I'm pretty confident you will never get the list - partly due to the fact they can change at will as part of the balancing and scaling abilities that are required to serve the global community for updates. This is why wildcard DNS is used in the documentation.
Need documentation for Windows Update domains or IP addresses without wildcards
I want to accurately filter traffic for ms-updates in a business firewall. Microsoft only provides lists of domains with wildcards but many firewall appliances will not match wildcard addresses.
I have read through several similar threads and I fully understand the complexity of Microsoft's DNS configuration and the fact that the addresses are subject to change. Telling me this will not fix the problem.
If I have a reliable source of Windows Update IP addresses or FQDNs involving subdomains, I can easily automate a solution that will give me the information I need for whitelisting. This isn't a question about WSUS and suggesting that I use WSUS is not a solution.
I've read through the following thread:
This thread suggests: "Instead, we suggest either allowing all outbound connections to http & https ports or defining the DNS addresses as permitted destinations for traffic via the firewall."
Allowing all outbound http and https ports leaves my organization less secure and defining DNS addresses with wildcards is impossible with many firewalls. This is not a solution.
Many threads link to this page about WSUS:
However, this is not a solution either as it requires wildcard masks.
Other threads have suggested using the MSFT ip address list found here:
https://www.microsoft.com/en-us/download/details.aspx?id=53602
However, I do not want to whitelist a bunch of azure webhosts that Microsoft has rented out to potentially malicious actors. This is not a solution either.
It's easy to find others complaining about this problem but not finding solutions. At least one of the threads I've read suggests that Microsoft does not publish this information for 'security reasons'. Microsoft insisting on using these wildcard masks without providing a means to get the data without wildcards shows that Microsoft is valuing its own flexibility rather than the security needs of its customers, as it results in environments either having faulty update traffic or allowing unwanted traffic.
Can anyone provide a way to find this information?
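One defensive way to turn the documented wildcards into concrete names a non-wildcard firewall can take, added here as an example and not code from the thread or from Microsoft: harvest the FQDNs your own resolver actually sees and keep only those that fall under a documented wildcard pattern. The pattern list and the log format below are constructed samples (the three patterns are assumed from the public documentation; substitute the full list you are working from).

```python
import re
from collections import Counter

# Wildcard patterns as the vendor documentation states them. Constructed sample:
# replace with the full list from the documentation page you are working from.
WILDCARD_PATTERNS = [
    "*.windowsupdate.com",
    "*.update.microsoft.com",
    "*.delivery.mp.microsoft.com",
]

# Constructed sample of resolver query logs in a hypothetical syslog-style format.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z resolver query client=10.0.0.21 qname=fe3cr.delivery.mp.microsoft.com qtype=A
2024-05-01T10:00:02Z resolver query client=10.0.0.21 qname=download.windowsupdate.com qtype=A
2024-05-01T10:00:03Z resolver query client=10.0.0.33 qname=au.download.windowsupdate.com. qtype=AAAA
2024-05-01T10:00:04Z resolver query client=10.0.0.33 qname=evil-windowsupdate.com qtype=A
2024-05-01T10:00:05Z resolver query client=10.0.0.40 qname=sls.update.microsoft.com qtype=A
2024-05-01T10:00:06Z resolver query client=10.0.0.40 qname=www.example.org qtype=A
"""

QNAME_RE = re.compile(r"\bqname=(?P<name>[A-Za-z0-9.-]+)")

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*.example.com' -> anchored regex for one or more labels before example.com.
    Anchoring on the dot keeps look-alikes such as 'evil-example.com' out."""
    if not pattern.startswith("*."):
        raise ValueError(f"expected a leading '*.' in {pattern!r}")
    return re.compile(rf"^(?:[a-z0-9-]+\.)+{re.escape(pattern[2:])}$", re.IGNORECASE)

def extract_qnames(log_text: str) -> Counter:
    """Count queried names, normalising case and a trailing root dot."""
    names = Counter()
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if m:
            names[m.group("name").rstrip(".").lower()] += 1
    return names

def build_allowlist(log_text: str, patterns=WILDCARD_PATTERNS) -> dict:
    """Map each wildcard pattern to the concrete FQDNs observed under it.
    Names matching no pattern are dropped; they need a separate review."""
    regexes = [(p, wildcard_to_regex(p)) for p in patterns]
    result = {p: [] for p in patterns}
    for name in sorted(extract_qnames(log_text)):
        for pattern, rx in regexes:
            if rx.match(name):
                result[pattern].append(name)
                break
    return result
```

Feed the resulting per-pattern lists into the firewall's address objects and re-run the script on a schedule, since the concrete names under each wildcard change over time.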