Blocking Windows Update via Router


Hi guys,

We've got a bit of an issue at the moment, we're using DeepFreeze to lock down our PCs on the call floor, the issue is that they're all redownloading Windows Updates automatically every morning. Now I'm going to go around and disable this so we can manually do it once every few months but immediately we need to have Windows Update blocked as our internet connection is barely functioning right now.

Can anyone tell me what Domains / Ports etc Windows Update on Windows XP uses?

Thanks

Chris

https://www.neowin.net/forum/topic/984862-blocking-windows-update-via-router/

I believe update.microsoft.com is the hostname of the Windows Update servers, not sure about the port though, let me see if I can track it down (Y)

edit: Windows Update services use ports 80 and 443, lol

http://technet.microsoft.com/en-us/library/bb490846.aspx

Windows Update uses the following DNS names for updates:

update.microsoft.com

windowsupdate.microsoft.com

You could block these at the firewall; if your router supports DNS blocking, that would be the simple option I guess.

If you have a Windows Server you could implement a group policy?

EDIT: Riggers beat me to it

Hey guys,

Blocking those two hostnames seems to have done the job for now, well enough at least. I'll update these PCs manually in a few weeks, then disable Windows Update on them.

Which group policy are you guys talking about?

They're hooked up to a Server 2008 R2 Domain Controller.

Through Group Policy you can control Windows Update; ideally you would do this with WSUS (free) to give you centralized control of updates, allowing you to control what does and what does not get installed.

Then when you want to apply an update you OK it in WSUS and all the machines will download it per the scheduling you have already laid out.

  On 24/03/2011 at 14:23, Teebor said:

Through Group Policy you can control Windows Update; ideally you would do this with WSUS (free) to give you centralized control of updates, allowing you to control what does and what does not get installed.

Then when you want to apply an update you OK it in WSUS and all the machines will download it per the scheduling you have already laid out.

This. Also, you can have DeepFreeze thaw during a scheduled time period so that updates can be applied, say between 3am and 5am on Thursdays for example (a time when usually no one is working).

Yeah, controlling Windows Update via Group Policy isn't really worth it, nor is WSUS. When we move to a Windows MultiPoint Server base or move from XP to 7 then I'll worry about such things. These machines are used for a basic Java app and nothing else, so updates are barely important; they're even firewalled off from 99.9% of the web.

I'll just let them be and disable automatic updates as soon as I get time.

Spending time fixing up PCs from the dark ages isn't my concern, ensuring it doesn't affect the productivity of the office is my concern. lol.

  On 24/03/2011 at 15:59, Vegetunks said:

Yeah, controlling Windows Update via Group Policy isn't really worth it, nor is WSUS. When we move to a Windows MultiPoint Server base or move from XP to 7 then I'll worry about such things. These machines are used for a basic Java app and nothing else, so updates are barely important; they're even firewalled off from 99.9% of the web.

I'll just let them be and disable automatic updates as soon as I get time.

Spending time fixing up PCs from the dark ages isn't my concern, ensuring it doesn't affect the productivity of the office is my concern. lol.

30 min gets you WSUS and the appropriate group policies in place (even to disable Windows Update for those specific machines; this would take 5 min if you have a domain). Dunno how it isn't worth it. Dunno how WSUS isn't worth free.

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates

"If the status is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, go to http://windowsupdate.microsoft.com or click Start, click Programs (or click All Programs), and then click Windows Update."

This is a computer setting, so it applies only to computers; add the computers that you want to apply this GPO to, not the users, within the Group Policy Management Console in Active Directory.

On the Domain Controller: Start > Administrative Tools > Group Policy Management Console.

Make a new group policy under the main domain name, edit the policy. I will provide screen shots in my next post, I will start getting them done now.

When you are in the Group Policy Management Console, single-click on the policy; on the right it displays the Scope tab, and at the bottom of the Scope tab there is Security Filtering. Add the computers in there. You will have to modify the object type to include computers to be able to add them.

Then, on a computer that is going to be affected by the group policy, you can force it to apply by going to a command prompt and typing in:

gpupdate

To verify that this has been applied you can either use the gpresult command or go to Start > Run, type rsop.msc, and navigate to the Windows Update section. All PCs will follow suit within 15-45 min; you may want to schedule a one-time thaw so that these updates can take place and be in there always, even after a reboot.

Group policies are very powerful; I would suggest making them as granular as possible. They can really lock down a computer. The Computer Configuration section applies to computers, the User Configuration section applies to users. If you change something in the Computer Configuration and try to apply that to users it will not apply, and if you change something in the User Configuration and have that apply to computers it will not apply.

You can make groups and apply policies to groups (you can put computers in a group).
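As an added example (not from anyone in this thread), here is a PowerShell check you can run on a client after `gpupdate` to confirm what the "Configure Automatic Updates" policy actually delivered. It reads the well-known policy registry keys that this GPO setting writes (`...\WindowsUpdate\AU` and `...\WindowsUpdate`); the function name and the wording of the reported modes are this example's own.

```powershell
# Added example: report the effective Windows Update policy on a domain-joined client.
# The registry paths and value names below are the ones the Windows Update GPO settings
# write; Get-WUPolicyState and the mode descriptions are specific to this example.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WUPolicyState {
    # No AU policy key at all means the GPO has not applied (or is Not Configured),
    # so the machine falls back to its local Automatic Updates settings.
    if (-not (Test-Path $auKey)) {
        return [pscustomobject]@{
            Source     = 'None'
            Mode       = 'Not configured - local defaults apply'
            WsusServer = $null
        }
    }

    $au = Get-ItemProperty -Path $auKey

    # NoAutoUpdate = 1 is what "Configure Automatic Updates: Disabled" sets;
    # otherwise AUOptions carries the chosen behaviour (2 through 5).
    if ($au.NoAutoUpdate -eq 1) {
        $mode = 'Disabled - updates must be installed manually'
    } else {
        $mode = switch ($au.AUOptions) {
            2 { 'Notify before download' }
            3 { 'Auto download, notify before install' }
            4 { 'Auto download and schedule the install' }
            5 { 'Local administrator chooses the setting' }
            default { "AUOptions not set or unknown ($($au.AUOptions))" }
        }
    }

    # If the client has been pointed at WSUS, UseWUServer = 1 and WUServer names it.
    $wsus = $null
    if ($au.UseWUServer -eq 1 -and (Test-Path $wuKey)) {
        $wsus = (Get-ItemProperty -Path $wuKey).WUServer
    }

    [pscustomobject]@{
        Source     = 'Group Policy'
        Mode       = $mode
        WsusServer = $wsus
    }
}

Get-WUPolicyState | Format-List
```

If the output still shows "Not configured" after gpupdate, check the GPO's security filtering includes the computer object, since the rsop.msc view described above will show the same gap.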
