Best way to block Windows Workstations from receiving Microsoft updates

Sounds like you don't test your group policy changes in a lab first, eh?

Create a GPO with settings the "Configure Automatic Updates" setting in the "Windows Update" node of the "Windows Components" node of "Administrative Templates" set to "Disabled". As long as you haven't done something to disable periodic policy refresh, which happens every 90 to 120 minutes, by default, the clients will pick up the change w/o needing a reboot.

If you have disabled background policy refresh or if you can't wait, break out a copy of "psexec" and start running "gpupdate /force" on clients after you make the above change. (Blocking background policy refresh seems like a really bad idea...)

Blocking this at layer 3 is going to be difficult because the Windows Update service is DNS load-balanced. I don't know that you can easily get a list of IP addresses.

You might get by with creating DNS zones "windowsupdate.com" and "update.microsoft.com" in the DNS servers your clients use with no records in it. Clients with cached DNS lookup results will be unaffected.

Alternatively, break out a copy of "psexec" and execute a little script on each client to stop the "wuauserv" service and mark it "Disabled". That'll stop it, too.

You really should be using WSUS, BTW.

Assuming a list of computer names in "computers.txt" (which you can get by exporting the results of a "Find..." operation from Active Directory Users and Computers to a file and cleaning it up w/ Notepad):

@echo off
for /f %%i in (computers.txt) do (
 start sc \\%%i stop wuauserv
 start sc \\%%i config wuauserv start= disabled
)

This is a persisent change to PCs, but you can undo it with "Services" settings in a GPO later.

With that many PCs, one would assume that they're broken down into many geographic areas. You should probably distribute running such a script across servers that are located in the geographic areas closest to groups of computers.

If you wanted to get fancy you could use dsquery or Joe Richards' (http://www.joeware.net) adfind to export the lists of computers from AD. (You could also export lists of computers out of DHCP servers using the Support Tool dhcpcmd, if that was a better way to get geographic lists...)

Have users on a VLAN that doesn't route directly to the internet and use ISA or your open source caching server of choice.

Faster less intrusive options:

• Update AD so that computers don't auto update
• Temporary update to the dns server so that their download doesn't resolve
• Temporary update to kill requests to the windows update server at the firewall

Fastest to slowest

1. Firewall rule
2. DNS change
3. Update AD settings so that updates don't self install
4. Isolate users from internet with routing so that they have to use a proxy server.

Personally I like day to day workings of environment 4, with 3 handling the updates but getting them all from something like WSUS. 2 and 1 are hack fixes not meant for more than trying to bandaid an outage cause until it is properly fixed.

Possible domains to try and block

• windowsupdate.microsoft.com
• windowsupdate.microsoft.com
• v4.windowsupdate
• www.windowsupdate.com
• download.windowsupdate
• wustat.windows.com
• officeupdate.microsoft.com
• office.microsoft.com
• crl.microsoft.com
• download.microsoft.com

That list is probably not complete, I'd recommend you do a port mirror of a trunk or user vlan into a laptop running wireshark and you filter for DNS requests or the filename in question.

Get the IP addresses associated with the dns records and block them at the firewall. This will probably cause issues with some peoples work, but it will let your WAN/Inet connection be usable again for the many that don't need those sites. If you have a firewall that supports blocking by DNS instead of IP all the better. Your IPS may support responding to the file requests on a per domain basis, if so that would also work.

This is definitely NOT something I would ever suggest someone do when not requiring network triage, ever.

If AD policies still work, you can either point workstations to WSUS or block windows or auto updates through GPO.

Also, MS has Windows Service Pack Blocker Tool Kit which can block SPs downloading.

If that is not an option - start with blocking *.windowsupdate.microsoft.com at the firewall. Do not remember all the addresses, not too many - 3 or 5.

above script tweaked when using

net view > c:\temp\comps.txt

for /f "skip=3 tokens=1 delims= " %%i in (c:\temp\comps.txt) do ( start sc %%i stop wuauserv start sc %%i config wuauserv start= disabled )

you could even use .... %%i in ('net view') ( ...

and it will work. ( i use file pipe method rather as i usually edit out a few stations )

we used this to temporarily stop WSUS server connections while troubleshooting.

ran here on a 250 station network and it took about 30 seconds.

good luck

ps. Now if Adobe would move to a service based update process i would die happy.. the registry hacking to stop adobe from updating is silly.

Change the group policy setting to do nothing for Automatic Updates.