You want to block Windows Update because:
Your internal policy does not allow each individual host to go directly to the internet for Windows Update.
Windows Update is delivered through a patch management server, so client hosts are not allowed to go directly to the internet for Windows Update.
When Windows Update is blocked by the ProxySG, users may see a message resembling one of the following:
We couldn't get online to download your updates. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet.
Windows could not search for new updates: An error occurred while checking for new updates for your computer. Try again
Install the following CPL to block the currently known Microsoft Update servers at the proxy level. This CPL also blocks the user-agents used by the Windows Update client (the known user-agents as of this writing).
<proxy>
; client.address=<IP_address> Condition=Windows_Update ALLOW
; Uncomment the rule above (replacing <IP_address>) to let one specific host, such as the patch management server, perform Windows Update.
; It must stay above the DENY rule, because the first matching rule in the layer wins.
Condition=Windows_Update DENY
define condition Windows_Update
url.domain=windowsupdate.com
url.domain=c.microsoft.com
url.domain=update.microsoft.com
url.domain=windowsupdate.microsoft.com
url.domain=download.windowsupdate.com
url.domain=ntservicepack.microsoft.com
url.domain=wustat.windows.com
url.domain=login.live.com ; required if a Microsoft Account is connected on the client
url.domain=mp.microsoft.com
url.domain=download.microsoft.com
request.header.User-Agent="Microsoft-CryptoAPI"
request.header.User-Agent="Windows-Update-Agent"
end
Microsoft may change these URLs. Please refer to this article for the latest published list, and add or remove domains in the above CPL accordingly.
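To check what the policy above actually does before deploying it, the following added example (not ProxySG code or part of the original article) models the `<proxy>` layer in Python: first-match rule evaluation, `url.domain=` suffix matching (the domain itself and all of its subdomains), and `request.header.User-Agent=` as a regular-expression match against the header value. The patch management server address `10.0.0.5`, the client address `192.168.1.20` and the sample hosts are constructed for the demonstration. It also shows one thing worth knowing before enabling the rule: the `Microsoft-CryptoAPI` user-agent trigger is not limited to the update domains, so other requests sent by Windows with that user-agent, including certificate revocation (CRL/OCSP) fetches, are denied as well.

```python
"""Model of the ProxySG <proxy> policy above (added example, not ProxySG code).

Shows first-match rule evaluation, url.domain= suffix matching and
request.header.User-Agent= regex matching over constructed requests.
"""
import re
from dataclasses import dataclass

# Domains and user-agent patterns taken from the Windows_Update condition above.
WINDOWS_UPDATE_DOMAINS = [
    "windowsupdate.com", "c.microsoft.com", "update.microsoft.com",
    "windowsupdate.microsoft.com", "download.windowsupdate.com",
    "ntservicepack.microsoft.com", "wustat.windows.com", "login.live.com",
    "mp.microsoft.com", "download.microsoft.com",
]
WINDOWS_UPDATE_USER_AGENTS = ["Microsoft-CryptoAPI", "Windows-Update-Agent"]

# Constructed placeholder for the <IP_address> in the commented-out ALLOW rule.
PATCH_SERVER_IP = "10.0.0.5"


@dataclass
class Request:
    client_address: str
    host: str
    user_agent: str


def url_domain_matches(host: str, domain: str) -> bool:
    """CPL url.domain= semantics: the host is the domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_windows_update(req: Request) -> bool:
    """The define condition Windows_Update block: any listed trigger matches (OR)."""
    if any(url_domain_matches(req.host, d) for d in WINDOWS_UPDATE_DOMAINS):
        return True
    # request.header.User-Agent="..." is a regex match against the header value,
    # so "Microsoft-CryptoAPI/10.0" matches the pattern "Microsoft-CryptoAPI".
    return any(re.search(p, req.user_agent) for p in WINDOWS_UPDATE_USER_AGENTS)


def evaluate_proxy_layer(req: Request, allowed_client: str = PATCH_SERVER_IP) -> str:
    """Evaluate the <proxy> layer: rules are tried in order, the first match wins."""
    rules = [
        # client.address=<IP_address> Condition=Windows_Update ALLOW (the exception rule)
        (lambda r: r.client_address == allowed_client and is_windows_update(r), "ALLOW"),
        # Condition=Windows_Update DENY
        (is_windows_update, "DENY"),
    ]
    for matches, verdict in rules:
        if matches(req):
            return verdict
    # No rule matched: the appliance's default policy applies; ALLOW is assumed here.
    return "ALLOW"


def run_samples() -> dict:
    """Run constructed requests through the layer and return host -> verdict."""
    samples = [
        Request(PATCH_SERVER_IP, "download.windowsupdate.com", "Windows-Update-Agent/10.0"),
        Request("192.168.1.20", "download.windowsupdate.com", "Windows-Update-Agent/10.0"),
        Request("192.168.1.20", "fe2.update.microsoft.com", "Mozilla/5.0"),
        Request("192.168.1.20", "www.example.com", "Mozilla/5.0"),
        # Side effect: a revocation check from an ordinary client is denied too,
        # because the user-agent trigger is not scoped to the update domains.
        Request("192.168.1.20", "crl.example.com", "Microsoft-CryptoAPI/10.0"),
    ]
    return {f"{r.client_address} -> {r.host}": evaluate_proxy_layer(r) for r in samples}


if __name__ == "__main__":
    for request, verdict in run_samples().items():
        print(f"{verdict:5} {request}")
```

Running the block prints one verdict per constructed request: only the patch management server reaches `download.windowsupdate.com`, a normal client is denied for update domains and their subdomains, unrelated browsing is allowed, and the CRL fetch is denied because of the user-agent trigger. If that last outcome is not wanted, the user-agent triggers would need to be narrowed or removed from the condition.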