One of the best solutions so far is to force everyone on the network to use a DNS resolver you control and block the DNS request for this domain.
/ip firewall nat
# Redirect UDP DNS queries addressed to any other resolver to <dns-server>
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
    protocol=udp to-addresses=<dns-server> to-ports=53
# Same redirect for DNS over TCP
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
    protocol=tcp to-addresses=<dns-server> to-ports=53
Then either create a static DNS entry for download.windowsupdate.com pointing to 127.0.0.1 or use the layer7 filter to identify and drop the request.
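To confirm that both the redirect and the static entry are in effect, the following added example (not part of the original page) queries an arbitrary resolver address from a LAN client and checks that the answer is the sinkhole address. All function names are hypothetical, and the sample response is constructed test data.

```python
import socket
import struct

DOMAIN = "download.windowsupdate.com"   # domain named on this page

def build_query(name, txid=0x1234):
    # DNS header (RD set, one question) + QNAME + QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    # Offset just past an encoded name: labels end at 0x00 or a 2-byte pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def a_records(msg):
    # Extract every IPv4 address from the answer section of a response
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or qd != 1:
        raise ValueError("not a DNS response to a single question")
    off = skip_name(msg, 12) + 4        # question name + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def is_sinkholed(msg, sink="127.0.0.1"):
    # True only when the answer has A records and all of them are the sink
    addrs = a_records(msg)
    return bool(addrs) and all(a == sink for a in addrs)

def sample_response(ip):
    # Constructed test data: question echoed back plus one compressed A answer
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return hdr + build_query(DOMAIN)[12:] + rr

def ask(resolver, timeout=3.0):
    # Live check from a LAN client: UDP query sent to any resolver address
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(DOMAIN), (resolver, 53))
        return s.recvfrom(512)[0]
```

From a LAN client, `is_sinkholed(ask("<outside-resolver-ip>"))` returning `True` shows the query was redirected to your resolver and answered with the static entry. It exercises only the UDP rule; the TCP rule needs a separate check.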