Zero-day exploits (ZDE) are very difficult to defend against since they exploit unpatched vulnerabilities. Firewalls (port blocking, and ACLs) do not typically rely on vulnerability patching to enhance security posture, thus it is the correct answer. Windows Update will not necessarily help against ZDEs as patches are not available yet. Anti-virus (AV) also suffers from solutions not being available, though AV vendors may push out patches quicker than OS vendors. Advanced attackers also work to avoid AV. BIOS/UEFI passwords do not really impact ZDEs.
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software) Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day" software was software that had been obtained by hacking into a developer's computer before release