Sick and tired of Microsoft Server 2016 downloading Microsoft Updates and rebooting production servers whenever it damn well likes. Thinking of skipping trying to prevent this from the server itself, and just blocking access to those update servers at the firewall. Have an MX64 with the Advanced Security License - what is the best way to go about trying to block updates just for the server, while keeping them available for the desktops/laptops? My thinking is that whatever I use to block it on the router, I could just turn that off once a month when I choose to schedule the updates to be done.
Hi Warren
As you said one option is to block at the server level itself
https://social.technet.microsoft.com/Forums/lync/en-US/d3a2694c-32da-4158-943a-81c2904ffb3d/disable-...
In case you want to do this at MX Level. I have the following suggestion.
You may create a Group Policy (Network-wide->Group Policies) and apply the policy on the desired servers (Network-wide->Clients). You may also create a schedule to apply the policy.
In the Group Policy you may consider creating rules for
1. L7 Firewall -> Deny Software Updates
2. Blocked website categories->
Business and Economy
Computer and Internet Info
OR
Blocked Url patterns->
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
download.windowsupdate.com
download.microsoft.com
*.download.windowsupdate.com
wustat.windows.com
ntservicepack.microsoft.com
*.mp.microsoft.com
For complete information please check the following Url
Hope this helps.
Thanks Ajit. Seems pretty straight forward - I will give this a try.
Is there a way to see what's actually blocked by the "Deny Software Updates" rule? Is there a list of URLs or something we can look at to see what actually gets blocked if we apply that rule? I'm trying to figure out if it will break any other software that I might want to continue updating or not.
Thanks again!
I think it is a really bad idea to block Windows Updates ... you would be better off creating a group policy to change the servers to "prompt only" to do updates, rather than automatically download and install. Security Updates are usually fairly important.
I think this layer 7 firewall rule might do it as well.
I agree with @PhilipDAth as annoying as they can be sometimes you are better to change the Windows update settings than stop them completely. Security updates help prevent things like ransomware and the last thing you want is a ransomware attack to happen on your watch because you blocked security updates.
hi Gents is there a way we can schedule the windows update to run at night instead of during the day ?
There is probably a more sophisticated way of doing this - but this command line will make Windows scan for new updates, and then install them. So you can run this using task scheduler whenever you want.
wuauclt /detectnow /updatenow
thanks a lot big Bro