From d8f450c1868cb2de5322447ee0c4e8f21af92ea9 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 08:39:32 -0700 Subject: [PATCH 01/33] Create manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 492 ++++++++++++++++++ 1 file changed, 492 insertions(+) create mode 100644 windows/privacy/manage-windows-19H1-endpoints.md diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md new file mode 100644 index 0000000000..211c59c07e --- /dev/null +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -0,0 +1,492 @@ +--- +title: Connection endpoints for Windows 10, version 19H1 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: danihalfin +ms.author: v-medgar +manager: sanashar +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 5/3/2019 +--- +# Manage connection endpoints for Windows 10, version 1809 + +**Applies to** + +- Windows 10, version 19H1 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Enterprise connection endpoints + +## Apps + +The following endpoint is used to download updates to the Weather app Live Tile. +If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + +The following endpoint is used for OneNote Live Tile. +To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | + +The following endpoints are used for Twitter updates. +To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | + +The following endpoint is used for Facebook updates. +To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | + +The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. +To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | + +The following endpoint is used for Candy Crush Saga updates. +To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | + +The following endpoint is used for by the Microsoft Wallet app. +To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | + +The following endpoint is used by the Groove Music app for update HTTP handler status. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | + +The following endpoints are used when using the Whiteboard app. +To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wbd.ms | +| | HTTPS | int.whiteboard.microsoft.com | +| | HTTPS | whiteboard.microsoft.com | +| | HTTP / HTTPS | whiteboard.ms | + +## Cortana and Search + +The following endpoint is used to get images that are used for Microsoft Store suggestions. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | + +The following endpoint is used to update Cortana greetings, tips, and Live Tiles. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | + +The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | + +The following endpoint is used by Cortana to report diagnostic and diagnostic data information. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | + +## Certificates + +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. + +Additionally, it is used to download certificates that are publicly known to be fraudulent. +These settings are critical for both Windows security and the overall security of the Internet. +We do not recommend blocking this endpoint. +If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | + +## Device authentication + +The following endpoint is used to authenticate a device. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | + +## Device metadata + +The following endpoint is used to retrieve device metadata. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | +| | HTTP | dmd.metaservices.microsoft.com | + +## Diagnostic Data + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | + +The following endpoints are used by Windows Error Reporting. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | + +## Font streaming + +The following endpoints are used to download fonts on demand. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | + +## Licensing + +The following endpoint is used for online activation and some app licensing. +To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | + +## Location + +The following endpoint is used for location data. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | +| | HTTPS | inference.location.live.net | + +## Maps + +The following endpoint is used to check for updates to maps that have been downloaded for offline use. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | + +## Microsoft account + +The following endpoints are used for Microsoft accounts to sign in. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | +| | | us.configsvc1.live.com.akadns.net | + +## Microsoft Store + +The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | *.wns.windows.com | + +The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | + +The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | +| backgroundtransferhost | HTTPS | store-images.microsoft.com | + +The following endpoints are used to communicate with Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP \ HTTPS | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| +| svchost | HTTPS | displaycatalog.mp.microsoft.com | + +## Network Connection Status Indicator (NCSI) + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | + +## Office + +The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | +| | HTTPS | ocos-office365-s2s.msedge.net | +| | HTTPS | nexusrules.officeapps.live.com | +| | HTTPS | officeclient.microsoft.com | + +The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | + +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| + +The following endpoint is used to connect the Office To-Do app to it's cloud service. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| |HTTPS|to-do.microsoft.com| + +## OneDrive + +The following endpoint is a redirection service that’s used to automatically update URLs. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | + +The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | + +## Settings + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | + +## Skype + +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | +| | HTTPS | browser.pipe.aria.microsoft.com | +| | | skypeecs-prod-usw-0-b.cloudapp.net | + +## Windows Defender + +The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | + +The following endpoints are used for Windows Defender definition updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | + +The following endpoints are used for Windows Defender Smartscreen reporting and notifications. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | ars.smartscreen.microsoft.com | +| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | +| | | smartscreen-sn3p.smartscreen.microsoft.com | + +## Windows Spotlight + +The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | + +## Windows Update + +The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | + +The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| svchost | HTTP | *.dl.delivery.mp.microsoft.com | + +The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.update.microsoft.com | +| svchost | HTTPS | *.delivery.mp.microsoft.com | + +The following endpoint is used for content regulation. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | + + +## Microsoft forward link redirection service (FWLink) + +The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. + +If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) From 3ca8fa560ee97febf256538e64c249e9bbaa23fd Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 09:03:55 -0700 Subject: [PATCH 02/33] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 211c59c07e..8c7ac6dde4 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -14,7 +14,7 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 5/3/2019 --- -# Manage connection endpoints for Windows 10, version 1809 +# Manage connection endpoints for Windows 10, version 19H1 **Applies to** From 7a6fb2cc5e15c53934f2d0f9d27df7bc8b53feba Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 09:17:11 -0700 Subject: [PATCH 03/33] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 552 ++++-------------- 1 file changed, 124 insertions(+), 428 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 8c7ac6dde4..57e41a1616 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,435 +44,131 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Enterprise connection endpoints +## Windows 10 19H1 Enterprise connection endpoints + +| Area | Description | Protocol | Destination | + +|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com +||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|cdn.onenote.net/livetile/?Language=en-US +||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|*.twimg.com* +||The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|||star-mini.c10r.facebook.com +||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||TLS v1.2|candycrushsoda.king.com +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net +||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|wallet.microsoft.com +||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. +||HTTPS|mediaredirect.microsoft.com +||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store. +|HTTPS|int.whiteboard.microsoft.com| +|||HTTPS|wbd.ms +|||HTTPS|whiteboard.microsoft.com +|||HTTP / HTTPS|whiteboard.ms| +|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com +|| |HTTPS|ris-prod-atm.trafficmanager.net +|| |HTTPS|validation-v2.sls.trafficmanager.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.| +|Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com +|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. +||HTTPS|store-images.