What URLs must be in IE's Trusted Sites list to allow Windows Update?

Particularly for servers in which IE Enhanced Security Configuration is enabled, you need to have all the Windows Update/Microsoft Update URLs in your "Trusted Sites" list in order to use the site.

(Furthermore, for domain member servers where Group Policy enforces Internet Explorer's list of "Trusted Sites", you don't have the option to edit the Trusted Sites yourself... so all the necessary URLs should be listed in the GPO.)

So, what is the full list of URLs I'll need in IE's Trusted Sites? So far I have the following:

  • http(s)://*.update.microsoft.com
  • http://download.windowsupdate.com
  • http://windowsupdate.microsoft.com

I seem to remember there being several more...


KB836941 suggests these addresses:

http://*update.microsoft.com

https://*update.microsoft.com

http://download.windowsupdate.com

Better still:

http://*.microsoft.com
http://*.windowsupdate.com

I did a little more digging and found the following.

From KB836941 that @joequerty found:

  • http://*update.microsoft.com
  • https://*update.microsoft.com
  • http://download.windowsupdate.com

From an MS MVP's WSUS blog:

  • http://windowsupdate.microsoft.com
  • http://*.windowsupdate.microsoft.com
  • https://*.windowsupdate.microsoft.com
  • http://download.windowsupdate.com
  • http://*.download.windowsupdate.com
  • http://*.windowsupdate.com
  • http://wustat.windows.com
  • http://ntservicepack.microsoft.com

Not required for Windows Update, but could also be useful:

  • http://office.microsoft.com/officeupdate

Combined with the wildcard rules in KB184456, I get the following:

  • *://*update.microsoft.com
  • *://*.windowsupdate.com
  • http://wustat.windows.com
  • http://ntservicepack.microsoft.com
  • http://office.microsoft.com

Hope that helps someone out there!