ISDB to block server updates

MattyG2787
2020/08/09 22:17:54 6.0

Hey Everyone,
 
Our projects team are having issues stopping server 2016/2019 from updating automatically during the day and they have turned to networking.
 
I've tried creating a deny policy with the destination as Microsoft-Microsoft.Update and it's showing log violations, but updates are still able to download with Microsoft Updates. (Server 2019)
 
Anyone had any luck trying to do something like this? Unfortunately, a manual address list with Microsoft is too broad as we can't block Office 365 and other similar services.
 
Thanks
#1


    James_G
    Re: ISDB to block server updates 2020/08/10 01:38:18
    This is a server management issue and not a networking issue; none of our 2016/2019 servers update randomly during the day even though they have access to the WSUS server 24/7.
    #2
    MattyG2787
    Re: ISDB to block server updates 2020/08/10 19:33:27
    WSUS gives you access to control the update times. Installing a WSUS for 150 different ADs would be extremely costly to clients.
     
    I simply asked if anyone knew of a way to block this via firewall to stop automatic updates.
    #3
    rohitchoudhary1978@gmail.com
    Re: ISDB to block server updates 2020/08/11 00:04:24
    Hi, it can be stopped from application control. You can make 2 policies which will be clones but with 2 different schedules (night and day) and allow or deny updates as desired, but through application control. This is what we do.
     
    Thanks
    Rohit k
    #4
    poundy
    Re: ISDB to block server updates 2020/08/12 16:02:35
    But irrespective of when you can contact the public Microsoft update site to download updates, your server will still install those updates and reboot if its settings allow it to, at some random-ish length of time. So locking updates to a time doesn't guarantee that's when the servers would reboot.
     
    This isn't a firewall problem. As others have said, this is a server management issue. You must control this properly outside the firewall. You should be looking at group policy to control active hours and when the server can install and reboot for updates. So you have 150 AD domains; that just means creating appropriate policies and applying them, not creating 150 WSUS servers. Heck, if you're controlling this via 1 firewall, only 1 WSUS server is needed... 
     
    But to be clear - the only way you'll get control of this is at a Windows level, not the firewall. 
    #5
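
The Windows-side check that the last reply points to, as an added example that is not part of the thread: a read-only PowerShell audit of the registry values that the Group Policy settings for Automatic Updates and active hours write. The function name and the 08:00-18:00 business window are assumptions.

```powershell
# Added example: read-only audit of the Windows Update policy values that
# Group Policy writes to the registry. Nothing is changed on the server.
# The 08:00-18:00 business window is an assumption; pass your own hours.
function Get-WindowsUpdatePolicyAudit {
    param([int]$BusinessStart = 8, [int]$BusinessEnd = 18)

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $findings = @()

    # "Configure Automatic Updates": when is the server allowed to install?
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings += 'INFO: Automatic Updates are disabled by policy; patching has to be started some other way.'
    } elseif (-not $au -or $null -eq $au.AUOptions) {
        $findings += 'WARN: no Configure Automatic Updates policy; install timing follows local defaults.'
    } elseif ($au.AUOptions -eq 4) {
        # 4 = download automatically and install on a schedule
        $hour = $au.ScheduledInstallTime
        if ($null -eq $hour) {
            $findings += 'WARN: scheduled install is selected but ScheduledInstallTime is not set.'
        } elseif ($hour -ge $BusinessStart -and $hour -lt $BusinessEnd) {
            $findings += "WARN: scheduled install hour $hour falls inside business hours."
        } else {
            $findings += "OK: scheduled install hour $hour is outside business hours."
        }
    } else {
        $findings += "INFO: AUOptions=$($au.AUOptions); installs are not tied to a policy schedule."
    }

    # Active hours: automatic restarts are held off inside this window.
    if ($wu -and $wu.SetActiveHours -eq 1) {
        $s = $wu.ActiveHoursStart
        $e = $wu.ActiveHoursEnd
        # Business hours not covered by active hours (handles a window that wraps past midnight)
        $uncovered = $BusinessStart..($BusinessEnd - 1) | Where-Object {
            if ($s -le $e) { $_ -lt $s -or $_ -ge $e } else { $_ -ge $e -and $_ -lt $s }
        }
        if (@($uncovered).Count -gt 0) {
            $findings += "WARN: active hours $s-$e leave business hours uncovered: $(@($uncovered) -join ', ')."
        } else {
            $findings += "OK: active hours $s-$e cover the business day."
        }
    } else {
        $findings += 'WARN: no active-hours policy; automatic restarts are not held off by policy.'
    }
    return $findings
}

Get-WindowsUpdatePolicyAudit
```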