*microsoft.com +|Cortana and Search2|The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client +|| |HTTPS|www.bing.com +|||HTTPS|www.bing.com/proactive +|||HTTPS|www.bing.com/threshold/xls.aspx +|||HTTP|exo-ring.msedge.net +|||HTTP|fp.msedge.net +|||HTTP|fp-vp.azureedge.net +|||HTTP|odinvzc.azureedge.net +|||HTTP|spo-ring.msedge.net +|Device authentication +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com* +||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com +|Diagnostic Data +||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com +|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1 +|||HTTP|www.microsoft.com +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com +|| |HTTP|cs11.wpc.v0cdn.net +|| |HTTPS|cs1137.wpc.gammacdn.net +|||TLS v1.2|modern.watson.data.microsoft.com* +|||HTTPS|watson.telemetry.microsoft.com +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. +||HTTPS|*licensing.mp.microsoft.com* +|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net +|||HTTP|location-inference-westus.cloudapp.net +|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net +|| |HTTP|*maps.windows.com* +|Microsoft account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. +||HTTP|login.msa.akadns6.net| +|||HTTP|us.configsvc1.live.com.akadns.net +|Microsoft Edge| This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. +|If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com +|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +||HTTP|storecatalogrevocation.storequality.microsoft.com +||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com* +|||HTTPS|store-images.microsoft.com +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +||TLS v1.2|*.md.mp.microsoft.com* +|||HTTPS|*displaycatalog.mp.microsoft.com +|||HTTP \ HTTPS|pti.store.microsoft.com +|||HTTP|storeedgefd.dsx.mp.microsoft.com +|| |HTTP|markets.books.microsoft.com +|| |HTTP |share.microsoft.com +|Network Connection Status Indicator (NCSI) +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|Office +||Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net +|||HTTPS|*.e-msedge.net +|||HTTPS|*.s-msedge.net +|||HTTPS|nexusrules.officeapps.live.com +|||HTTPS|ocos-office365-s2s.msedge.net +|||HTTPS|officeclient.microsoft.com +|||HTTPS|outlook.office365.com +|||HTTPS|client-office365-tas.msedge.net +|| |HTTPS|www.office.com +|| |HTTPS|onecollector.cloudapp.aria +|| |HTTP|v10.events.data.microsoft.com/onecollector/1.0/ +|| |HTTPS|self.events.data.microsoft.com +||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. +|HTTPS|to-do.microsoft.com +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/* +|| |HTTP|msagfx.live.com +|||HTTPS +||oneclient.sfx.ms +|Settings +||The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||cy2.settings.data.microsoft.com.akadns.net +|||HTTPS|settings.data.microsoft.com +|||HTTPS|settings-win.data.microsoft.com +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com +|||HTTP|config.edge.skype.com +|| |HTTP|s2s.config.skype.com +|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com +|||HTTPS|definitionupdates.microsoft.com| +|||HTTPS|go.microsoft.com +||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com +|||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| +|||HTTPS|unitedstates.smartscreen-prod.microsoft.com +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight. +|TLS v1.2|*.search.msn.com +|||HTTPS|arc.msn.com +|||HTTPS|g.msn.com* +|||HTTPS|query.prod.cms.rt.microsoft.com +|||HTTPS|ris.api.iris.microsoft.com +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com +|| |HTTP|cs9.wac.phicdn.net +|| |HTTP|emdl.ws.microsoft.com +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com +|||HTTP|*.windowsupdate.com* +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com +|||HTTPS|*.update.microsoft.com +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| -## Apps - -The following endpoint is used to download updates to the Weather app Live Tile. -If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | - -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | - -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | star-mini.c10r.facebook.com | - -The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | - -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | TLS v1.2 | candycrushsoda.king.com | - -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | - -The following endpoint is used by the Groove Music app for update HTTP handler status. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | - -The following endpoints are used when using the Whiteboard app. -To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wbd.ms | -| | HTTPS | int.whiteboard.microsoft.com | -| | HTTPS | whiteboard.microsoft.com | -| | HTTP / HTTPS | whiteboard.ms | - -## Cortana and Search - -The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui | HTTPS |store-images.s-microsoft.com | - -The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | - -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | - -The following endpoint is used by Cortana to report diagnostic and diagnostic data information. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | - -## Certificates - -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. - -Additionally, it is used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. -We do not recommend blocking this endpoint. -If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com | - -## Device authentication - -The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | login.live.com/ppsecure | - -## Device metadata - -The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | dmd.metaservices.microsoft.com.akadns.net | -| | HTTP | dmd.metaservices.microsoft.com | - -## Diagnostic Data - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | - -The following endpoints are used by Windows Error Reporting. -To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | - -## Font streaming - -The following endpoints are used to download fonts on demand. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | - -## Licensing - -The following endpoint is used for online activation and some app licensing. -To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | - -## Location - -The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | location-inference-westus.cloudapp.net | -| | HTTPS | inference.location.live.net | - -## Maps - -The following endpoint is used to check for updates to maps that have been downloaded for offline use. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | - -## Microsoft account - -The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | login.msa.akadns6.net | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | -| | | us.configsvc1.live.com.akadns.net | - -## Microsoft Store - -The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | *.wns.windows.com | - -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | - -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | - -The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP \ HTTPS | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| -| svchost | HTTPS | displaycatalog.mp.microsoft.com | - -## Network Connection Status Indicator (NCSI) - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | - -## Office - -The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | -| | HTTPS | ocos-office365-s2s.msedge.net | -| | HTTPS | nexusrules.officeapps.live.com | -| | HTTPS | officeclient.microsoft.com | - -The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | - -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| - -The following endpoint is used to connect the Office To-Do app to it's cloud service. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| |HTTPS|to-do.microsoft.com| - -## OneDrive - -The following endpoint is a redirection service that’s used to automatically update URLs. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | - -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms | - -## Settings - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | HTTPS | settings.data.microsoft.com | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | settings-win.data.microsoft.com | - -## Skype - -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | -| | HTTPS | browser.pipe.aria.microsoft.com | -| | | skypeecs-prod-usw-0-b.cloudapp.net | - -## Windows Defender - -The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | wdcp.microsoft.com | - -The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | - -The following endpoints are used for Windows Defender Smartscreen reporting and notifications. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | ars.smartscreen.microsoft.com | -| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | -| | | smartscreen-sn3p.smartscreen.microsoft.com | - -## Windows Spotlight - -The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | - -## Windows Update - -The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | - -The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | - -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | - -The following endpoint is used for content regulation. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | - - -## Microsoft forward link redirection service (FWLink) - -The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. - -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Various|HTTPS|go.microsoft.com| ## Other Windows 10 editions From 1e492c00a924c78d29efd9912856f8a0f89a92ec Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:43:29 -0700 Subject: [PATCH 04/33] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 57e41a1616..2cea2a6414 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -46,7 +46,18 @@ We used the following methodology to derive these network endpoints: ## Windows 10 19H1 Enterprise connection endpoints +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + + + | Area | Description | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com ||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com From 3365319a053d60121ae02354a13ea09510b672c1 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:44:16 -0700 Subject: [PATCH 05/33] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 2cea2a6414..0e54f28d7c 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -54,6 +54,7 @@ We used the following methodology to derive these network endpoints: | Area | Description | Protocol | Destination | +| Source process | Protocol | Destination | |----------------|----------|------------| | explorer | HTTP | tile-service.weather.microsoft.com | | | HTTP | blob.weather.microsoft.com | From d1972eab4ad293b3188b6c32774bbaeb7e2fa834 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:46:01 -0700 Subject: [PATCH 06/33] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 0e54f28d7c..05f810e388 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -53,7 +53,6 @@ We used the following methodology to derive these network endpoints: -| Area | Description | Protocol | Destination | | Source process | Protocol | Destination | |----------------|----------|------------| | explorer | HTTP | tile-service.weather.microsoft.com | @@ -198,3 +197,6 @@ To view endpoints for non-Enterprise Windows 10 editions, see: - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) - [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) + + +| Area | Description | Protocol | Destination | From 239cdbaf7f96775c18f174580a6910c7943f375b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:56:28 -0700 Subject: [PATCH 07/33] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 05f810e388..8017f3a4eb 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,21 +44,15 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. +| Area | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | + ## Windows 10 19H1 Enterprise connection endpoints -| Source process | Protocol | Destination | + +| Area | Protocol | Destination | |----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - - - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - - |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com ||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. @@ -199,4 +193,3 @@ To view endpoints for non-Enterprise Windows 10 editions, see: - [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) -| Area | Description | Protocol | Destination | From 