Block Microsoft Office from updating
I have a network with 10,000 workstations that are all currently trying to download SP3 and are flooding the network (this was due to an errant AD policy change).

What is the best way to block this traffic at the network level with either firewalls, Web Content Filtering or inline IPS?

Is there a good list of IP addresses out there that is current for Microsoft update servers?

The trick is that we have to do this quickly since the network is flooded.

Personally I like the day-to-day workings of environment 4, with 3 handling the updates but getting them all from something like WSUS.

2 and 1 are hack fixes not meant for more than trying to band-aid an outage cause until it is properly fixed.
As long as you haven't done something to disable periodic policy refresh, which happens every 90 to 120 minutes, by default, the clients will pick up the change w/o needing a reboot.

If you have disabled background policy refresh or if you can't wait, break out a copy of "psexec" and start running "gpupdate /force" on clients after you make the above change.

(Blocking background policy refresh seems like a really bad idea...)

Blocking this at layer 3 is going to be difficult because the Windows Update service is DNS load-balanced. I don't know that you can easily get a list of IP addresses.