mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
Merge pull request #251 from MicrosoftDocs/medgarmedgar-1903
Medgarmedgar 1903
@ -18,10 +18,14 @@
|
||||
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
|
||||
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
|
||||
## Manage Windows 10 connection endpoints
|
||||
### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
|
||||
### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
|
||||
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
|
||||
### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
|
||||
### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
|
||||
### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
|
||||
### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
|
||||
### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
|
||||
### [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
|
||||
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
|
||||
### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
|
||||
### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
|
||||
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
|
||||
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
|
||||
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)
|
||||
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md)
|
||||
|
||||
|
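Review bot: The TOC entry for `manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md` is the only link target in this hunk whose file name contains uppercase letters; every other target is all lowercase. Name the file and the link `...-using-mdm.md` to match, since a link whose case differs from the file on disk fails on case-sensitive file systems. The entry's link text also says only "using MDM", while the article it points to is titled "... using Microsoft Intune MDM Server"; keep the two in step so readers can match the TOC entry to the page.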
@ -0,0 +1,135 @@
|
||||
---
|
||||
title: Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
|
||||
description: Use MDM CSPs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings.
|
||||
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
|
||||
keywords: privacy, manage connections to Microsoft, Windows 10
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: medium
|
||||
author: medgarmedgar
|
||||
ms.author: v-medgar
|
||||
ms.date: 3/1/2019
|
||||
---
|
||||
|
||||
# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Enterprise 1903 version and newer
|
||||
|
||||
You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
|
||||
|
||||
To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
|
||||
|
||||
You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
|
||||
|
||||
Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic.
|
||||
|
||||
For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/en-us/intune/).
|
||||
|
||||
For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
|
||||
|
||||
|
||||
The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist).
|
||||
|
||||
|
||||
### Settings for Windows 10 Enterprise edition 1903 and newer
|
||||
|
||||
The following table lists management options for each setting.
|
||||
|
||||
For Windows 10, the following MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
|
||||
|
||||
| Setting | MDM Policy | Description |
|
||||
| --- | --- | --- |
|
||||
| 1. Automatic Root Certificates Update | There is intentionally no MDM available for Automatic Root Certificate Update. | This MDM does not exist since it would prevent the operation and management of MDM management of devices.
|
||||
| 2. Cortana and Search | [Experience/AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
|
||||
| | [Search/AllowSearchToUseLocation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation) | Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)**
|
||||
| 3. Date & Time | [Settings/AllowDateTime](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime)| Allows the user to change date and time settings. **Set to 0 (zero)**
|
||||
| 4. Device metadata retrieval | [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork) | Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled**
|
||||
| 5. Find My Device | [Experience/AllowFindMyDevice](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice)| This policy turns on Find My Device. **Set to 0 (zero)**
|
||||
| 6. Font streaming | [System/AllowFontProviders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowfontproviders) | Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)**
|
||||
| 7. Insider Preview builds | [System/AllowBuildPreview](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview) | This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)**
|
||||
| 8. Internet Explorer | The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer) |
|
||||
| | [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites) | Recommends websites based on the user’s browsing activity. **Set to Disabled**
|
||||
| | [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter) | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to Enabled**
|
||||
| | [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature) | Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled**
|
||||
| | [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange) | Determines whether users can change the default Home Page or not. **Set to Enabled**
|
||||
| | [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard) | Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. **Set to Enabled**
|
||||
| 9. Live Tiles | [Notifications/DisallowTileNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications)| This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Set to Enabled**
|
||||
| 10. Mail synchronization | [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) | Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)**
|
||||
| 11. Microsoft Account | [Accounts/AllowMicrosoftAccountSignInAssistant](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant) | Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
|
||||
| 12. Microsoft Edge | | The following Microsoft Edge MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
|
||||
| | [Browser/AllowAutoFill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | Choose whether employees can use autofill on websites. **Set to 0 (zero)**
|
||||
| | [Browser/AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | Choose whether employees can send Do Not Track headers. **Set to 0 (zero)**
|
||||
| | [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)**
|
||||
| | [Browser/AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)**
|
||||
| | [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | Choose whether the Address Bar shows search suggestions. **Set to 0 (zero)**
|
||||
| | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Choose whether SmartScreen is turned on or off. **Set to 0 (zero)**
|
||||
| 13. Network Connection Status Indicator | [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) | Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)**
|
||||
| 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections. <br /> **Set to 0 (zero)**
|
||||
| | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data. **Set to 0 (zero)**
|
||||
| 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
|
||||
| 16. Preinstalled apps | N/A | N/A
|
||||
| 17. Privacy settings | | Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
|
||||
| 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)**
|
||||
| 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Specifies whether to allow app access to the Location service. **Set to 0 (zero)**
|
||||
| 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Disables or enables the camera. **Set to 0 (zero)**
|
||||
| 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Specifies whether Windows apps can access the microphone. **Set to 2 (two)**
|
||||
| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage. **DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune**
|
||||
| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)**
|
||||
| | [Settings/AllowOnlineTips]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Enables or disables the retrieval of online tips and help for the Settings app. **Set to Disabled**
|
||||
| 17.6 Speech, Inking, & Typing | [Privacy/AllowInputPersonalization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)**
|
||||
| | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)| This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)**
|
||||
| 17.7 Account info | [Privacy/LetAppsAccessAccountInfo](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo) | Specifies whether Windows apps can access account information. **Set to 2 (two)**
|
||||
| 17.8 Contacts | [Privacy/LetAppsAccessContacts](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts) | Specifies whether Windows apps can access contacts. **Set to 2 (two)**
|
||||
| 17.9 Calendar | [Privacy/LetAppsAccessCalendar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar) | Specifies whether Windows apps can access the calendar. **Set to 2 (two)**
|
||||
| 17.10 Call history | [Privacy/LetAppsAccessCallHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory) | Specifies whether Windows apps can access account information. **Set to 2 (two)**
|
||||
| 17.11 Email | [Privacy/LetAppsAccessEmail](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail) | Specifies whether Windows apps can access email. **Set to 2 (two)**
|
||||
| 17.12 Messaging | [Privacy/LetAppsAccessMessaging](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging) | Specifies whether Windows apps can read or send messages (text or MMS). **Set to 2 (two)**
|
||||
| 17.13 Phone calls | [Privacy/LetAppsAccessPhone](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone) | Specifies whether Windows apps can make phone calls. **Set to 2 (two)**
|
||||
| 17.14 Radios | [Privacy/LetAppsAccessRadios](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios) | Specifies whether Windows apps have access to control radios. **Set to 2 (two)**
|
||||
| 17.15 Other devices | [Privacy/LetAppsSyncWithDevices](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices) | Specifies whether Windows apps can sync with devices. **Set to 2 (two)**
|
||||
| | [Privacy/LetAppsAccessTrustedDevices](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices) | Specifies whether Windows apps can access trusted devices. **Set to 2 (two)**
|
||||
| 17.16 Feedback & diagnostics | [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Allow the device to send diagnostic and usage telemetry data, such as Watson. **Set to 0 (zero)**
|
||||
| | [Experience/DoNotShowFeedbackNotifications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotshowfeedbacknotifications)| Prevents devices from showing feedback questions from Microsoft. **Set to 1 (one)**
|
||||
| 17.17 Background apps | [Privacy/LetAppsRunInBackground](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsruninbackground) | Specifies whether Windows apps can run in the background. **Set to 2 (two)**
|
||||
| 17.18 Motion | [Privacy/LetAppsAccessMotion](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion) | Specifies whether Windows apps can access motion data. **Set to 2 (two)**
|
||||
| 17.19 Tasks | [Privacy/LetAppsAccessTasks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks) | Turn off the ability to choose which apps have access to tasks. **Set to 2 (two)**
|
||||
| 17.20 App Diagnostics | [Privacy/LetAppsGetDiagnosticInfo](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo) | Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)**
|
||||
| 18. Software Protection Platform | [Licensing/DisallowKMSClientOnlineAVSValidation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation) | Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)**
|
||||
| 19. Storage Health | [Storage/AllowDiskHealthModelUpdates](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates) | Allows disk health model updates. **Set to 0 (zero)**
|
||||
| 20. Sync your settings | [Experience/AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | Control whether your settings are synchronized. **Set to 0 (zero)**
|
||||
| 21. Teredo | No MDM needed | Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM.
|
||||
| 22. Wi-Fi Sense | No MDM needed | Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer.
|
||||
| 23. Windows Defender | [Defender/AllowCloudProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)**
|
||||
| | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)**
|
||||
| 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)**
|
||||
| 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
|
||||
| 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)**
|
||||
| 25. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)**
|
||||
| | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)**
|
||||
| 25.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)**
|
||||
| 26. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
|
||||
| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)**
|
||||
| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)**
|
||||
|
||||
|
||||
### <a href="" id="bkmk-mdm-whitelist"></a> Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations
|
||||
|
||||
|**Allowed traffic endpoints** |
|
||||
| --- |
|
||||
|ctldl.windowsupdate.com|
|
||||
|cdn.onenote.net|
|
||||
|r.manage.microsoft.com|
|
||||
|tile-service.weather.microsoft.com|
|
||||
|settings-win.data.microsoft.com|
|
||||
|client.wns.windows.com|
|
||||
|dm3p.wns.windows.com|
|
||||
|crl.microsoft.com/pki/crl/*|
|
||||
|*microsoft.com/pkiops/crl/**|
|
||||
|activation-v2.sls.microsoft.com/*|
|
||||
|ocsp.digicert.com/*|
|
||||
|
||||
|
||||
|
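Review bot: In the settings table, row 17.10 Call history (`Privacy/LetAppsAccessCallHistory`) carries the description of row 17.7, "Specifies whether Windows apps can access account information."; it should say that the policy controls app access to call history. In the same table, the 17.5 `Notifications/DisallowCloudNotification` row gives only the warning about WNS and no "Set to" value, unlike the other rows that link a specific policy, so state explicitly which value to use on Intune-managed devices. `Browser/AllowSmartScreen` is listed under both 12 and 23.1, and `TextInput/AllowLinguisticDataCollection` under both 17.1 and 17.6; a cross-reference from one row to the other would stop the duplicates drifting apart. In the allowed-traffic table, `*microsoft.com/pkiops/crl/**` has no dot after the leading wildcard, so read as a glob in a proxy or firewall rule it matches any host name that ends in `microsoft.com`; write `*.microsoft.com/pkiops/crl/*` if only subdomains are meant. The sentence "The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist)." stops before its noun and uses a link text that no longer matches the heading "Allowed traffic"; the product name is also spelled both "Intune" and "InTune" and should be "Intune" throughout.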
File diff suppressed because it is too large
172
windows/privacy/manage-windows-1903-endpoints.md
Normal file
@ -0,0 +1,172 @@
|
||||
---
|
||||
title: Connection endpoints for Windows 10 Enterprise, version 1903
|
||||
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
|
||||
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: high
|
||||
audience: ITPro
|
||||
author: danihalfin
|
||||
ms.author: v-medgar
|
||||
manager: sanashar
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 5/3/2019
|
||||
---
|
||||
# Manage connection endpoints for Windows 10 Enterprise, version 1903
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Enterprise, version 1903
|
||||
|
||||
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
|
||||
|
||||
- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
|
||||
- Connecting to email servers to send and receive email.
|
||||
- Connecting to the web for every day web browsing.
|
||||
- Connecting to the cloud to store and access backups.
|
||||
- Using your location to show a weather forecast.
|
||||
|
||||
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
|
||||
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
|
||||
Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
|
||||
|
||||
The following methodology was used to derive these network endpoints:
|
||||
|
||||
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
|
||||
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
|
||||
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
|
||||
4. Compile reports on traffic going to public IP addresses.
|
||||
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
|
||||
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
|
||||
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
|
||||
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
|
||||
|
||||
## Windows 10 1903 Enterprise connection endpoints
|
||||
|
||||
|Area|Description|Protocol|Destination|
|
||||
|----------------|----------|----------|------------|
|
||||
|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com|
|
||||
|||HTTP|tile-service.weather.microsoft.com
|
||||
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US
|
||||
||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*|
|
||||
||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com|
|
||||
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net|
|
||||
||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com|
|
||||
||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.|HTTPS|mediaredirect.microsoft.com|
|
||||
||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store.|HTTPS|int.whiteboard.microsoft.com|
|
||||
|||HTTPS|wbd.ms|
|
||||
|||HTTPS|whiteboard.microsoft.com|
|
||||
|||HTTP / HTTPS|whiteboard.ms|
|
||||
|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com|
|
||||
|||HTTPS|ris-prod-atm.trafficmanager.net|
|
||||
|||HTTPS|validation-v2.sls.trafficmanager.net|
|
||||
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com|
|
||||
|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com|
|
||||
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client|
|
||||
|||HTTPS|www.bing.com|
|
||||
|||HTTPS|www.bing.com/proactive|
|
||||
|||HTTPS|www.bing.com/threshold/xls.aspx|
|
||||
|||HTTP|exo-ring.msedge.net|
|
||||
|||HTTP|fp.msedge.net|
|
||||
|||HTTP|fp-vp.azureedge.net|
|
||||
|||HTTP|odinvzc.azureedge.net|
|
||||
|||HTTP|spo-ring.msedge.net|
|
||||
|Device authentication|
|
||||
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
|
||||
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com|
|
||||
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com|
|
||||
|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1|
|
||||
|||HTTP|www.microsoft.com|
|
||||
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com|
|
||||
|||HTTP|cs11.wpc.v0cdn.net|
|
||||
|||HTTPS|cs1137.wpc.gammacdn.net|
|
||||
|||TLS v1.2|modern.watson.data.microsoft.com*|
|
||||
|||HTTPS|watson.telemetry.microsoft.com|
|
||||
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*|
|
||||
|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net|
|
||||
|||HTTP|location-inference-westus.cloudapp.net|
|
||||
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net|
|
||||
|||HTTP|*maps.windows.com*|
|
||||
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net|
|
||||
|||HTTP|us.configsvc1.live.com.akadns.net|
|
||||
|Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
|
||||
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|
|
||||
|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com|
|
||||
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com|
|
||||
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com|
|
||||
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*|
|
||||
|||HTTPS|*displaycatalog.mp.microsoft.com|
|
||||
|||HTTP \ HTTPS|pti.store.microsoft.com|
|
||||
|||HTTP|storeedgefd.dsx.mp.microsoft.com|
|
||||
|||HTTP|markets.books.microsoft.com|
|
||||
|||HTTP |share.microsoft.com|
|
||||
|Network Connection Status Indicator (NCSI)|
|
||||
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|
|
||||
Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net|
|
||||
|||HTTPS|*.e-msedge.net|
|
||||
|||HTTPS|*.s-msedge.net|
|
||||
|||HTTPS|nexusrules.officeapps.live.com|
|
||||
|||HTTPS|ocos-office365-s2s.msedge.net|
|
||||
|||HTTPS|officeclient.microsoft.com|
|
||||
|||HTTPS|outlook.office365.com|
|
||||
|||HTTPS|client-office365-tas.msedge.net|
|
||||
|||HTTPS|www.office.com|
|
||||
|||HTTPS|onecollector.cloudapp.aria|
|
||||
|||HTTP|v10.events.data.microsoft.com/onecollector/1.0/|
|
||||
|||HTTPS|self.events.data.microsoft.com|
|
||||
||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com
|
||||
|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*|
|
||||
|||HTTP|msagfx.live.com|
|
||||
|||HTTPS|oneclient.sfx.ms|
|
||||
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net|
|
||||
|||HTTPS|settings.data.microsoft.com|
|
||||
|||HTTPS|settings-win.data.microsoft.com|
|
||||
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com|
|
||||
|||HTTP|config.edge.skype.com|
|
||||
|||HTTP|s2s.config.skype.com|
|
||||
|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net|
|
||||
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com|
|
||||
|||HTTPS|definitionupdates.microsoft.com|
|
||||
|||HTTPS|go.microsoft.com|
|
||||
||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com|
|
||||
|||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com|
|
||||
|||HTTPS|unitedstates.smartscreen-prod.microsoft.com|
|
||||
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com|
|
||||
|||HTTPS|arc.msn.com|
|
||||
|||HTTPS|g.msn.com*|
|
||||
|||HTTPS|query.prod.cms.rt.microsoft.com|
|
||||
|||HTTPS|ris.api.iris.microsoft.com|
|
||||
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com|
|
||||
|||HTTP|cs9.wac.phicdn.net|
|
||||
|||HTTP|emdl.ws.microsoft.com|
|
||||
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
|
||||
|||HTTP|*.windowsupdate.com*|
|
||||
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com|
|
||||
|||HTTPS|*.update.microsoft.com|
|
||||
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com|
|
||||
|
||||
|
||||
## Other Windows 10 editions
|
||||
|
||||
To view endpoints for other versions of Windows 10 Enterprise, see:
|
||||
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
|
||||
- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
|
||||
- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
|
||||
|
||||
To view endpoints for non-Enterprise Windows 10 editions, see:
|
||||
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
|
||||
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
|
||||
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
|
||||
|
||||
|
||||
## Related links
|
||||
|
||||
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
|
||||
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
|
||||
|
||||
|
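Review bot: The Microsoft Store image-download row packs two endpoints into a single table row (`|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com|`), so it has more cells than the four every other row in this table uses; move store-images.microsoft.com to its own continuation row (`|||HTTPS|store-images.microsoft.com|`) like the other multi-endpoint entries. In the same table, the row beginning `Office|The following endpoints` is missing its leading pipe and the to-do.microsoft.com row is missing its trailing pipe. The protocol separator is written both `HTTP / HTTPS` and `HTTP \ HTTPS`; pick one. The tsfe.trafficshaping.dsp.mp.microsoft.com description stops mid-sentence at "This may result in content being either incorrectly." and needs finishing. The description that names Candy Crush Saga lists candycrushsoda.king.com; please confirm which app that host belongs to.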
@ -0,0 +1,274 @@
|
||||
---
|
||||
title: Windows 10, version 1903, connection endpoints for non-Enterprise editions
|
||||
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
|
||||
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: high
|
||||
audience: ITPro
|
||||
author: mikeedgar
|
||||
ms.author: v-medgar
|
||||
manager: sanashar
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 5/9/2019
|
||||
---
|
||||
# Windows 10, version 1903, connection endpoints for non-Enterprise editions
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Home, version 1903
|
||||
- Windows 10 Professional, version 1903
|
||||
- Windows 10 Education, version 1903
|
||||
|
||||
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1903-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 1903.
|
||||
|
||||
The following methodology was used to derive the network endpoints:
|
||||
|
||||
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
|
||||
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
|
||||
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
|
||||
4. Compile reports on traffic going to public IP addresses.
|
||||
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
|
||||
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
|
||||
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
|
||||
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
|
||||
|
||||
## Windows 10 Family
|
||||
|
||||
| **Destination** | **Protocol** | **Description** |
|
||||
| --- | --- | --- |
|
||||
|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry
|
||||
|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use
|
||||
|\*.c-msedge.net|HTTP|Microsoft Office
|
||||
|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update
|
||||
|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates
|
||||
|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use
|
||||
|\*.login.msa.*.net|HTTPS|Microsoft Account related
|
||||
|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight
|
||||
|\*.skype.com|HTTP/HTTPS|Skype
|
||||
|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen
|
||||
|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting
|
||||
|*cdn.onenote.net*|HTTP|OneNote
|
||||
|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store
|
||||
|*emdl.ws.microsoft.com*|HTTP|Windows Update
|
||||
|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update
|
||||
|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates
|
||||
|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download
|
||||
|*licensing.*mp.microsoft.com*|HTTPS|Licensing
|
||||
|*maps.windows.com*|HTTPS|Related to Maps application
|
||||
|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps
|
||||
|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry
|
||||
|*photos.microsoft.com*|HTTPS|Photos App
|
||||
|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates
|
||||
|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store
|
||||
|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration
|
||||
|*wac.phicdn.net*|HTTP|Windows Update
|
||||
|*windowsupdate.com*|HTTP|Windows Update
|
||||
|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS)
|
||||
|*wpc.v0cdn.net*|HTTP|Windows Telemetry
|
||||
|arc.msn.com|HTTPS|Spotlight
|
||||
|auth.gfx.ms*|HTTPS|MSA related
|
||||
|cdn.onenote.net|HTTPS|OneNote Live Tile
|
||||
|dmd.metaservices.microsoft.com*|HTTP|Device Authentication
|
||||
|e-0009.e-msedge.net|HTTPS|Microsoft Office
|
||||
|e10198.b.akamaiedge.net|HTTPS|Maps application
|
||||
|evoke-windowsservices-tas.msedge*|HTTPS|Photos app
|
||||
|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
|
||||
|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services
|
||||
|g.live.com*|HTTPS|OneDrive
|
||||
|go.microsoft.com|HTTP|Windows Defender
|
||||
|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry
|
||||
|login.live.com|HTTPS|Device Authentication
|
||||
|msagfx.live.com|HTTP|OneDrive
|
||||
|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities
|
||||
|officeclient.microsoft.com|HTTPS|Microsoft Office
|
||||
|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates
|
||||
|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office
|
||||
|ow1.res.office365.com|HTTP|Microsoft Office
|
||||
|pti.store.microsoft.com|HTTPS|Microsoft Store
|
||||
|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store
|
||||
|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata
|
||||
|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata
|
||||
|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager
|
||||
|s-0001.s-msedge.net|HTTPS|Microsoft Office
|
||||
|self.events.data.microsoft.com|HTTPS|Microsoft Office
|
||||
|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration
|
||||
|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration
|
||||
|share.microsoft.com|HTTPS|Microsoft Store
|
||||
|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store
|
||||
|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update
|
||||
|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update
|
||||
|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store
|
||||
|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store
|
||||
|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store
|
||||
|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions
|
||||
|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store
|
||||
|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile
|
||||
|time.windows.com|HTTP|Microsoft Windows Time related
|
||||
|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation
|
||||
|v10.events.data.microsoft.com|HTTPS|Diagnostic Data
|
||||
|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
|
||||
|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled
|
||||
|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender
|
||||
|wusofficehome.msocdn.com|HTTPS|Microsoft Office
|
||||
|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles
|
||||
|www.msftconnecttest.com|HTTP|Network Connection (NCSI)
|
||||
|www.office.com|HTTPS|Microsoft Office
|
||||
|
||||
|
||||
## Windows 10 Pro
|
||||
|
||||
| **Destination** | **Protocol** | **Description** |
|
||||
| --- | --- | --- |
|
||||
|\*.cloudapp.azure.com|HTTPS|Azure
|
||||
|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services
|
||||
|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store
|
||||
|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update
|
||||
|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps
|
||||
|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use
|
||||
|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps
|
||||
|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update
|
||||
|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS)
|
||||
|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update
|
||||
|\*c-msedge.net|HTTP|Office
|
||||
|a1158.g.akamai.net|HTTP|Maps application
|
||||
|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata
|
||||
|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store
|
||||
|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office
|
||||
|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application
|
||||
|candycrush.king.com|HTTPS|Candy Crush application
|
||||
|cdn.onenote.net|HTTP|Microsoft OneNote
|
||||
|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates
|
||||
|client.wns.windows.com|HTTPS|Winddows Notification System
|
||||
|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting
|
||||
|config.edge.skype.com|HTTPS|Microsoft Skype
|
||||
|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry
|
||||
|cs9.wac.phicdn.net|HTTP|Windows Update
|
||||
|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store
|
||||
|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store
|
||||
|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store
|
||||
|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication
|
||||
|e-0009.e-msedge.net|HTTPS|Microsoft Office
|
||||
|e10198.b.akamaiedge.net|HTTPS|Maps application
|
||||
|fe3.update.microsoft.com|HTTPS|Windows Update
|
||||
|g.live.com|HTTPS|Microsoft OneDrive
|
||||
|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata
|
||||
|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update
|
||||
|go.microsoft.com|HTTP|Windows Defender
|
||||
|iecvlist.microsoft.com|HTTPS|Microsoft Edge
|
||||
|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store
|
||||
|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in
|
||||
|licensing.mp.microsoft.com|HTTP|Licensing
|
||||
|location-inference-westus.cloudapp.net|HTTPS|Used for location data
|
||||
|login.live.com|HTTP|Device Authentication
|
||||
|maps.windows.com|HTTP|Maps application
|
||||
|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting
|
||||
|msagfx.live.com|HTTP|OneDrive
|
||||
|nav.smartscreen.microsoft.com|HTTPS|Windows Defender
|
||||
|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities
|
||||
|oneclient.sfx.ms|HTTP|OneDrive
|
||||
|pti.store.microsoft.com|HTTPS|Microsoft Store
|
||||
|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata
|
||||
|ris-prod-atm.trafficmanager.net|HTTPS|Azure
|
||||
|s2s.config.skype.com|HTTP|Microsoft Skype
|
||||
|settings-win.data.microsoft.com|HTTPS|Application settings
|
||||
|share.microsoft.com|HTTPS|Microsoft Store
|
||||
|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype
|
||||
|slscr.update.microsoft.com|HTTPS|Windows Update
|
||||
|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store
|
||||
|store-images.microsoft.com|HTTPS|Microsoft Store
|
||||
|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile
|
||||
|time.windows.com|HTTP|Windows time
|
||||
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation
|
||||
|v10.events.data.microsoft.com*|HTTPS|Microsoft Office
|
||||
|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic
|
||||
|watson.telemetry.microsoft.com|HTTPS|Telemetry
|
||||
|wdcp.microsoft.com|HTTPS|Windows Defender
|
||||
|wusofficehome.msocdn.com|HTTPS|Microsoft Office
|
||||
|www.bing.com|HTTPS|Cortana and Search
|
||||
|www.microsoft.com|HTTP|Diagnostic
|
||||
|www.msftconnecttest.com|HTTP|Network connection
|
||||
|www.office.com|HTTPS|Microsoft Office
|
||||
|
||||
|
||||
|
||||
## Windows 10 Education
|
||||
|
||||
| **Destination** | **Protocol** | **Description** |
|
||||
| --- | --- | --- |
|
||||
|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use
|
||||
|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps
|
||||
|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update
|
||||
|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps
|
||||
|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use
|
||||
|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store
|
||||
|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store
|
||||
|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values
|
||||
|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender
|
||||
|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps
|
||||
|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting
|
||||
|\*.wac.phicdn.net|HTTP|Windows Update
|
||||
|\*.windowsupdate.com*|HTTP|Windows Update
|
||||
|\*.wns.windows.com|HTTPS|Windows Notifications Service
|
||||
|\*.wpc.*.net|HTTP|Diagnostic Data
|
||||
|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store
|
||||
|\*dsp.mp.microsoft.com|HTTPS|Windows Update
|
||||
|a1158.g.akamai.net|HTTP|Maps
|
||||
|a122.dscg3.akamai.net|HTTP|Maps
|
||||
|a767.dscg3.akamai.net|HTTP|Maps
|
||||
|au.download.windowsupdate.com*|HTTP|Windows Update
|
||||
|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles
|
||||
|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store
|
||||
|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps
|
||||
|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile
|
||||
|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates
|
||||
|client-office365-tas.msedge.net/*|HTTPS|Office 365 porta and Office Online
|
||||
|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent
|
||||
|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store
|
||||
|dmd.metaservices.microsoft.com*|HTTP|Device Authentication
|
||||
|download.windowsupdate.com*|HTTPS|Windows Update
|
||||
|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store
|
||||
|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app
|
||||
|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services
|
||||
|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services
|
||||
|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services
|
||||
|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates
|
||||
|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata
|
||||
|go.microsoft.com|HTTP|Windows Defender
|
||||
|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser
|
||||
|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in
|
||||
|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing
|
||||
|login.live.com|HTTPS|Device Authentication
|
||||
|maps.windows.com/windows-app-web-link|HTTPS|Maps application
|
||||
|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting
|
||||
|msagfx.live.com|HTTPS|OneDrive
|
||||
|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Office 365 portal's shared infrastructure
|
||||
|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities
|
||||
|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates
|
||||
|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office
|
||||
|pti.store.microsoft.com|HTTPS|Microsoft Store
|
||||
|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration
|
||||
|share.microsoft.com|HTTPS|Microsoft Store
|
||||
|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype
|
||||
|sls.update.microsoft.com*|HTTPS|Windows Update
|
||||
|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store
|
||||
|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile
|
||||
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update
|
||||
|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data
|
||||
|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic
|
||||
|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting
|
||||
|wdcp.microsoft.com|HTTPS|Windows Defender
|
||||
|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure
|
||||
|wusofficehome.msocdn.com|HTTPS|Microsoft Office
|
||||
|www.bing.com|HTTPS|Cortana and Search
|
||||
|www.microsoft.com|HTTP|Diagnostic Data
|
||||
|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities
|
||||
|www.msftconnecttest.com|HTTP|Network Connection
|
||||
|www.office.com|HTTPS|Microsoft Office
|
||||
|
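Review bot: In the Windows 10 Family table, skypeecs-prod-usw-0.cloudapp.net is described as "Microsoft Store", while the Pro and Education tables in this same file label that host "Microsoft Skype" and "Skype"; this looks like a copy error and the Family row should say Skype. Also in the Family table, storecatalogrevocation.storequality.microsoft.com appears twice (with and without a trailing `*`) under two different descriptions and should be merged into one row. Many destinations begin with an unescaped `*` (for example `*msedge.net*` and `*hwcdn.net*`) while the first rows of each table escape it as `\*`; escape them consistently so Markdown does not read the asterisks as emphasis. Because readers turn these tables into firewall or proxy allowlists, the page should say how the patterns are meant to be matched: a trailing `*` directly after the domain, as in `*windowsupdate.com*`, does not show whether it stands for a URL path or for additional host labels. Smaller points: the section heading says "Windows 10 Family" while the Applies to list says "Windows 10 Home"; "Winddows Notification System" and "Office 365 porta" are typos; items 5 to 8 of the methodology are caveats about the test setup, not steps, and would read better as a separate list.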