diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f505c1d9de..1c4202d44b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19306,6 +19306,31 @@ "source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md", "redirect_url": "/legal/windows/license-terms-windows-diagnostic-data-for-powershell", "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md", + "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", + "redirect_document_id": true + }, + { + "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md", + "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/manage-windows-1709-endpoints.md", + "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", + "redirect_document_id": true + }, + { + "source_path": "windows/privacy/manage-windows-1803-endpoints.md", + "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", + "redirect_document_id": false + }, + { + "source_path": "windows/whats-new/windows-11-whats-new.md", + "redirect_url": "/windows/whats-new/windows-11-overview", + "redirect_document_id": false } ] } diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 32f5f7795d..e0d992618e 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -37,27 +37,37 @@ Windows 11 SE is only available preinstalled on devices from OEMs. The OEM insta Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview). ---- -| Application | Min version | Vendor | -| --- | --- | --- | -| Chrome | 95.0.4638.54 | Google | -| Dragon Assistant | 3.2.98.061 | Nuance Communications | -| Dragon Professional Individual | 15.00.100 | Nuance Communications | -| e-Speaking Voice and Speech recognition | 4.4.0.8 | e-speaking | -| Free NaturalReader | 16.1.2 | Natural Soft | -| Jaws for Windows | 2022.2109.84 ILM | Freedom Scientific | -| Kite Student Portal | 8.0.1 | Dynamic Learning Maps | -| NextUp Talker | 1.0.49 | NextUp Technologies, LLC. | -| NonVisual Desktop Access | 2021.2 | NV Access | -| Read and Write | 12.0.71 | Texthelp Systems Ltd. | -| SuperNova Magnifier & Screen Reader | 20.03 | Dolphin Computer Access | -| SuperNova Magnifier & Speech | 20.03 | Dolphin Computer Access | -| Text Aloud | 4.0.64 | Nextup.com | -| Zoom | 5.8.3 (1581) | Zoom Inc | -| Zoomtext Fusion by AiSquared | 2022.2109.10 | ORF Fusion | -| ZoomText Magnifier/Reader | 2022.2109.25ILM | AI Squared | ---- +| Application | Supported version | Vendor | +| --- | --- | --- | +|Blub Digital Portoflio |0.0.7.0 |bulb| +|CA Secure Browser |14.0.0 |Cambium Development| +|Cisco Umbrella |3.0.110.0 |Cisco| +|Dragon Professional Individual |15.00.100 |Nuance Communications| +|DRC INSIGHT Online Assessments |12.0.0.0 |DRC| +|e-Speaking Voice and Speech recognition|4.4.0.8 |e-speaking| +|Free NaturalReader |16.1.2 |Natural Soft| +|GoGuardian |1.4.4 |GoGuardian| +|Google Chrome |97.0.4692.71 |Google| +|Jaws for Windows |2022.2112.24 ILM|Freedom Scientific| +|Kite Student Portal |8.0.1|Dynamic Learning Maps| +|Kortext |2.3.418.0 |Kortext| +|LanSchool |9.1.0.46 |Stoneware| +|Lightspeed Smart Agent |1.9.1 |Lightspeed Systems| +|Mozilla Firefox |96.0.2 |Mozilla| +|NextUp Talker |1.0.49 |NextUp Technologies| +|NonVisual Desktop Access |2021.3.1 |NV Access| +|NWEA Secure Testing Browser |5.4.300.0 |NEWA| +|Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd.| +|Safe Exam Broswer |3.3.1 |Safe Exam Broswer| +|Secure Browser |4.8.3.376 |Questar, Inc| +|SuperNova Magnifier & Screen Reader | 20.03 |Dolphin Computer Access| +|SuperNova Magnifier & Speech | 20.03 |Dolphin Computer Access| +|Respondus Lockdown Browser |2.0.8.03 |Respondus| +|TestNav |1.10.2.0 |Pearson Education Inc| +|SecureBrowser |14.0.0 |Cambium Development| +|Zoom |5.9.1 (2581) |Zoom| +|ZoomText Magnifier/Reader |2022.2109.25ILM | AI Squared| ### Enabled apps diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 0a1e9f72a4..4c10dc0ad9 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -13,41 +13,71 @@ ms.date: 06/22/2021 # Language Pack Management CSP +The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users. -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. +1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: -1. Enumerate installed languages with GET command on the "InstalledLanguages" node - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/LanguageFeatures** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/LanguageFeatures** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). - - Indicates the language pack installed is a System Language Pack (non-LXP) - - Indicates that the LXP is installed. - - Indicates that both are installed. + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is an integer representation of either [language pack](/windows-hardware/manufacture/desktop/available-language-packs-for-windows?view=windows-11&preserve-view=true) or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). -2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, + - **1**- Indicates that only the Language Pack cab is installed. + - **2**- Indicates that only the LXP is installed. + - **3**- Indicates that both are installed. - **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** - **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** + The **LanguageFeatures** node is a bitmap representation of what [Language Features](/windows-hardware/manufacture/desktop/features-on-demand-language-fod?view=windows-11&preserve-view=true) are installed for a language on a device: - The installation is an asynchronous operation. You can query the **Status** node by using the following commands: + - Basic Typing = 0x1 + - Fonts = 0x2 + - Handwriting = 0x4 + - Speech = 0x8 + - TextToSpeech = 0x10 + - OCR = 0x20 + - LocaleData = 0x40 + - SupplementFonts = 0x80 + +2. Install language pack and features with the EXECUTE command on the **StartInstallation** node of the language. The language installation will try to install the best matched language packs and features for the provided language. + + > [!NOTE] + > If not previously set, installation will set the policy to block cleanup of unused language packs and features on the device to prevent unexpected deletion. + + - Admins can optionally copy the language to the device’s international settings immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. false (default)- will take no action; true- will set the following international settings to reflect the newly installed language: + - System Preferred UI Language + - System Locale + - Default settings for new users + - Input Method (keyboard) + - Locale + - Speech Recognizer + - User Preferred Language List + - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. false- will install only required features; true (default)- will install all available features. + + Here are the sample commands to install French language with required features and copy to the device's international settings: + + 1. **ADD ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** + 2. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings (true)** + 3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (false)** + 4. **EXECUTE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** + + The installation is an asynchronous operation. You can query the **Status** or **ErrorCode** nodes by using the following commands: **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** - Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. + Status: 0 – not started; 1 – in progress; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates not all the provisioning operations succeeded, for example, there was an error installing the language pack or features). - > [!NOTE] - > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + ErrorCode: An HRESULT that could help diagnosis if the installation failed or partially failed. -3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. Below is a sample command to delete the zh-CN language. + **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN** - **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)** + > [!NOTE] + > The deletion will ignore the policy of block cleanup of unused language packs. 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node - **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 6d41a7d0d3..cb39601404 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1068,7 +1068,7 @@ If this policy setting is disabled or not configured, then the consent level def ADMX Info: -- GP English name: *Configure Default consent* +- GP Friendly name: *Configure Default consent* - GP name: *WerDefaultConsent_1* - GP path: *Windows Components\Windows Error Reporting\Consent* - GP ADMX file name: *ErrorReporting.admx* @@ -1166,7 +1166,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err ADMX Info: -- GP English name: *Disable Windows Error Reporting* +- GP Friendly name: *Disable Windows Error Reporting* - GP name: *WerDisable_1* - GP path: *Windows Components\Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index cc5b2bff12..e489b9b6cd 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -67,7 +67,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Configure Microsoft Defender Application Guard clipboard settings* +- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* - GP name: *AppHVSIClipboardFileType* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -91,7 +91,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Configure Microsoft Defender Application Guard clipboard settings* +- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* - GP name: *AppHVSIClipboardSettings* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -124,7 +124,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Configure Microsoft Defender Application Guard print settings* +- GP Friendly name: *Configure Microsoft Defender Application Guard print settings* - GP name: *AppHVSIPrintingSettings* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -146,7 +146,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer* +- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer* - GP name: *BlockNonEnterpriseContent* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -165,7 +165,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow data persistence for Microsoft Defender Application Guard* +- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard* - GP name: *AllowPersistence* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -189,7 +189,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard* +- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard* - GP name: *AllowVirtualGPU* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -208,7 +208,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard* +- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard* - GP name: *SaveFilesToHost* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -230,7 +230,7 @@ If you disable or don’t configure this setting, certificates are not shared wi ADMX Info: -- GP English name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device* +- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device* - GP name: *CertificateThumbprints* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -259,7 +259,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow camera and microphone access in Microsoft Defender Application Guard* +- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard* - GP name: *AllowCameraMicrophoneRedirection* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -317,7 +317,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow auditing events in Microsoft Defender Application Guard* +- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard* - GP name: *AuditApplicationGuard* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 7cdbf400e9..638044c3aa 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -7,7 +7,7 @@ ms.topic: troubleshooting author: dansimp ms.localizationpriority: medium ms.author: dansimp -ms.date: 12/06/2018 +ms.date: 02/07/2022 ms.reviewer: manager: dansimp ms.collection: highpri @@ -22,9 +22,9 @@ There are two types of ports: - *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection. - *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers. -Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443. +When connecting to an application or service, client devices use an ephemeral port from the device to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to `https://www.microsoft.com` on port 443. -In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*. +In a scenario where the same browser is creating a lot of connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*. ## Default dynamic port range for TCP/IP @@ -95,16 +95,16 @@ If you suspect that the machine is in a state of port exhaustion: ![Screenshot of netstate command output.](images/tcp-ts-20.png) - After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. - You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + You might also see CLOSE_WAIT state connections in the same output; however, CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. - >[!Note] - >Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. + > [!Note] + > Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. > - >Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. + > Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. > - >Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. + > Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. 