SCCM 2107 : Configuring VPN Split tunneling to route traffic to Microsoft Updates services

We have configured split tunneling on VPN to connect to the internet without coming to the corporate network and so we have whitelisted the required urls in our PAC file and it worked for more than an year. But from last two months we have seen a huge traffic got hit to our VPN tunnel and while investigating we found a new urls got notified.

So, my question is do we have defined or standard urls ( both for software updates and MS365 ) that can be whitelisted or does it changes every time? I have been told this will keep changing every month if so that is more difficult to manage.

Following are the urls that we have whitelisted and please verify and let us know if any more is missing. Also would need if this should be a sub portion of this for wildcard match? Aka, akamai.odsp.cdn.office.net, odsp.cdn.office.net, cdn.office.net etc? This would be a great help. Thank You.

/* ——- Microsoft CDN ———- */
if (dnsDomainIs(host, “officecdn.microsoft.com”) ||
dnsDomainIs(host, “download.windowsupdate.com”) ||
dnsDomainIs(host, “emdl.ws.microsoft.com”) ||
dnsDomainIs(host, “akamai.net”) ||
dnsDomainIs(host, “llnwi.net”) ||
dnsDomainIs(host, “footprint.net “) ||
dnsDomainIs(host, “officecdn.microsoft.com “) ||
dnsDomainIs(host, “config.office.com “) ||
dnsDomainIs(host, “windowsupdate.microsoft.com”) ||
dnsDomainIs(host, “update.microsoft.com”) ||
dnsDomainIs(host, “windowsupdate.com”) ||
dnsDomainIs(host, “download.microsoft.com”) ||
dnsDomainIs(host, “test.stats.update.microsoft.com”) ||
dnsDomainIs(host, “ntservicepack.microsoft.com”) ||
dnsDomainIs(host, “prod.do.dsp.mp.microsoft.com”) ||
dnsDomainIs(host, “emdl.ws.microsoft.com”) ||
dnsDomainIs(host, “delivery.mp.microsoft.com”) ||
dnsDomainIs(host, “tsfe.trafficshaping.dsp.mp.microsoft.com”)
) return “DIRECT”;

New Addition:

statica.akamai.odsp.cdn.office.net