955791a7d49eadacb73925da42d610b25a837ad0 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:34:45 -0700 Subject: [PATCH 08/33] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 221 ++++++++---------- 1 file changed, 98 insertions(+), 123 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 8017f3a4eb..1bc006fe0b 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,137 +44,112 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -| Area | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | - ## Windows 10 19H1 Enterprise connection endpoints - -| Area | Protocol | Destination | -|----------------|----------|------------| -|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com -||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|*.twimg.com* -||The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|||star-mini.c10r.facebook.com -||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||TLS v1.2|candycrushsoda.king.com -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net -||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|wallet.microsoft.com -||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. -||HTTPS|mediaredirect.microsoft.com -||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store. -|HTTPS|int.whiteboard.microsoft.com| -|||HTTPS|wbd.ms -|||HTTPS|whiteboard.microsoft.com +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| +|||HTTP|tile-service.weather.microsoft.com +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US +||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| +||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| +||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.|HTTPS|mediaredirect.microsoft.com| +||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store.|HTTPS|int.whiteboard.microsoft.com| +|||HTTPS|wbd.ms| +|||HTTPS|whiteboard.microsoft.com| |||HTTP / HTTPS|whiteboard.ms| -|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com -|| |HTTPS|ris-prod-atm.trafficmanager.net -|| |HTTPS|validation-v2.sls.trafficmanager.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.| -|Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com -|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. -||HTTPS|store-images.*microsoft.com -|Cortana and Search2|The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client -|| |HTTPS|www.bing.com -|||HTTPS|www.bing.com/proactive -|||HTTPS|www.bing.com/threshold/xls.aspx -|||HTTP|exo-ring.msedge.net -|||HTTP|fp.msedge.net -|||HTTP|fp-vp.azureedge.net -|||HTTP|odinvzc.azureedge.net -|||HTTP|spo-ring.msedge.net -|Device authentication -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com* -||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com -|Diagnostic Data -||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com -|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1 -|||HTTP|www.microsoft.com -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com -|| |HTTP|cs11.wpc.v0cdn.net -|| |HTTPS|cs1137.wpc.gammacdn.net -|||TLS v1.2|modern.watson.data.microsoft.com* -|||HTTPS|watson.telemetry.microsoft.com -|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. -||HTTPS|*licensing.mp.microsoft.com* -|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net -|||HTTP|location-inference-westus.cloudapp.net -|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net -|| |HTTP|*maps.windows.com* -|Microsoft account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. -||HTTP|login.msa.akadns6.net| -|||HTTP|us.configsvc1.live.com.akadns.net -|Microsoft Edge| This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. -|If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com -|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com -||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -||HTTP|storecatalogrevocation.storequality.microsoft.com -||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com* -|||HTTPS|store-images.microsoft.com -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -||TLS v1.2|*.md.mp.microsoft.com* -|||HTTPS|*displaycatalog.mp.microsoft.com -|||HTTP \ HTTPS|pti.store.microsoft.com -|||HTTP|storeedgefd.dsx.mp.microsoft.com -|| |HTTP|markets.books.microsoft.com -|| |HTTP |share.microsoft.com -|Network Connection Status Indicator (NCSI) -||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|Office -||Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net -|||HTTPS|*.e-msedge.net -|||HTTPS|*.s-msedge.net -|||HTTPS|nexusrules.officeapps.live.com -|||HTTPS|ocos-office365-s2s.msedge.net -|||HTTPS|officeclient.microsoft.com -|||HTTPS|outlook.office365.com -|||HTTPS|client-office365-tas.msedge.net -|| |HTTPS|www.office.com -|| |HTTPS|onecollector.cloudapp.aria -|| |HTTP|v10.events.data.microsoft.com/onecollector/1.0/ -|| |HTTPS|self.events.data.microsoft.com -||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. -|HTTPS|to-do.microsoft.com -|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/* -|| |HTTP|msagfx.live.com -|||HTTPS -||oneclient.sfx.ms -|Settings -||The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||cy2.settings.data.microsoft.com.akadns.net -|||HTTPS|settings.data.microsoft.com -|||HTTPS|settings-win.data.microsoft.com -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com -|||HTTP|config.edge.skype.com -|| |HTTP|s2s.config.skype.com -|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com +|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| +|||HTTPS|ris-prod-atm.trafficmanager.net| +|||HTTPS|validation-v2.sls.trafficmanager.net| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com| +|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| +|||HTTPS|www.bing.com| +|||HTTPS|www.bing.com/proactive| +|||HTTPS|www.bing.com/threshold/xls.aspx| +|||HTTP|exo-ring.msedge.net| +|||HTTP|fp.msedge.net| +|||HTTP|fp-vp.azureedge.net| +|||HTTP|odinvzc.azureedge.net| +|||HTTP|spo-ring.msedge.net| +|Device authentication| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| +|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| +|||HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| +|||HTTP|cs11.wpc.v0cdn.net| +|||HTTPS|cs1137.wpc.gammacdn.net| +|||TLS v1.2|modern.watson.data.microsoft.com*| +|||HTTPS|watson.telemetry.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| +|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| +|||HTTP|location-inference-westus.cloudapp.net| +|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| +|||HTTP|*maps.windows.com*| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| +|||HTTP|us.configsvc1.live.com.akadns.net| +|Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| +|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| +|||HTTPS|*displaycatalog.mp.microsoft.com| +|||HTTP \ HTTPS|pti.store.microsoft.com| +|||HTTP|storeedgefd.dsx.mp.microsoft.com| +|| |HTTP|markets.books.microsoft.com| +|| |HTTP |share.microsoft.com| +|Network Connection Status Indicator (NCSI)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| +Office|Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| +|||HTTPS|*.e-msedge.net| +|||HTTPS|*.s-msedge.net| +|||HTTPS|nexusrules.officeapps.live.com| +|||HTTPS|ocos-office365-s2s.msedge.net| +|||HTTPS|officeclient.microsoft.com| +|||HTTPS|outlook.office365.com| +|||HTTPS|client-office365-tas.msedge.net| +|||HTTPS|www.office.com| +|||HTTPS|onecollector.cloudapp.aria| +|||HTTP|v10.events.data.microsoft.com/onecollector/1.0/| +|||HTTPS|self.events.data.microsoft.com| +||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*| +|||HTTP|msagfx.live.com| +|||HTTPS|oneclient.sfx.ms| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net| +|||HTTPS|settings.data.microsoft.com| +|||HTTPS|settings-win.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com| +|||HTTP|config.edge.skype.com| +|||HTTP|s2s.config.skype.com| +|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com| |||HTTPS|definitionupdates.microsoft.com| -|||HTTPS|go.microsoft.com -||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com +|||HTTPS|go.microsoft.com| +||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com| |||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| -|||HTTPS|unitedstates.smartscreen-prod.microsoft.com -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight. -|TLS v1.2|*.search.msn.com -|||HTTPS|arc.msn.com -|||HTTPS|g.msn.com* -|||HTTPS|query.prod.cms.rt.microsoft.com -|||HTTPS|ris.api.iris.microsoft.com -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com -|| |HTTP|cs9.wac.phicdn.net -|| |HTTP|emdl.ws.microsoft.com -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com -|||HTTP|*.windowsupdate.com* -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com -|||HTTPS|*.update.microsoft.com +|||HTTPS|unitedstates.smartscreen-prod.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com| +|||HTTPS|arc.msn.com| +|||HTTPS|g.msn.com*| +|||HTTPS|query.prod.cms.rt.microsoft.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|cs9.wac.phicdn.net| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com*| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| +|||HTTPS|*.update.microsoft.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| + ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: From c393427dfa4550a6b03b458b1f144bbc9872f01a Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:37:06 -0700 Subject: [PATCH 09/33] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 1bc006fe0b..fb5b96a836 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -139,7 +139,7 @@ Office|Online. For more info, see Office 365 URLs and IP address ranges. You can |||HTTPS|g.msn.com*| |||HTTPS|query.prod.cms.rt.microsoft.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|Windows Update|The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| |||HTTP|cs9.wac.phicdn.net| |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| From bb3e6d988c6d6798f707c70ba024e20c8683d1ac Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:43:56 -0700 Subject: [PATCH 10/33] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index fb5b96a836..31c2253611 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -76,7 +76,7 @@ We used the following methodology to derive these network endpoints: |||HTTP|spo-ring.msedge.net| |Device authentication| ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| +||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| |Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| |||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| |||HTTP|www.microsoft.com| @@ -88,7 +88,7 @@ We used the following methodology to derive these network endpoints: |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| |Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| |||HTTP|location-inference-westus.cloudapp.net| -|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| |||HTTP|*maps.windows.com*| |Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| |||HTTP|us.configsvc1.live.com.akadns.net| @@ -96,16 +96,16 @@ We used the following methodology to derive these network endpoints: |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| |Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| -||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| |||HTTPS|*displaycatalog.mp.microsoft.com| |||HTTP \ HTTPS|pti.store.microsoft.com| |||HTTP|storeedgefd.dsx.mp.microsoft.com| -|| |HTTP|markets.books.microsoft.com| -|| |HTTP |share.microsoft.com| +|||HTTP|markets.books.microsoft.com| +|||HTTP |share.microsoft.com| |Network Connection Status Indicator (NCSI)| ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| -Office|Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| +Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| |||HTTPS|*.e-msedge.net| |||HTTPS|*.s-msedge.net| |||HTTPS|nexusrules.officeapps.live.com| @@ -139,14 +139,15 @@ Office|Online. For more info, see Office 365 URLs and IP address ranges. You can |||HTTPS|g.msn.com*| |||HTTPS|query.prod.cms.rt.microsoft.