4. Open a command prompt in admin mode and run the below command @@ -164,7 +164,7 @@ Steps to use Process explorer: Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles. -As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: +As a workaround, rebooting the computer will get it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: ```console netsh int ipv4 set dynamicport tcp start=10000 num=1000 diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index fedd94b39a..8173d6ca5b 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -84,8 +84,8 @@ If all else fails, try resetting the Windows Update Agent by running these comma ``` 2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) + sc.exe sdset bits D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) + sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ``` 5. Type the following command at a command prompt, and then press ENTER: ``` console diff --git a/windows/hub/index.yml b/windows/hub/index.yml index cd0a734c01..278064b469 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -44,10 +44,10 @@ productDirectory: summary: Learn more about what's new, what's updated, and what you get in Windows 11 # < 160 chars (optional) items: # Card - - title: What's new in Windows 11 + - title: Windows 11 overview imageSrc: /windows/resources/images/winlogo.svg summary: Get more information about features and improvements that are important to admins - url: /windows/whats-new/windows-11-whats-new + url: /windows/whats-new/windows-11-overview - title: Windows 11 requirements imageSrc: /windows/resources/images/winlogo.svg summary: See the system requirements for Windows 11, including running Windows 11 on a virtual machine @@ -80,9 +80,9 @@ conceptualContent: # card - title: Overview links: - - url: /windows/whats-new/windows-11-whats-new + - url: /windows/whats-new/windows-11-overview itemType: overview - text: What's new in Windows 11 + text: Windows 11 overview - url: /windows/whats-new/windows-11-plan itemType: overview text: Plan for Windows 11 diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index eceb613db4..b84bda7733 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -106,12 +106,11 @@ To view endpoints for Windows Enterprise, see: - [Manage connection endpoints for Windows 11](manage-windows-11-endpoints.md) - [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md) +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows editions, see: @@ -121,5 +120,3 @@ To view endpoints for non-Enterprise Windows editions, see: - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) \ No newline at end of file diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d4c8f8e591..b6b7503543 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1884,7 +1884,7 @@ Most restricted value is 0. ADMX Info: -- GP English name: Allow Clipboard synchronization across devices
+- GP Friendly name: Allow Clipboard synchronization across devices
- GP name: AllowCrossDeviceClipboard
- GP path: System/OS Policies
- GP ADMX file name: OSPolicy.admx
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index f17e78125e..d2770a3edf 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -137,12 +137,11 @@ The following methodology was used to derive these network endpoints: To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md) +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: @@ -151,8 +150,6 @@ To view endpoints for non-Enterprise Windows 10 editions, see: - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md deleted file mode 100644 index f3bc7923bd..0000000000 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ /dev/null @@ -1,460 +0,0 @@ ---- -title: Connection endpoints for Windows 10 Enterprise, version 1709 -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1709. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: -ms.technology: privacy ---- -# Manage connection endpoints for Windows 10 Enterprise, version 1709 - -**Applies to** - -- Windows 10 Enterprise, version 1709 - -Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: - -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. - -This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this article includes a link to specific details about how to control traffic to it. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user isn't interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. As such no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Enterprise connection endpoints - -## Apps - -The following endpoint is used to download updates to the Weather app Live Tile. -If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | - -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | - -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | - -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | star-mini.c10r.facebook.com | - -The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | - -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | TLS v1.2 | candycrushsoda.king.com | - -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | - -The following endpoint is used by the Groove Music app for update HTTP handler status. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and can't directly launch the app. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | - -## Cortana and Search - -The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block images that are used for Microsoft Store suggestions. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui | HTTPS |store-images.s-microsoft.com | - -The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block updates to Cortana greetings, tips, and Live Tiles. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | - -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters wouldn't be updated and the device would no longer participate in experiments. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | - -The following endpoint is used by Cortana to report diagnostic and diagnostic data information. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and can't fix them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | - -## Certificates - -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses. - -Additionally, it's used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. -We don't recommend blocking this endpoint. -If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com | - -## Device authentication - -The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | login.live.com/ppsecure | - -## Device metadata - -The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | dmd.metaservices.microsoft.com.akadns.net | - -## Diagnostic Data - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | - -The following endpoints are used by Windows Error Reporting. -To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | - -## Font streaming - -The following endpoints are used to download fonts on demand. