Forum Discussion

hauer94's avatar
hauer94
Copper Contributor
Sep 25, 2025

List with FQDNs and IPs for updates via proxy

Good day,   I am sorry if its the wrong subspace. I have a couple of Windows servers above or equal server 2016 that do download updates directly from the internet via a proxy. I can not find a web...
networking
Windows Server
kyazaferr's avatar
kyazaferr
MCT
Oct 07, 2025

Hi there,

You're in the right place — and this is a common question when Windows Update clients connect through a proxy.

Starting from Windows Server 2016 and later, Windows Update (WU) and Windows Update for Business (WUfB) communicate with multiple Microsoft endpoints, not just one set of IPs.
Microsoft does not publish a fixed IP list for Windows Update because the backend infrastructure is hosted on multiple CDN networks (Akamai, Azure Front Door, and others) that change dynamically.

Instead, Microsoft officially recommends using domain-based allow rules on your proxy/firewall.
Here are the required endpoints and ports:

TCP 80 (HTTP) and TCP 443 (HTTPS)

Required FQDNs to Allow (without SSL interception)

*.windowsupdate.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
*.delivery.mp.microsoft.com
*.do.dsp.mp.microsoft.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com
fe2.update.microsoft.com
sls.update.microsoft.com
tsfe.trafficshaping.dsp.mp.microsoft.com

*.wdcp.microsoft.com
*.windowsupdate.com
*.delivery.mp.microsoft.com
*.microsoft.com

If your proxy performs SSL inspection, you must exclude these Microsoft update domains — otherwise, TLS validation will fail. Hope this helps.

Resources