
Two things I’ve always wanted to do are figure out how to cache Windows updates on my local network without an enterprise Windows install, and how to block Windows updates by sinkholing domains and/or IP addresses (I work in IT security).

Can anyone give any tips on either of these?



Set up a SOCKS5 proxy (e.g. github.com/rofl0r/microsocks) on the nearest router and configure the router's firewall to drop all outgoing packets whose TTL is near 128 (Windows). Then configure FoxyProxy in Firefox or Chrome to use your SOCKS5 proxy. Windows will think it's offline; the browser and other apps which are aware of your proxy will work fine.


The nuke-it-from-orbit approach works for me but YMMV: a default-deny firewall for the Windows IP on the default gateway with an external squid proxy for Firefox. netstat -on | grep $PID to add rules to allow access per process for things that just have to get through.
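The per-process step above ("netstat -on | grep $PID", then hand-written allow rules on the gateway) can be scripted. The following is an added example, not code from the thread: it lists the remote TCP endpoints a named process is currently using, in a form that can be pasted into a default-deny gateway's allow list. It assumes it runs as Administrator on Windows 10/11, and the process name "firefox" is only a placeholder.

```powershell
# Added example (not from the thread): PowerShell equivalent of
# "netstat -on | grep $PID", producing one "address<TAB>port" line per
# remote endpoint so it can feed per-process allow rules on a gateway.
# Assumptions: run elevated on Windows 10/11; $ProcessName is a placeholder.

param(
    [string]$ProcessName = 'firefox'   # placeholder: the process that must get through
)

# All PIDs currently running under that image name (browsers are multi-process).
$procs = Get-Process -Name $ProcessName -ErrorAction Stop
$pids  = $procs.Id

# Established TCP sessions owned by those PIDs, de-duplicated by remote endpoint.
$endpoints = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $pids -contains $_.OwningProcess } |
    Select-Object RemoteAddress, RemotePort -Unique |
    Sort-Object RemoteAddress, RemotePort

# UDP has no session table; the best we can see locally is which sockets the
# process opened (QUIC/DNS), which tells you a UDP rule will be needed at all.
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $pids -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort -Unique

"# Remote TCP endpoints used by $ProcessName (PIDs: $($pids -join ', '))"
foreach ($e in $endpoints) {
    # Adapt this line to your gateway's rule syntax (IP and destination port).
    "{0}`t{1}" -f $e.RemoteAddress, $e.RemotePort
}

if ($udp) {
    "# UDP sockets opened by $ProcessName (local side only):"
    $udp | ForEach-Object { "{0}`t{1}" -f $_.LocalAddress, $_.LocalPort }
}
```

Two caveats when turning this output into rules: the snapshot only shows connections open at that moment, so run it a few times during normal use, and most of the addresses will belong to CDNs that rotate, so an allow list keyed on IP needs periodic refreshing (a gateway that can match on destination hostname, or the squid proxy mentioned above, holds up better than raw IP rules).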


I'm surprised "in-home router-level network caching" hasn't become a thing, really. Let's say you have a family of 4, all with iPhones that need updating, Windows updates, downloading the same games from Steam, the App Store, etc. It could be significantly sped up for the whole house to download a file 1 time instead of 4.


I believe Microsoft uses BitTorrent to distribute updates. It took me a while to realise that many Linux distros use unencrypted HTTP to enable caching, using signature checks to verify file integrity.


Why do you want to block windows updates?


Sometimes Windows installs an upgrade that insists I must connect my user account to a Microsoft account. It will not let me boot the OS if I don't. Only hell if I know what my Microsoft account is. I never use it. I need to use my web browser to find out. But I can't, because I need to set up my Microsoft account first. So I have to use another computer which will let me use it even without a Microsoft account, and then try to figure out my Microsoft account password. Then boot into Windows, let it connect the accounts, go into account options and try to find the hidden dialog to separate them again because hell fucking no I don't want Microsoft to associate my user account with my email address.

Being shafted like this every now and then has eroded my trust for Windows' updates.


> eroded my trust for Windows' updates

Remember that security vulnerabilities in Windows are discovered all the time, so it's dangerous to use Windows without installing the updates. If you (rightfully) don't want to install the updates, then you should switch to an OS that actually respects your freedom instead, like Linux.


I can also just accept the risk.

(I already do all my important work on Linux, since like 20 years)


Because, working in security, I sometimes want to test malware on outdated AV; blocking the full internet causes command-and-control failures, creating a weird spot to analyse traffic. Disabling Defender is not persistent (it seems to switch itself on, etc.).


If you disable Defender using group policy, from my experience it's been disabled consistently for a year, no problems. Latest version of Windows 10.

Note you need to disable tamper protection and reboot first; otherwise it silently re-enables itself.


It's standard practice. You don't roll out updates until they are tested.


Would you like to describe your standard practice? I am interested in implementing this after Windows updates have killed our workstations multiple times.

Is there a nice description / workflow / tutorial / script / community where I can learn how to do that?

I did not find any recommended workflow for this from Microsoft itself, but maybe I was searching for the wrong things; Windows updates are generally a bad topic to research anything related to. I expected to find some standard workflow description plus tools on some MS website, but no success. Does that exist?

Thank you very much!


You are looking for WSUS (Windows Server Update Services). If you have Windows Server somewhere, you can add the WSUS role to it and use group policies to point your clients to it for updates.

Then, in WSUS console, you set up approvals for updates and then the updates will be offered to clients only once you approve them. You can divide the clients into groups and manage the approvals for these groups individually, so you can have a separate testing group.
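The approval workflow described above (a separate testing group, updates offered to production only after approval) can be driven from PowerShell on the WSUS server with the UpdateServices module that ships with the role. This is an added example, not the thread's or Microsoft's code: it assumes two computer target groups named "Testing" and "Production" already exist in the WSUS console, and the seven-day soak window is a placeholder policy value.

```powershell
# Added example (not from the thread): two-stage WSUS approvals.
# Stage 1: every newly synced, unapproved update is approved for 'Testing'.
# Stage 2: updates that have been approved for 'Testing' for at least $SoakDays
#          and have no failed installs there are promoted to 'Production'.
# Assumptions: run on the WSUS server as an administrator; the groups
# 'Testing' and 'Production' exist; $SoakDays is a placeholder.

Import-Module UpdateServices

$wsus     = Get-WsusServer   # connects to the local WSUS server on its default port
$SoakDays = 7                # placeholder: minimum time an update must sit in Testing

$testGroup = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Testing' }
if (-not $testGroup) { throw "Computer target group 'Testing' not found" }

# Stage 1: anything not yet approved and still needed somewhere goes to Testing.
$unapproved = Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status FailedOrNeeded
foreach ($u in $unapproved) {
    Approve-WsusUpdate -Update $u -Action Install -TargetGroupName 'Testing'
    "Approved for Testing: $($u.Update.Title)"
}

# Stage 2: promote updates that have soaked in Testing without failures.
$approved = Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any
foreach ($u in $approved) {
    # Approvals recorded for this update against the Testing group only.
    $testApproval = $u.Update.GetUpdateApprovals($testGroup) |
        Where-Object { $_.Action -eq 'Install' } |
        Select-Object -First 1
    if (-not $testApproval) { continue }

    $age    = (Get-Date) - $testApproval.CreationDate
    $failed = $u.Update.GetSummary($testGroup).FailedCount

    if ($age.TotalDays -ge $SoakDays -and $failed -eq 0) {
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName 'Production'
        "Promoted to Production: $($u.Update.Title)"
    }
}
```

Clients are pointed at the server with the group policy "Specify intranet Microsoft update service location" (Computer Configuration > Administrative Templates > Windows Components > Windows Update), and membership in the Testing and Production groups can be assigned either by hand in the console or via client-side targeting. The script only promotes on "no failures after N days"; an update that a tester has found to break something still has to be declined by hand, which is the point of the testing stage.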


Because somehow it gets worse and less usable each time. Also, planned obsolescence.


> how to cache windows updates on my local network without an enterprise windows install

https://download.wsusoffline.net/

will download Windows updates and create an installer for them.


Look into WSUS / Windows Update Services


He said "without an enterprise install"



