none
What IP's, domains or ports required for Windows 10 Upgrade tool download?

    Question

  • Hello,

    I am testing the Windows 10 upgrade tool that will take a Windows 10 machine up to the latest build (1703 Creators update) but I have to put my PC in our Webfilter's "BYPASS" IP list in order for this to download.  If I don't, I get error code 0x80190001 when the download begins.

    I would just like to put in the proper domain entries in our IT group in our Cisco IronPort webfilter.  This way I do not have to mess with using the bypass list (and potentially forget to take my IP out and then some other person gets that IP via DHCP in the future and runs unprotected).

    Thanks!

    Monday, April 10, 2017 12:49 PM

Answers

  • Joy-Qiao is correct with the URL's required, however even when adding them into our Webfilter, we still had issues regarding Windows Store being slow and the Media Creation tool not working to grab Windows 10 (either to install or create a bootable ISO / USB).

    The correct answer in our case for a Cisco IronPort S170 webfilter was to enable Range Request Download option.

    Rangerequestdownload allows the WSA (Web Security Appliance) to request an object in chunks versus trying to download the entire file each and every time the client makes a request for just a small portion of that entire file. When the WSA does not use rangerequestdownload and a pc requests to download a 1GB file the pc will actually request it in pieces. Now every time that request is made by the pc for another piece of the 1GB file the WSA will request the entire file rather than just the small part of the file that the PC has requested. This will actually either be very slow or can cause failure to download the file. The problem with enabling rangrequestdownload is that as the file is broken up into pieces it eliminates our ability to scan the file to determine if it has a virus / malware signature in it. This will increase the chances of malware or a virus slipping through the WSA unless WBRS scores the URL your trying to download the file from with a -6 or below thus blocking the download all together.

    Tuesday, April 25, 2017 12:29 PM

All replies

  • Hi,

    We could try to configure firewall to bypass the following website.

    http://windowsupdate.microsoft.com

    http://*.windowsupdate.microsoft.com

    https://*.windowsupdate.microsoft.com

    http://*.update.microsoft.com

    https://*.update.microsoft.com

    http://*.windowsupdate.com

    http://download.windowsupdate.com

    http://download.microsoft.com

    http://*.download.windowsupdate.com

    http://test.stats.update.microsoft.com

    http://ntservicepack.microsoft.com

    If you need more detailed information, please refer to the link below:

    How to Configure a Firewall for Software Updates

    https://technet.microsoft.com/en-us/library/bb693717.aspx

    In addition, we also could use Network Monitor tool to capture the network packets for detailed information.

    Network Monitor

    https://www.microsoft.com/en-us/download/details.aspx?id=4865

    Bests,

    Joy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 11, 2017 10:27 AM
    Moderator
  • Joy-Qiao is correct with the URL's required, however even when adding them into our Webfilter, we still had issues regarding Windows Store being slow and the Media Creation tool not working to grab Windows 10 (either to install or create a bootable ISO / USB).

    The correct answer in our case for a Cisco IronPort S170 webfilter was to enable Range Request Download option.

    Rangerequestdownload allows the WSA (Web Security Appliance) to request an object in chunks versus trying to download the entire file each and every time the client makes a request for just a small portion of that entire file. When the WSA does not use rangerequestdownload and a pc requests to download a 1GB file the pc will actually request it in pieces. Now every time that request is made by the pc for another piece of the 1GB file the WSA will request the entire file rather than just the small part of the file that the PC has requested. This will actually either be very slow or can cause failure to download the file. The problem with enabling rangrequestdownload is that as the file is broken up into pieces it eliminates our ability to scan the file to determine if it has a virus / malware signature in it. This will increase the chances of malware or a virus slipping through the WSA unless WBRS scores the URL your trying to download the file from with a -6 or below thus blocking the download all together.

    Tuesday, April 25, 2017 12:29 PM