Every available update for Windows 10 and 11 is highly recommended for immediate installation, as Microsoft frequently introduces various fixes and even new features for the operating system through these updates.
However, it’s no secret that sometimes these updates can be problematic, causing issues like boot failures, blue screens, or even data loss, as seen in past incidents. While this might not be a big issue for personal devices, companies often manage Windows Updates via Microsoft Intune to ensure smooth deployment across all managed devices before a full rollout.
So, is there a way to manage and block Windows Updates from the network without using Microsoft Intune? Absolutely! You can follow the steps outlined on the following page, which include using Group Edit Policy and tweaking the Registry.
Also Read: How to Block Specific Updates in Windows 10
If you have a Mikrotik device at home or work, blocking Windows Updates is surprisingly straightforward. There are several methods you can use, such as applying Firewall Filters, utilizing RAW, or leveraging Layer 7 Protocol.
If you’re curious, here’s how you can block Windows Updates using Mikrotik.
Step 1. First, ensure you have access to your Mikrotik. For tools, I recommend using WinBox, which you can download from the following page.
Step 2. Next, log in to your Mikrotik device and navigate to IP > Firewall > RAW.
Step 3. Click Add > General > In the “Chain” field, enter prerouting.
In the Advanced tab, fill in the Content section with the following URL:
In the Actions tab, select Drop.
Click OK to save your changes, and repeat this process for all the URLs mentioned above. For a quicker method, you can use the following command in the terminal:
Once done, Windows Update should no longer be able to download, as access has been blocked via the network. You won’t even be able to access the URLs you’ve added.
Similar to the previous steps, you can also add these URLs to the Firewall Filter Rule.
Step 1. First, go to IP > Firewall > Filter Rule > Add.
Step 2. In the window that opens, under the chain section in the general tab, set it to forward.
Next, in the advanced tab, fill in the content field with the URLs mentioned above.
In the Action tab, set it to reject, and in the reject with section, choose icmp network unreachable.
Don’t forget to add a comment to help you remember these changes. Then, repeat the same steps for all the quoted URLs.
For a faster approach, you can use the following command in the WinBox terminal:
After this, both Windows Update and the URLs added earlier will no longer be accessible.
As shown in the image above, Windows Update will continuously check for updates but will never complete the process. This is because access to the URLs has been blocked by Mikrotik.
Aside from these two methods, you can also use a third technique involving Layer7 Protocol. However, this will likely be covered in a separate article, so stay tuned for that.
Just remember, only apply these steps if you genuinely don’t want Windows Update to run or if you never plan to access the mentioned URLs. With these rules active, not only will Windows Update stop working, but other Microsoft services on Windows 10 and 11 might also be affected.
Nevertheless, this is worth trying, especially for devices and networks where Windows Update is entirely unnecessary.
Do you have another method or a better solution? Share it in the comments below.
Give it a try, and I hope this proves useful for you.
Reference: Mikrotik
