Blocking Windows Update with Mikrotik & FlashStart

A measure that can lead to better network performance

1. Why block Windows Update on Mikrotik?

Blocking Windows Update on a network, a measure that can lead to better network performance, may be necessary in certain situations in order to maintain stability and bandwidth. Sometimes, Windows updates can consume a great deal of bandwidth and interfere with the use of business applications. Therefore, blocking Windows Update on Mikrotik can be a way to avoid problems and ensure that the network runs efficiently and stably. Additionally, blocking Windows Update also allows network administrators to control and monitor updates, which can be useful in terms of security and resource planning.

It is not a good practice to block Windows updates completely, as it could pose a security vector in a company in the case that its entire infrastructure is with Microsoft. However, a good practice for administrators is to plan for it. In this article, we will talk about how to achieve this with Mikrotik & FlashStart.

2. How to configure Mikrotik to block Windows Update

Mikrotik is a router with many security capabilities and features, and it is possible to create firewall rules to block Windows Update updates in a simple way. Microsoft uses the following hosts for updates on ports 80 and 443:

http://windowsupdate.microsoft.com 
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://stats.microsoft.com
https://stats.microsoft.com

This list can be modified, in Mikrotik, we could use the “content” command for traffic on port 80, use the DNS proxy in Mikrotik, and create an entry to a local IP, as well as use TLS-HOST for traffic on port 443.

Block Windows Update with Mikrotik for port 443.

You can use the following rules to block Windows Update traffic with Mikrotik.

/ip firewall filter add action=drop chain=prerouting comment=”Blok Windows Update” protocol=tcp tls-host=windowsupdate.microsoft.com add action=drop chain=prerouting comment=”Blok Windows Update” protocol=tcp tls-host=download.microsoft.com add action=drop chain=prerouting comment=”Blok Windows Update” protocol=tcp tls-host=test.stats.update.microsoft.com add action=drop chain=prerouting comment=”Blok Windows Update” protocol=tcp tls-host=ntservicepack.microsoft.com add action=drop chain=prerouting comment=”Blok Windows Update” protocol=tcp tls-host=*.download.windowsupdate.com add action=drop chain=prerouting comment=”Blok Windows Update” protocol=tcp tls-host=*.update.microsoft.com add action=drop chain=prerouting comment=”Blok Windows Update” protocol=tcp tls-host=download.windowsupdate.com add action=drop chain=prerouting comment=”Blok Windows Update” protocol=tcp tls-host=*.windowsupdate.microsoft.com

You can also use RAW instead of filter/firewall.


>> FlashStart is the DNS filter for wifi attacks, malware, and undesirable contents ? Activate now your “Free trial”


3. Blocking by DNS

To do this using the Mikrotik DNS proxy, you can create the following rules in the IP/DNS section:

With Mikrotik DNS proxy, you can create the following rules in the IP/DNS section.
Click Static and add an entry of the type all hosts above. Here is an example, where all traffic is forwarded to a local server or non-existent IP.

2nd Mikrotik DNS proxy. You can create the following rules in the IP/DNS section

4. Why is it important to control updates in an enterprise network?

In an enterprise network, controlling updates is essential to ensure the stability and security of the network. Updates can correct security problems and add new features to systems and applications, but they can also cause problems, if the network does not have sufficient bandwidth or consumption is too high.

For example, in a network where there are critical systems and bandwidth is limited, we could lose access, for example, to resources on the internet, such as virtual machines in the cloud. For these reasons, it is important that upgrades are performed in a controlled manner and tested before being deployed throughout the network.

In this way, risks can be minimized and a reliable and secure user experience can be guaranteed.

5. How to ensure that your network is protected while blocking Windows Update

Although blocking Windows Update may be a temporary solution to prevent problems on your business network, it is important to ensure that your network is protected from other threats. Here are some steps you can take to ensure the security of your network while Windows Update is blocked:

» Keep anti-virus and anti-malware programs up-to-date on all devices on your network. Perform regular scans and monitor network activity for possible intrusions.
» Verify the security rules in the Firewall: A Firewall is a security system that allows or denies access to the network based on a set of rules. Configure strict rules to limit access to your network and protect it from potential threats.
» Maintain backups: Make regular backups of critical data on your network to ensure its recovery in case of technical failures or intrusions.
» Monitor and perform regular audits: Monitor your network for possible intrusions or anomalous behavior. Perform regular audits to detect and correct possible security vulnerabilities.

6. Alternatives to Mikrotik for blocking Windows Update

Mikrotik is a powerful firewall and router with very high capabilities, but do not forget that its main function is to manage the network and is not designed for traffic management. FlashStart is a powerful DNS filtering solution, integrated by artificial intelligence and low latency and can be seamlessly integrated into your Mikrotik router.

In case you create rules to block Windows Update with Mikrotik, and Microsoft makes any changes, you have to update them in the router. By using FlashStart, the management will be even simpler, because, thanks to its granular filters and constant updates, we will always have guaranteed blocking, without adding or modifying rules in our Mikrotik router.

FlashStart granular filters configuration

FlashStart has a special category called Updates. If we want to block only the Windows Update domain(s) with FlashStart, we can add it in the personal blacklist section.

FlashStart will help block updates and control your network. Also, the integration for blocking Windows Update will facilitate the work for an administrator.

However, that is not the only thing. As we have previously mentioned, blocking Windows Update completely on a network is not a good practice, since we could have an attack vector for a security bug in a software version. FlashStart offers us the ability to block scheduled updates; this means that we could block the updates during working hours and leave them active after hours, in this way we would take advantage of the bandwidth in a better way without impacting the usage. This is a really useful feature and without the complexity of other solutions.

7. Final tips and considerations on how to block Windows Update with Mikrotik.

When blocking Windows Update with Mikrotik, it is important to consider the following tips and factors:

» Test the configuration before deploying it network-wide: Before blocking Windows Update on all devices in your network, make sure the configuration works properly in a test environment.
» Keep critical systems and applications up to date: Even if you block Windows Update, be sure to keep critical systems and applications up-to-date in order to ensure their security and stability.
» Monitor important updates: Microsoft releases important updates, from time to time, which fix critical issues or security vulnerabilities. Monitor for these updates, and consider temporarily unblocking Windows Update in order to install them on your network.
» Plan for update management: Determine a plan for managing updates on your network, and make sure you have a strategy for handling important and critical updates. FlashStart offers scheduled blocks.

To sum it up, it is important to carefully consider the consequences of blocking Windows Update on Mikrotik and FlashStart and to remember to take steps to ensure the long-term security and stability of your network while optimizing bandwidth.


>> FlashStart quickly and consistently protects more than 25 million users against cyber risks ? Contact us!


You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.

Reading time 3 min
Share this post:  
For information
click here
For a free trial
click here
For prices
click here
Follow us on
Linkedin | YouTube