Blocking Windows Update via Router


Recommended Posts

Hi guys,

We've got a bit of an issue at the moment, we're using DeepFreeze to lock down our PCs on the call floor, the issue is that they're all redownloading Windows Updates automatically every morning. Now I'm going to go around and disable this so we can manually do it once every few months but immediately we need to have Windows Update blocked as our internet connection is barely functioning right now.

Can anyone tell me what Domains / Ports etc Windows Update on Windows XP uses?

Thanks

Chris

Link to comment
https://www.neowin.net/forum/topic/984862-blocking-windows-update-via-router/
Share on other sites

i believe update.microsoft.com is the hostname of the windows update servers, not sure about the port though, leme see if i can track it down (Y)

edit: windows update services use port 80 and 443, lol

http://technet.microsoft.com/en-us/library/bb490846.aspx

Windows update uses the following DNS for updates;

update.microsoft.com

windowsupdate.microsoft.com

you could block these at the firewall if your router supports DNS blocking that would be the simple option i guess.

If you have a Windows Server you could implement a group policy?

EDIT: Riggers beat me to it

Hey guys,

Blocking those two hostnames seams to have done the job for now, well enough at least. I'll update these PCs manually in a few weeks then disable Windows Update on them.

Which group policy are you guys talking about?

They're hooked up to a Server 2008 R2 Domain Controller.

Through Group policy you can control Windows Update, ideally you would do this with WSUS (free) to give you a centralized control of updates allowing you to control what does and what does not get installed

Then when you want to apply an update you OK it in WSUS and all the machines will download it per the scheduling you have already laid out

  On 24/03/2011 at 14:23, Teebor said:

Through Group policy you can control Windows Update, ideally you would do this with WSUS (free) to give you a centralized control of updates allowing you to control what does and what does not get installed

Then when you want to apply an update you OK it in WSUS and all the machines will download it per the scheduling you have already laid out

This, also you can have deepfreeze thaw during a scheduled time period so that updates can be applied. Say between 3am to 5am on thrusdays for example (a time that usually no one is working).

Yeah, controlling Windows Update via Group Policy isn't really worth it, nor is WSUS, When we move to a Windows Multipoint Server base or move from XP to 7 then I'll worry about such things. These machines are used for a basic Java app and nothing else, so updates are barely important, they're even firewalled off from 99.9% of the web.

I'll just let them be and disable automatic updates soon as I get time.

Spending time fixing up PCs from the dark ages isn't my concern, ensuring it doesn't affect the productivity of the office is my concern. lol.

  On 24/03/2011 at 15:59, Vegetunks said:

Yeah, controlling Windows Update via Group Policy isn't really worth it, nor is WSUS, When we move to a Windows Multipoint Server base or move from XP to 7 then I'll worry about such things. These machines are used for a basic Java app and nothing else, so updates are barely important, they're even firewalled off from 99.9% of the web.

I'll just let them be and disable automatic updates soon as I get time.

Spending time fixing up PCs from the dark ages isn't my concern, ensuring it doesn't affect the productivity of the office is my concern. lol.

30 min gets you wsus and the appropriate group policies in place (even to disable windows updates for those specific machines, this would take 5 min if you have a domain). Dunno how it isnt worth it. Dunno how WSUS isn't worth free.

computer configuration

admin templates

windows components

windows update

Configure automatic updates

"If the status is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, go to http://windowsupdate.microsoft.com or click Start, click Programs (or click All Programs), and then click Windows Update."

This is a computer setting so it applies only to computers, add the computers that you want to apply this gpo to not the users within the group policy management console in active directory.

On the Domain Controller, Start, Administrative tools, Group Policy Management Console.

Make a new group policy under the main domain name, edit the policy. I will provide screen shots in my next post, I will start getting them done now.

when you are in the group policy management console, you single click on the policy on right it displays scope tab, at the bottom of the scope tab there is security filtering. add computers in there. You will have to modify the object type to include computers to be able to add them.

then on a computer that is going to be effected by the group policy you can force it to apply by going to a command prompt and typing in:

gpupdate

to verify that this has been applied you can either use the gpresults command or going to start run rsop.msc and navigating to the windows update section. All pcs will follow suit within 15-45 min, you may want to schedule a one time thaw so that these updates can take place and be in there always, even after a reboot.

