22.1. Windows Updates

To only allow Windows Updates you can use a DNS Network Object. Create the Network Object with the following DNS Names:

• windowsupdate.microsoft.com (Exact Match)

• *.windowsupdate.microsoft.com (Direct Subdomains)

• *.update.microsoft.com (Direct Subdomains)

• *.windowsupdate.com (Direct Subdomains)

• download.windowsupdate.com (Exact Match)

• download.microsoft.com (Exact Match)

• *.download.windowsupdate.com (Direct Subdomains)

• wustat.windows.com (Exact Match)

• ntservicepack.microsoft.com (Exact Match)

• go.microsoft.com (Exact Match)

• dl.delivery.mp.microsoft.com (Exact Match)

You can use the Network Object in a Firewall Rule as Destination. Please also make sure to disable IPS in the rule under the advanced settings.