In corporate environments with firewalls, proxy servers, or web filtering, Windows Update will fail silently if it cannot reach the Microsoft servers it depends on. This article provides the complete list of domains and URLs you need to allow, plus configuration guidance for WSUS and proxy environments.

Required Ports

Windows Update uses the following protocols and ports:

Protocol   Port   Purpose
HTTPS      443    Metadata, authentication, and secure downloads
HTTP       80     Update payload delivery via CDN

Both ports must be open for outbound traffic from the client (or WSUS server) to the internet.

Core Windows Update Domains

These are the essential domains that must be allowed for Windows Update to function. Use wildcard rules where indicated.

Primary Update Services

*.windowsupdate.com
*.update.microsoft.com
*.windowsupdate.microsoft.com
windowsupdate.microsoft.com
update.microsoft.com

Delivery Optimization and CDN

*.delivery.mp.microsoft.com
*.download.windowsupdate.com
download.windowsupdate.com
download.microsoft.com
*.download.microsoft.com

Certificate Validation and Authentication

Windows Update validates code signing certificates using these endpoints:

ctldl.windowsupdate.com
*.digicert.com
*.globalsign.com
*.verisign.com

Microsoft Update (Office and Other Products)

If you use Microsoft Update (which extends Windows Update to include Office, SQL Server, and other Microsoft product updates):

*.update.microsoft.com
update.microsoft.com

Telemetry and Reporting

Windows Update reports status information to these endpoints. Blocking them may not prevent updates from installing, but can cause error reporting and diagnostics to fail:

*.microsoft.com/pkiops/*
settings-win.data.microsoft.com

Windows 10 / Windows 11 Specific

Modern Windows versions use additional endpoints:

*.prod.do.dsp.mp.microsoft.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com
emdl.ws.microsoft.com
tsfe.trafficshaping.dsp.mp.microsoft.com

Complete Allow List (Copy-Paste Ready)

Here is a consolidated list suitable for import into firewall rules or proxy allow lists:

# Windows Update core
*.windowsupdate.com
*.update.microsoft.com
*.windowsupdate.microsoft.com

# Download and delivery
*.delivery.mp.microsoft.com
*.download.windowsupdate.com
*.download.microsoft.com
download.windowsupdate.com
download.microsoft.com

# Delivery Optimization (P2P and CDN)
*.prod.do.dsp.mp.microsoft.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com

# Certificate validation
ctldl.windowsupdate.com

# Activation and licensing (required for feature updates)
activation.sls.microsoft.com
validation.sls.microsoft.com

# Telemetry / diagnostics
settings-win.data.microsoft.com

Proxy Server Configuration

The WinHTTP vs. WinINET Distinction

This is the most common cause of Windows Update failures in proxy environments. Windows Update uses the WinHTTP proxy stack, which is separate from the proxy settings configured in Internet Explorer / Windows Settings (which use WinINET).

Even if a user can browse the web through the proxy, Windows Update may not be able to reach Microsoft because WinHTTP has its own, independent proxy configuration.
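The following added PowerShell check (not from the original article) makes the WinHTTP/WinINET mismatch visible on a machine: it reads the WinHTTP proxy from netsh and the current user's WinINET proxy from the registry and warns when the browser has a proxy but Windows Update does not. It assumes the standard per-user Internet Settings registry key and the single "host:port" proxy form.

```powershell
# Added example (not from the original article): compare the proxy Windows
# Update will use (WinHTTP) with the one the user's browser uses (WinINET).
$winhttpOut   = (netsh winhttp show proxy) -join "`n"
$winhttpProxy = if ($winhttpOut -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { $null }

# WinINET settings are per user and live under HKCU.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie    = Get-ItemProperty -Path $ieKey
$wininetProxy = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { $null }

[pscustomobject]@{
    WinHTTP_Proxy = if ($winhttpProxy) { $winhttpProxy } else { 'Direct access' }
    WinINET_Proxy = if ($wininetProxy) { $wininetProxy } else { 'Direct access' }
    AutoConfigURL = $ie.AutoConfigURL   # PAC URL, present only when the browser uses one
} | Format-List

if (-not $winhttpProxy -and $wininetProxy) {
    Write-Warning "WinINET uses '$wininetProxy' but WinHTTP is direct: Windows Update will bypass the proxy."
    Write-Warning "Fix with: netsh winhttp import proxy source=ie  (or netsh winhttp set proxy ...)"
} elseif (-not $winhttpProxy -and $ie.AutoConfigURL) {
    # 'import proxy source=ie' copies only the static server and bypass list,
    # so a PAC-only browser configuration gives WinHTTP nothing to import.
    Write-Warning "Browser proxy comes from a PAC file ($($ie.AutoConfigURL)); set a static WinHTTP proxy with netsh winhttp set proxy."
}
```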

Configuring the WinHTTP Proxy

Option 1: Import from Internet Explorer settings

netsh winhttp import proxy source=ie

Option 2: Set directly

netsh winhttp set proxy proxy-server="http://proxy.example.com:8080" bypass-list="*.local;10.*"

Option 3: View current settings

netsh winhttp show proxy

Option 4: Reset to direct (no proxy)

netsh winhttp reset proxy

Proxy Configuration via Group Policy (Windows 10/11, Server 2016+)

On modern Windows versions, you can configure the WinHTTP proxy through Group Policy:

  1. Open Group Policy Editor (gpedit.msc or through GPMC for domain policies).
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
  3. Enable Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service.

For a more comprehensive proxy configuration:

  1. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
  2. Use the policy Specify intranet Microsoft update service location if routing through WSUS.

Proxy Authentication

If your proxy requires authentication, be aware that:

  • The SYSTEM account is typically used by the Windows Update service. It does not have user credentials.
  • Configure your proxy to allow unauthenticated access to the Microsoft domains listed above, or use machine-certificate-based authentication.
  • In Windows 10 version 1709 and later, you can use the Group Policy setting mentioned above to allow authenticated proxy usage for update traffic.

WSUS (Windows Server Update Services) Configuration

If your organization uses WSUS, the architecture changes significantly.

How WSUS Changes the Flow

With WSUS deployed:

  • The WSUS server downloads updates from Microsoft (it needs access to the domains listed above).
  • Client machines download updates from the WSUS server only. They do not contact Microsoft directly.

WSUS Server Firewall Requirements

The WSUS server needs outbound access to:

*.windowsupdate.com          (port 443)
*.update.microsoft.com       (port 443)
*.download.windowsupdate.com (port 80 and 443)
download.microsoft.com       (port 80 and 443)

Client-to-WSUS Firewall Requirements

Clients need access to the WSUS server on:

Protocol   Port   Notes
HTTP       8530   Default WSUS HTTP port
HTTPS      8531   Default WSUS HTTPS port

These ports are configurable during WSUS setup. Some organizations use ports 80/443 instead.

Configuring Clients via Group Policy

To point clients to your WSUS server:

  1. Open Group Policy Management Console and create or edit a GPO linked to the appropriate OU.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
  3. Enable Specify intranet Microsoft update service location.
  4. Set both values to your WSUS server URL:
    • Intranet update service: http://wsus-server:8530
    • Intranet statistics server: http://wsus-server:8530
  5. Run gpupdate /force on a client to apply the policy immediately.

Verify with:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer
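As an added example (not from the original article), this PowerShell script goes one step further than the reg query above: it reads the WUServer and WUStatusServer values the policy sets, checks the UseWUServer switch under the AU subkey, and tests whether the client can reach the WSUS server on the port in the URL. It assumes the standard policy key path shown above and a reachable WSUS host name.

```powershell
# Added example (not from the original article): verify that the WSUS policy
# landed on a client and that the WSUS server answers on the configured port.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey        -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU"   -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer) {
    Write-Warning "No WUServer policy found; the client will contact Microsoft directly (check GPO link and scope, then run gpupdate /force)."
    return
}

# UseWUServer (DWORD 1) under the AU subkey is what switches the client to WSUS;
# WUServer alone is ignored without it.
if ($au.UseWUServer -ne 1) {
    Write-Warning "WUServer is set but AU\UseWUServer is not 1; the client will still use Microsoft."
}

foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = $wu.$name
    if (-not $value) { Write-Warning "$name is not set"; continue }
    $uri = [uri]$value
    # 8530/8531 are the WSUS defaults; [uri] substitutes 80/443 when the URL has no port.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Policy  = $name
        Url     = $value
        Host    = $uri.Host
        Port    = $uri.Port
        Scheme  = $uri.Scheme
        TcpOpen = $tcp.TcpTestSucceeded
    }
}
```

If the URL uses https but TcpOpen is false on 8531, check that the WSUS site actually has the HTTPS binding configured rather than only the default 8530 port.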

Troubleshooting Windows Update Connectivity

Test Basic Connectivity

From the client machine, verify that you can reach the Windows Update servers:

Test-NetConnection -ComputerName windowsupdate.microsoft.com -Port 443
Test-NetConnection -ComputerName download.windowsupdate.com -Port 80

Check the Windows Update Log

On Windows 10/11, the traditional WindowsUpdate.log file is no longer plain text. Generate a readable version:

Get-WindowsUpdateLog

This creates a WindowsUpdate.log file on your desktop. Search for errors containing “proxy”, “connection”, or “0x80” error codes.

Reset Windows Update Components

If Windows Update is in a broken state after proxy or firewall changes, reset it:

net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver

Verify Proxy Settings Are Applied

netsh winhttp show proxy

If this shows “Direct access (no proxy server)”, but your network requires a proxy, Windows Update will fail. Set the proxy as described in the proxy configuration section above.

Network Diagram Summary

Here is how the traffic flows in each scenario:

Direct (no WSUS):

Client --> Firewall (allow listed domains, ports 80/443) --> Microsoft CDN/Servers

With WSUS:

Client --> WSUS Server (port 8530/8531)
WSUS Server --> Firewall (allow listed domains, ports 80/443) --> Microsoft CDN/Servers

With Delivery Optimization (Windows 10/11):

Client --> Peers on local network (for cached content)
Client --> Firewall (allow listed domains, ports 80/443) --> Microsoft CDN (for uncached content)