Very powerful the group policies are, I would suggest making group policies as granular as possible. They can really lock down a computer. The computer configuration section applies to computers, the user configuration section applies to users. If you change something to the computer configuration and try to apply that to users it will will not apply and if you change something in the user configuration and have that apply to computers it will not apply.

You can make groups and apply policies to groups (you can put computers in a group).

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Is it though?  I built a new rig a few months ago and it was literally impossible to get one without RGB, but within 10 minutes of setting it up, I turned all that crap off.  It was REALLY distracting, and who needs additional heat INSIDE a PC? It's popular on YouTube for sure, it's neat looking and whatnot, but it's about as practical as a coffee cup with a hole in it. As for the price, a non-enthusiast would just see something priced way above what they can get from a retailer brand new...
    • RollBack Rx Pro 12.9 Build 2710971022 by Razvan Serea RollBack Rx is a robust system restore utility that enables home users and IT professionals to easily restore a PC to a time before certain events occurred. In essence, it turns your PC into a Instant Time Machine. Regardless of what happens to your PC your can quickly and easily restore your PC to a previous time. Making it easy to rescue you from any PC disaster - saving time, money and PC trouble. Windows System Restore only restores Windows system files and some program files. In addition, if Windows crashes to a point were Windows itself can not boot up (ie. BSOD*) you would not be able to access your Windows System Restore points. In contrast, the RollBack Rx technology works at the sector level of the hard drive and restores everything! - right down to the last byte of data. It sits below Windows. So even if Windows crashes, there’s a sub-console (mini OS) that boots prior to windows. This allows you to access Rollback Rx and go back to a point in time when your system was working trouble-free. Key Features Go back to any previous point in time within seconds. Go back minutes, hours, days, weeks, or even months to any previous snapshot. Does not affect computer performance, uses minimal system resources. Supports unlimited snapshots. Creates a complete system snapshot without having to restart the system. Reverse any system crash within seconds (even if Windows cannot startup). Back out of any failed program, OS updates, and botched updates. Recover from any malware or virus attack within seconds. Works with VMWare and Virtual Machines, both as a host or within the virtual machine as a client. Supports Multi-boot, Multi OS workstations. Lock snapshots to prevent deletion. Intuitive GUI based snapshot manager. Explore, browse, and retrieve files and folders from any snapshot. Drag and drop them into your active system. Roll backwards as well as forwards to any available system snapshot. Allows users to safely test any software. Fast, 100% complete uninstaller. Retrieve files from a crashed PC, even if Windows cannot boot. Access control – manage levels of multiple user and administrative privileges. Automatically schedule snapshots to be taken on a fixed schedule or upon execution of specific files (ie. setup.exe) as well as manually. 256 bit AES snapshot encryption. Prevent unauthorized data theft in case of a stolen laptop. Group Management and Enterprise Network Administration Control (FREE utility). Comes with Stealth Mode where you can hide the RollBack Rx tray icon and splash screen (seen during bootup) Change the startup hotkey for sub-console access (default is HOME). Built-in snapshot defragmenter which will optimize system resources and recover free space. Option to keep files and folders unchanged when you roll-back. Advanced setup configuration wizard for system administrators which will set deployment options and predefined RollBack Rx settings. Offers detailed program operation logging. Supports all industry-standard deployment options including silent installations and pre-installation configuration. Explore RollBack Rx Pro with a 14-day trial, fully functional on Windows 11, 10, 8, and Windows 7 SP1** (32 and 64-bit). RollBack Rx Pro 12.9 Build 2710971022 changelog: General Add PnpLockdown in shieldm.inf Fix registry exclusion problem in Windows 11 24H2 release Add detailed logging for file filter driver Add detailed logging for Windows update Add time stamp to kernel