Hi, it can be stopped from application control. You can make 2 policies which will be clones but with 2 different schedules (night and day) and allow or deny updates as desired, but through application control. This is what we do.
But irrespective of when you can contact the public Microsoft update site to download updates, your server will still install those updates and reboot if its settings allow it to, at some random-ish length of time. So locking updates to a time doesn't guarantee that's when the servers would reboot.
This isn't a firewall problem. As others have said, this is a server management issue. You must control this properly outside the firewall. You should be looking at group policy to control active hours and when the server can install and reboot for updates. So you have 150 AD domains; that just means creating appropriate policies and applying them, not creating 150 WSUS servers. Heck, if you're controlling this via 1 firewall, only 1 WSUS server is needed...
But to be clear - the only way you'll get control of this is at a Windows level, not the firewall.
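
An added example, not part of the thread: a read-only PowerShell audit of the Windows Update policy registry values that decide when a server installs updates and reboots, which is the Windows-level control the replies above point to. The `Get-PolicyValue` helper and the report field names are made up for this illustration; a value that is absent means the policy is not configured on that server.

```powershell
# Added example: read-only check of the Windows Update group policy values.
# Run locally, or wrap in Invoke-Command to sweep many servers.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue {
    # Hypothetical helper: returns $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$auOptions = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify to install'
    4 = 'Auto download and schedule the install'
    5 = 'Local admin chooses the setting'
}
$days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

$opt   = Get-PolicyValue $au 'AUOptions'
$day   = Get-PolicyValue $au 'ScheduledInstallDay'
$time  = Get-PolicyValue $au 'ScheduledInstallTime'
$start = Get-PolicyValue $wu 'ActiveHoursStart'
$end   = Get-PolicyValue $wu 'ActiveHoursEnd'
$activeHoursOn = (Get-PolicyValue $wu 'SetActiveHours') -eq 1
$noRebootLoggedOn = (Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers') -eq 1

$mode = if ($null -eq $opt) { 'Not configured' }
        elseif ($auOptions.ContainsKey([int]$opt)) { $auOptions[[int]$opt] }
        else { "Other ($opt)" }
$schedule = if ($null -ne $day -and $null -ne $time) {
                '{0} at {1:00}:00' -f $days[[int]$day], $time
            } else { 'Not configured' }
$activeHours = if ($activeHoursOn) { '{0:00}:00-{1:00}:00' -f $start, $end }
               else { 'Not configured' }

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    AutoUpdateDisabled        = (Get-PolicyValue $au 'NoAutoUpdate') -eq 1
    UpdateMode                = $mode
    ScheduledInstall          = $schedule
    ActiveHours               = $activeHours
    NoRebootWithLoggedOnUsers = $noRebootLoggedOn
    UsesWsus                  = (Get-PolicyValue $au 'UseWUServer') -eq 1
    WsusServer                = Get-PolicyValue $wu 'WUServer'
    # True only when some policy actually constrains when a reboot can occur.
    RebootWindowControlled    = ($opt -eq 4 -and $null -ne $time) -or
                                $activeHoursOn -or $noRebootLoggedOn
}
```

A server that reports `RebootWindowControlled = False` can restart on its own timing even when the firewall only permits update downloads at night.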