What URLs must be in IE's Trusted Sites list to allow Windows Update?
Solution 1
I did a little more digging and found the following.
From KB836941 that @joequerty found:
http://*update.microsoft.comhttps://*update.microsoft.comhttp://download.windowsupdate.com
From an MS MVP's WSUS blog:
http://windowsupdate.microsoft.comhttp://*.windowsupdate.microsoft.comhttps://*.windowsupdate.microsoft.comhttp://download.windowsupdate.comhttp://*.download.windowsupdate.comhttp://*.windowsupdate.comhttp://wustat.windows.comhttp://ntservicepack.microsoft.com
Not required for Windows Update, but could also be useful:
http://office.microsoft.com/officeupdate
Combined with the wildcard rules in KB184456, I get the following:
*://*update.microsoft.com*://*.windowsupdate.comhttp://wustat.windows.comhttp://ntservicepack.microsoft.comhttp://office.microsoft.com
Hope that helps someone out there!
Solution 2
KB836941 suggests these addresses:
http://*update.microsoft.com
https://*update.microsoft.com
http://download.windowsupdate.com
Better still:
http://*.microsoft.com
http://*.windowsupdate.com
Related videos on Youtube
10 : 02
01 : 32
02 : 14
02 : 14
03 : 49
ewall
Updated on September 18, 2022Comments
-
ewall over 1 year
Particularly for servers in which IE Enhanced Security Configuration is enabled, you need to have all the Windows Update/Microsoft Update URLs in your "Trusted Sites" list in order to use the site.
(Furthermore, for domain member servers where Group Policy enforces Internet Explorer's list of "Trusted Sites", you don't have the option to edit the Trusted Sites yourself... so all the necessary URLs should be listed in the GPO.)
So, what is the full list of URLs I'll need in IE's Trusted Sites? So far I have the following:
- http(s)://*.update.microsoft.com
- http://download.windowsupdate.com
- http://windowsupdate.microsoft.com
I seem to remember there being several more...
-
ewall over 12 yearsAh,
*update.microsoft.cominstead of*.update.microsoft.com, which covers the windowsupdate.microsoft.com case as well as update.microsoft.com. Looks good to me, but I remember having to program more than these into UTM firewalls to keep them from messing with the traffic...? -
Admin over 11 yearsYah - except IE9 won't accept anything in the form alphanum, it requires a dot between "" and "alphanum" This is from the error message:- You have entered an invalid wildcard sequence. Examples of valid patterns: ://.microsoft.com http://*.microsoft.co.jp Examples of invalid patterns: microsoft.*.com ftp://* -
Huntrods over 10 yearsInteresting. On Server 2008R2, I removed all trusted zones and then added the two 'better still' ones you recommend. It took *.microsoft.com but would not take *.windowsupdate.com, stating in a message box that it was already in the trusted zone (but I don't see it which is also strange!)
-
Pierre.Vriens almost 8 yearsAre you sure ???
