What are the IP ranges for Microsoft Windows Update?

Janus Bariñan 1,126 Reputation points
2021-06-30T11:06:50.39+00:00

What are the IP ranges for Microsoft Windows Update? I know Microsoft lists the URLs to be allowed in the firewall for Windows Update for WSUS, but the current firewall does not support URL filtering. So IP addresses are needed.

Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.

Accepted answer
  1. Teemo Tang 11,346 Reputation points
    2021-07-01T01:21:40.58+00:00

    Windows Update requires TCP ports 80, 443, and 49152-65535.

    The IP address for the Windows Update web site constantly changes and it is not a fixed address. Also, there is no official publication of the IP addresses. We normally advise against defining IP addresses on the firewall for this purpose. Instead, we suggest either allowing all outbound connections to http & https ports or defining the DNS addresses as permitted destinations for traffic via the firewall.

    For up-to-date information about the IPs being used by Windows Update, use the DNS system, as this is the only reliable, up-to-date source of information. If you use DNS, make sure the following destination hosts are specified:

    http://windowsupdate.microsoft.com
    http://*.windowsupdate.microsoft.com
    https://*.windowsupdate.microsoft.com
    http://*.update.microsoft.com
    https://*.update.microsoft.com
    http://*.windowsupdate.com
    http://download.windowsupdate.com
    http://download.microsoft.com
    http://*.download.windowsupdate.com
    http://wustat.windows.com
    http://ntservicepack.microsoft.com
    http://stats.microsoft.com
    https://stats.microsoft.com

    Also check this similar case for a hint; the proposed reply is worth trying.

    https://social.technet.microsoft.com/Forums/Lync/en-US/b596aa81-2775-496c-b159-dcfc5c5bf22d/windows-update-ip-addresses-range-and-subnet-mask-for-windows-server-2008?forum=winserversecurity

    Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    3 people found this answer helpful.
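
The DNS approach from the accepted answer, as an added example (not code from any poster or from Microsoft): it resolves the concrete hostnames, sets aside the wildcard entries that have no single DNS answer, and compares two resolution runs so that address churn shows up as a diff. The function names and the run-to-run comparison are assumptions of this example; the destination list is the one quoted above, with wildcard entries written as `*.`.

```python
import socket
from urllib.parse import urlsplit

# Destination list from the accepted answer, wildcard entries written as "*."
DESTINATIONS = """
http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com http://*.update.microsoft.com
https://*.update.microsoft.com http://*.windowsupdate.com
http://download.windowsupdate.com http://download.microsoft.com
http://*.download.windowsupdate.com http://wustat.windows.com
http://ntservicepack.microsoft.com http://stats.microsoft.com
https://stats.microsoft.com
""".split()

def split_hosts(urls):
    """Return (concrete hosts, wildcard patterns), de-duplicated and sorted."""
    concrete, wildcard = set(), set()
    for url in urls:
        host = urlsplit(url).hostname or ""
        (wildcard if "*" in host else concrete).add(host)
    return sorted(concrete), sorted(wildcard)

def system_resolver(host):
    """Addresses the OS resolver returns right now; empty set on failure."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def snapshot(urls, resolve=system_resolver):
    """Resolve every concrete host; wildcard patterns cannot be resolved."""
    concrete, wildcard = split_hosts(urls)
    return {host: resolve(host) for host in concrete}, wildcard

def drift(previous, current):
    """Addresses added and removed per host between two snapshots."""
    changes = {}
    for host in sorted(set(previous) | set(current)):
        old, new = previous.get(host, set()), current.get(host, set())
        if old != new:
            changes[host] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return changes

if __name__ == "__main__":
    resolved, unresolved = snapshot(DESTINATIONS)
    for host, addrs in resolved.items():
        print(host, sorted(addrs))
    print("not expressible as IP rules:", unresolved)
```

Any non-empty `drift` result between two scheduled runs means an IP-based rule built from the earlier run is already stale, and the wildcard patterns never reach the rule set at all.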

3 additional answers

  1. Paul Brown 21 Reputation points
    2021-10-19T10:59:11.103+00:00

    The advice to use DNS is all well and good, but when I need to put an exception into a Network Security Group in Azure to permit updates without permitting all web traffic, the only options that I have are IP addresses or service tags (of which update is not one). So Microsoft are enforcing the IP address whitelisting, not me.

    4 people found this answer helpful.

  2. Leon Laude 85,666 Reputation points
    2021-06-30T11:16:12.317+00:00

    Hi @Janus Bariñan ,

    For security purposes, the IP addresses of the Windows Update web site are not fixed IP addresses. Also, the IP addresses could be subject to change; therefore Microsoft lists only URLs and not IP addresses.

    DNS is the only reliable and up-to-date source of information for the Windows Update addresses.


    Best regards,
    Leon

    2 people found this answer helpful.

  3. Flint G 6 Reputation points
    2022-07-27T19:42:01.283+00:00

    I found this download from Microsoft that might help. It doesn't describe which IP address ranges are used for what purpose, but it is theoretically an exhaustive list of IP addresses owned by Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=53602 . If you need IP addresses, this could be useful. If you can support DNS lookups at the firewall then you'll be better off using the DNS list already provided.

    Hope this helps someone else down the road.

    1 person found this answer helpful.