Can Microsoft Defender update downloads come from third-party CDN addresses?

KinghornAdmin 0 Reputation points
2026-04-28T01:44:08.2933333+00:00

I observed several Windows devices receiving Microsoft Defender Security Intelligence updates around the same dates that my network monitor reported executable downloads from external content-delivery addresses.

Could Microsoft confirm whether Defender or Windows Update content may legitimately be served from partner CDN or edge-network IP addresses rather than directly from microsoft.com domains?

I am trying to distinguish normal update traffic from traffic that needs investigation. Is the IP range I am concerned about, 173.46.83.200/29, used for Microsoft update or Defender content delivery?

With thanks

Microsoft Security | Microsoft Defender | Other
1 answer

  1. Konstantinos Lianos 425 Reputation points Student Ambassador
    2026-05-06T11:34:09.1166667+00:00

    Hi @KinghornAdmin ,

    Yes, Microsoft update content can legitimately be delivered through CDN/edge infrastructure rather than from an IP range that looks directly owned by Microsoft. Microsoft’s Windows Update security documentation says downloads are load-balanced through CDNs, and Microsoft does not provide fixed IP addresses or IP ranges for Windows Update exceptions because they can change over time.

    For Microsoft Defender Antivirus specifically, security intelligence and platform updates are delivered through Windows Update, and Defender can be configured to use sources such as Microsoft Update, WSUS, Configuration Manager, UNC share, or Microsoft security intelligence updates depending on your fallback order.

    So the answer is: third-party CDN delivery can be normal, but I would not validate it by IP address alone. For the specific range 173.46.83.200/29, I would not assume it is legitimate just because it appeared during Defender updates. Instead, check the full context:

    - Which process initiated the download: Windows Update / Delivery Optimization / Defender
    - The requested hostname, URL, SNI, or proxy log destination
    - Whether the downloaded file is Microsoft-signed
    - Whether the activity lines up with Defender update events and KB2267602/security intelligence update timing

    If you need strict egress control, it is better to allow the documented Microsoft/Windows Update/Defender endpoints or use WSUS/Configuration Manager as the controlled update source, rather than trying to maintain static CDN IP allowlists. Microsoft’s documentation explicitly warns that IP ranges can change due to load balancing/CDN behavior.

    3 people found this answer helpful.
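The context checks listed in the answer above (initiating client, Microsoft signature on the file, correlation with Defender update events and Windows Update history), collected into one endpoint-side PowerShell triage script. This is an added example, not code from the answer or from Microsoft's documentation. It assumes you already have the path of the executable your network monitor flagged (`$FilePath`) and the time window it reported (`$Start`/`$End`), and that it runs in an elevated PowerShell on the Windows device in question; the cmdlets used (`Get-AuthenticodeSignature`, `Get-WinEvent`, `Get-MpComputerStatus`, `Get-DeliveryOptimizationStatus`, the `Microsoft.Update.Session` COM object) are standard on supported Windows 10/11 builds.

```powershell
# Added triage example (not part of the answer above).
# Usage: .\Triage-UpdateDownload.ps1 -FilePath 'C:\path\to\downloaded.exe' -Start (Get-Date).AddHours(-6)
param(
    [Parameter(Mandatory)] [string]   $FilePath,                       # file flagged by the network monitor
    [datetime] $Start = (Get-Date).AddDays(-1),                        # assumed window start
    [datetime] $End   = (Get-Date)                                     # assumed window end
)

# 1. Is the file Microsoft-signed?
#    Status must be 'Valid'; the subject check is a heuristic for a Microsoft-issued signer.
#    'NotSigned', 'HashMismatch' or a non-Microsoft subject is the case that needs investigation.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
$microsoftSigned = ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
[pscustomobject]@{
    Check           = 'Authenticode'
    File            = $FilePath
    Status          = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    MicrosoftSigned = $microsoftSigned
} | Format-List

# 2. Did Defender log a security intelligence update inside the window?
#    Event ID 2000 in the Defender operational log is written on a successful signature update.
Write-Host "`n== Defender security intelligence update events in window =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2000
    StartTime = $Start
    EndTime   = $End
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# Current signature state, to compare against the event timestamps above
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated | Format-List

# 3. Which client fetched it? Delivery Optimization reports the source URL it used for each job,
#    which gives you the hostname to match against your proxy/SNI logs instead of the raw CDN IP.
Write-Host "== Delivery Optimization jobs (hostname beats IP for validation) =="
Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue |
    Select-Object FileId, SourceURL, BytesFromHttp, BytesFromPeers, Status | Format-Table -AutoSize -Wrap

# 4. Windows Update history for the same window. KB2267602 is the Defender security
#    intelligence update named in the answer; a matching entry here is the expected explanation.
Write-Host "== Windows Update history in window =="
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$searcher.QueryHistory(0, $count) |
    Where-Object { $_.Date -ge $Start -and $_.Date -le $End } |
    Select-Object Date, Title, ResultCode | Format-Table -AutoSize -Wrap
```

The point of running all four together is the one the answer makes: a CDN address that is unfamiliar is not evidence by itself. If the file carries a valid Microsoft signature, Event ID 2000 fired in the same window, and Windows Update history shows the KB2267602 install, the download is explained without ever trusting the IP. The case to escalate is the opposite pattern: an executable that is unsigned or signed by someone else, with no corresponding update event, arriving from a host that the Delivery Optimization source URL does not account for.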
