diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
index 27e2448f..cb4a9d03 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
@@ -533,22 +533,12 @@ resource azureFirewallResource 'Microsoft.Network/azureFirewalls@2024-05-01' = {
           }
           rules: [
             {
-              name: 'all-internet'
-              protocols: [
-                {
-                  protocolType: 'Http'
-                  port: 80
-                }
-                {
-                  protocolType: 'Https'
-                  port: 443
-                }
-              ]
-              targetFqdns: [
-                '*'
+              name: 'windows-update'
+              fqdnTags: [
+                'WindowsUpdate'
               ]
               sourceAddresses: [
-                '*'
+                spokeNetwork.addressPrefix
               ]
             }
           ]
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
index 8cb3aed7..e19726a5 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
@@ -628,22 +628,12 @@
                             },
                             "rules": [
                                 {
-                                    "name": "all-internet",
-                                    "protocols": [
-                                        {
-                                            "protocolType": "Http",
-                                            "port": 80
-                                        },
-                                        {
-                                            "protocolType": "Https",
-                                            "port": 443
-                                        }
-                                    ],
-                                    "targetFqdns": [
-                                        "*"
+                                    "name": "windows-update",
+                                    "fqdnTags": [
+                                        "WindowsUpdate"
                                     ],
                                     "sourceAddresses": [
-                                        "*"
+                                        "[parameters('spokeNetwork').addressPrefix]"
                                     ]
                                 }
                             ]