restrict web access

We use a Balance ONE.

I have to think many admins have tackled something like this before, so I figured I would post and maybe not have to reinvent the wheel.

We have a Windows 11 PC on a VLAN by itself, and it is to be used only to access a single website. We also still need for it to communicate with Microsoft for logging in, as well as Windows Update, Microsoft Intune and Defender for Endpoint.

Anyone been down this road?

Thanks,
Ralph

Hi Ralph,

You want to block everything, but not Windows Update and Microsoft Intune and Defender?

Did you have a look here?

BR
Dennis

Thanks, Dennis. That still wouldn’t do it. We want to set just the one PC, on a VLAN all by itself, so that it can only communicate with Windows Update and Microsoft Intune and Defender, and nothing else except one other website. We also don’t want to affect what our other PCs, on the primary VLAN, can and cannot get to.

We ended up using Internet Settings in Windows and directing all web traffic to 127.0.0.1, and adding exceptions for Microsoft and the one other site that it needs. So although it would’ve been nice to accomplish it with our Balance, I don’t think it’s possible.

BR,
Ralph
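
One way to script the Internet Settings approach Ralph describes, added here as an example and not taken from the thread; the host patterns in the allow list are placeholders, not Microsoft's real endpoint list:

```powershell
# Added example: point the WinINET proxy at 127.0.0.1 so ordinary web requests
# go nowhere, and list the only hosts that are allowed to bypass the proxy.
# The patterns below are constructed placeholders; take the real Windows Update,
# Intune and Defender endpoints from Microsoft's published endpoint list.
$allowedHosts = @(
    '<local>',               # keep loopback and single-label intranet names direct
    '*.windowsupdate.com',   # placeholder: Windows Update
    '*.microsoft.com',       # placeholder: sign-in, Intune, Defender for Endpoint
    'www.example.com'        # placeholder: the one permitted website
)

# Per-user WinINET settings; this is what the Internet Settings dialog writes.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

Set-ItemProperty -Path $key -Name ProxyEnable   -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name ProxyServer   -Value '127.0.0.1:80' -Type String
# ProxyOverride is a semicolon-separated list of hosts that skip the proxy.
Set-ItemProperty -Path $key -Name ProxyOverride -Value ($allowedHosts -join ';') -Type String

# Read back what was written so the change can be checked.
Get-ItemProperty -Path $key | Select-Object ProxyEnable, ProxyServer, ProxyOverride
```

These values live under HKCU, so they apply to the logged-on user only and can be changed back by that user unless proxy settings are locked by policy, and programs that ignore WinINET proxy settings are not affected, which is why the VLAN firewall remains the real enforcement point.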

I have done this before for naughty customers who forget to pay.

Rather than disable the service completely, I turn on captive portal and set the redirect page to a page on our knowledgebase that explains they have an accounting problem and need to call us. Then any attempt to access any website redirects them to the KB article.

Remember to put the target page in the allowed networks list, along with a long list of domains for Windows Update and Defender etc. and you should be good to go.

Or, if you manage the Windows PC and can lock it down, you could use a web proxy on the machine itself to block all but the sites you want it to access…

You could first run a DNS logger on the Win11 PC to see the domains and subdomains needed for Windows Update. I suggest this free program.

Then set Outbound Firewall rules keyed off the one PC or its VLAN that allow the Windows Update domains/subdomains.
Then set an Outbound Firewall rule that allows the one website, again based on domain.
Finally, set an Outbound Firewall rule that blocks everything else from the VLAN or from the one PC.

After logging all the phoning home that Windows does, you will be glad to block most of it.