Firewall Rules for Windows Updates: Required Hostnames and Ports for Secure WSUS Access


When configuring firewall rules for Windows Update servers, we need to consider both Microsoft's public Windows Update endpoints and any internal WSUS (Windows Server Update Services) infrastructure. The minimal required access should cover authentication, update metadata, and actual content delivery.

These are the critical endpoints that must be accessible through your firewall:

# Required FQDNs and ports:
*.update.microsoft.com:443
*.delivery.mp.microsoft.com:443
*.windowsupdate.com:443
*.download.windowsupdate.com:80,443
*.windowsupdate.microsoft.com:443
*.prod.do.dsp.mp.microsoft.com:443
*.dl.delivery.mp.microsoft.com:443
ctldl.windowsupdate.com:80,443

If you're using WSUS in your environment, these endpoints become necessary:

# WSUS-specific endpoints
<your-wsus-server-fqdn>:8530,8531
*.microsoft.com:443  # For certificate revocation checks

Here's a script to verify connectivity to essential endpoints:

function Test-WindowsUpdateConnectivity {
    $endpoints = @(
        "update.microsoft.com",
        "download.windowsupdate.com",
        "windowsupdate.microsoft.com",
        "ctldl.windowsupdate.com"
    )
    
    foreach ($endpoint in $endpoints) {
        try {
            $result = Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet
            [PSCustomObject]@{
                Endpoint = $endpoint
                Port = 443
                Accessible = $result
            }
        } catch {
            Write-Warning "Failed to test $endpoint"
        }
    }
}

Test-WindowsUpdateConnectivity | Format-Table -AutoSize

For Windows Firewall, you can create rules using PowerShell:

# Create outbound firewall rules for Windows Update
$ruleParams = @{
    DisplayName = "Allow Windows Update HTTPS"
    Direction = "Outbound"
    Action = "Allow"
    Protocol = "TCP"
    RemotePort = "443"
    Program = "System"
    Enabled = "True"
}

New-NetFirewallRule @ruleParams

# Additional rule for HTTP fallback
$ruleParams.RemotePort = "80"
$ruleParams.DisplayName = "Allow Windows Update HTTP"
New-NetFirewallRule @ruleParams
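As an added example (not code from the original page), here is the same outbound allow rewritten so it is bound to the services that actually carry update traffic (wuauserv, DoSvc, BITS), grouped for auditing, and, for WSUS, scoped to the server address; the WSUS address is a constructed placeholder. A host firewall cannot match on FQDN, so these rules limit which service may reach 80/443 and leave the hostname allow-list to the proxy or perimeter; they only have an effect when the profile's default outbound action is Block.

```powershell
# Added example: service-scoped, grouped Windows Update egress rules (not from the original page)
$group      = "Windows Update (managed)"
$wsusServer = "10.0.0.25"   # constructed placeholder: replace with your WSUS server address

# Remove earlier rules in the group so the script can be re-run without creating duplicates
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Services that carry update traffic: Windows Update, Delivery Optimization, BITS
$services = @("wuauserv", "DoSvc", "BITS")
foreach ($svc in $services) {
    # Public Microsoft endpoints: any address, but only this service, only 80/443
    New-NetFirewallRule -DisplayName "Allow $svc to Windows Update (80/443)" -Group $group `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80,443 `
        -Service $svc -Profile Domain,Private | Out-Null

    # WSUS: a host firewall can filter by IP, so pin the rule to the WSUS server
    New-NetFirewallRule -DisplayName "Allow $svc to WSUS (8530/8531)" -Group $group `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 8530,8531 `
        -RemoteAddress $wsusServer -Service $svc -Profile Domain | Out-Null
}

# Verify what was created: each rule with its effective port and address filters
Get-NetFirewallRule -Group $group | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    [PSCustomObject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        RemotePort = $portFilter.RemotePort -join ','
        RemoteAddr = $addrFilter.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```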

If updates fail despite correct firewall rules:

  • Verify DNS resolution for all endpoints
  • Check for SSL inspection/interception by security appliances
  • Validate system time and time zone settings
  • Review Windows Update logs with Get-WindowsUpdateLog
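The connectivity script above only probes port 443; as an added example (not from the original page) the following extends it to the host:port[,port] form of the endpoint lists, covering the first two checklist items: it records whether each name resolves, tests every listed port, and on TLS ports reads the issuer of the certificate actually presented, which is how SSL inspection by a security appliance shows up. The WSUS entry is a constructed placeholder, and the "expected issuer" pattern is an assumption to adjust against what an uninspected network shows.

```powershell
# Added example (not from the original page). Entries follow the host:port[,port] lists above;
# a leading "*." is dropped because a wildcard itself cannot be probed.
$endpointList = @(
    "*.update.microsoft.com:443",
    "*.download.windowsupdate.com:80,443",
    "ctldl.windowsupdate.com:80,443",
    "wsus.corp.example:8530,8531"    # constructed placeholder for <your-wsus-server-fqdn>
)

function Get-TlsIssuer {
    param([string]$HostName, [int]$Port)
    # Completes a handshake and returns the issuer of the certificate the client receives.
    # The callback accepts any certificate on purpose: we want to see it, not trust it.
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.Issuer
    } finally { $client.Dispose() }
}

function Test-UpdateEndpoint {
    param([string]$Entry)
    $name, $ports = $Entry.Split(':')
    $name = $name -replace '^\*\.', ''
    try { $addresses = [System.Net.Dns]::GetHostAddresses($name).IPAddressToString -join ',' }
    catch { $addresses = $null }                  # DNS failure: first item in the checklist above
    foreach ($port in ($ports.Split(',') | ForEach-Object { [int]$_ })) {
        $tcp = Test-NetConnection -ComputerName $name -Port $port -InformationLevel Quiet `
                                  -WarningAction SilentlyContinue
        $issuer = $null
        if ($tcp -and (@(443, 8531) -contains $port)) {
            try { $issuer = Get-TlsIssuer -HostName $name -Port $port }
            catch { $issuer = "handshake failed: $($_.Exception.Message)" }
        }
        [PSCustomObject]@{
            Endpoint    = $name
            Port        = $port
            DnsResolves = [bool]$addresses
            Addresses   = $addresses
            TcpOpen     = $tcp
            TlsIssuer   = $issuer
            # Assumed expected issuers for Microsoft's public hosts; another issuer on 443 usually
            # means an inspecting proxy re-signs the traffic. WSUS (8531) uses your own CA.
            Intercepted = $(if ($issuer -and $port -eq 443) { $issuer -notmatch 'Microsoft|DigiCert' } else { $null })
        }
    }
}
$endpointList | ForEach-Object { Test-UpdateEndpoint $_ } | Format-Table -AutoSize
```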

For Windows servers to receive updates through WSUS or Microsoft Update, these are the critical endpoints that must be accessible:

*.update.microsoft.com:443 (Primary update service)
*.delivery.mp.microsoft.com:443 (Content delivery network)
*.download.windowsupdate.com:80/443 (Update binaries)
*.windowsupdate.com:80/443 (Legacy update system)
*.prod.do.dsp.mp.microsoft.com:443 (Delivery optimization)
*.dl.delivery.mp.microsoft.com:443 (Additional CDN path)
*.windowsupdate.microsoft.com:443 (Fallback endpoint)
tsfe.trafficshaping.dsp.mp.microsoft.com:443 (Traffic management)

If you're using WSUS in an enterprise environment, the firewall requirements differ:

WSUS_SERVER_FQDN:8530 (HTTP for WSUS)
WSUS_SERVER_FQDN:8531 (HTTPS for WSUS)
*.blob.core.windows.net:443 (For Azure-hosted WSUS)
*.azureedge.net:443 (Azure CDN for updates)

Here's a script to verify connectivity to critical endpoints:

$endpoints = @(
    "update.microsoft.com",
    "download.windowsupdate.com",
    "delivery.mp.microsoft.com"
)

foreach ($endpoint in $endpoints) {
    try {
        $test = Test-NetConnection -ComputerName $endpoint -Port 443
        # ${endpoint} is required here: "$endpoint:443" is parsed as a variable named "443"
        # in the "endpoint:" scope and expands to an empty string.
        if ($test.TcpTestSucceeded) {
            Write-Host "${endpoint}:443 - SUCCESS" -ForegroundColor Green
        } else {
            Write-Host "${endpoint}:443 - FAILED" -ForegroundColor Red
        }
    } catch {
        Write-Host "${endpoint}:443 - ERROR: $_" -ForegroundColor Yellow
    }
}

When debugging update failures, use this Wireshark display filter to monitor Windows Update traffic:

(dns.qry.name contains "update.microsoft.com" || 
 dns.qry.name contains "windowsupdate.com" || 
 dns.qry.name contains "delivery.mp.microsoft.com") || 
(tcp.port == 443 && (ip.dst == 40.67.0.0/16 || ip.dst == 52.184.0.0/17))

For Azure environments, here's an ARM template snippet for NSG rules:

{
  "name": "AllowWindowsUpdates",
  "properties": {
    "protocol": "Tcp",
    "sourcePortRange": "*",
    "destinationPortRanges": ["80", "443"],
    "sourceAddressPrefix": "*",
    "destinationAddressPrefixes": [
      "40.67.0.0/16",
      "52.184.0.0/17",
      "104.40.0.0/13"
    ],
    "access": "Allow",
    "priority": 200,
    "direction": "Outbound"
  }
}

For environments using Microsoft's government cloud services or disconnected WSUS:

# For DoD networks:
*.update.microsoft.azure.us:443
*.download.microsoft.azure.us:80/443

# Export-Import WSUS PowerShell commands:
Export-WsusContent -ContentPath C:\WSUS_Export -UpdateApproval All
Import-WsusContent -ContentPath C:\WSUS_Import

This SQL query helps monitor update success rates in WSUS databases:

SELECT 
    COUNT(*) as TotalComputers,
    SUM(CASE WHEN LastReportedStatus = 2 THEN 1 ELSE 0 END) as UpToDate,
    SUM(CASE WHEN LastReportedStatus = 3 THEN 1 ELSE 0 END) as NeededUpdates,
    SUM(CASE WHEN LastReportedStatus IS NULL THEN 1 ELSE 0 END) as NeverReported
FROM 
    tbComputerTarget