Block Windows 10 P2P updates with a corporate firewall












5















I work for a small IT company that fixes mostly Windows computers, and lately we have a huge issue with Windows 10 updates.

When a new computer enters our network and starts downloading updates, it blocks internet for every other PC.

I've read that this is because of the new P2P mode, and if I manually disable that, in fact, it works.

But I can't manually disable a setting on every client PC every time a new customer brings his PC.

Is there a way to block this behaviour with a firewall? I'm running Ubuntu Server with FireHol to manage internet inside my network, and currently I didn't set up any QoS since we have plenty of bandwidth and when we download something on a computer we would like to do that at full speed.



Any thoughts?

































  • Some articles on the internet say that the service uses ports 3544 and 7680 for the communication. Blocking those ports might work but it's not sure. If you allow just one client to take the full bandwidth, then the other clients won't have any. Are you sure the problem isn't there? P2P is mostly used for upload and not download.

    – Spokey
    Apr 8 '16 at 9:04

  • It blocks internet for every other PC? Looks like you may need to enable some additional QoS rules or bandwidth sharing / limiting rules so one computer cannot use all available bandwidth, leaving the rest with none.

    – Jeff
    Apr 8 '16 at 10:24

  • If they are connected to the network wirelessly, see this...lifehacker.com/…

    – Moab
    Apr 13 '16 at 17:22

  • @Jeff It blocks even the internal network, literally everything. It's a pain. Fun fact: if a computer in my network starts a torrent, I don't have these issues. Other PCs slow a bit, but still work.

    – JohnKiller
    Apr 19 '16 at 8:57

  • @Moab I don't want to change settings on client computers. I want to change something at the router/gateway level.

    – JohnKiller
    Apr 19 '16 at 9:00
















networking windows-10 firewall windows-update iptables
















asked Apr 8 '16 at 8:10









JohnKiller
























1 Answer


















0














If it downloads via a non-SSL connection, you can set up a proxy cache like Squid.

Then you have a local server that won't go through the internet.
Hopefully you have gigabit locally so it won't bog down your local network.

Second, if you can place your client PCs on their own subnet, then:

    # eth0 (or whichever interface faces the clients); replace the -d placeholder with the update server's IP or name
    iptables -A FORWARD -i eth0 -s 192.168.100.1 -d <ip/ms server name> -j DROP

Set up your own PC with P2P for Windows 10 updates on so that it fetches updates from there instead of going to the internet. You can use iptables IP/port forwarding to forcibly redirect said update traffic to your local Windows 10 PC with P2P turned on.

If you have separate subnets for clients/work PCs, you can QoS just the appropriate subnet or just QoS the Microsoft update server.






        answered Jan 22 at 17:53









        cybernard
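
The port block raised in the comments, applied to a dedicated client subnet as the answer suggests, written out as an added example (not code from any of the posts). It only matches traffic that is routed through the gateway, so peers on the same switch segment never reach these rules. Assumptions: 7680 is TCP and 3544 is UDP (Teredo), and the subnet `192.168.100.0/24` and interface `eth0` are hypothetical values.

```shell
#!/bin/sh
# Added example, not from the original posts.
# Assumed values (hypothetical): client subnet and client-facing interface.
CLIENT_NET="${CLIENT_NET:-192.168.100.0/24}"
LAN_IF="${LAN_IF:-eth0}"

# Ports named in the comments. Protocols are an assumption stated in the
# lead-in: 7680/tcp (update peer listener), 3544/udp (Teredo NAT traversal).
P2P_PORTS="tcp:7680 udp:3544"

# Emit the rule set as text so it can be reviewed before it is applied.
do_block_rules() {
    for spec in $P2P_PORTS; do
        proto=${spec%%:*}
        port=${spec##*:}
        for dir in "-i $LAN_IF -s $CLIENT_NET" "-o $LAN_IF -d $CLIENT_NET"; do
            match="-A FORWARD $dir -p $proto --dport $port"
            # Rate-limited log line first, so blocked attempts show up in the
            # kernel log and reveal which client is trying to peer.
            echo "iptables $match -m limit --limit 6/min -j LOG --log-prefix DO-P2P:"
            echo "iptables $match -j DROP"
        done
    done
}

# Dry run by default; pass --apply (as root) to load the rules.
if [ "${1:-}" = "--apply" ]; then
    do_block_rules | sh -e
else
    do_block_rules
fi
```

After applying, `iptables -L FORWARD -v -n` shows per-rule packet counters, which tells you whether these ports carry the update traffic at all.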