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| |||HTTP|cs9.wac.phicdn.net| |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com*| ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| |||HTTPS|*.update.microsoft.com| -||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| + From ddf0bd016b7174f81cead24b4fb591778ac0ce86 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:44:53 -0700 Subject: [PATCH 11/33] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 31c2253611..6b9ec17db4 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -51,7 +51,7 @@ We used the following methodology to derive these network endpoints: |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| |||HTTP|tile-service.weather.microsoft.com ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| +||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| ||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| From 6cb4a435aaea4c3712b6abd8d236abdd228e2bc6 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:47:18 -0700 Subject: [PATCH 12/33] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 6b9ec17db4..b213bc094d 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -86,7 +86,7 @@ We used the following methodology to derive these network endpoints: |||TLS v1.2|modern.watson.data.microsoft.com*| |||HTTPS|watson.telemetry.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| -|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| +|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| |||HTTP|location-inference-westus.cloudapp.net| |Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| |||HTTP|*maps.windows.com*| From a2f4e5a593d9b703c7346db701bed920ad5dc240 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 16:27:43 -0700 Subject: [PATCH 13/33] Update and rename manage-windows-19H1-endpoints.md to manage-windows-1903-endpoints.md --- ...19H1-endpoints.md => manage-windows-1903-endpoints.md} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename windows/privacy/{manage-windows-19H1-endpoints.md => manage-windows-1903-endpoints.md} (98%) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md similarity index 98% rename from windows/privacy/manage-windows-19H1-endpoints.md rename to windows/privacy/manage-windows-1903-endpoints.md index b213bc094d..6378fa5507 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -1,5 +1,5 @@ --- -title: Connection endpoints for Windows 10, version 19H1 +title: Connection endpoints for Windows 10, version 1903 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 ms.prod: w10 @@ -14,11 +14,11 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 5/3/2019 --- -# Manage connection endpoints for Windows 10, version 19H1 +# Manage connection endpoints for Windows 10, version 1903 **Applies to** -- Windows 10, version 19H1 +- Windows 10, version 1903 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: @@ -44,7 +44,7 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 19H1 Enterprise connection endpoints +## Windows 10 1903 Enterprise connection endpoints |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| From 16447d2b9dac76aed5074d143d5c2203c1702374 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 16:29:08 -0700 Subject: [PATCH 14/33] Update manage-windows-1903-endpoints.md --- windows/privacy/manage-windows-1903-endpoints.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 6378fa5507..c1ded7a689 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -154,6 +154,7 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) - [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) - [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) From c59973a405c7fca8cc68bcf2428ce0549fe918aa Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 22:09:38 -0700 Subject: [PATCH 15/33] Update manage-windows-1903-endpoints.md --- windows/privacy/manage-windows-1903-endpoints.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index c1ded7a689..f73b24241a 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -149,8 +149,6 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| - - ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: From 64b22e58edf0dcbf33f1f178e42c21bb9d7f0497 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 7 May 2019 15:33:04 -0700 Subject: [PATCH 16/33] Added 19H1 policies --- .../policy-configuration-service-provider.md | 15 ++ .../mdm/policy-csp-windowslogon.md | 255 +++++++++++++++++- 2 files changed, 264 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..70e8359000 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3678,12 +3678,21 @@ The following diagram shows the Policy configuration service provider in tree fo ### WindowsLogon policies
+
+ WindowsLogon/AllowAutomaticRestartSignOn +
+
+ WindowsLogon/ConfigAutomaticRestartSignOn +
WindowsLogon/DisableLockScreenAppNotifications
WindowsLogon/DontDisplayNetworkSelectionUI
+
+ WindowsLogon/EnableFirstLogonAnimation +
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
@@ -4116,8 +4125,11 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) - [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) +- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) +- [WindowsLogon/ConfigAutomaticRestartSignOn](./ - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) @@ -4975,8 +4987,11 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) - [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) - [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) +- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) +- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) - [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index e75a0cf6de..4b9da72e50 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,12 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/12/2018 +ms.date: 05/07/2019 --- # Policy CSP - WindowsLogon - +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -19,12 +20,21 @@ ms.date: 07/12/2018 ## WindowsLogon policies
+
+ WindowsLogon/AllowAutomaticRestartSignOn +
+
+ WindowsLogon/ConfigAutomaticRestartSignOn +
WindowsLogon/DisableLockScreenAppNotifications
WindowsLogon/DontDisplayNetworkSelectionUI
+
+ WindowsLogon/EnableFirstLogonAnimation +
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
@@ -36,6 +46,159 @@ ms.date: 07/12/2018
+
+ + +**WindowsLogon/AllowAutomaticRestartSignOn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark6check mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot. + +This occurs only if the last interactive user did not sign out before the restart or shutdown.​ + +If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.​ + +If you do not configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ + +After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. + +If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sign-in and lock last interactive user automatically after a restart* +- GP name: *AutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + + + + + + + + + + + +
+ + +**WindowsLogon/ConfigAutomaticRestartSignOn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark6check mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls the configuration under which an automatic restart, sign on, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign on does not occur and this policy need not be configured. + +If you enable this policy setting, you can choose one of the following two options: + +- "Enabled if BitLocker is on and not suspended": Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +BitLocker is suspended during updates if: + - The device does not have TPM 2.0 and PCR7 + - The device does not use a TPM-only protector +- "Always Enabled": Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. + +If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot* +- GP name: *ConfigAutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + + + + + + + + + +
@@ -188,6 +351,84 @@ ADMX Info:
+ +**WindowsLogon/EnableFirstLogonAnimation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. + +If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation. + +If you disable this policy setting, users do not see the animation and Microsoft account users do not see the opt-in prompt for services. + +If you do not configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer do not see the animation. + +> [!NOTE] +> The first sign-in animation is not displayed on Server, so this policy has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show first sign-in animation* +- GP name: *EnableFirstLogonAnimation* +- GP path: *System/Logon* +- GP ADMX file name: *Logon.admx* + + + +Supported values: +- false - disabled +- true - enabled + + + + + + + + + +
+ **WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** @@ -374,14 +615,16 @@ ADMX Info: + + +
-Footnote: +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From a4e67880ba9196aae3599b061c0988d4ba972c71 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 7 May 2019 15:49:05 -0700 Subject: [PATCH 17/33] Removed extra space --- windows/client-management/mdm/policy-csp-windowslogon.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 4b9da72e50..885ae70ec7 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -34,7 +34,7 @@ ms.date: 05/07/2019
WindowsLogon/EnableFirstLogonAnimation -
+
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
From 6d337b5763f4a609a589efd5238cd8dd04ba0d58 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 08:53:59 -0700 Subject: [PATCH 18/33] Minor update --- windows/client-management/mdm/policy-csp-windowslogon.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 885ae70ec7..bdf911fd67 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -165,11 +165,11 @@ This policy setting controls the configuration under which an automatic restart, If you enable this policy setting, you can choose one of the following two options: -- "Enabled if BitLocker is on and not suspended": Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +- Enabled if BitLocker is on and not suspended: Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: - The device does not have TPM 2.0 and PCR7 - The device does not use a TPM-only protector -- "Always Enabled": Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. +- Always Enabled: Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. From 46d01547942cb2745ad5e2b75c9b5bb7e1def141 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 18:52:53 -0700 Subject: [PATCH 19/33] Create windows-endpoints-non-enterprise-editions-1903.md --- ...-endpoints-non-enterprise-editions-1903.md | 163 ++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 windows/privacy/windows-endpoints-non-enterprise-editions-1903.md diff --git a/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md b/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md new file mode 100644 index 0000000000..b6be3b5acd --- /dev/null +++ b/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md @@ -0,0 +1,163 @@ +--- +title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: danihalfin +ms.author: daniha +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 6/26/2018 +--- +# Windows 10, version 1809, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1809 +- Windows 10 Professional, version 1809 +- Windows 10 Education, version 1809 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|\*.aria.microsoft.com\* | HTTPS | Office Telemetry +|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. +|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. +|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|\*.Skype.com | HTTP/HTTPS | Skype related traffic +|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic +|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. +|\*cdn.onenote.net* | HTTP | OneNote related traffic +|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic +|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|\*maps.windows.com\* | HTTPS | Related to Maps application. +|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry +|\*photos.microsoft.com\* | HTTPS | Photos App related traffic +|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|\*wac.phicdn.net* | HTTP | Windows Update related traffic +|\*windowsupdate.com\* | HTTP | Windows Update related traffic +|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|\*wpc.v0cdn.net* | | Windows Telemetry related traffic +|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related +|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fs.microsoft.com | | Font Streaming (in ENT traffic) +|g.live.com\* | HTTPS | Used by OneDrive +|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry +|mscrl.microsoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|officeclient.microsoft.com | HTTPS | Office related traffic. +|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. +|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager +|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. +|v10.events.data.microsoft.com | HTTPS | Diagnostic Data +|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. +|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | From 7b1747d7eacafeaa4dbed1af7597007d098674c2 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 18:53:54 -0700 Subject: [PATCH 20/33] Rename windows-endpoints-non-enterprise-editions-1903.md to windows-endpoints-1903-non-enterprise-editions.md --- ...-1903.md => windows-endpoints-1903-non-enterprise-editions.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/privacy/{windows-endpoints-non-enterprise-editions-1903.md => windows-endpoints-1903-non-enterprise-editions.md} (100%) diff --git a/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md similarity index 100% rename from windows/privacy/windows-endpoints-non-enterprise-editions-1903.md rename to windows/privacy/windows-endpoints-1903-non-enterprise-editions.md From 15912e19d6a7578482a8b56030f73e84a1f8163e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:03:08 -0700 Subject: [PATCH 21/33] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 128 +++++++++++------- 1 file changed, 78 insertions(+), 50 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index b6be3b5acd..d17a7a9d77 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -40,56 +40,84 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -|\*.aria.microsoft.com\* | HTTPS | Office Telemetry -|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. -|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. -|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. -|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic -|\*.Skype.com | HTTP/HTTPS | Skype related traffic -|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic -|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. -|\*cdn.onenote.net* | HTTP | OneNote related traffic -|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic -|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. -|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -|\*maps.windows.com\* | HTTPS | Related to Maps application. -|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. -|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry -|\*photos.microsoft.com\* | HTTPS | Photos App related traffic -|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. -|\*wac.phicdn.net* | HTTP | Windows Update related traffic -|\*windowsupdate.com\* | HTTP | Windows Update related traffic -|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). -|\*wpc.v0cdn.net* | | Windows Telemetry related traffic -|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related -|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fs.microsoft.com | | Font Streaming (in ENT traffic) -|g.live.com\* | HTTPS | Used by OneDrive -|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry -|mscrl.microsoft.com | | Certificate Revocation List related traffic. -|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. -|officeclient.microsoft.com | HTTPS | Office related traffic. -|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. -|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. -|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. -|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager -|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. -|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. -|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. -|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. -|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. -|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. -|v10.events.data.microsoft.com | HTTPS | Diagnostic Data -|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. -|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. -|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. +|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry +|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.c-msedge.net|HTTP|Microsoft Office +|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update +|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates +|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.login.msa.*.net|HTTPS|Microsoft Account related +|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight +|\*.skype.com|HTTP/HTTPS|Skype +|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen +|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|*cdn.onenote.net*|HTTP|OneNote +|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|*emdl.ws.microsoft.com*|HTTP|Windows Update +|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update +|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates +|*img-prod-cms-rt-microsoft-com.*|HTTPS|Microsoft Store or Inbox MSN Apps image download +|*licensing.*mp.microsoft.com*|HTTPS|Licensing +|*maps.windows.com*|HTTPS|Related to Maps application +|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps +|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry +|*photos.microsoft.com*|HTTPS|Photos App +|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates +|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration +|*wac.phicdn.net*|HTTP|Windows Update +|*windowsupdate.com*|HTTP|Windows Update +|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS) +|*wpc.v0cdn.net*|HTTP|Windows Telemetry +|arc.msn.com|HTTPS|Spotlight +|auth.gfx.ms*|HTTPS|MSA related +|cdn.onenote.net|HTTPS|OneNote Live Tile +|dmd.metaservices.microsoft.com*|HTTP|Device Authentication +|e-0009.e-msedge.net|HTTPS|Microsoft Office +|e10198.b.akamaiedge.net|HTTPS|Maps application +|evoke-windowsservices-tas.msedge*|HTTPS|Photos app +|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store +|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services +|g.live.com*|HTTPS|OneDrive +|go.microsoft.com|HTTP|Windows Defender +|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry +|login.live.com|HTTPS|Device Authentication +|msagfx.live.com|HTTP|OneDrive +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|officeclient.microsoft.com|HTTPS|Microsoft Office +|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates +|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office +|ow1.res.office365.com|HTTP|Microsoft Office +|pti.store.microsoft.com|HTTPS|Microsoft Store +|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata +|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata +|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager +|s-0001.s-msedge.net|HTTPS|Microsoft Office +|self.events.data.microsoft.com|HTTPS|Microsoft Office +|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration +|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store +|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update +|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update +|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store +|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store +|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions +|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store +|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile +|time.windows.com|HTTP|Microsoft Windows Time related +|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation +|v10.events.data.microsoft.com|HTTPS|Diagnostic Data +|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data +|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles +|www.msftconnecttest.com|HTTP|Network Connection (NCSI) +|www.office.com|HTTPS|Microsoft Office + ## Windows 10 Pro From ec9c3676fce744d81cd501ddacd0bb7d334b2fe4 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:04:42 -0700 Subject: [PATCH 22/33] Update windows-endpoints-1903-non-enterprise-editions.md --- .../privacy/windows-endpoints-1903-non-enterprise-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index d17a7a9d77..2d162078d9 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -56,7 +56,7 @@ We used the following methodology to derive these network endpoints: |*emdl.ws.microsoft.com*|HTTP|Windows Update |*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update |*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates -|*img-prod-cms-rt-microsoft-com.*|HTTPS|Microsoft Store or Inbox MSN Apps image download +|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download |*licensing.*mp.microsoft.com*|HTTPS|Licensing |*maps.windows.com*|HTTPS|Related to Maps application |*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps From 294d08f16e964c2721de6689a6f59fee058d40cf Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:19:17 -0700 Subject: [PATCH 23/33] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 91 ++++++++++++++----- 1 file changed, 70 insertions(+), 21 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index 2d162078d9..25dd51cf33 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -123,27 +123,76 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | -| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | -| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | +|\*.cloudapp.azure.com|HTTPS|Azure +|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services +|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update +|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use +|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update +|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS) +|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update +|\*c-msedge.net|HTTP|Office +|a1158.g.akamai.net|HTTP|Maps application +|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata +|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store +|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office +|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application +|candycrush.king.com|HTTPS|Candy Crush application +|cdn.onenote.net|HTTP|Microsoft OneNote +|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates +|client.wns.windows.com|HTTPS|Winddows Notification System +|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting +|config.edge.skype.com|HTTPS|Microsoft Skype +|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry +|cs9.wac.phicdn.net|HTTP|Windows Update +|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication +|e-0009.e-msedge.net|HTTPS|Microsoft Office +|e10198.b.akamaiedge.net|HTTPS|Maps application +|fe3.update.microsoft.com|HTTPS|Windows Update +|g.live.com|HTTPS|Microsoft OneDrive +|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata +|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update +|go.microsoft.com|HTTP|Windows Defender +|iecvlist.microsoft.com|HTTPS|Microsoft Edge +|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store +|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in +|licensing.mp.microsoft.com|HTTP|Licensing +|location-inference-westus.cloudapp.net|HTTPS|Used for location data +|login.live.com|HTTP|Device Authentication +|maps.windows.com|HTTP|Maps application +|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting +|msagfx.live.com|HTTP|OneDrive +|nav.smartscreen.microsoft.com|HTTPS|Windows Defender +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|oneclient.sfx.ms|HTTP|OneDrive +|pti.store.microsoft.com|HTTPS|Microsoft Store +|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata +|ris-prod-atm.trafficmanager.net|HTTPS|Azure +|s2s.config.skype.com|HTTP|Microsoft Skype +|settings-win.data.microsoft.com|HTTPS|Application settings +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype +|slscr.update.microsoft.com|HTTPS|Windows Update +|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store +|store-images.microsoft.com|HTTPS|Microsoft Store +|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile +|time.windows.com|HTTP|Windows time +|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation +|v10.events.data.microsoft.com*|HTTPS|Microsoft Office +|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic +|watson.telemetry.microsoft.com|HTTPS|Telemetry +|wdcp.microsoft.com|HTTPS|Windows Defender +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com|HTTPS|Cortana and Search +|www.microsoft.com|HTTP|Diagnostic +|www.msftconnecttest.com|HTTP|Network connection +|www.office.com|HTTPS|Microsoft Office + ## Windows 10 Education From 2d64996a22c8185a3d1b3325628fb04622f37aec Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:31:51 -0700 Subject: [PATCH 24/33] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 109 +++++++++++------- 1 file changed, 70 insertions(+), 39 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index 25dd51cf33..44fadd939e 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -199,42 +199,73 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | -| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | -| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | -| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | -| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | -| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | -| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use +|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps +|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update +|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values +|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender +|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|\*.wac.phicdn.net|HTTP|Windows Update +|\*.windowsupdate.com*|HTTP|Windows Update +|\*.wns.windows.com|HTTPS|Windows Notifications Service +|\*.wpc.*.net|HTTP|Diagnostic Data +|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*dsp.mp.microsoft.com|HTTPS|Windows Update +|a1158.g.akamai.net|HTTP|Maps +|a122.dscg3.akamai.net|HTTP|Maps +|a767.dscg3.akamai.net|HTTP|Maps +|au.download.windowsupdate.com*|HTTP|Windows Update +|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles +|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store +|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps +|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile +|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates +|client-office365-tas.msedge.net/*|HTTPS|Office 365 porta and Office Online +|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent +|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store +|dmd.metaservices.microsoft.com*|HTTP|Device Authentication +|download.windowsupdate.com*|HTTPS|Windows Update +|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store +|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app +|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates +|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata +|go.microsoft.com|HTTP|Windows Defender +|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser +|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in +|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing +|login.live.com|HTTPS|Device Authentication +|maps.windows.com/windows-app-web-link|HTTPS|Maps application +|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting +|msagfx.live.com|HTTPS|OneDrive +|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Office 365 portal's shared infrastructure +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates +|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office +|pti.store.microsoft.com|HTTPS|Microsoft Store +|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype +|sls.update.microsoft.com*|HTTPS|Windows Update +|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store +|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile +|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update +|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data +|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic +|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|wdcp.microsoft.com|HTTPS|Windows Defender +|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com|HTTPS|Cortana and Search +|www.microsoft.com|HTTP|Diagnostic Data +|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|www.msftconnecttest.com|HTTP|Network Connection +|www.office.com|HTTPS|Microsoft Office + From 816a1c8e5f6eec2f02e5ba213a5e039f24508c76 Mon Sep 17 00:00:00 2001 From: KC Cross Date: Wed, 8 May 2019 20:58:21 -0700 Subject: [PATCH 25/33] Trailing slash required for docset --- acrolinx-config.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acrolinx-config.edn b/acrolinx-config.edn index 7f639efb92..b235e443b5 100644 --- a/acrolinx-config.edn +++ b/acrolinx-config.edn @@ -1,3 +1,3 @@ {:allowed-branchname-matches ["master"] - :allowed-filename-matches ["windows"] + :allowed-filename-matches ["windows/"] } From 7c9ffa815bda413ae78dbe8839a96c00e0cea23f Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 10:09:13 -0700 Subject: [PATCH 26/33] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...perating-system-components-to-microsoft-services.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 923bfedcb3..9b76bb4c29 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -194,7 +194,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Server Core. | Setting | Group Policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | @@ -209,7 +209,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Nano Server. | Setting | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | @@ -634,6 +634,8 @@ To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + -or- + - Change the **Start** REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**. @@ -1857,10 +1859,6 @@ You can disconnect from the Microsoft Antimalware Protection Service. - Use the registry to set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to **0 (zero)**. - -and- - -- Delete the registry setting **named** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Updates**. - -OR- - For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). From b1c2f37f09e2717000d94b5995359a47b1745293 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 10:25:14 -0700 Subject: [PATCH 27/33] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...-system-components-to-microsoft-services.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 9b76bb4c29..58d06760a9 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -508,11 +508,11 @@ To turn off Insider Preview builds for Windows 10: | Registry Key | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn on Suggested Sites| HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
**Set Value to: 0**| -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| -| Turn off the auto-complete feature for web addresses | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | -| Turn off browser geolocation | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing SmartScreen filter | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Turn on Suggested Sites| HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
**Set Value to: 0**| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| +| Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | +| Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | +| Prevent managing SmartScreen filter | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -527,10 +527,10 @@ You can also use Registry keys to set these policies. | Registry Key | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\BrowserEmulation
REG_DWORD: DisableSiteListEditing
