Meraki

Community

How to block Windows Updates?

WarrenG
Getting noticed
‎Aug 25 2018 5:24 PM
‎Aug 25 2018 5:24 PM

How to block Windows Updates?

Sick and tired of Microsoft Server 2016 downloading Microsoft Updates and rebooting production servers whenever it damn well likes. Thinking of skipping trying to prevent this from the server itself, and just blocking access to those update servers at the firewall. Have an MX64 with the Advanced Security License - what is the best way to go about trying to block updates just for the server, while keeping them available for the desktops/laptops? My thinking is that whatever I use to block it on the router, I could just turn that off once a month when I choose to schedule the updates to be done.

0 Kudos
8 Replies 8
AjitKumar
Head in the Cloud
‎Aug 25 2018 7:16 PM
‎Aug 25 2018 7:16 PM

Hi Warren

As you said one option is to block at the server level itself
https://social.technet.microsoft.com/Forums/lync/en-US/d3a2694c-32da-4158-943a-81c2904ffb3d/disable-...

In case you want to do this at MX Level. I have the following suggestion.
You may create a Group Policy (Network-wide->Group Policies) and apply the policy on the desired servers (Network-wide->Clients). You may also create a schedule to apply the policy. 
 
In the Group Policy you may consider creating rules for
1. L7 Firewall -> Deny Software Updates

2. Blocked website categories->
    Business and Economy
    Computer and Internet Info

 

OR

Blocked Url patterns->
    windowsupdate.microsoft.com
    *.windowsupdate.microsoft.com
    *.update.microsoft.com
    *.windowsupdate.com
    download.windowsupdate.com
    download.microsoft.com
    *.download.windowsupdate.com
    wustat.windows.com
    ntservicepack.microsoft.com
    *.mp.microsoft.com

 

For complete information please check the following Url

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

Hope this helps.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
0 Kudos
In response to AjitKumar
WarrenG
Getting noticed
‎Aug 25 2018 7:32 PM
‎Aug 25 2018 7:32 PM

Thanks Ajit. Seems pretty straight forward - I will give this a try.

 

Is there a way to see what's actually blocked by the "Deny Software Updates" rule? Is there a list of URLs or something we can look at to see what actually gets blocked if we apply that rule? I'm trying to figure out if it will break any other software that I might want to continue updating or not.

 

Thanks again!

0 Kudos
In response to WarrenG
AjitKumar
Head in the Cloud
‎Aug 25 2018 8:30 PM
‎Aug 25 2018 8:30 PM

Hi Warren
I am not very sure. I believe the event logs shall capture this information.
Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
0 Kudos
In response to AjitKumar
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 26 2018 1:00 AM
‎Aug 26 2018 1:00 AM

I think it is a really bad idea to block Windows Updates ... you would be better off creating a group policy to change the servers to "prompt only" to do updates, rather than automatically download and install.  Security Updates are usually fairly important.

 

I think this layer 7 firewall rule might do it as well.

 

Screenshot from 2018-08-26 19-58-06.png

In response to PhilipDAth
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Aug 26 2018 2:06 PM
‎Aug 26 2018 2:06 PM

I agree with @PhilipDAth as annoying as they can be sometimes you are better to change the Windows update settings than stop them completely. Security updates help prevent things like ransomware and the last thing you want is a ransomware attack to happen on your watch because you blocked security updates. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to PhilipDAth
Donald1
Comes here often
‎Jun 3 2022 1:30 AM
‎Jun 3 2022 1:30 AM

hi Gents is there a way we can schedule the windows update to run at night instead of during the day  ?

0 Kudos
In response to Donald1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 3 2022 6:06 PM
‎Jun 3 2022 6:06 PM

There is probably a more sophisticated way of doing this - but this command line will make Windows scan for new updates, and then install them.  So you can run this using task scheduler whenever you want.

 

wuauclt /detectnow /updatenow
Donald1
Comes here often
‎Jun 5 2022 10:59 PM
‎Jun 5 2022 10:59 PM

thanks a lot big Bro

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.