drivers Change kernel driver and Win32 IRP structure Other small bug fixes / typos reported through tech support Endpoint Manager Add client report dashboard Add sound effect when receiving a EPM message. Keep EPM message history Fix bug that oversized Windows symbol files cannot be downloaded Download: RollBack Rx Pro 12.9 | 61.0 MB (Shareware) View: RollBack Rx Home Page Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Universal Media Server 14.12.1 by Razvan Serea Universal Media Server is a DLNA-compliant UPnP Media Server. UMS was started by SubJunk, an official developer of PMS, in order to ensure greater stability and file-compatibility. The program streams or transcodes many different media formats with little or no configuration. It is powered by MEncoder, FFmpeg, tsMuxeR, AviSynth, MediaInfo and more, which combine to offer support for a wide range of media formats. Because it is written in Java, Universal Media Server supports all major operating systems, with versions for Windows, Linux and Mac OS X. To see a comparison of popular media servers, click here. Universal Media Server 14.12.1 changelog: General Added status page to readme Fixed videos not being marked as fully played (#5373) (thanks, @Fredo1650!) Fixed adding YouTube channels from handle URLs (URLs with @ in them) Fixed handling special characters on Linux (#5100) (thanks, @LaTeteDansLesEtoiles!) Fixed directory browsing crash (#5189) (thanks, @jt-gilkeson!) Fixed FFmpeg on Linux x86_64 and arm64 (#5465) (thanks, @KanjiMonster!) Fixed logspam like "Could not hydrate device or its services from descriptor" (#5292) (thanks, MTOakey!) Fixed broken YouTube video playback Fixed web interface E2E testing on CI using outdated code because of overeager caching Fixed broken video playback when burning subtitles to H.265 via FFmpeg (#5486) Improved logging Translation updates via Crowdin Chinese (Simplified) (59%) (thanks, 無情天!) Dutch (41%) (thanks, Matthias!) Hungarian (86%) (thanks, Zoltán Rózsa!) Japanese (69%) (thanks, Yukihuru!) Download: Universal Media Server 14.12.1 | 203.0 MB (Open Source) Download: Other operating systems View: Universal Media Server Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • You sign your rights to reddit when you write on their platform. Free labour for them to make money. The AI companies should also take advantage of that free labour.
    • Brave 1.79.123 by Razvan Serea Brave Browser is a lightning-fast, secure web browser that stands out from the competition with its focus on privacy, security, and speed. With features like HTTPS Everywhere and built-in tracker blocking, Brave keeps your online activities safe from prying eyes. Brave is one of the safest browsers on the market today. It blocks third-party data storage. It protects from browser fingerprinting. And it does all this by default. Speed - Brave is built on Chromium, the same technology that powers Google Chrome, and is optimized for speed, providing a fast and responsive browsing experience. Brave Browser also features Brave Rewards, a system that rewards users with Basic Attention Tokens (BAT) for viewing opt-in ads. This innovative system provides an alternative revenue model for content creators and a way to support the Brave community. Brave 1.79.123 changelog: Leo Improved citation UI. (#45761) General [Security] Fixed missing DDNS navigation throttle for subframes as reported on HackerOne by newfunction. (#46703) Fixed crash which occurred when clicking on the “View site information” icon in the address bar while having “Don’t allow sites to scroll and zoom shared tabs” enabled. (#46566) Fixed crash which occurred with the “Save autofill” prompt in certain cases. (#45546) Upgraded Chromium to 137.0.7151.104. (#46712) (Changelog for 137.0.7151.104) Download: Brave Browser 64-bit | 1.2 MB (Freeware) Download: Brave Browser 32-bit View: Brave Homepage | Offline Installers | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
  • Recent Achievements

    • Week One Done
      somar86 earned a badge
      Week One Done
    • One Month Later
      somar86 earned a badge
      One Month Later
    • Apprentice
      Adrian Williams went up a rank
      Apprentice
    • Reacting Well
      BashOrgRu earned a badge
      Reacting Well
    • Collaborator
      CHUNWEI earned a badge
      Collaborator
  • Popular Contributors

    1. 1
      +primortal
      516
    2. 2
      ATLien_0
      260
    3. 3
      +Edouard
      191
    4. 4
      +FloatingFatMan
      175
    5. 5
      snowy owl
      133
  • Tell a friend

    Love Neowin? Tell a friend!