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | - -## Licensing - -The following endpoint is used for online activation and some app licensing. -To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | - -## Location - -The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | location-inference-westus.cloudapp.net | - -## Maps - -The following endpoint is used to check for updates to maps that have been downloaded for offline use. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | - -## Microsoft account - -The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | login.msa.akadns6.net | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | - -## Microsoft Store - -The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.wns.windows.com | - -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | - -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | - -The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| - -## Network Connection Status Indicator (NCSI) - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | - -## Office - -The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | - -The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | - -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| - -## OneDrive - -The following endpoint is a redirection service that’s used to automatically update URLs. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | - -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms | - -## Settings - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | HTTPS | settings.data.microsoft.com | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | settings-win.data.microsoft.com | - -## Skype - -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | - - - -## Windows Defender - -The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | wdcp.microsoft.com | - -The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | - -## Windows Spotlight - -The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | - -## Windows Update - -The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | - -The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | - -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | - -These are dependent on enabling: -- [Device authentication](manage-windows-1709-endpoints.md#device-authentication) -- [Microsoft account](manage-windows-1709-endpoints.md#microsoft-account) - -The following endpoint is used for content regulation. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | - -## Microsoft forward link redirection service (FWLink) - -The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. - -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Various|HTTPS|go.microsoft.com| - -## Other Windows 10 versions and editions - -To view endpoints for other versions of Windows 10 enterprise, see: -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) - -To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) - -## Related links - -- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md deleted file mode 100644 index fdc72f92e7..0000000000 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ /dev/null @@ -1,465 +0,0 @@ ---- -title: Connection endpoints for Windows 10, version 1803 -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1803. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: -ms.technology: privacy ---- -# Manage connection endpoints for Windows 10 Enterprise, version 1803 - -**Applies to** - -- Windows 10 Enterprise, version 1803 - -Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: - -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. - -This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this article includes a link to specific details about how to control traffic to it. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user isn't interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. As such no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Enterprise connection endpoints - -## Apps - -The following endpoint is used to download updates to the Weather app Live Tile. -If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | - -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | - -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | star-mini.c10r.facebook.com | - -The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | - -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | TLS v1.2 | candycrushsoda.king.com | - -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | - -The following endpoint is used by the Groove Music app for update HTTP handler status. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and can't directly launch the app. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | - -## Cortana and Search - -The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block images that are used for Microsoft Store suggestions. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui | HTTPS |store-images.s-microsoft.com | - -The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block updates to Cortana greetings, tips, and Live Tiles. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | - -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters wouldn't be updated and the device would no longer participate in experiments. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | - -The following endpoint is used by Cortana to report diagnostic and diagnostic data information. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and can't fix them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | - -## Certificates - -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses. - -Additionally, it's used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. -We don't recommend blocking this endpoint. -If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com | - -## Device authentication - -The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device won't be authenticated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | login.live.com/ppsecure | - -## Device metadata - -The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata won't be updated for the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | dmd.metaservices.microsoft.com.akadns.net | -| | HTTP | dmd.metaservices.microsoft.com | - -## Diagnostic Data - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | - -The following endpoints are used by Windows Error Reporting. -To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | - -## Font streaming - -The following endpoints are used to download fonts on demand. