Hello all,

I would like to restrict a group of clients to only have access to windows updates. They're all in the same network (nothing fancy or complex), behind a MikroTik router. I tried implementing various solutions (using regex, address lists with MS IPs & FQDNs, etc.) but there's always something that is needed and update search / download fails. I guess I should mention that AFTER above mentioned allow rules I placed a block rule for 0.0.0.0/0 via for TCP/80 & TCP/443 -> to block most of the web traffic, as those clients are not meant to have internet access at all times. Another thing worth mentioning is that I am pretty restricted when it comes to the software / hardware I get to use, the whole thing relies on a MikroTik router. Now, is this even doable in a clean way using MikroTik or would I need something else?

Your help would be appreciated!

Windows Update requires TCP port 80, 443, and 49152-65535 it's on the MS website.

The initial stuff is via the standard ports HTTP then it gets a server IP and one of those high ports to do the actual exchange.

Here's example https://youtu.be/VvP_F_v1wF4?si=Mchur6axg-rdtUum

Doing the opposite (whitelisting) is much harder than blacklisting. It's easy to break windows updates from functioning

Hm, I don't know. Need to think.

I used GPO, SCCM...

Anyone?