I was wondering if you were aware of the following solution to the firewall being unable to identify the windows update service:

1. Create a copy (or hardlink) of svchost.exe, called e.g. wusvc.exe
2. Change ImagePath in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv to use wusvc.exe
3. Restart Windows Update Service, e.g. sc stop wuauserv then sc start wuauserv

Now you can whitelist wusvc.exe. This seems like it might be a better solution than having to maintain a list of IP ranges, and could be implemented in code easily.

Just wanted to make sure you knew about this.