Re: ISDB to block server updates
But irrespective of when you can contact the public Microsoft update site to download updates, your server will still install those updates and reboot if its settings allow it to, at some random-ish length of time. So locking updates to a time doesn't guarantee that's when the servers would reboot.
This isn't a firewall problem. As others have said, this is a server management issue. You must control this properly outside the firewall. You should be looking at group policy to control active hours and when the server can install and reboot for updates. So you have 150 AD domains; that just means creating appropriate policies and applying them, not creating 150 WSUS servers. Heck, if you're controlling this via 1 firewall, only 1 WSUS server is needed...
But to be clear - the only way you'll get control of this is at a Windows level, not the firewall.
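
The following is an added example, not part of the original post: a PowerShell check, run on a server, that reads the Windows Update policy values Group Policy writes to the registry, to confirm that install schedule, active hours and reboot behaviour are actually set at the Windows level. The registry paths and value names are the standard Windows Update policy ones; the function name and report property names are this example's own.

```powershell
# Added example: report the Windows Update policy values applied to this server.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# AUOptions meanings (values 2-5); anything else is reported as the raw number.
$auOptionText = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify to install'
    4 = 'Auto download, scheduled install'
    5 = 'Local admin chooses'
}

$opt = Get-PolicyValue $au 'AUOptions'
$optText = $opt
if ($null -ne $opt -and $auOptionText.ContainsKey([int]$opt)) {
    $optText = $auOptionText[[int]$opt]
}

$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    UseWUServer          = Get-PolicyValue $au 'UseWUServer'
    WUServer             = Get-PolicyValue $wu 'WUServer'
    NoAutoUpdate         = Get-PolicyValue $au 'NoAutoUpdate'
    AUOptions            = $optText
    ScheduledInstallDay  = Get-PolicyValue $au 'ScheduledInstallDay'   # 0 = every day, 1-7 = Sun-Sat
    ScheduledInstallTime = Get-PolicyValue $au 'ScheduledInstallTime'  # hour of day, 0-23
    NoRebootIfLoggedOn   = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
    SetActiveHours       = Get-PolicyValue $wu 'SetActiveHours'
    ActiveHoursStart     = Get-PolicyValue $wu 'ActiveHoursStart'
    ActiveHoursEnd       = Get-PolicyValue $wu 'ActiveHoursEnd'
}
$report | Format-List

# Flag servers where install and reboot timing is left to defaults.
if ($null -eq $opt) {
    Write-Warning 'No automatic update policy is applied; install and reboot timing is not controlled by Group Policy.'
} elseif ([int]$opt -ne 4) {
    Write-Warning 'AUOptions is not 4; ScheduledInstallDay and ScheduledInstallTime are not enforced.'
}
if ($report.SetActiveHours -ne 1) {
    Write-Warning 'Active hours are not set by policy.'
}
```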