How to block Windows Updates?

WarrenG
Getting noticed

How to block Windows Updates?

Sick and tired of Microsoft Server 2016 downloading Microsoft Updates and rebooting production servers whenever it damn well likes. Thinking of skipping trying to prevent this from the server itself, and just blocking access to those update servers at the firewall. Have an MX64 with the Advanced Security License - what is the best way to go about trying to block updates just for the server, while keeping them available for the desktops/laptops? My thinking is that whatever I use to block it on the router, I could just turn that off once a month when I choose to schedule the updates to be done.

8 REPLIES 8
AjitKumar
Head in the Cloud

Hi Warren

As you said one option is to block at the server level itself
https://social.technet.microsoft.com/Forums/lync/en-US/d3a2694c-32da-4158-943a-81c2904ffb3d/disable-...

In case you want to do this at MX Level. I have the following suggestion.
You may create a Group Policy (Network-wide->Group Policies) and apply the policy on the desired servers (Network-wide->Clients). You may also create a schedule to apply the policy. 
 
In the Group Policy you may consider creating rules for
1. L7 Firewall -> Deny Software Updates

2. Blocked website categories->
    Business and Economy
    Computer and Internet Info

 

OR

Blocked Url patterns->
    windowsupdate.microsoft.com
    *.windowsupdate.microsoft.com
    *.update.microsoft.com
    *.windowsupdate.com
    download.windowsupdate.com
    download.microsoft.com
    *.download.windowsupdate.com
    wustat.windows.com
    ntservicepack.microsoft.com
    *.mp.microsoft.com

 

For complete information please check the following Url

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

Hope this helps.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network

Thanks Ajit. Seems pretty straight forward - I will give this a try.

 

Is there a way to see what's actually blocked by the "Deny Software Updates" rule? Is there a list of URLs or something we can look at to see what actually gets blocked if we apply that rule? I'm trying to figure out if it will break any other software that I might want to continue updating or not.

 

Thanks again!

AjitKumar
Head in the Cloud

Hi Warren
I am not very sure. I believe the event logs shall capture this information.
Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network

I think it is a really bad idea to block Windows Updates ... you would be better off creating a group policy to change the servers to "prompt only" to do updates, rather than automatically download and install.  Security Updates are usually fairly important.

 

I think this layer 7 firewall rule might do it as well.

 

Screenshot from 2018-08-26 19-58-06.png

I agree with @PhilipDAth as annoying as they can be sometimes you are better to change the Windows update settings than stop them completely. Security updates help prevent things like ransomware and the last thing you want is a ransomware attack to happen on your watch because you blocked security updates. 

hi Gents is there a way we can schedule the windows update to run at night instead of during the day  ?

PhilipDAth
Kind of a big deal
Kind of a big deal

There is probably a more sophisticated way of doing this - but this command line will make Windows scan for new updates, and then install them.  So you can run this using task scheduler whenever you want.

 

wuauclt /detectnow /updatenow
Donald1
Comes here often

thanks a lot big Bro

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels