Windows update service firewall
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
General discussion
Can anyone kindly give me a Windows Firewall rule that allows Windows Update? Assume I’m running MMC’s «Windows Firewall with Advanced Security» snap-in as Administrator. Note that a «solution» that takes down the outbound firewall is not acceptable.
===== Solution =====
Suppose that, as the default, you’ve set the outbound firewall to block (see To close the outbound firewall, below). In order for Windows Update to check whether an update is available and then to download the update files, you first need an outbound firewall allow-rule that allows the Windows Update service to pass through the outbound firewall.
Prerequisite: Knowledge of the Microsoft Management Console (MMC) and its «Windows Firewall with Advanced Security» plug-in.
What you will do: You will use the «Windows Firewall with Advanced Security» MMC plug-in to create an outbound firewall rule that allows ‘%SystemRoot%\System32\svchost.exe’ (the generic service driver) to pass through the outbound firewall on behalf of ‘wuauserv’ (the name of the specific service that performs the update).
Warning: If you don’t know what I’m writing about, get help.
Name: Allow Windows Update (... or any name you prefer — it doesn’t matter)
Group:
Profile: Public
Enabled: Yes
Action: Allow
Program: %SystemRoot%\System32\svchost.exe
Local Address: Any
Remote Address: Any
Protocol: Any
Local Port: Any
Remote Port: Any
Allowed Computers: Any
Status: OK
Service: wuauserv
Rule Source: Local Setting
Interface Type: All interface types
Excepted Computers: None
Description:
To open the outbound firewall:
More accurate wording would be
Outbound connections are allowed unless explicitly blocked by a rule.
If you look at the standard rules you will find no block-rules. That means that nothing is blocked, everything is allowed, and the outbound firewall is wide open.
To close the outbound firewall:
More accurate wording would be
Outbound connections are blocked unless explicitly allowed by a rule.
If you look at the standard rules you will find only allow-rules that have been crafted to allow the vital Windows connections to pass through the outbound firewall. To an informed observer it’s obvious that the firewall engineers crafted these allow-rules so that users who closed the outbound firewall wouldn’t have to write them. But the firewall engineers left out Windows Update.
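The same rule built from PowerShell instead of the MMC snap-in, as an added example that is not part of the original post. It assumes Windows 8.1 / Server 2012 R2 or later (the NetSecurity cmdlets) and an elevated session; the function and rule names are my own. Protocol, ports and addresses are deliberately left at "Any", matching the rule listed above, and the function reads the stored filters back so you can confirm the service binding was actually applied. The same function can be called for the other service names that come up later in this thread (trustedinstaller, cryptsvc, BITS, WSService) to reproduce the per-service rules tried there.

```powershell
# Added example, not from the original post. Assumes Windows 8.1 / Server 2012 R2 or later
# (NetSecurity module) and an elevated PowerShell session. Rule and function names are mine.

# Default-deny outbound on the Public profile (the post's "close the outbound firewall").
Set-NetFirewallProfile -Profile Public -DefaultOutboundAction Block

# One outbound allow-rule for svchost.exe bound to a single service. Protocol, ports and
# addresses are left unset, i.e. "Any", exactly as in the rule listed above.
function New-ServiceBoundOutboundRule {
    param(
        [Parameter(Mandatory)][string]$Service,
        [string]$Program = '%SystemRoot%\System32\svchost.exe'
    )
    $name = "Allow $Service (outbound)"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $name   # recreate rather than duplicate
    }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow -Profile Public `
        -Program $Program -Service $Service -Enabled True | Out-Null

    # Read back what the firewall stored: program path and service binding.
    $rule = Get-NetFirewallRule -DisplayName $name
    [pscustomobject]@{
        Rule    = $name
        Program = ($rule | Get-NetFirewallApplicationFilter).Program
        Service = ($rule | Get-NetFirewallServiceFilter).Service
    }
}

# The post's rule: svchost.exe on behalf of wuauserv only.
New-ServiceBoundOutboundRule -Service wuauserv

# Which svchost.exe instance hosts wuauserv right now (useful when reading firewall logs later).
Get-CimInstance Win32_Service -Filter "Name='wuauserv'" | Select-Object Name, State, ProcessId
```

If the read-back shows `Service : Any`, the binding was not stored and the rule is a plain svchost.exe allow, which is exactly the over-broad rule the post warns against.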
What Firewall Rule(s) Will Allow Windows Update and ONLY Windows Update To Work
What Firewall Rules Will Allow Windows Update and ONLY Windows Update to Work For Windows 8.1? If that is not possible please provide the minimum rules necessary and the names of the additional program(s)/service(s) that must be granted access.
I debugged this problem for hours. In the end, to get Windows Update through Windows firewall you must allow svchost. You cannot narrow the protocol, scope, application packages or services.
So I have 0 inbound firewall rules, and 3 outbound firewall rules two of which are active at any point in time. Those rules are:
WFC — Core Networking — Dynamic Host Configuration Protocol (DHCP-out)
AND Other applications that require internet (i.e., your web browser)
To connect to the internet, I must turn on 1 and 3. After I can turn off 1 and 3 and turn on 2. If my internet is on, and I want to use windows update, I then disable 2 and enable 1. That means after I have connected to the internet and don’t plan on using windows update that the only weakness in my firewall is my browser assuming I haven’t added any other exceptions.
So far it doesn’t look like windows firewall actually performs the functions it offers, blocking individual services under the umbrella of the svchost. Microsoft releases windows updates every second Tuesday of each month give or take 24 hours or so. You could create a script that automatically enables svchost out each month, and one for every day for defender updates; (for 5-10 minutes) or do it manually.
Or, you could for example block everything, enable packet logging, monitor the IP addresses and ports for every Windows Update server connection, then only allow svchost out for those specific IP addresses; this will narrow it down to only allow Windows Update. If you use CIDR format, replacing the last 3 digits with .1/24, you will be able to reach every IP on that subnet if they change over time. After hammering this out enough, should you notice other IPs pop up outside that scope, you will over time know it’s not Windows Update. I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.
For Windows Updates, use Group Policy «Delivery Optimization» Download Mode, set to 99 (meaning no P2P or cloud services, just Microsoft’s servers alone, so you don’t get 1,000,000,000 different IPs). Then you must create a blacklist for each IP that comes up through svchost that does not involve Windows Update.
Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24
This worked for me. [Using WFC a Windows Defender Firewall Front End GUI]
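The "block everything, log, then allow what you observed" approach from the answer above, as an added example that is not part of the answer. It assumes Windows 8.1 or later (NetSecurity cmdlets and Get-NetTCPConnection) and an elevated session; the function names are mine and the sample log lines are constructed in the pfirewall.log format. The first helper folds dropped outbound entries into /24 ranges, the granularity the answer uses for its allow-rule. Because pfirewall.log records neither process name nor PID, the second helper answers the question the answer leaves open: it maps live svchost.exe connections to the services hosted in that particular svchost process.

```powershell
# Added example, not part of the answer above. Assumes Windows 8.1 or later (NetSecurity module,
# Get-NetTCPConnection) and an elevated session. Function names are mine; the sample log
# lines below are constructed in the pfirewall.log format, not a real capture.

# Turn on logging of dropped packets for the Public profile (default log path given explicitly).
Set-NetFirewallProfile -Profile Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Summarise blocked outbound (SEND) entries by destination /24 and port.
function Group-BlockedDestinations {
    param([string[]]$LogLines)
    # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port size ... path
    $pattern = '^\S+ \S+ DROP (?:TCP|UDP) \S+ (?<dst>\d+\.\d+\.\d+\.\d+) \d+ (?<port>\d+) .*\bSEND\s*$'
    $LogLines | ForEach-Object {
        if ($_ -match $pattern) {
            $o = $Matches['dst'].Split('.')
            [pscustomobject]@{ Range = "$($o[0]).$($o[1]).$($o[2]).0/24"; Port = [int]$Matches['port'] }
        }
    } | Group-Object Range, Port | ForEach-Object {
        [pscustomobject]@{ Range = $_.Group[0].Range; Port = $_.Group[0].Port; Drops = $_.Count }
    } | Sort-Object Drops -Descending
}

# Map live outbound TCP connections owned by svchost.exe to the services hosted in that process,
# which is how you tell a Windows Update connection from any other service sharing svchost.
function Get-SvchostConnections {
    $svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object Id)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $svchostPids -contains $_.OwningProcess } |
        ForEach-Object {
            $svc = Get-CimInstance Win32_Service -Filter "ProcessId=$($_.OwningProcess)"
            [pscustomobject]@{
                ProcessId = $_.OwningProcess
                Services  = ($svc.Name -join ',')
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

# Constructed sample lines (not a real capture); the last one is inbound and must be ignored.
$sample = @(
    '2014-06-14 20:11:08 DROP TCP 192.168.1.10 65.55.163.76 49235 443 52 S 1234567 0 8192 - - - SEND',
    '2014-06-14 20:11:08 DROP TCP 192.168.1.10 65.55.163.80 49236 443 52 S 1234568 0 8192 - - - SEND',
    '2014-06-14 20:11:09 DROP TCP 192.168.1.10 13.107.4.50 49237 80 52 S 1234569 0 8192 - - - SEND',
    '2014-06-14 20:11:09 DROP TCP 10.0.0.5 192.168.1.10 443 49238 52 A 1234570 0 8192 - - - RECEIVE'
)
Group-BlockedDestinations -LogLines $sample
# Expected: 65.55.163.0/24 port 443 with 2 drops, then 13.107.4.0/24 port 80 with 1 drop.

# Against the real log instead:
# Group-BlockedDestinations -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
Get-SvchostConnections | Format-Table -AutoSize
```

Run Get-SvchostConnections while a manual "Check for updates" is in progress, and only the rows whose Services column contains wuauserv (or bits for the download phase) are the ones the allow-rule needs to cover; everything else the log shows leaving svchost belongs to some other service and should stay blocked.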
Question
Since Windows Vista I have always been using the Windows Firewall with «blocked outgoing traffic». As this is not the default setting, some basic windows services seem not to be included as firewall rules on the outgoing side.
My Problem is with the Windows Update:
On Windows Vista and 7 it was sufficient to create a rule for «wuauserv».
On Windows 8.1 however this seems not to be enough. The UI gives me error code 80240438 and the WindowsUpdate.log shows the following lines:
2014-06-14 20:11:08:150 952 538 IdleTmr WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 2044; does use network; is at background priority
2014-06-14 20:11:08:151 952 538 WS WARNING: Nws Failure: errorCode=0x803d0010
2014-06-14 20:11:08:151 952 538 WS WARNING: Original error code: 0x80072efd
2014-06-14 20:11:08:151 952 538 WS WARNING: Fehler bei der Kommunikation mit dem Endpunkt bei «https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx».
2014-06-14 20:11:08:151 952 538 WS WARNING: Fehler beim Senden der HTTP-Anforderung.
2014-06-14 20:11:08:151 952 538 WS WARNING: Der Remoteendpunkt konnte nicht erreicht werden.
(... and a lot of similar WARNING lines)
2014-06-14 20:11:12:921 952 538 IdleTmr WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 2044) stopped; does use network; is at background priority
If I create a rule for the whole svchost.exe, the update works fine. Giving all services internet access is however not an option for me. Could you please tell me through which service(s) except wuauserv Windows Update performs its network activities?
All replies
I think the whole concept is not good. You should have «something» in between Internet and your PC, that is working like firewall.
Make sure that port 443 is transparent for update. Log shows it is not.
Thank you for your answer.
This is however the one standard answer you always receive whenever you mention application based firewalling and it does not answer my question. A regular protocol / port based firewall is already working fine inside my router. Nevertheless, I do have my reasons for implementing an application based firewall for outgoing traffic on one specific client.
I also know the log file says that windows update can not reach the update servers on port 443/https. Yet, it does not tell me the exact service names which reported the errors. That’s why I would like to know through which windows services wuauserv communicates with the update servers.
Does anyone know the necessary services? As I said before: On Win7 and Vista wuauserv seemed to be the only service. Which ones are new for Windows Update?
Thanks in advance!
Just some thoughts on this issue:
There are four services related to Windows Update:
Windows Module installer service
Windows update services
BITS (Background intelligent transfer service)
And there’s a new update service provider named ‘Windows Store’.
Alex Zhao
TechNet Community Support
Thanks a lot for the information. I have created rules for the following services you mentioned:
trustedinstaller (Windows Module installer service)
cryptsvc (Cryptographic Services)
wuauserv (Windows update services)
BITS (Background intelligent transfer service)
WSService (Windows Store)
Unfortunately it is still not enough. Additionally, I tested the Windows Store Connectivity (The app is granted access too). Although I can browse online content in the store, the App-Updates do not work either. Maybe there is a common communication interface for both applications?
Thanks again! I guess we are getting closer to the solution.
Just a thought, you can test in clean boot mode to see what’s the result.
If this issue persists, I think we can review your windowsupdate.log to get more information.
Alex Zhao
TechNet Community Support
Thanks again for your support. I finally found the time to try your suggestion. I tried clean boot mode (all non-Windows services and startup programs deactivated) and even safe mode. It did not make any difference in clean boot mode, and in safe mode the update services are not even running and therefore cannot be tested.
I really think this issue can be solved with a simple firewall setting. It just may never have occurred before because most people do not limit outgoing traffic. As I said: If I create a rule for svchost.exe without any other limitations, it does work immediately.
My newest findings however are: If I create a rule for svchost.exe and check «only services» or «only app packages» it does not work. Even if I create general rules which allow all services or all app packages (without any limitation to svchost.exe), it does not work.
It looks like the problem lies somewhere inside the Windows firewall. It must be the way the Windows firewall handles services or the way the update services communicate with the internet. If I allow the svchost process, it works. If I allow all services running inside it, it does not work. I had hoped some developers at Microsoft would know how svchost and the firewall play together.
That’s really what a more securely set firewall ought to do well, isn’t it — block unwanted outbound connections while allowing wanted ones?
I have been considering setting «Outbound connections that do not match a rule are blocked » myself. But I wouldn’t want to do without Windows Updates.
I’m replying here mostly because I want to watch this thread; having posted in it, whenever there’s activity it will show up in my thread activity list.
Very interested to see the progress of this.
Are there really no other ideas how to get Windows Update working without allowing the whole svchost.exe?
I must admit that I am out of ideas right now. It seems completely irrelevant which services I allow. The only working option I found is allowing complete access for svchost.
At least I am not the only one who seems interested in the topic. Hopefully someone will find a solution for this.
Anyway: My thanks to all who have answered so far!
Same exact concerns/issue. Even if I could open svchost to a specific services/range of destination addresses, it would be helpful.
I am hit by the same issue. On Windows 7 it was clear what service needs to be opened to permit Windows Updates, with Windows 8.1 there is a problem.
Please specify the minimum set of options to make Windows Update under Windows 8.1 work.
The 4 services that have been listed above + Windows Store service are still not enough to let Windows Update work.
I’m having similar problems. My solution was to allow svchost.exe (apply to all programs and services) for TCP ports 80,443 and these IPs: 131.253.61.0/24 157.55.240.0/24 65.55.138.0/24 217.212.252.0/24 62.115.255.0/24 157.66.77.0/24
This should be enough for Windows Update and Windows Store. Of course they might change at any time, but they’re at least working as of today. I haven’t checked the blocks if they’re actually /24, but they’re sufficient for me.
It seems to be a bug in the firewall and has been around since the introduction of Windows 8. Hope MS would fix it.
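The address- and port-scoped svchost.exe rule from the reply above, written as PowerShell, as an added example that is not the poster's own script. It assumes Windows 8.1 or later and an elevated session; the rule name and the two helper functions are mine. The ranges are the six /24 blocks listed in the reply and, as the reply says, will drift over time. The rule is created disabled and the helpers open it only for a bounded update window, which is the manual enable/disable practice other posts in this thread describe; the last lines read the stored address filter back so you can see the scope the firewall actually holds.

```powershell
# Added example, not the poster's own script. Assumes Windows 8.1 or later (NetSecurity module)
# and an elevated session. Rule name and function names are mine.

$RuleName = 'Allow Windows Update (svchost, scoped)'

# The /24 ranges from the reply above. They are a point-in-time observation and will change.
$UpdateRanges = @(
    '131.253.61.0/24', '157.55.240.0/24', '65.55.138.0/24',
    '217.212.252.0/24', '62.115.255.0/24', '157.66.77.0/24'
)

function New-ScopedUpdateRule {
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $RuleName   # recreate rather than duplicate
    }
    # svchost.exe, any service, but only TCP 80/443 to the listed ranges; created disabled.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Program '%SystemRoot%\System32\svchost.exe' `
        -Protocol TCP -RemotePort 80, 443 `
        -RemoteAddress $UpdateRanges `
        -Enabled False | Out-Null
}

# Open the rule for a bounded window, then close it again whatever happens in between.
function Invoke-UpdateWindow {
    param([int]$Minutes = 15)
    Enable-NetFirewallRule -DisplayName $RuleName
    try {
        Write-Host "Rule '$RuleName' enabled for $Minutes minute(s); run Windows Update now."
        Start-Sleep -Seconds ($Minutes * 60)
    } finally {
        Disable-NetFirewallRule -DisplayName $RuleName
        Write-Host "Rule '$RuleName' disabled again."
    }
}

New-ScopedUpdateRule

# Read back the scope the firewall stored: remote addresses and ports.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, RemotePort

# Invoke-UpdateWindow -Minutes 15
```

When an update run fails with the rule enabled, re-run the firewall-log summary from earlier in this thread and compare the dropped /24 ranges against $UpdateRanges before widening anything; a range that only shows up during a manual "Check for updates" is a candidate for the list, one that appears at other times is not.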
Thanks for this good suggestion. IP-range settings seem the only usable fall-back solution there is. However, if I remember correctly there are loads of different update servers which are subject to natural changes (like moving to other ip-ranges etc.). They may also differ from region to region. So this solution may not prove as stable as a simple application or service based rule.
What bothers me most is that even on the official Microsoft Technet forum there is no one who can explain how such a rule can be created or why it is impossible. Are there no Microsoft developers out there who are willing to explain the changes made to the update services since Win7? Or is this really a firewall «bug»? Other rules for services like the time update W32Time seem to work just fine.
Yes, the IP ranges are likely to vary between the regions. I’m based in Northern Europe.
I agree with your second point. But it’s a common problem with big companies. The knowledge of first-line support is limited, and it’s difficult to get in touch with people with insight. There’s just too much demand for them.
Shibboleet (http://xkcd.com/806/, can’t post links yet).
Thanks for taking the time to post those IP ranges as they did work, and at least it lowers the security exposure. I had been enabling/disabling rule as needed because I was really concerned with that exposure and only updating once or twice a year because of that, but with those ranges all being class C I feel confident to leave that firewall rule enabled.
Just an FYI — I do pick up a virus every now and then, and when I do I want it to have problems sending my information back out. That is why I do use an outbound firewall.
Dan, a different strategy, not involving the firewall, for reducing virus exposure is to use the MVPS hosts file, which has the effect of locally resolving a rather large list of «bad» web site names to 0.0.0.0. In practical terms, this hammers most advertisements and if malware gets onto your computer and tries to reach its home base by accessing a site by name that name may well be in the list of «parasite» web sites.
It’s an idea worth considering. I use their hosts file.
Hi, I’m sorry I don’t have an answer for you, but I just wanted to say that I have the exact same problem. In Windows 7 I had a firewall rule for svchost.exe limited to Windows Update service, and that was enough. Since I don’t install new apps very often, blocking outbound traffic by default isn’t a big inconvenience at all.
It would have been ideal if Microsoft included a premade outbound rule for Windows Update.
I’ll keep watching this thread for updates.
Sadly it is pretty clear that this one is not a bug (an issue of this magnitude would never have gone through internal testing). I think that Microsoft just don’t want customers to limit what svchost does. Basically they are just saying either get your updates and send all the data we want or get nothing.
Also it is a security risk to allow svchost through without binding it to a service (or services) because any 3rd party program can use svchost to send data to the interwebs and override firewall rules.
One of Hewlett-Packard printer services behaves the same, and that’s on Windows 7 as well. Haven’t tested on Vista, but it wouldn’t surprise me that the same problem exists.
Windows 8 upgraded to 8.1 on a Gateway SX2370. Purchased Sep. 2013.
As of Dec. 28, 2014 I have not gotten ANY windows defender updates and windows update has not been working at all. When I go to my start screen and type «update» Windows update still shows in the list, only now when I click on it, it brings up a blank window and can only be closed by right clicking the tab on the taskbar. I cannot max or minimize the window either.
Up until Dec. 28th it was working perfectly, notifying me when updates were available, almost everyday for windows defender.
I have tried everything I could find to fix this, even a complete restore, with recovery media made for Win 8.1 and Win 8. Still no windows updates, of anything. To top it off as of Jan. 22, 2015 the Diagnostic Policy Service has stopped and I am denied access when I try restarting it.
Windows XP was great until MS stopped support. Vista sucked, near as bad as Millennium or 2000. I never tried Windows 7, instead going for Windows 8, being the most recent version when I could afford a new PC. Adapting to Win 8-8.1 was no easy task.
I’m not a tech guru, but I’ve owned & used Windows from DOS 6.0, ’95, ’98, ’98SE, Millennium, XP, XP Home & Pro (SP1-2 & 3) and still have the installation/restore CDs for all of them. Even taught myself how to write the recovery console directly from the hard drive of XP, OEM or full MS versions, without using the CDs & now I’m using Windows 8 — 8.1. Getting rid of the recovery console was a BIG mistake in my opinion.
At one time I had a multi-boot system of Win 95, 98, 98SE, Mill., XP Home SP2 and XP Pro SP3 on a 1.5 TB self-built system. Microsoft told me it was impossible, until I allowed two tech support reps remote access for 5 min. Which also led to me being blocked from most MS websites & suggestions Windows forums for 3 years.
But so far, this failure of windows updates and the Diagnostic policy Service in Windows 8.1 has got me stumped. Can ANYONE give me a quick simple way to correct this? Please?
Thanks for reading this and any help or suggestions anyone has to offer. GOD bless you all and my thanks to every military person, their families and veterans for my freedom.