Blocking Windows Updates

Published On: Dec 19, 2017 

To prevent unexpected Windows updates, we can use the firewall's URL filter and DNS filter to block clients' access to the Windows update servers. The idea is to have the firewall block the domains related to the Windows update service. This note demonstrates the required configuration.

1. Go to Objects Setting >> Keyword Object, click on an empty index to create a keyword object.

2. Name the profile and enter windowsupdate in Contents.

3. Repeat the step above to add a keyword profile for each of the domains below:

  • windowsupdate
  • update.microsoft
  • download.microsoft
  • ws.microsoft
  • ntservicepack.microsoft
  • wustat.windows

4. Go to CSM >> URL Content Filter Profile, click on an empty profile index to create a new one.

5. Edit the profile as follows:

  • Enter a Profile Name
  • Check Enable URL Access Control
  • Select "Block" for Action
  • Click Edit and, in the pop-out window, select all the keyword objects created in the previous steps
  • Click OK to close the pop-out window, then click OK to save the profile.

6. Go to CSM >> DNS Filter to add a profile as follows:

  • Enter a Profile Name
  • Select the profile created in the previous step for URL Content Filter (UCF)
  • Click OK to save

7. Go to Firewall >> Filter Setup >> Filter Set 2, click on an empty index number.

8. Edit the profile as follows:

  • Enable the Filter Rule
  • (Optional) Enter Comments
  • Select "LAN/DMZ/RT/VPN -> WAN" for Direction
  • Select "Pass Immediately" for Filter
  • Select the profile created in the previous steps for URL Content Filter and DNS Filter

With the configuration above, the LAN clients will be blocked from the Windows update service.

1. Go to Objects Setting >> Keyword / DNS Object page >> DNS Object to create an object.

2. Enter the profile name, and add all the domains below into Member Table.

  • windowsupdate
  • update.microsoft
  • download.microsoft
  • ws.microsoft
  • ntservicepack.microsoft
  • wustat.windows

3. Go to Firewall >> Filter Setup page, add a Filter Group in IP Filter tab.

4. In the new filter group, click Add to create a new rule.

5. Edit the filter rule as follows:

  • Enter a Profile name
  • Check Enable
  • Select Block for Action
  • At Destination DNS Object, select the profile created in the previous step.
  • Click Apply to save

With the configuration above, the LAN clients will be blocked from the Windows update service.
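
The following Python sketch is an added example, not part of the original article or of DrayTek's tooling. It audits a list of hostnames against the keyword list used in both procedures above, assuming the router matches each keyword as a case-insensitive substring of the requested hostname; the sample hostnames are constructed.

```python
# Added example. Assumption: the router treats each keyword as a
# case-insensitive substring of the requested hostname.

# Keywords exactly as listed in the article.
KEYWORDS = ["windowsupdate", "update.microsoft", "download.microsoft",
            "ws.microsoft", "ntservicepack.microsoft", "wustat.windows"]

# Constructed sample of hostnames, as might be exported from a DNS query log.
SAMPLE_QUERIES = ["download.windowsupdate.com", "fe2.update.microsoft.com",
                  "WUSTAT.windows.com.", "download.microsoft.com",
                  "news.microsoft.com", "www.example.org"]


def normalise(hostname):
    """Lower-case the name and drop the trailing root dot of an FQDN."""
    return hostname.strip().lower().rstrip(".")


def matching_keywords(hostname, keywords=KEYWORDS):
    """Return every keyword that occurs as a substring of the hostname."""
    name = normalise(hostname)
    return [k for k in keywords if k.lower() in name]


def audit(queries, keywords=KEYWORDS):
    """Return (blocked, passed, unused): matches per host, unmatched hosts,
    and keywords that matched nothing in this sample."""
    blocked, passed, used = {}, [], set()
    for query in queries:
        hits = matching_keywords(query, keywords)
        if hits:
            blocked[normalise(query)] = hits
            used.update(hits)
        else:
            passed.append(normalise(query))
    unused = [k for k in keywords if k not in used]
    return blocked, passed, unused


if __name__ == "__main__":
    blocked, passed, unused = audit(SAMPLE_QUERIES)
    for host, hits in blocked.items():
        print(f"BLOCK {host}  (matched: {', '.join(hits)})")
    for host in passed:
        print(f"PASS  {host}")
    print("Keywords with no match in this sample:", unused)
```

Under the substring assumption, news.microsoft.com is also blocked because it contains ws.microsoft, so running the audit over the network's own DNS query log before deployment shows what else the list catches.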
