Zero-day exploits (ZDE) are very difficult to defend against since they exploit unpatched vulnerabilities. Firewalls (port blocking, and ACLs) do not typically rely on vulnerability patching to enhance security posture, thus it is the correct answer. Windows Update will not necessarily help against ZDEs as patches are not available yet. Anti-virus (AV) also suffers from solutions not being available, though AV vendors may push out patches quicker than OS vendors. Advanced attackers also work to avoid AV. BIOS/UEFI passwords do not really impact ZDEs.
A zero-day (also known as zero-hour or 0-day) vulnerability is an undisclosed computer-software vulnerability that hackers can exploit to adversely affect computer programs, data, additional computers or a network.
It is known as a "zero-day" because it is not publicly reported or announced before becoming active, leaving the software's author with zero days in which to create patches or advise workarounds to mitigate its actions. In effect, zero time has passed since the exploitable bug's existence …