Zero-day exploits (ZDE) are very difficult to defend against since they exploit unpatched vulnerabilities. Firewalls (port blocking, and ACLs) do not typically rely on vulnerability patching to enhance security posture, thus it is the correct answer. Windows Update will not necessarily help against ZDEs as patches are not available yet. Anti-virus (AV) also suffers from solutions not being available, though AV vendors may push out patches quicker than OS vendors. Advanced attackers also work to avoid AV. BIOS/UEFI passwords do not really impact ZDEs.
A zero-day (also known as 0-day) is a computer-software vulnerability either unknown to those who should be interested in its mitigation (including the vendor of the target software) or known and a patch has not been developed Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day software" was obtained by hacking into a developer's computer before release