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | - -## Licensing - -The following endpoint is used for online activation and some app licensing. -To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | - -## Location - -The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | location-inference-westus.cloudapp.net | - -## Maps - -The following endpoint is used to check for updates to maps that have been downloaded for offline use. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | - -## Microsoft account - -The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | login.msa.akadns6.net | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | - -## Microsoft Store - -The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.wns.windows.com | - -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | - -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | - -The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| -| svchost | HTTPS | displaycatalog.mp.microsoft.com | - -## Network Connection Status Indicator (NCSI) - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | - -## Office - -The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | -| | HTTPS | ocos-office365-s2s.msedge.net | - -The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | - -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| - -## OneDrive - -The following endpoint is a redirection service that’s used to automatically update URLs. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | - -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms | - -## Settings - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | HTTPS | settings.data.microsoft.com | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | settings-win.data.microsoft.com | - -## Skype - -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | - - - -## Windows Defender - -The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | wdcp.microsoft.com | - -The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | - -## Windows Spotlight - -The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | - -## Windows Update - -The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | - -The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | - -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | - -These are dependent on enabling: -- [Device authentication](manage-windows-1803-endpoints.md#device-authentication) -- [Microsoft account](manage-windows-1803-endpoints.md#microsoft-account) - -The following endpoint is used for content regulation. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | - -## Microsoft forward link redirection service (FWLink) - -The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. - -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Various|HTTPS|go.microsoft.com| - -## Other Windows 10 editions - -To view endpoints for other versions of Windows 10 enterprise, see: -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) - -To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) - -## Related links - -- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index f2b61aed53..1b459257be 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -487,13 +487,13 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: + - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index f4254b905d..7c2bf27999 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -175,15 +175,14 @@ The following methodology was used to derive these network endpoints: ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index 4209d8bafd..da29e4f457 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md @@ -123,17 +123,16 @@ The following methodology was used to derive these network endpoints: ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - ## Related links diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index f701bc0e8d..48879ed467 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -122,19 +122,18 @@ The following methodology was used to derive these network endpoints: ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - ## Related links diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index f891d0bf27..8035ebc8d5 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -138,21 +138,19 @@ The following methodology was used to derive these network endpoints: To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 51e80aa248..940115bae8 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -136,21 +136,19 @@ The following methodology was used to derive these network endpoints: To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index 6dc79e13de..f8bf449d07 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md @@ -140,17 +140,14 @@ To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index 56331c2e27..ef92db9493 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -61,10 +61,6 @@ href: manage-windows-1903-endpoints.md - name: Connection endpoints for Windows 10, version 1809 href: manage-windows-1809-endpoints.md - - name: Connection endpoints for Windows 10, version 1803 - href: manage-windows-1803-endpoints.md - - name: Connection endpoints for Windows 10, version 1709 - href: manage-windows-1709-endpoints.md - name: Connection endpoints for non-Enterprise editions of Windows 11 href: windows-11-endpoints-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 21H1 @@ -79,7 +75,3 @@ href: windows-endpoints-1903-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1809 href: windows-endpoints-1809-non-enterprise-editions.md - - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1803 - href: windows-endpoints-1803-non-enterprise-editions.md - - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1709 - href: windows-endpoints-1709-non-enterprise-editions.md diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md deleted file mode 100644 index b3c1cee7bb..0000000000 --- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ /dev/null @@ -1,295 +0,0 @@ ---- -title: Windows 10, version 1709, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1709. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 12/01/2021 -ms.reviewer: -ms.technology: privacy ---- -# Windows 10, version 1709, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1709 -- Windows 10 Professional, version 1709 -- Windows 10 Education, version 1709 - -In addition to the endpoints listed for [Windows 10 Enterprise](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md), the following endpoints are available on other editions of Windows 10, version 1709. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Home - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTP | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | -| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | -| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| fs.microsoft.com | HTTPS | Used to download fonts on demand | -| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | -| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspw65.akamai.net | HTTP | Used to download content. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamai.net | HTTP | Used to download content. | -| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com/* | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | -| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md deleted file mode 100644 index b3ec01bc64..0000000000 --- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md +++ /dev/null @@ -1,166 +0,0 @@ ---- -title: Windows 10, version 1803, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1803. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 12/01/2021 -ms.reviewer: -ms.technology: privacy ---- -# Windows 10, version 1803, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1803 -- Windows 10 Professional, version 1803 -- Windows 10 Education, version 1803 - -In addition to the endpoints listed for [Windows 10 Enterprise](./manage-windows-1803-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Family - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. | -| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | -| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Microsoft 365 admin center's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | -| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | -| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | -| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | -| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | - - -## Windows 10 Pro -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | -| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | -| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| flightingservicewus.cloudapp.net | HTTPS | Insider Program | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | -| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | - - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | -| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | -| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store -| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | -| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | -| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | -| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| flightingservicewus.cloudapp.net | HTTPS | Insider Program | -| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Microsoft 365 admin center's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | -| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | -| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | -| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 4bfabc7ffe..383ac38442 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -22,8 +22,6 @@ href: understand-windows-defender-application-control-policy-design-decisions.md - name: Understand WDAC policy rules and file rules href: select-types-of-rules-to-create.md - - name: Understand WDAC secure settings - href: understanding-wdac-policy-settings.md items: - name: Allow apps installed by a managed installer href: configure-authorized-apps-deployed-with-a-managed-installer.md @@ -37,6 +35,8 @@ href: manage-packaged-apps-with-windows-defender-application-control.md - name: Use WDAC to control specific plug-ins, add-ins, and modules href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md + - name: Understand WDAC policy settings + href: understanding-wdac-policy-settings.md - name: Use multiple WDAC policies href: deploy-multiple-windows-defender-application-control-policies.md - name: Create your WDAC policy diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index e00de62409..47d1c3fb7d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -14,7 +14,7 @@ audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.date: 08/12/2021 +ms.date: 02/10/2022 ms.technology: windows-sec --- @@ -42,7 +42,7 @@ For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll** ```powershell $rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' -$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP2.exe' +$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe' New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs ``` diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index ebdec42441..6d4c993655 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -69,7 +69,7 @@ There are several ways to get and use security baselines: ## Community -[![Microsoft Security Guidance Blog.](./../images/community.png)](/archive/blogs/secguide/) +[![Microsoft Security Guidance Blog.](./../images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) ## Related Videos diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 176668f48e..9e25d09647 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -3,8 +3,8 @@ - name: Windows 11 expanded: true items: - - name: What's new in Windows 11 - href: windows-11-whats-new.md + - name: Windows 11 overview + href: windows-11-overview.md - name: Windows 11 requirements href: windows-11-requirements.md - name: Plan for Windows 11 diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 459aec5b4f..2df276a567 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -30,8 +30,8 @@ landingContent: linkLists: - linkListType: overview links: - - text: What's new - url: windows-11-whats-new.md + - text: Windows 11 overview + url: windows-11-overview.md - text: Windows 11 requirements url: windows-11-requirements.md - text: Plan for Windows 11 diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-overview.md similarity index 98% rename from windows/whats-new/windows-11-whats-new.md rename to windows/whats-new/windows-11-overview.md index fbe9e7108d..daac49c8c5 100644 --- a/windows/whats-new/windows-11-whats-new.md +++ b/windows/whats-new/windows-11-overview.md @@ -1,11 +1,11 @@ --- -title: Windows 11, what's new and overview for administrators -description: Learn more about what's new in Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. +title: Windows 11 overview for administrators +description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. ms.reviewer: manager: dougeby ms.audience: itpro -author: MandiOhlinger -ms.author: mandia +author: greg-lindsay +ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +16,7 @@ ms.collection: highpri ms.custom: intro-overview --- -# What's new in Windows 11 +# Windows 11 overview **Applies to**: