at 14:36
Sorry for the confusion. I am blocking all traffic except what I specifically allow and need the rules to allow windows update to function. In 8.1 it requires more than just allowing the update service outbound traffic.
– Ron
Oct 31 '15 at 16:19
Narrowed it down a bit. I had a rule allowing update outbound traffic on TCP ports 80 and 443 but that did not work. I added a rule allowing all programs and services outbound traffic on TCP 80 and it works.
– Ron
Nov 1 '15 at 13:09
Last comment was incorrect. Narrowed it to: Allow all programs and services TCP port 80 outbound and all outbound traffic for the following services - appinfo, bits, dsmsvc, gpsvc, iphpsvc, lanmanserver, profsvc, schedule, sens, shellhwdetection, system events broker, themes, winmgmt, wuauserv.
– Ron
Nov 1 '15 at 18:31
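The rule set Ron settled on in the last comment, written out as Windows Firewall rules so it can be applied and removed as a unit. This is an added example, not code from the question or its comments; the group tag and rule display names are assumptions, and the service names are copied from the comment as written, so each one is checked against Get-Service before a rule is created (rules are keyed on the short service name, which is why the comment's "system events broker" appears below as SystemEventsBroker):

```powershell
# Added example: default-deny outbound plus the allow rules Ron reported as sufficient
# for Windows Update on 8.1. Run from an elevated PowerShell; New-NetFirewallRule comes
# from the NetSecurity module (Windows 8 / Server 2012 and later).
#Requires -RunAsAdministrator

$group = 'WU-Minimal'   # assumed group name; lets the whole set be listed or removed later

# 1. Default-deny outbound on every profile, so only explicit allow rules pass traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Ron's first rule: any program or service may talk out on TCP 80.
New-NetFirewallRule -DisplayName 'WU - any program TCP 80 out' -Group $group `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80 | Out-Null

# 3. Ron's second rule: unrestricted outbound traffic for the services he listed.
#    Names are taken from the comment; a name that does not resolve on this host
#    (for example a typo) is reported and skipped rather than turned into a dead rule.
$services = @('appinfo','bits','dsmsvc','gpsvc','iphpsvc','lanmanserver','profsvc',
              'schedule','sens','shellhwdetection','SystemEventsBroker','themes',
              'winmgmt','wuauserv')

foreach ($svc in $services) {
    if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) {
        Write-Warning "No service named '$svc' on this host; rule skipped"
        continue
    }
    New-NetFirewallRule -DisplayName "WU - service $svc out" -Group $group `
        -Direction Outbound -Action Allow -Service $svc | Out-Null
}

# Review what was created. Remove the whole set with: Remove-NetFirewallRule -Group $group
Get-NetFirewallRule -Group $group | Format-Table DisplayName, Enabled, Action
```

The Get-Service check is the part worth keeping even if you change the list: a firewall rule bound to a non-existent service name is created without complaint and never matches anything, which makes "why is update still blocked" hard to debug.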
2 Answers
I debugged this problem for hours.
In the end, to get Windows Update through Windows firewall you must allow svchost. You cannot narrow the protocol, scope, application packages or services.
So I have 0 inbound firewall rules, and 3 outbound firewall rules, two of which are active at any point in time. Those rules are:
1. Allow svchost
2. Block svchost
3. WFC - Core Networking - Dynamic Host Configuration Protocol (DHCP-out)
AND other applications that require internet (i.e., your web browser)
To connect to the internet, I must turn on 1 and 3.
After I can turn off 1 and 3 and turn on 2.
If my internet is on, and I want to use Windows Update, I then disable 2 and enable 1. That means after I have connected to the internet and don't plan on using Windows Update that the only weakness in my firewall is my browser, assuming I haven't added any other exceptions.
Windows PowerUser,
answered Apr 9 '17 at 17:48 by Anynomous
So far it doesn't look like Windows Firewall actually performs the functions it offers, blocking individual services under the umbrella of the svchost. Microsoft releases Windows updates every second Tuesday of each month, give or take 24 hours or so. You could create a script that automatically enables svchost out each month, and one for every day for Defender updates (for 5-10 minutes), or do it manually.
Or, you could for example block everything, enable packet logging, monitor the IP addresses and ports for every Windows Update server connection, then only allow svchost out for those specific IP addresses; this will narrow it down to only allow Windows Update. If you use CIDR format, replacing the last 3 digits with .1/24, you will be able to reach every IP on that subnet if they change over time. After hammering this out enough, should you notice other IPs pop up outside that scope, you will over time know it's not Windows Update. I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.
For Windows Updates, use Group Policy "Delivery Optimization" Download Mode, set to 99 (meaning no P2P or cloud services, just Microsoft's servers alone, so you don't get 1,000,000,000 different IPs). Then you must create a blacklist for each IP that comes up through svchost that does not involve Windows Update.
Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24
This worked for me. [Using WFC a Windows Defender Firewall Front End GUI]
answered Jan 29 at 12:08 by Boja