**Set Value to 1**| -| Turn off the flip ahead with page prediction feature | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
**Set Value to 0**| -| Turn off background synchronization for feeds and Web Slices | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
**Set Value to 0**| -| Allow Online Tips | HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
REG_DWORD: AllowOnlineTips
**Set Value to 0 (zero)**| +| Choose whether employees can configure Compatibility View. | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\BrowserEmulation
REG_DWORD: DisableSiteListEditing
**Set Value to 1**| +| Turn off the flip ahead with page prediction feature | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
**Set Value to 0**| +| Turn off background synchronization for feeds and Web Slices | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
**Set Value to 0**| +| Allow Online Tips | HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
REG_DWORD: AllowOnlineTips
**Set Value to 0**| To turn off the home page, **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**. From 99097ab1dc0ff506314811efce4107d2e9d7d74e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 11:38:39 -0700 Subject: [PATCH 28/33] Delete manage-windows-1903-endpoints.md --- .../privacy/manage-windows-1903-endpoints.md | 170 ------------------ 1 file changed, 170 deletions(-) delete mode 100644 windows/privacy/manage-windows-1903-endpoints.md diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md deleted file mode 100644 index f73b24241a..0000000000 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ /dev/null @@ -1,170 +0,0 @@ ---- -title: Connection endpoints for Windows 10, version 1903 -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: danihalfin -ms.author: v-medgar -manager: sanashar -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 5/3/2019 ---- -# Manage connection endpoints for Windows 10, version 1903 - -**Applies to** - -- Windows 10, version 1903 - -Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: - -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. - -This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 1903 Enterprise connection endpoints - -|Area|Description|Protocol|Destination| -|----------------|----------|----------|------------| -|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| -|||HTTP|tile-service.weather.microsoft.com -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| -||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| -||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| -||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.|HTTPS|mediaredirect.microsoft.com| -||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store.|HTTPS|int.whiteboard.microsoft.com| -|||HTTPS|wbd.ms| -|||HTTPS|whiteboard.microsoft.com| -|||HTTP / HTTPS|whiteboard.ms| -|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| -|||HTTPS|ris-prod-atm.trafficmanager.net| -|||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com| -|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com| -||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| -|||HTTPS|www.bing.com| -|||HTTPS|www.bing.com/proactive| -|||HTTPS|www.bing.com/threshold/xls.aspx| -|||HTTP|exo-ring.msedge.net| -|||HTTP|fp.msedge.net| -|||HTTP|fp-vp.azureedge.net| -|||HTTP|odinvzc.azureedge.net| -|||HTTP|spo-ring.msedge.net| -|Device authentication| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| -|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| -|||HTTP|www.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| -|||HTTP|cs11.wpc.v0cdn.net| -|||HTTPS|cs1137.wpc.gammacdn.net| -|||TLS v1.2|modern.watson.data.microsoft.com*| -|||HTTPS|watson.telemetry.microsoft.com| -|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| -|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| -|||HTTP|location-inference-westus.cloudapp.net| -|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| -|||HTTP|*maps.windows.com*| -|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| -|||HTTP|us.configsvc1.live.com.akadns.net| -|Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| -|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| -||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| -||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| -|||HTTPS|*displaycatalog.mp.microsoft.com| -|||HTTP \ HTTPS|pti.store.microsoft.com| -|||HTTP|storeedgefd.dsx.mp.microsoft.com| -|||HTTP|markets.books.microsoft.com| -|||HTTP |share.microsoft.com| -|Network Connection Status Indicator (NCSI)| -||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| -Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| -|||HTTPS|*.e-msedge.net| -|||HTTPS|*.s-msedge.net| -|||HTTPS|nexusrules.officeapps.live.com| -|||HTTPS|ocos-office365-s2s.msedge.net| -|||HTTPS|officeclient.microsoft.com| -|||HTTPS|outlook.office365.com| -|||HTTPS|client-office365-tas.msedge.net| -|||HTTPS|www.office.com| -|||HTTPS|onecollector.cloudapp.aria| -|||HTTP|v10.events.data.microsoft.com/onecollector/1.0/| -|||HTTPS|self.events.data.microsoft.com| -||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com -|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*| -|||HTTP|msagfx.live.com| -|||HTTPS|oneclient.sfx.ms| -|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net| -|||HTTPS|settings.data.microsoft.com| -|||HTTPS|settings-win.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com| -|||HTTP|config.edge.skype.com| -|||HTTP|s2s.config.skype.com| -|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com| -|||HTTPS|definitionupdates.microsoft.com| -|||HTTPS|go.microsoft.com| -||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com| -|||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| -|||HTTPS|unitedstates.smartscreen-prod.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com| -|||HTTPS|arc.msn.com| -|||HTTPS|g.msn.com*| -|||HTTPS|query.prod.cms.rt.microsoft.com| -|||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| -|||HTTP|cs9.wac.phicdn.net| -|||HTTP|emdl.ws.microsoft.com| -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| -|||HTTP|*.windowsupdate.com*| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| -|||HTTPS|*.update.microsoft.com| -||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| - - -## Other Windows 10 editions - -To view endpoints for other versions of Windows 10 Enterprise, see: -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) - -To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - - -## Related links - -- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) - - From 89813ad60b70028b7888dde35b9011e4bdda5b49 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 11:56:31 -0700 Subject: [PATCH 29/33] Delete windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 271 ------------------ 1 file changed, 271 deletions(-) delete mode 100644 windows/privacy/windows-endpoints-1903-non-enterprise-editions.md diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md deleted file mode 100644 index 44fadd939e..0000000000 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ /dev/null @@ -1,271 +0,0 @@ ---- -title: Windows 10, version 1809, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: danihalfin -ms.author: daniha -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 6/26/2018 ---- -# Windows 10, version 1809, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1809 -- Windows 10 Professional, version 1809 -- Windows 10 Education, version 1809 - -In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Family - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry -|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.c-msedge.net|HTTP|Microsoft Office -|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update -|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates -|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.login.msa.*.net|HTTPS|Microsoft Account related -|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight -|\*.skype.com|HTTP/HTTPS|Skype -|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen -|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|*cdn.onenote.net*|HTTP|OneNote -|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|*emdl.ws.microsoft.com*|HTTP|Windows Update -|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update -|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates -|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download -|*licensing.*mp.microsoft.com*|HTTPS|Licensing -|*maps.windows.com*|HTTPS|Related to Maps application -|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps -|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry -|*photos.microsoft.com*|HTTPS|Photos App -|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates -|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration -|*wac.phicdn.net*|HTTP|Windows Update -|*windowsupdate.com*|HTTP|Windows Update -|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS) -|*wpc.v0cdn.net*|HTTP|Windows Telemetry -|arc.msn.com|HTTPS|Spotlight -|auth.gfx.ms*|HTTPS|MSA related -|cdn.onenote.net|HTTPS|OneNote Live Tile -|dmd.metaservices.microsoft.com*|HTTP|Device Authentication -|e-0009.e-msedge.net|HTTPS|Microsoft Office -|e10198.b.akamaiedge.net|HTTPS|Maps application -|evoke-windowsservices-tas.msedge*|HTTPS|Photos app -|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store -|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services -|g.live.com*|HTTPS|OneDrive -|go.microsoft.com|HTTP|Windows Defender -|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry -|login.live.com|HTTPS|Device Authentication -|msagfx.live.com|HTTP|OneDrive -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|officeclient.microsoft.com|HTTPS|Microsoft Office -|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates -|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office -|ow1.res.office365.com|HTTP|Microsoft Office -|pti.store.microsoft.com|HTTPS|Microsoft Store -|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata -|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata -|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager -|s-0001.s-msedge.net|HTTPS|Microsoft Office -|self.events.data.microsoft.com|HTTPS|Microsoft Office -|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration -|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store -|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update -|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update -|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store -|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store -|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions -|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store -|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile -|time.windows.com|HTTP|Microsoft Windows Time related -|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation -|v10.events.data.microsoft.com|HTTPS|Diagnostic Data -|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data -|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled -|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles -|www.msftconnecttest.com|HTTP|Network Connection (NCSI) -|www.office.com|HTTPS|Microsoft Office - - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.cloudapp.azure.com|HTTPS|Azure -|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services -|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update -|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use -|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update -|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS) -|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update -|\*c-msedge.net|HTTP|Office -|a1158.g.akamai.net|HTTP|Maps application -|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata -|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store -|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office -|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application -|candycrush.king.com|HTTPS|Candy Crush application -|cdn.onenote.net|HTTP|Microsoft OneNote -|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates -|client.wns.windows.com|HTTPS|Winddows Notification System -|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting -|config.edge.skype.com|HTTPS|Microsoft Skype -|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry -|cs9.wac.phicdn.net|HTTP|Windows Update -|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication -|e-0009.e-msedge.net|HTTPS|Microsoft Office -|e10198.b.akamaiedge.net|HTTPS|Maps application -|fe3.update.microsoft.com|HTTPS|Windows Update -|g.live.com|HTTPS|Microsoft OneDrive -|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata -|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update -|go.microsoft.com|HTTP|Windows Defender -|iecvlist.microsoft.com|HTTPS|Microsoft Edge -|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store -|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in -|licensing.mp.microsoft.com|HTTP|Licensing -|location-inference-westus.cloudapp.net|HTTPS|Used for location data -|login.live.com|HTTP|Device Authentication -|maps.windows.com|HTTP|Maps application -|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting -|msagfx.live.com|HTTP|OneDrive -|nav.smartscreen.microsoft.com|HTTPS|Windows Defender -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|oneclient.sfx.ms|HTTP|OneDrive -|pti.store.microsoft.com|HTTPS|Microsoft Store -|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata -|ris-prod-atm.trafficmanager.net|HTTPS|Azure -|s2s.config.skype.com|HTTP|Microsoft Skype -|settings-win.data.microsoft.com|HTTPS|Application settings -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype -|slscr.update.microsoft.com|HTTPS|Windows Update -|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store -|store-images.microsoft.com|HTTPS|Microsoft Store -|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile -|time.windows.com|HTTP|Windows time -|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation -|v10.events.data.microsoft.com*|HTTPS|Microsoft Office -|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic -|watson.telemetry.microsoft.com|HTTPS|Telemetry -|wdcp.microsoft.com|HTTPS|Windows Defender -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com|HTTPS|Cortana and Search -|www.microsoft.com|HTTP|Diagnostic -|www.msftconnecttest.com|HTTP|Network connection -|www.office.com|HTTPS|Microsoft Office - - - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use -|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps -|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update -|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values -|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender -|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|\*.wac.phicdn.net|HTTP|Windows Update -|\*.windowsupdate.com*|HTTP|Windows Update -|\*.wns.windows.com|HTTPS|Windows Notifications Service -|\*.wpc.*.net|HTTP|Diagnostic Data -|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*dsp.mp.microsoft.com|HTTPS|Windows Update -|a1158.g.akamai.net|HTTP|Maps -|a122.dscg3.akamai.net|HTTP|Maps -|a767.dscg3.akamai.net|HTTP|Maps -|au.download.windowsupdate.com*|HTTP|Windows Update -|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles -|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store -|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps -|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile -|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates -|client-office365-tas.msedge.net/*|HTTPS|Office 365 porta and Office Online -|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent -|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store -|dmd.metaservices.microsoft.com*|HTTP|Device Authentication -|download.windowsupdate.com*|HTTPS|Windows Update -|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store -|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app -|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates -|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata -|go.microsoft.com|HTTP|Windows Defender -|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser -|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in -|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing -|login.live.com|HTTPS|Device Authentication -|maps.windows.com/windows-app-web-link|HTTPS|Maps application -|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting -|msagfx.live.com|HTTPS|OneDrive -|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Office 365 portal's shared infrastructure -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates -|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office -|pti.store.microsoft.com|HTTPS|Microsoft Store -|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype -|sls.update.microsoft.com*|HTTPS|Windows Update -|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store -|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile -|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update -|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data -|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic -|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|wdcp.microsoft.com|HTTPS|Windows Defender -|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com|HTTPS|Cortana and Search -|www.microsoft.com|HTTP|Diagnostic Data -|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|www.msftconnecttest.com|HTTP|Network Connection -|www.office.com|HTTPS|Microsoft Office - From c63815f124bc8b66304f82edc668bd8b22ddb836 Mon Sep 17 00:00:00 2001 From: KC Cross Date: Thu, 9 May 2019 13:36:06 -0700 Subject: [PATCH 30/33] Removed extra line in acro config --- acrolinx-config.edn | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/acrolinx-config.edn b/acrolinx-config.edn index b235e443b5..92f0d843c1 100644 --- a/acrolinx-config.edn +++ b/acrolinx-config.edn @@ -1,3 +1,2 @@ {:allowed-branchname-matches ["master"] - :allowed-filename-matches ["windows/"] - } + :allowed-filename-matches ["windows/"]} From de10cb9abc00e333906b1f07e0cd121b5c0ad9b9 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Thu, 9 May 2019 14:03:32 -0700 Subject: [PATCH 31/33] renamed acrolinx file --- acrolinx-config.edn => .acrolinx-config.edn | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename acrolinx-config.edn => .acrolinx-config.edn (100%) diff --git a/acrolinx-config.edn b/.acrolinx-config.edn similarity index 100% rename from acrolinx-config.edn rename to .acrolinx-config.edn From 8cd5b6f62b596ab2308375f28e5094d5473341bd Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 15:23:44 -0700 Subject: [PATCH 32/33] Updated with dev comments --- .../policy-configuration-service-provider.md | 8 +- .../mdm/policy-csp-windowslogon.md | 75 +------------------ 2 files changed, 3 insertions(+), 80 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 70e8359000..785873969f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3699,10 +3699,7 @@ The following diagram shows the Policy configuration service provider in tree fo
WindowsLogon/HideFastUserSwitching
-
- WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart -
-
+ ### WindowsPowerShell policies @@ -4129,9 +4126,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsLogon/ConfigAutomaticRestartSignOn](./ - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) -- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) @@ -4994,7 +4989,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) -- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) - [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) - [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index bdf911fd67..e307f8f433 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -41,9 +41,6 @@ ms.date: 05/07/2019
WindowsLogon/HideFastUserSwitching
-
- WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart -
@@ -399,21 +396,15 @@ If you do not configure this policy setting, the user who completes the initial > The first sign-in animation is not displayed on Server, so this policy has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Show first sign-in animation* - GP name: *EnableFirstLogonAnimation* - GP path: *System/Logon* - GP ADMX file name: *Logon.admx* - + Supported values: - false - disabled @@ -554,68 +545,6 @@ To validate on Desktop, do the following: -
- - -**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. - -If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user. - -If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Sign-in last interactive user automatically after a system-initiated restart* -- GP name: *AutomaticRestartSignOn* -- GP path: *Windows Components/Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* - - - -
From fa02b615b06626780481a69292efeb2a4c65456b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 15:43:52 -0700 Subject: [PATCH 33/33] Corrected bookmark --- .../mdm/policy-configuration-service-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 785873969f..4913c03360 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4123,7 +4123,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) - [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) - [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) -- [WindowsLogon/ConfigAutomaticRestartSignOn](./ +- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)