Windows Updates
=====================

To only allow Windows Updates you can use a DNS Network Object.
Create the Network Object with the following DNS Names:

- windowsupdate.microsoft.com (Exact Match)
- *.windowsupdate.microsoft.com (Direct Subdomains)
- *.update.microsoft.com (Direct Subdomains)
- *.windowsupdate.com (Direct Subdomains)
- download.windowsupdate.com (Exact Match)
- download.microsoft.com (Exact Match)
- *.download.windowsupdate.com (Direct Subdomains)
- wustat.windows.com (Exact Match)
- ntservicepack.microsoft.com (Exact Match)
- go.microsoft.com (Exact Match)
- dl.delivery.mp.microsoft.com (Exact Match)

You can use the Network Object in a Firewall Rule as Destination.
Please also make sure to disable IPS in the rule under the advanced settings.