How to block Windows Updates?

Sick and tired of Microsoft Server 2016 downloading Microsoft Updates and rebooting production servers whenever it damn well likes. Thinking of skipping trying to prevent this from the server itself, and just blocking access to those update servers at the firewall. Have an MX64 with the Advanced Security License - what is the best way to go about trying to block updates just for the server, while keeping them available for the desktops/laptops? My thinking is that whatever I use to block it on the router, I could just turn that off once a month when I choose to schedule the updates to be done.


Re: How to block Windows Updates?

Hi Warren

As you said, one option is to block at the server level itself:
https://social.technet.microsoft.com/Forums/lync/en-US/d3a2694c-32da-4158-943a-81c2904ffb3d/disable-...

In case you want to do this at the MX level, I have the following suggestion.
You may create a Group Policy (Network-wide->Group Policies) and apply the policy on the desired servers (Network-wide->Clients). You may also create a schedule to apply the policy. 

In the Group Policy you may consider creating rules for:

1. L7 Firewall -> Deny Software Updates

2. Blocked website categories ->
    Business and Economy
    Computer and Internet Info

OR

Blocked URL patterns ->
    windowsupdate.microsoft.com
    *.windowsupdate.microsoft.com
    *.update.microsoft.com
    *.windowsupdate.com
    download.windowsupdate.com
    download.microsoft.com
    *.download.windowsupdate.com
    wustat.windows.com
    ntservicepack.microsoft.com
    *.mp.microsoft.com

For complete information, please check the following URL:

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

Hope this helps.

Regards
Ajit
ajitsnw@gmail.com

Re: How to block Windows Updates?

Thanks Ajit. Seems pretty straightforward - I will give this a try.

 

Is there a way to see what's actually blocked by the "Deny Software Updates" rule? Is there a list of URLs or something we can look at to see what actually gets blocked if we apply that rule? I'm trying to figure out if it will break any other software that I might want to continue updating or not.

 

Thanks again!


Re: How to block Windows Updates?

Hi Warren
I am not very sure. I believe the event logs shall capture this information.
Regards
Ajit
ajitsnw@gmail.com

Re: How to block Windows Updates?

I think it is a really bad idea to block Windows Updates ... you would be better off creating a group policy to change the servers to "prompt only" to do updates, rather than automatically download and install.  Security Updates are usually fairly important.

 

I think this layer 7 firewall rule might do it as well.

 

Screenshot from 2018-08-26 19-58-06.png


Re: How to block Windows Updates?

I agree with @PhilipDAth. As annoying as they can be sometimes, you are better to change the Windows update settings than stop them completely. Security updates help prevent things like ransomware, and the last thing you want is a ransomware attack to happen on your watch because you blocked security updates.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
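
An added example, not part of the original thread and not written by any of the posters: a PowerShell script for the "prompt only" approach suggested in the last two replies, setting the registry values behind the "Configure Automatic Updates" policy on one server and reporting the result along with the age of the newest installed hotfix. The function names are hypothetical, and a domain Group Policy that configures the same setting will overwrite these local values on refresh.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Function names are hypothetical.
# Registry location of the "Configure Automatic Updates" policy values.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of the AUOptions values used by that policy.
$AuOptionNames = @{
    2 = 'Notify before download and install'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
}

function Set-NotifyOnlyUpdatePolicy {
    # Create the key only if missing, so existing policy values are kept.
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    # NoAutoUpdate = 0 leaves the update client enabled.
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    # AUOptions = 2: nothing is downloaded or installed without a prompt.
    Set-ItemProperty -Path $AuKey -Name AUOptions -Value 2 -Type DWord
}

function Get-UpdatePolicyReport {
    $p = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    # Newest hotfix with a known install date, to show how stale patching is.
    $newest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn | Select-Object -Last 1
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        AutoUpdateDisabled  = ($p.NoAutoUpdate -eq 1)
        AUOptions           = $p.AUOptions
        Meaning             = if ($p.AUOptions) { $AuOptionNames[[int]$p.AUOptions] }
                              else { 'Not configured by policy' }
        LastHotfix          = $newest.HotFixID
        DaysSinceLastHotfix = if ($newest) { ((Get-Date) - $newest.InstalledOn).Days }
                              else { $null }
    }
}

Set-NotifyOnlyUpdatePolicy
Get-UpdatePolicyReport | Format-List
```

Running `Get-UpdatePolicyReport` on its own, without the `Set-` call, shows the current state without changing anything, which makes it usable as a periodic check that servers on a manual schedule are still being patched.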