Block Windows Updates at Firewall


Does anyone know where I can get a comprehensive list of the servers that are accessed for Windows Updates?

I have a situation where I need to limit access to Windows Update to a single device among hundreds from a firewall at the edge of the network.  As I understand it Windows Update traffic is all port 80.

Realistically, I only need to block the servers enough to stop the update happening, not necessarily every single server.

I think it is likely that MS is using Akamai or some other service to manage its update load so the solution needs to *only* block Window Update.

Yeah, I realise there are countless more strategic ways to lock this down than a block rule on a firewall but this is what I need to do, so don't feel you have to list alternatives that don't include some sort of rules on a firewall :)


Why don't you try setting the group policy for how the updates should happen.  
You can have your own WSUS and within the SUS create different groups to manage update settings.  
If you don't approve the updates it will never get deployed on all machines | unwanted patches | machine groups.  

Hello Fayaz

Did you see this paragraph in the question?

"Yeah, I realise there are countless more strategic ways to lock this down than a block rule on a firewall but this is what I need to do, so don't feel you have to list alternatives that don't include some sort of rules on a firewall :)"

I can think of a couple of really simple ways to do this (much simpler than what you're asking).
Not sure why someone who can't solve their own problem would restrict the volunteer Experts in the ways to help them.

If you change your mind and decide that you actually want a solution, let us know.

Well, that is the second response that doesn't actually address the question.  I do my utmost to be as clear as possible in defining the problem space and solution space so that people don't waste their time or mine with pointless point-seeking answers.  Yours is not even an attempt to approach the question.

This is not a forum, it is a method for finding answers to the questions asked, so unless you have something to contribute toward answering the question, please try to avoid getting involved.  If you wish to discuss the merits of the question, then we can do that elsewhere if you like.

Not all people who come here "cannot solve their own problems", but are simply looking for information that others may have uncovered, as is the case in this situation. Adding patronising responses to questions does not serve anyone's interests but your own.

As I said, and even re-iterated.  I am fully aware of more strategic solutions, but this is what I need to do.  Explaining why I need to do it serves no purpose to the question and will not take us any closer to the answer. But I would have obviously taken a simpler approach if that was an option available.

However, I will explain to a degree, as it may help you in the future.  There are many different types of environment, and in larger and complex environments, separation of duty is often introduced to ensure that checks and balances in change management are assured.  This means that different people or even organisations have different and purposely limited responsibilities. Equally, for any given problem there are tactical and strategic solutions that can be employed.

In this instance, I need a tactical solution, and I need it at the firewall.  And the information I need is simply a list of IP addresses.

If this particular approach cannot work for any reason, then we will move on to alternatives, and those alternatives are already defined - however if any issues arise with the alternatives, I will perhaps raise another question here.

All I need right now is someone to answer the question asked.  I am not restricting the volunteer experts' (of which I am one, of course) answers - the situation is, and I would have thought that was obvious.  You may have a "simpler" solution, but if it is not applicable to the situation at hand it is irrelevant.

If you wish to answer a different question to the one asked here, then there are literally thousands of others you can choose from.

MS does use a distributed server network to deploy its updates.  

I would block the following DNS addresses:

Does your firewall support DNS names in its rules?  I'd worry about those domains not being limited to single IP addresses.

If not, you can try doing a DNS lookup to find all the mapped IP addresses of the 2 domains above.
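The lookup-and-block step described in the answer above, as an added example that is not from this thread or from any of its posters. It assumes hypothetical hostnames (`update.example.invalid`, `download.example.invalid`; the thread's actual domain list is not reproduced here), a Linux edge firewall using `iptables`/`ip6tables` with a `FORWARD` chain, and a placeholder allowed device `10.0.0.5`. Because CDN-hosted names answer with a rotating pool of addresses, the script resolves each name several times and unions the answers; a rule set built this way still goes stale and needs to be regenerated on a schedule. The resolver is injectable so the address-gathering logic can be exercised without network access.

```python
"""Resolve update hostnames to addresses and emit per-destination firewall
rules that allow one device and drop every other host on the given port.
Added example; hostnames, source device and chain are assumptions."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical hostnames, NOT the domain list from the original thread.
UPDATE_HOSTS = ["update.example.invalid", "download.example.invalid"]


def system_resolver(host: str) -> List[str]:
    """Return every IPv4/IPv6 address the OS resolver currently returns for host."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []  # unresolvable name: contributes no addresses
    return sorted({info[4][0] for info in infos})


def collect_addresses(hosts: Iterable[str],
                      resolver: Callable[[str], List[str]],
                      rounds: int = 3) -> Dict[str, Set[str]]:
    """Resolve each host `rounds` times and union the answers.

    CDN names hand out different addresses on successive queries, so a
    single lookup would miss most of the pool."""
    seen: Dict[str, Set[str]] = {}
    for host in hosts:
        addrs = seen.setdefault(host, set())
        for _ in range(rounds):
            addrs.update(resolver(host))
    return seen


def block_rules(addresses: Dict[str, Set[str]],
                allowed_sources: Iterable[str],
                port: int = 80,
                chain: str = "FORWARD") -> List[str]:
    """Build first-match rules: ACCEPT from the allowed device(s), then DROP
    for everyone else, one pair per destination address.

    IPv4 destinations get iptables rules, IPv6 destinations ip6tables rules;
    an allowed source only produces an ACCEPT for destinations of its own
    address family."""
    srcs = [ipaddress.ip_address(s) for s in allowed_sources]
    dests = sorted({ipaddress.ip_address(ip)
                    for addrs in addresses.values() for ip in addrs},
                   key=lambda a: (a.version, a))  # v4 and v6 are not comparable
    rules: List[str] = []
    for dst in dests:
        tool = "iptables" if dst.version == 4 else "ip6tables"
        for src in srcs:
            if src.version == dst.version:
                rules.append(f"{tool} -A {chain} -s {src} -d {dst} "
                             f"-p tcp --dport {port} -j ACCEPT")
        rules.append(f"{tool} -A {chain} -d {dst} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    # Live run: resolve the assumed hostnames and print rules for review.
    found = collect_addresses(UPDATE_HOSTS, system_resolver)
    for host, addrs in found.items():
        print(f"# {host}: {len(addrs)} address(es)")
    for rule in block_rules(found, ["10.0.0.5"]):
        print(rule)
```

Review the printed rules before loading them: the ACCEPT for the allowed device must precede the DROP for the same destination, which the generator guarantees by emitting them as a pair. Re-run the script periodically and diff the output, since any address the CDN starts using after the last run will not be covered.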
