I have PCs on the shop floor that I block from accessing the internet using an ESET Cloud Protect policy. I need to allow the PCs to update ESET and Windows. The ESET bit is easy: just add the ESET update servers to the allow list in Web Access Protection.

On the Windows Update side, however, I found a list of Windows Update servers online and added all of these to the allow list, as well as allowing the services DoSvc and wuauserv to communicate through the firewall.

I can only assume that the Windows Update servers are many and varied and may change from time to time.

Anyone else tried and succeeded in this?

I tried ESET support and got this reply back:

"Thank you for contacting ESET Technical Support.

Unfortunately, the requirements for specific Windows features fall outside the remit of our support."

35 Spice ups

You could look into using a proxy server, where you configure your PCs to access the internet only through that server, then set up the server to allow specific URLs. You may also want to look into utilizing WSUS; it would fetch updates from an internal server rather than directly from Microsoft.

10 Spice ups

We are looking at ESET’s patch management and vulnerability functions just now rather than WSUS, as it brings a lot of things under the same window.

“set up the server to allow specific URLs” - this is the bit that is stumping me.

Windows updates seem to come from a vast array of different servers. I will see if I can find an up-to-date list and apply them to my exceptions rule in the policy.

2 Spice ups

Yes, and that list will change based on a great many things.

The best solutions you have already mentioned: use a WSUS server and allow access to it, or use third-party patch management products.

I do not think you would ever be able to list them all or be assured they will not change on the fly. This is why a great many firewalls pass all microsoft.com traffic (which is infinitely abusable); I do not advocate that.

6 Spice ups

This article is about WSUS, but it would apply to any other system that needs access to Windows Update: Step 2 - Configure WSUS | Microsoft Learn

I am surprised to hear ESET support thinks it’s not their problem to solve!

Here is a list:

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com
http://*.delivery.mp.microsoft.com
https://*.delivery.mp.microsoft.com

8 Spice ups
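To see what a list like this actually permits before putting it into a policy, here is an added audit script (my own example, not the poster's list tooling or anything from ESET). It replays constructed proxy-log URLs against the list above and reports which entry allowed each one and which entries were never used. The wildcard semantics are an assumption: a leading `*.` matches any subdomain (not the apex), and the scheme must match exactly; ESET's documented behaviour may differ.

```python
# Added example (not from the thread or from ESET): audit the allow list posted
# above against URLs a proxy log might show. "*." is assumed to match any subdomain.
ALLOW_LIST_TEXT = """
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com
http://*.delivery.mp.microsoft.com
https://*.delivery.mp.microsoft.com
"""
# Constructed sample URLs, as a proxy or firewall log might record them.
OBSERVED_URLS = [
    "http://download.windowsupdate.com/msdownload/update/kb.cab",
    "https://download.windowsupdate.com/msdownload/update/kb.cab",
    "http://fe2.update.microsoft.com/v6/ClientWebService/client.asmx",
    "https://go.microsoft.com/fwlink/?LinkId=1",
    "http://anything.at.all.windowsupdate.com/payload.bin",
]

def split_url(url):
    """Return (scheme, host) lower-cased; userinfo, port and path are dropped."""
    scheme, _, rest = url.strip().lower().partition("://")
    host = rest.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0]
    return scheme, host

def matching_rule(url, rules):
    """First allow-list entry that permits url, or None if it would be blocked."""
    scheme, host = split_url(url)
    for rule in rules:
        rule_scheme, pattern = split_url(rule)
        if pattern.startswith("*."):        # wildcard: any subdomain, not the apex
            ok = host.endswith(pattern[1:])
        else:
            ok = host == pattern
        if ok and rule_scheme == scheme:    # scheme must match too: http != https
            return rule
    return None

def audit(urls, rules):
    """Map each URL to the rule that allowed it (None = blocked) and list rules no URL used."""
    verdicts = {u: matching_rule(u, rules) for u in urls}
    return verdicts, [r for r in rules if r not in verdicts.values()]
```

Run against the sample URLs, the list blocks an https request to download.windowsupdate.com (only http is listed) while any http subdomain of windowsupdate.com passes, which is the kind of gap and over-breadth the later replies point out.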

So though I get this is a need, it is a need that is being attacked from the wrong angle IMHO, and will likely end in one of two places: misery or concession.

The problem with that is that the list is not comprehensive, especially depending on edition. If you search TechNet and other sources, you will find references to several others; then it can further depend on applications (Windows updates more than Windows itself) like forefrontdl.microsoft.com, or on CDNs / global load balancers like update.microsoft.com.akadns.net that are not directly MS servers.

A still not comprehensive list here for Windows 10.

And here for Windows 11.

As well as MS’s own statement: “The CDNs in use by Microsoft are always subject to change and in many cases there are multiple CDN partners configured in the event one is unavailable.”

What setting the above short list does, for instance, is open up many vectors for attack.
Example, one that I have personally used many times in pen testing: you need to get binary data onto a network through a less-than-permissive firewall.
Do a simple test connecting to common Microsoft domains that are likely configured with this specific purpose in mind (can be manual or automated).
Find a user-content-capable URL that resolves to one of the wildcards (since they are all backended by CDNs as well).
Make a seemingly innocuous post that contains a footer pretending to be something like a pubkey or PGP key in Base64 masquerading as a “certificate”.
Target the URL, it passes, regex out the content, reconstruct, and the firewall thinks you are doing updates.
Done right it can be done fully fileless, with a single line of PowerShell to execute of < 255 chars. (Can provide a working example, but previous attempts to do things like that tend to trip a no-no with the mods.)

Similar tactics work on many other blanket passes, like *facebook, *twitter, etc. BUT since updates are so broad and misunderstood, they seldom get audited that granularly. So while not an exclusive MS problem, the breadth of MS updates and the obscure content delivery pool make it a virtual impossibility to get into and get it consistently correct. Likewise, it is by far not a secret; there is malware that abuses this very fact as well.

So if you are in a position to need to get this granular on a firewall (which is what justifies this detail of why it likely will not work the way you think), then you are likely in a position to need better patch management or a central update server, as it lowers your egress potential to 1^vectors, not clients^vectors. And all of this does not even address the chatty Windows infrastructure outside of updates, or the fact that as client count grows there is more to an update server / patch management solution than security: hundreds of computers all pulling independent updates direct from the internet is a massive resource drain. So the list goes on and on and on.

3 Spice ups

Not sure on the exacts, but if Group Policy is in use then you could create an OU specifically for the shop floor workstations and allow updates there. The state agency I work for now has it set to default to allowing updates for user workstations but blocking updates to instrument workstations, since vendor-specific software is dependent on what version of Windows is being run. Just a thought/option.

2 Spice ups

Use a local WSUS server and escalate the issue to ESET’s senior management.

6 Spice ups

@chrisdavis8 That is a good solution for a lot of use cases, but it manipulates the client’s tendency to check/process, not the firewall’s permission to allow it to pass. And it implies they have internet access, where the OP said they did not and were trying to open it for this purpose specifically.

Good point - offering options isn’t my best suit when I’m only on coffee cup #1

Oh, it’s still a good suggestion if the OP decides the way they are attacking this is not the way they eventually want to go. I cannot count the times I came to the table with a determined question and left with an alternate solution! :slight_smile:

Another possibility is to use PDQ Deploy to push out the monthly security updates along with any other program updates you need. You can monitor computers to make sure they are up to date with PDQ Inventory. These programs sure have made my life easier.

3 Spice ups

That would work, @christianrickman. I’ve included an article on using our products on air-gapped networks and on installing updates with PDQ Deploy. Hope that helps!

2 Spice ups

I’ll upvote that!
We love our PDQ, likely the most used admin tool we employ.

2 Spice ups

So in summary:

I would be fighting a losing battle trying to make exceptions in my ESET firewall to allow Windows updates. I think WSUS is probably the way to go.

Thanks for all your suggestions.

1 Spice up

Hi, I had similar woes with shop floor PCs. You may also find that without WSUS, even if you got the firewall to allow updates, the PC users on the shop floor won’t have rights to install them. It’s a PITA; basically you are forced into using WSUS. But should the users have admin rights, then the easiest solution would be to put the block policy on a schedule, so that at weekends there is internet access and updates could happen. Haven’t done this myself; the scrotes on the shop floor would probably be mining crypto all night if they had admin rights.

“the scrotes on the shop floor”

BigPercy - so you have met the shop floor workers at my place :slight_smile:

Unfortunately we are pretty much 24/7, so there is no quiet time to allow internet access.

At the moment, I move the PC from a policy in ESET that blocks internet access to one that allows it, connect to the PC via TightVNC and run the updates.

The PCs are solely used for time recording, so I can safely connect without upsetting anyone.

2 Spice ups

Attached is a list I’ve used with ESET and it seems to work. You should be able to import it into ESET.

880d73f7-f3fb-4958-90c9-41510adccf88-export.txt (723 Bytes)

1 Spice up

I think from all the comments etc., WSUS is the correct solution for you here; it takes any requirement for the endpoints to connect to the internet out of the picture.

1 Spice up

This is exactly what we do in the same situation. When dealing with vendors I enjoy seeing the reaction to the information that I manage more computers that have zero internet access than ones that do.