From b5b3409bae7cb27964af42a1b4f0d65dbddbd109 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 25 Jan 2022 13:18:03 +0200 Subject: [PATCH 01/32] Update BITS and Windows Update Security Descriptors https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10076 --- windows/deployment/update/windows-update-resources.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index fedd94b39a..8173d6ca5b 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -84,8 +84,8 @@ If all else fails, try resetting the Windows Update Agent by running these comma ``` 2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. ``` console - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) + sc.exe sdset bits D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) + sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ``` 5. Type the following command at a command prompt, and then press ENTER: ``` console From 1184c8b7de1e61690792ef6bc24730ad77f82069 Mon Sep 17 00:00:00 2001 
From: Alekhya Jupudi Date: Thu, 27 Jan 2022 12:08:46 +0530 Subject: [PATCH 02/32] CSP: LanguagePackManagement SV2 documentation update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Task 5695781: LanguagePackManagement SV2 documentation update as per instructions: Fix bitmap description of the providers node. Values for each representation are missing. Remove text "A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language." Add documentation for "./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages //LanguageFeatures" node Add documentation for ./Device/Vendor/MSFT/LanguagePackManagement/Install//CopyToDeviceInternationalSettings" node Add documentation for ./Device/Vendor/MSFT/LanguagePackManagement/Install//EnableLanguageFeatureInstallations" node Update allowed Status node values to include "4 - Partially Succeeded" Change note "If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail." to indicate that the policies will be updated to block the cleanup of unused language packs rather than fail. --- .../mdm/Language-pack-management-csp.md | 55 +++++++++++++------ 1 file changed, 38 insertions(+), 17 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 0a1e9f72a4..68c5641b19 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -13,41 +13,62 @@ ms.date: 06/22/2021 # Language Pack Management CSP +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. MDMs like Intune can use management commands remotely to devices to configure language-related settings. -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. +1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: -1. Enumerate installed languages with GET command on the "InstalledLanguages" node - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/LanguageFeatures** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/LanguageFeatures** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). - - Indicates the language pack installed is a System Language Pack (non-LXP) - - Indicates that the LXP is installed. - - Indicates that both are installed. + The nodes under **InstalledLanguages** are the language tags of the installed languages. 
The **providers** node under language tag is an integer representation of either language pack (features) or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). -2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, + - **1**- Indicates the language pack installed is a System Language Pack (non-LXP) + - **2**- Indicates that the LXP is installed. + - **3**- Indicates that both are installed. - **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** - **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** + The **LanguageFeatures** node is a bitmap representation of what Language Features are installed on a device: - The installation is an asynchronous operation. You can query the **Status** node by using the following commands: + - Basic Typing = 0x1 + - Fonts = 0x2 + - Handwriting = 0x4 + - Speech = 0x8 + - TextToSpeech = 0x10 + - OCR = 0x20 + - LocaleData = 0x40 + - SupplementFonts = 0x80 + +2. Install language pack and features with the EXECUTE command on the **StartInstall** node of the language. + + - Admins can optionally set the language as the System Preferred UI Language immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. 0 (default) will take no action; 1 will set the language as System PreferredUILanguage. + - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. 0 will install only required features; 1 (default) will install all available features. + + Here are the sample commands to install French language with required features and set as the System Preferred UI Language: + + 1. **ADD ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** + 2. 
**REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings(1) (optional)** + 3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (0) (optional)** + 4. **EXECUTE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** + + The installation is an asynchronous operation. You can query the **Status** node by using the following commands: **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** - Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. + Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates features may have gotten installed but there was an error installing the language pack or vice versa). ErrorCode is an HRESULT that could help diagnosis if the installation failed. > [!NOTE] - > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > These commands will set the policy to block cleanup of unused language packs and features on the device rather than fail. -3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.Below is a sample command to delete the zh-CN language. 
+ **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN** - **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)** + > [!NOTE] + > The deletion will ignore the policy of block cleanup of unused language packs. 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node - **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** From dc3285a563e2e24a1cb0126c8855f9caf92a7457 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Mon, 31 Jan 2022 11:42:25 +0530 Subject: [PATCH 03/32] Update as per received feedback --- .../mdm/Language-pack-management-csp.md | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 68c5641b19..94ec9d6832 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md 
@@ -40,29 +40,32 @@ The Language Pack Management CSP allows a direct way to provision language packs - LocaleData = 0x40 - SupplementFonts = 0x80 -2. Install language pack and features with the EXECUTE command on the **StartInstall** node of the language. +2. Install language pack and features with the EXECUTE command on the **StartInstallation** node of the language. - - Admins can optionally set the language as the System Preferred UI Language immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. 0 (default) will take no action; 1 will set the language as System PreferredUILanguage. + > [!NOTE] + > If not previously set, installation will set the policy to block cleanup of unused language packs and features on the device to prevent unexpected deletion. + + - Admins can optionally set the language as the System Preferred UI Language immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. 0 (default) will take no action; 1 will set the following international settings to reflect the newly installed language: + - System Preferred UI Language + - System Locale + - Default settings for new users, such as Input Method (keyboard), Locale, Speech Recognizer, User Preferred Language List - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. 0 will install only required features; 1 (default) will install all available features. - Here are the sample commands to install French language with required features and set as the System Preferred UI Language: + Here are the sample commands to install French language with required features and copy to the devices international settings: 1. **ADD ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** - 2. 
**REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings(1) (optional)** - 3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (0) (optional)** + 2. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings(1)** + 3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (0)** 4. **EXECUTE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** - The installation is an asynchronous operation. You can query the **Status** node by using the following commands: + The installation is an asynchronous operation. You can query the **Status** or **ErrorCode** nodes by using the following commands: **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates features may have gotten installed but there was an error installing the language pack or vice versa). ErrorCode is an HRESULT that could help diagnosis if the installation failed. - > [!NOTE] - > These commands will set the policy to block cleanup of unused language packs and features on the device rather than fail. - -3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.Below is a sample command to delete the zh-CN language. +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. 
Below is a sample command to delete the zh-CN language. **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN** From d3498261914b12786a2cee379f596eb024904a11 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 31 Jan 2022 13:22:41 -0800 Subject: [PATCH 04/32] Fixed Title to WDAC secure settings link --- .../windows-defender-application-control/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 4bfabc7ffe..b142eb885e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -22,7 +22,7 @@ href: understand-windows-defender-application-control-policy-design-decisions.md - name: Understand WDAC policy rules and file rules href: select-types-of-rules-to-create.md - - name: Understand WDAC secure settings + - name: Understand WDAC policy rules and file rules href: understanding-wdac-policy-settings.md items: - name: Allow apps installed by a managed installer From 98f13fc36f77b77bdff73d99e87359de15434f2a Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 31 Jan 2022 15:39:45 -0800 Subject: [PATCH 05/32] Change Title to Understand WDAC Policy Settings --- .../windows-defender-application-control/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index b142eb885e..2a1262cda0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml 
@@ -22,7 +22,7 @@ href: understand-windows-defender-application-control-policy-design-decisions.md - name: Understand WDAC policy rules and file rules href: select-types-of-rules-to-create.md - - name: Understand WDAC policy rules and file rules + - name: Understand WDAC policy settings href: understanding-wdac-policy-settings.md items: - name: Allow apps installed by a managed installer From 9be5c1c9df9e548dc1d8b2dec5a46448df53f7d6 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 31 Jan 2022 16:41:53 -0800 Subject: [PATCH 06/32] Moved "Understanding WDAC Policy Settings" to be child of "Understand WDAC Policy Rules and File Rules" --- .../windows-defender-application-control/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2a1262cda0..383ac38442 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -22,8 +22,6 @@ href: understand-windows-defender-application-control-policy-design-decisions.md - name: Understand WDAC policy rules and file rules href: select-types-of-rules-to-create.md - - name: Understand WDAC policy settings - href: understanding-wdac-policy-settings.md items: - name: Allow apps installed by a managed installer href: configure-authorized-apps-deployed-with-a-managed-installer.md 
@@ -37,6 +35,8 @@ href: manage-packaged-apps-with-windows-defender-application-control.md - name: Use WDAC to control specific plug-ins, add-ins, and modules href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md + - name: Understand WDAC policy settings + href: understanding-wdac-policy-settings.md - name: Use multiple WDAC policies href: deploy-multiple-windows-defender-application-control-policies.md - name: Create your WDAC policy From fa13a5ecc157776152081a1642d4b40bd1e2afbc Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 1 Feb 2022 19:38:18 +0530 Subject: [PATCH 07/32] Updated --- .../mdm/policy-csp-admx-errorreporting.md | 4 ++-- .../windowsdefenderapplicationguard-csp.md | 20 +++++++++---------- ...system-components-to-microsoft-services.md | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 6d41a7d0d3..cb39601404 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1068,7 +1068,7 @@ If this policy setting is disabled or not configured, then the consent level def ADMX Info: -- GP English name: *Configure Default consent* +- GP Friendly name: *Configure Default consent* - GP name: *WerDefaultConsent_1* - GP path: *Windows Components\Windows Error Reporting\Consent* - GP ADMX file name: *ErrorReporting.admx* @@ -1166,7 +1166,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err ADMX Info: -- GP English name: *Disable Windows Error Reporting* +- GP Friendly name: *Disable Windows Error Reporting* - GP name: *WerDisable_1* - GP path: *Windows Components\Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* 
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index cc5b2bff12..e489b9b6cd 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -67,7 +67,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Configure Microsoft Defender Application Guard clipboard settings* +- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* - GP name: *AppHVSIClipboardFileType* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -91,7 +91,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Configure Microsoft Defender Application Guard clipboard settings* +- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* - GP name: *AppHVSIClipboardSettings* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -124,7 +124,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Configure Microsoft Defender Application Guard print settings* +- GP Friendly name: *Configure Microsoft Defender Application Guard print settings* - GP name: *AppHVSIPrintingSettings* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -146,7 +146,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer* +- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer* - GP name: *BlockNonEnterpriseContent* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* 
@@ -165,7 +165,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow data persistence for Microsoft Defender Application Guard* +- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard* - GP name: *AllowPersistence* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -189,7 +189,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard* +- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard* - GP name: *AllowVirtualGPU* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -208,7 +208,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard* +- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard* - GP name: *SaveFilesToHost* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -230,7 +230,7 @@ If you disable or don’t configure this setting, certificates are not shared wi ADMX Info: -- GP English name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device* +- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device* - GP name: *CertificateThumbprints* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* 
@@ -259,7 +259,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow camera and microphone access in Microsoft Defender Application Guard* +- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard* - GP name: *AllowCameraMicrophoneRedirection* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* @@ -317,7 +317,7 @@ The following list shows the supported values: ADMX Info: -- GP English name: *Allow auditing events in Microsoft Defender Application Guard* +- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard* - GP name: *AuditApplicationGuard* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d4c8f8e591..b6b7503543 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1884,7 +1884,7 @@ Most restricted value is 0. ADMX Info: -- GP English name: Allow Clipboard synchronization across devices
+- GP Friendly name: Allow Clipboard synchronization across devices
- GP name: AllowCrossDeviceClipboard
- GP path: System/OS Policies
- GP ADMX file name: OSPolicy.admx
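Review bot: The replacement label "GP Friendly name" in this hunk, and in every other hunk of this patch, capitalises "Friendly" although the neighbouring labels are "GP name", "GP path" and "GP ADMX file name". "English" was capitalised only because it is a proper adjective, so "GP friendly name" would match the rest of each list. The subject "Updated" also does not say what changed; a subject that names the label rename across the three files would make the history searchable.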
From a2c00ce2194a415404ba7bd9cbc02c354edba0e4 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Thu, 3 Feb 2022 11:12:16 +0530 Subject: [PATCH 08/32] Updated again as per review comments --- .../mdm/Language-pack-management-csp.md | 32 +++++++++++-------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 94ec9d6832..4c10dc0ad9 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -13,7 +13,7 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. MDMs like Intune can use management commands remotely to devices to configure language-related settings. +The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users. 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: 
@@ -23,13 +23,13 @@ The Language Pack Management CSP allows a direct way to provision language packs **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/LanguageFeatures** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is an integer representation of either language pack (features) or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is an integer representation of either [language pack](/windows-hardware/manufacture/desktop/available-language-packs-for-windows?view=windows-11&preserve-view=true) or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). - - **1**- Indicates the language pack installed is a System Language Pack (non-LXP) - - **2**- Indicates that the LXP is installed. + - **1**- Indicates that only the Language Pack cab is installed. + - **2**- Indicates that only the LXP is installed. - **3**- Indicates that both are installed. - The **LanguageFeatures** node is a bitmap representation of what Language Features are installed on a device: + The **LanguageFeatures** node is a bitmap representation of what [Language Features](/windows-hardware/manufacture/desktop/features-on-demand-language-fod?view=windows-11&preserve-view=true) are installed for a language on a device: - Basic Typing = 0x1 - Fonts = 0x2 
@@ -40,22 +40,26 @@ The Language Pack Management CSP allows a direct way to provision language packs - LocaleData = 0x40 - SupplementFonts = 0x80 -2. Install language pack and features with the EXECUTE command on the **StartInstallation** node of the language. +2. Install language pack and features with the EXECUTE command on the **StartInstallation** node of the language. The language installation will try to install the best matched language packs and features for the provided language. > [!NOTE] > If not previously set, installation will set the policy to block cleanup of unused language packs and features on the device to prevent unexpected deletion. - - Admins can optionally set the language as the System Preferred UI Language immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. 0 (default) will take no action; 1 will set the following international settings to reflect the newly installed language: + - Admins can optionally copy the language to the device’s international settings immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. false (default)- will take no action; true- will set the following international settings to reflect the newly installed language: - System Preferred UI Language - System Locale - - Default settings for new users, such as Input Method (keyboard), Locale, Speech Recognizer, User Preferred Language List - - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. 0 will install only required features; 1 (default) will install all available features. 
+ - Default settings for new users + - Input Method (keyboard) + - Locale + - Speech Recognizer + - User Preferred Language List + - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. false- will install only required features; true (default)- will install all available features. - Here are the sample commands to install French language with required features and copy to the devices international settings: + Here are the sample commands to install French language with required features and copy to the device's international settings: 1. **ADD ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** - 2. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings(1)** - 3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (0)** + 2. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings (true)** + 3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (false)** 4. **EXECUTE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** The installation is an asynchronous operation. You can query the **Status** or **ErrorCode** nodes by using the following commands: 
@@ -63,7 +67,9 @@ The Language Pack Management CSP allows a direct way to provision language packs **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** - Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates features may have gotten installed but there was an error installing the language pack or vice versa). ErrorCode is an HRESULT that could help diagnosis if the installation failed. + Status: 0 – not started; 1 – in progress; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates not all the provisioning operations succeeded, for example, there was an error installing the language pack or features). + + ErrorCode: An HRESULT that could help diagnosis if the installation failed or partially failed. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. Below is a sample command to delete the zh-CN language. From a5fad2aef5f664ebab07de6963245ba8f2cbbd66 Mon Sep 17 00:00:00 2001 
From: Alekhya Jupudi Date: Fri, 4 Feb 2022 11:17:50 +0530 Subject: [PATCH 09/32] PRIVACY: Removed topics related to older versions --- ...tial-services-and-connected-experiences.md | 2 - .../privacy/manage-windows-11-endpoints.md | 2 - .../privacy/manage-windows-1709-endpoints.md | 7 +- .../privacy/manage-windows-1803-endpoints.md | 4 +- .../privacy/manage-windows-1809-endpoints.md | 4 +- .../privacy/manage-windows-1903-endpoints.md | 5 +- .../privacy/manage-windows-1909-endpoints.md | 5 +- .../privacy/manage-windows-2004-endpoints.md | 5 +- .../privacy/manage-windows-20H2-endpoints.md | 3 +- .../privacy/manage-windows-21H1-endpoints.md | 3 +- .../privacy/manage-windows-21h2-endpoints.md | 3 +- windows/privacy/toc.yml | 4 - ...-endpoints-1709-non-enterprise-editions.md | 295 ------------------ ...-endpoints-1803-non-enterprise-editions.md | 166 ---------- 14 files changed, 17 insertions(+), 491 deletions(-) delete mode 100644 windows/privacy/windows-endpoints-1709-non-enterprise-editions.md delete mode 100644 windows/privacy/windows-endpoints-1803-non-enterprise-editions.md diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index eceb613db4..76a1f065e6 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md 
@@ -121,5 +121,3 @@ To view endpoints for non-Enterprise Windows editions, see: - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) \ No newline at end of file diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index f17e78125e..ed77595e83 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -151,8 +151,6 @@ To view endpoints for non-Enterprise Windows 10 editions, see: - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index f3bc7923bd..574d7ec82d 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md 
+++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -438,7 +438,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. +If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updatable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. | Source process | Protocol | Destination | |----------------|----------|------------| @@ -447,12 +447,13 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa ## Other Windows 10 versions and editions To view endpoints for other versions of Windows 10 enterprise, see: + - [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) + +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) ## Related links 
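Review bot: after the second hunk, the non-Enterprise list on the version 1709 page holds a single link, to the 21H1 page, while the 1809 to 2004 non-Enterprise pages that other files in this patch still link to are not listed. If the intent is to point readers at the remaining non-Enterprise topics, list them here too, or reword the lead sentence so it is clear that no 1709-specific list exists any more. The context line "other versions of Windows 10 enterprise" also uses a lowercase "enterprise" where the 1809 and later pages write "Enterprise".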
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index fdc72f92e7..4fad481b53 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -456,8 +456,8 @@ To view endpoints for other versions of Windows 10 enterprise, see: - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) + +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index f2b61aed53..2b7cd033a1 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -491,9 +491,9 @@ To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: + - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) ## Related links 
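Review bot: in the manage-windows-1809-endpoints.md hunk the 21H1 link is appended below the 1809 entry, but the 1909, 2004, 20H2, 21H1 and 21h2 hunks later in this patch insert it at the top of the same list, so the order differs from page to page. Pick one order (the other lists run newest to oldest) and apply it in every file this patch touches.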
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index f4254b905d..caa5542551 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -180,10 +180,9 @@ To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index 4209d8bafd..9e9116e24b 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
@@ -129,11 +129,10 @@ To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - ## Related links diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index f701bc0e8d..755a48556c 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md 
@@ -129,12 +129,11 @@ To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - ## Related links diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index f891d0bf27..888f475761 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -147,12 +147,11 @@ To view endpoints for other versions of Windows 10 Enterprise, see: To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 51e80aa248..13ef58f4a6 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -145,12 +145,11 @@ To view endpoints for other versions of Windows 10 Enterprise, see: To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index 6dc79e13de..bd2e54060d 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md 
@@ -145,12 +145,11 @@ To view endpoints for other versions of Windows 10 Enterprise, see: To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) - [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index 56331c2e27..d7a8de4c65 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -79,7 +79,3 @@ href: windows-endpoints-1903-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1809 href: windows-endpoints-1809-non-enterprise-editions.md - - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1803 - href: windows-endpoints-1803-non-enterprise-editions.md - - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1709 - href: windows-endpoints-1709-non-enterprise-editions.md diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md deleted file mode 100644 index b3c1cee7bb..0000000000 
--- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ /dev/null 
@@ -1,295 +0,0 @@ ---- -title: Windows 10, version 1709, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1709. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 12/01/2021 -ms.reviewer: -ms.technology: privacy ---- -# Windows 10, version 1709, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1709 -- Windows 10 Professional, version 1709 -- Windows 10 Education, version 1709 - -In addition to the endpoints listed for [Windows 10 Enterprise](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md), the following endpoints are available on other editions of Windows 10, version 1709. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. 
- -## Windows 10 Home - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. 
| -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTP | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. 
| -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | -| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. 
| -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | -| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. 
| -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). 
| -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. 
| -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| fs.microsoft.com | HTTPS | Used to download fonts on demand | -| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | -| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). 
| -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. 
| -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspw65.akamai.net | HTTP | Used to download content. 
| -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamai.net | HTTP | Used to download content. | -| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. 
| -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com/* | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. 
| -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | -| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. 
| -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md deleted file mode 100644 index b3ec01bc64..0000000000 --- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md +++ /dev/null 
@@ -1,166 +0,0 @@ ---- -title: Windows 10, version 1803, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1803. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 12/01/2021 -ms.reviewer: -ms.technology: privacy ---- -# Windows 10, version 1803, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1803 -- Windows 10 Professional, version 1803 -- Windows 10 Education, version 1803 - -In addition to the endpoints listed for [Windows 10 Enterprise](./manage-windows-1803-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. 
- -## Windows 10 Family - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. | -| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | -| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. 
| -| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Microsoft 365 admin center's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | -| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | -| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | -| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | -| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. 
| -| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | - - -## Windows 10 Pro -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | -| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | -| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. 
| -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| flightingservicewus.cloudapp.net | HTTPS | Insider Program | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | -| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | - - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. 
| -| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | -| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. | -| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store -| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | -| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | -| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | -| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| flightingservicewus.cloudapp.net | HTTPS | Insider Program | -| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. 
| -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Microsoft 365 admin center's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | -| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | -| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | -| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | \ No newline at end of file From 195524f81d81a994f543a9175862f2d973032703 Mon Sep 17 00:00:00 2001 
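Review bot: windows-endpoints-1803-non-enterprise-editions.md is removed outright (`deleted file mode 100644`, `+++ /dev/null`), and nothing in this hunk shows what its published URL will resolve to afterwards. Endpoint pages like this one tend to be linked from firewall and proxy allow-list documentation, so if this commit does not already do so, add a redirect entry pointing to the oldest non-Enterprise endpoints page that stays published and remove the page from the TOC in the same change. The same applies to the 1709 non-Enterprise page deleted just before it.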
From: ansonhsho Date: Thu, 3 Feb 2022 23:18:59 -0800 Subject: [PATCH 10/32] Update application list for Jan 2022 Update application list and change how we talk about versions --- education/windows/windows-11-se-overview.md | 42 ++++++++++++--------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 32f5f7795d..474837edb2 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -38,24 +38,32 @@ Windows 11 SE is only available preinstalled on devices from OEMs. The OEM insta Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview). --- -| Application | Min version | Vendor | +| Application | Supported version | Vendor | | --- | --- | --- | -| Chrome | 95.0.4638.54 | Google | -| Dragon Assistant | 3.2.98.061 | Nuance Communications | -| Dragon Professional Individual | 15.00.100 | Nuance Communications | -| e-Speaking Voice and Speech recognition | 4.4.0.8 | e-speaking | -| Free NaturalReader | 16.1.2 | Natural Soft | -| Jaws for Windows | 2022.2109.84 ILM | Freedom Scientific | -| Kite Student Portal | 8.0.1 | Dynamic Learning Maps | -| NextUp Talker | 1.0.49 | NextUp Technologies, LLC. | -| NonVisual Desktop Access | 2021.2 | NV Access | -| Read and Write | 12.0.71 | Texthelp Systems Ltd. 
| -| SuperNova Magnifier & Screen Reader | 20.03 | Dolphin Computer Access | -| SuperNova Magnifier & Speech | 20.03 | Dolphin Computer Access | -| Text Aloud | 4.0.64 | Nextup.com | -| Zoom | 5.8.3 (1581) | Zoom Inc | -| Zoomtext Fusion by AiSquared | 2022.2109.10 | ORF Fusion | -| ZoomText Magnifier/Reader | 2022.2109.25ILM | AI Squared | +|Blub Digital Portoflio |0.0.7.0 |bulb | +|CA Secure Browser |14.0.0 |Cambium Development | +|Cisco Umbrella |3.0.110.0 |Cisco | +|Dragon Professional Individual |15.00.100 |Nuance Communications| +|DRC INSIGHT Online Assessments |12.0.0.0 |DRC | +|e-Speaking Voice and Speech recognition|4.4.0.8 |e-speaking | +|Free NaturalReader |16.1.2 |Natural Soft | +|GoGuardian |1.4.4 |GoGuardian | +|Google Chrome |97.0.4692.71 |Google | +|Jaws for Windows |2022.2112.24 ILM|Freedom Scientific | +|Kortext |2.3.418.0 |Kortext | +|LanSchool |9.1.0.46 |Stoneware | +|Lightspeed Smart Agent |1.9.1 |Lightspeed Systems | +|Mozilla Firefox |96.0.2 |Mozilla | +|NextUp Talker |1.0.49 |NextUp Technologies | +|NonVisual Desktop Access |2021.3.1 |NV Access | +|NWEA Secure Testing Browser |5.4.300.0 |NEWA | +|Proctorio |1 |Proctorio | +|Secure Browser |4.8.3.376 |Questar, Inc | +|Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd. | +|Respondus Lockdown Browser |2.0.8.03 |Respondus | +|TestNav |1.10.2.0 |Pearson Education Inc| +|SecureBrowser |14.0.0 |Cambium Development | +|Zoom |5.9.1 (2581) |Zoom | --- From 329e4bcfa2775181b20657b4d35bda4913cf73df Mon Sep 17 00:00:00 2001 From: ansonhsho Date: Thu, 3 Feb 2022 23:44:59 -0800 Subject: [PATCH 11/32] Update windows-11-se-overview.md --- education/windows/windows-11-se-overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 474837edb2..0351b9caf7 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
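Review bot: In the windows-11-se-overview.md table hunk (@@ -38,24 +38,32 @@) the column header changes from `Min version` to `Supported version` without saying whether the value is now an exact version or still a floor, and `Read and Write` goes from 12.0.71 to `Read&Write for Windows (US English)` 12.0.60.0, which is lower than the previous minimum. Admins who pin app versions for a locked-down SKU need that stated next to the table. Several added rows also look mistyped or duplicated: `Blub Digital Portoflio` with vendor `bulb`, vendor `NEWA` on the `NWEA Secure Testing Browser` row, and both `CA Secure Browser` and `SecureBrowser` at 14.0.0 from Cambium Development. `Proctorio` carries version `1`, unlike the full version strings elsewhere, and the rows from `Secure Browser` down are out of alphabetical order. Seven previously listed apps (Dragon Assistant, Kite Student Portal, both SuperNova rows, Text Aloud, Zoomtext Fusion, ZoomText Magnifier/Reader) are dropped with no mention in the commit message; please confirm that is intended.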
@@ -57,7 +57,6 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |NextUp Talker |1.0.49 |NextUp Technologies | |NonVisual Desktop Access |2021.3.1 |NV Access | |NWEA Secure Testing Browser |5.4.300.0 |NEWA | -|Proctorio |1 |Proctorio | |Secure Browser |4.8.3.376 |Questar, Inc | |Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd. | |Respondus Lockdown Browser |2.0.8.03 |Respondus | From 55768a17aa430becf6fa78d48de389f7173eccde Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 4 Feb 2022 13:35:03 +0530 Subject: [PATCH 12/32] Enterprise changes --- ...tial-services-and-connected-experiences.md | 3 +- .../privacy/manage-windows-11-endpoints.md | 3 +- .../privacy/manage-windows-1709-endpoints.md | 461 ----------------- .../privacy/manage-windows-1803-endpoints.md | 465 ------------------ .../privacy/manage-windows-1809-endpoints.md | 4 +- .../privacy/manage-windows-1903-endpoints.md | 4 +- .../privacy/manage-windows-1909-endpoints.md | 4 +- .../privacy/manage-windows-2004-endpoints.md | 4 +- .../privacy/manage-windows-20H2-endpoints.md | 3 +- .../privacy/manage-windows-21H1-endpoints.md | 3 +- .../privacy/manage-windows-21h2-endpoints.md | 2 - windows/privacy/toc.yml | 4 - 12 files changed, 12 insertions(+), 948 deletions(-) delete mode 100644 windows/privacy/manage-windows-1709-endpoints.md delete mode 100644 windows/privacy/manage-windows-1803-endpoints.md diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 76a1f065e6..b84bda7733 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md 
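Review bot: The `Proctorio` row removed in the @@ -57,7 +57,6 @@ hunk was added by the previous commit in this series with version `1`, and the subject `Update windows-11-se-overview.md` gives no reason for dropping it. Squash this into the commit that added the row, or state in the message whether Proctorio is not supported on Windows 11 SE or is only waiting on a confirmed version number.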
@@ -106,12 +106,11 @@ To view endpoints for Windows Enterprise, see: - [Manage connection endpoints for Windows 11](manage-windows-11-endpoints.md) - [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md) +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows editions, see: diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index ed77595e83..d2770a3edf 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md 
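Review bot: The link added in the essential-services-and-connected-experiences.md hunk (@@ -106,12 +106,11 @@) targets `manage-windows-21H2-endpoints.md`, but the diffstat for this commit names the file `manage-windows-21h2-endpoints.md`; match the file's casing so the link resolves wherever paths are case-sensitive. The 21H2 entry is also inserted below 21H1 in a list that otherwise runs newest to oldest, so move it up one line.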
@@ -137,12 +137,11 @@ The following methodology was used to derive these network endpoints: To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md) +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md deleted file mode 100644 index 574d7ec82d..0000000000 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ /dev/null 
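Review bot: In the manage-windows-11-endpoints.md hunk (@@ -137,12 +137,11 @@) the list runs from 21H2 straight to 2004 with no 20H2 entry, while the list edited in essential-services-and-connected-experiences.md in this same commit has 20H2 but no 2004. Since both lists are being pruned here, bring them to the same set of versions. The 1709 and 1803 pages whose links are removed are deleted by this commit, and the diffstat shows toc.yml updated but no redirect file touched, so add redirects for the two retired URLs.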
@@ -1,461 +0,0 @@ ---- -title: Connection endpoints for Windows 10 Enterprise, version 1709 -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1709. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: -ms.technology: privacy ---- -# Manage connection endpoints for Windows 10 Enterprise, version 1709 - -**Applies to** - -- Windows 10 Enterprise, version 1709 - -Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: - -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. - -This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this article includes a link to specific details about how to control traffic to it. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user isn't interacting with the system/device). -3. 
Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. As such no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Enterprise connection endpoints - -## Apps - -The following endpoint is used to download updates to the Weather app Live Tile. -If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | - -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | - -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
-If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | - -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | star-mini.c10r.facebook.com | - -The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | - -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
-If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | TLS v1.2 | candycrushsoda.king.com | - -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | - -The following endpoint is used by the Groove Music app for update HTTP handler status. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and can't directly launch the app. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | - -## Cortana and Search - -The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block images that are used for Microsoft Store suggestions. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui | HTTPS |store-images.s-microsoft.com | - -The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block updates to Cortana greetings, tips, and Live Tiles. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | - -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters wouldn't be updated and the device would no longer participate in experiments. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | - -The following endpoint is used by Cortana to report diagnostic and diagnostic data information. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and can't fix them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | - -## Certificates - -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses. - -Additionally, it's used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. -We don't recommend blocking this endpoint. -If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com | - -## Device authentication - -The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | login.live.com/ppsecure | - -## Device metadata - -The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | dmd.metaservices.microsoft.com.akadns.net | - -## Diagnostic Data - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | - -The following endpoints are used by Windows Error Reporting. -To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | - -## Font streaming - -The following endpoints are used to download fonts on demand. 
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | - -## Licensing - -The following endpoint is used for online activation and some app licensing. -To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | - -## Location - -The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | location-inference-westus.cloudapp.net | - -## Maps - -The following endpoint is used to check for updates to maps that have been downloaded for offline use. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | - -## Microsoft account - -The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | login.msa.akadns6.net | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | - -## Microsoft Store - -The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.wns.windows.com | - -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | - -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | - -The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| - -## Network Connection Status Indicator (NCSI) - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | - -## Office - -The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. 
-If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | - -The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | - -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| - -## OneDrive - -The following endpoint is a redirection service that’s used to automatically update URLs. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | - -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms | - -## Settings - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | HTTPS | settings.data.microsoft.com | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | settings-win.data.microsoft.com | - -## Skype - -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | - - - -## Windows Defender - -The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | wdcp.microsoft.com | - -The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | - -## Windows Spotlight - -The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | - -## Windows Update - -The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | - -The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | - -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | - -These are dependent on enabling: -- [Device authentication](manage-windows-1709-endpoints.md#device-authentication) -- [Microsoft account](manage-windows-1709-endpoints.md#microsoft-account) - -The following endpoint is used for content regulation. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | - -## Microsoft forward link redirection service (FWLink) - -The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. - -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updatable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Various|HTTPS|go.microsoft.com| - -## Other Windows 10 versions and editions - -To view endpoints for other versions of Windows 10 enterprise, see: - -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) - -To view endpoints for non-Enterprise Windows 10 editions, see: - -- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - -## Related links - -- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md deleted file mode 100644 index 4fad481b53..0000000000 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ /dev/null 
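Review bot: The deletion of manage-windows-1709-endpoints.md (hunk -1,461 +0,0) needs a redirect in the same change, and none is visible in this part of the patch. The file name is a live link target: the removed "These are dependent on enabling" list under Windows Update links to manage-windows-1709-endpoints.md#device-authentication and #microsoft-account. Please add a redirect to an endpoints page that stays published, and search the remaining articles for links to this file. Note that the removed "Other Windows 10 versions and editions" section pointed readers to manage-windows-1803-endpoints.md, which the next diff also deletes, so any redirect should not target that page. Also confirm that the security guidance removed here is still stated wherever readers are sent: the Certificates section's recommendation not to block ctldl.windowsupdate.com, and the repeated caveat that disabling the Microsoft Store stops it from revoking malicious apps.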
@@ -1,465 +0,0 @@ ---- -title: Connection endpoints for Windows 10, version 1803 -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1803. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: -ms.technology: privacy ---- -# Manage connection endpoints for Windows 10 Enterprise, version 1803 - -**Applies to** - -- Windows 10 Enterprise, version 1803 - -Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: - -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. - -This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this article includes a link to specific details about how to control traffic to it. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user isn't interacting with the system/device). -3. 
Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. As such no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Enterprise connection endpoints - -## Apps - -The following endpoint is used to download updates to the Weather app Live Tile. -If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | - -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
-If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | - -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | star-mini.c10r.facebook.com | - -The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | - -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
-If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | TLS v1.2 | candycrushsoda.king.com | - -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | - -The following endpoint is used by the Groove Music app for update HTTP handler status. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and can't directly launch the app. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | - -## Cortana and Search - -The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block images that are used for Microsoft Store suggestions. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui | HTTPS |store-images.s-microsoft.com | - -The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block updates to Cortana greetings, tips, and Live Tiles. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | - -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters wouldn't be updated and the device would no longer participate in experiments. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | - -The following endpoint is used by Cortana to report diagnostic and diagnostic data information. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and can't fix them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | - -## Certificates - -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses. - -Additionally, it's used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. -We don't recommend blocking this endpoint. -If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com | - -## Device authentication - -The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device won't be authenticated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | login.live.com/ppsecure | - -## Device metadata - -The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata won't be updated for the device. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | dmd.metaservices.microsoft.com.akadns.net | -| | HTTP | dmd.metaservices.microsoft.com | - -## Diagnostic Data - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | - -The following endpoints are used by Windows Error Reporting. -To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | - -## Font streaming - -The following endpoints are used to download fonts on demand. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | - -## Licensing - -The following endpoint is used for online activation and some app licensing. -To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | - -## Location - -The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | location-inference-westus.cloudapp.net | - -## Maps - -The following endpoint is used to check for updates to maps that have been downloaded for offline use. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | - -## Microsoft account - -The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | login.msa.akadns6.net | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | - -## Microsoft Store - -The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.wns.windows.com | - -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | - -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | - -The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| -| svchost | HTTPS | displaycatalog.mp.microsoft.com | - -## Network Connection Status Indicator (NCSI) - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | - -## Office - -The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | -| | HTTPS | ocos-office365-s2s.msedge.net | - -The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | - -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. 
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| - -## OneDrive - -The following endpoint is a redirection service that’s used to automatically update URLs. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | - -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms | - -## Settings - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | HTTPS | settings.data.microsoft.com | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | settings-win.data.microsoft.com | - -## Skype - -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | - - - -## Windows Defender - -The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | wdcp.microsoft.com | - -The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | - -## Windows Spotlight - -The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | - -## Windows Update - -The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | - -The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | - -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | - -These are dependent on enabling: -- [Device authentication](manage-windows-1803-endpoints.md#device-authentication) -- [Microsoft account](manage-windows-1803-endpoints.md#microsoft-account) - -The following endpoint is used for content regulation. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | - -## Microsoft forward link redirection service (FWLink) - -The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. - -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Various|HTTPS|go.microsoft.com| - -## Other Windows 10 editions - -To view endpoints for other versions of Windows 10 enterprise, see: -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) - -To view endpoints for non-Enterprise Windows 10 editions, see: - -- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) - -## Related links - -- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 2b7cd033a1..1b459257be 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -487,8 +487,8 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index caa5542551..b5a68720ab 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md 
@@ -175,9 +175,9 @@ The following methodology was used to derive these network endpoints: ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index 9e9116e24b..da29e4f457 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md @@ -123,10 +123,10 @@ The following methodology was used to derive these network endpoints: ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 755a48556c..48879ed467 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md 
@@ -122,11 +122,11 @@ The following methodology was used to derive these network endpoints: ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 888f475761..8035ebc8d5 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -138,12 +138,11 @@ The following methodology was used to derive these network endpoints: To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: 
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 13ef58f4a6..940115bae8 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -136,12 +136,11 @@ The following methodology was used to derive these network endpoints: To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index bd2e54060d..f8bf449d07 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md 
@@ -140,8 +140,6 @@ To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) - [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) To view endpoints for non-Enterprise Windows 10 editions, see: diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index d7a8de4c65..ef92db9493 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -61,10 +61,6 @@ href: manage-windows-1903-endpoints.md - name: Connection endpoints for Windows 10, version 1809 href: manage-windows-1809-endpoints.md - - name: Connection endpoints for Windows 10, version 1803 - href: manage-windows-1803-endpoints.md - - name: Connection endpoints for Windows 10, version 1709 - href: manage-windows-1709-endpoints.md - name: Connection endpoints for non-Enterprise editions of Windows 11 href: windows-11-endpoints-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 21H1 From f1f1fa06919761c4717d5dc7cf4228473c0d7658 Mon Sep 17 00:00:00 2001 From: Priya Rakshith <96460485+PriyaRakshith@users.noreply.github.com> Date: Fri, 4 Feb 2022 21:51:15 +0530 Subject: [PATCH 13/32] Updated-5774816 Replaced the community link. --- .../windows-security-baselines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index ebdec42441..0142c1ca7f 100644 
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -69,7 +69,7 @@ There are several ways to get and use security baselines: ## Community -[![Microsoft Security Guidance Blog.](./../images/community.png)](/archive/blogs/secguide/) +[https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines] ## Related Videos From 3fd6710157fbedd6fcb33f01938bbfec3d7ac5a0 Mon Sep 17 00:00:00 2001 From: GitHubPang <61439577+GitHubPang@users.noreply.github.com> Date: Mon, 7 Feb 2022 11:30:50 +0800 Subject: [PATCH 14/32] Fix typos --- windows/client-management/troubleshoot-tcpip-port-exhaust.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 7cdbf400e9..8a5e47f439 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
@@ -24,7 +24,7 @@ There are two types of ports: Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443. -In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*. +In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*. ## Default dynamic port range for TCP/IP 
@@ -95,7 +95,7 @@ If you suspect that the machine is in a state of port exhaustion: ![Screenshot of netstate command output.](images/tcp-ts-20.png) - After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. From 8da203e9ce3126b34b1165c56f7d8bc4c60b48bc Mon Sep 17 00:00:00 2001 From: Priya Rakshith <96460485+PriyaRakshith@users.noreply.github.com> Date: Mon, 7 Feb 2022 11:32:21 +0530 Subject: [PATCH 15/32] Update windows-security-baselines.md --- .../windows-security-baselines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 0142c1ca7f..6d4c993655 100644 
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -69,7 +69,7 @@ There are several ways to get and use security baselines: ## Community -[https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines] +[![Microsoft Security Guidance Blog.](./../images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) ## Related Videos From abf491e3d81fc7899731b3872179398f21acab7c Mon Sep 17 00:00:00 2001 From: GitHubPang <61439577+GitHubPang@users.noreply.github.com> Date: Mon, 7 Feb 2022 16:46:46 +0800 Subject: [PATCH 16/32] Update windows/client-management/troubleshoot-tcpip-port-exhaust.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/troubleshoot-tcpip-port-exhaust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 8a5e47f439..91707bb524 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
@@ -24,7 +24,7 @@ There are two types of ports: Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443. -In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*. +In a scenario where the same browser is creating a lot of connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*. ## Default dynamic port range for TCP/IP From 6c552e6040dfade832739ad1ce7f45a2995a9592 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Mon, 7 Feb 2022 16:31:32 +0530 Subject: [PATCH 17/32] format issue fix --- windows/privacy/manage-windows-1903-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index b5a68720ab..7c2bf27999 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md 
@@ -181,8 +181,8 @@ To view endpoints for other versions of Windows 10 Enterprise, see: To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) - [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) ## Related links From 7ed625814f22503331819a84943d3de899bcd17d Mon Sep 17 00:00:00 2001 From: ansonhsho Date: Mon, 7 Feb 2022 08:34:41 -0800 Subject: [PATCH 18/32] Adding additional set of applications --- education/windows/windows-11-se-overview.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 0351b9caf7..0848e6c0c3 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -50,6 +50,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |GoGuardian |1.4.4 |GoGuardian | |Google Chrome |97.0.4692.71 |Google | |Jaws for Windows |2022.2112.24 ILM|Freedom Scientific | +|Kite Student Portal | 8.0.1 | Dynamic Learning Maps| |Kortext |2.3.418.0 |Kortext | |LanSchool |9.1.0.46 |Stoneware | |Lightspeed Smart Agent |1.9.1 |Lightspeed Systems | 
@@ -57,13 +58,16 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |NextUp Talker |1.0.49 |NextUp Technologies | |NonVisual Desktop Access |2021.3.1 |NV Access | |NWEA Secure Testing Browser |5.4.300.0 |NEWA | -|Secure Browser |4.8.3.376 |Questar, Inc | |Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd. | +|Safe Exam Broswer |3.3.1 |Safe Exam Broswer | +|Secure Browser |4.8.3.376 |Questar, Inc | +|SuperNova Magnifier & Screen Reader | 20.03 | Dolphin Computer Access | +|SuperNova Magnifier & Speech | 20.03 | Dolphin Computer Access | |Respondus Lockdown Browser |2.0.8.03 |Respondus | |TestNav |1.10.2.0 |Pearson Education Inc| |SecureBrowser |14.0.0 |Cambium Development | |Zoom |5.9.1 (2581) |Zoom | - +|ZoomText Magnifier/Reader |2022.2109.25ILM | AI Squared | --- ### Enabled apps From cd9d3755f84ec3ed174432207c928f21577ed1cb Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Mon, 7 Feb 2022 11:53:31 -0500 Subject: [PATCH 19/32] Update windows-11-se-overview.md Fixed table formatting --- education/windows/windows-11-se-overview.md | 55 ++++++++++----------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 0848e6c0c3..e0d992618e 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -37,38 +37,37 @@ Windows 11 SE is only available preinstalled on devices from OEMs. The OEM insta Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview). ---- + | Application | Supported version | Vendor | | --- | --- | --- | -|Blub Digital Portoflio |0.0.7.0 |bulb | -|CA Secure Browser |14.0.0 |Cambium Development | -|Cisco Umbrella |3.0.110.0 |Cisco | +|Blub Digital Portoflio |0.0.7.0 |bulb| +|CA Secure Browser |14.0.0 |Cambium Development| +|Cisco Umbrella |3.0.110.0 |Cisco| |Dragon Professional Individual |15.00.100 |Nuance Communications| -|DRC INSIGHT Online Assessments |12.0.0.0 |DRC | -|e-Speaking Voice and Speech recognition|4.4.0.8 |e-speaking | -|Free NaturalReader |16.1.2 |Natural Soft | -|GoGuardian |1.4.4 |GoGuardian | -|Google Chrome |97.0.4692.71 |Google | -|Jaws for Windows |2022.2112.24 ILM|Freedom Scientific | -|Kite Student Portal | 8.0.1 | Dynamic Learning Maps| -|Kortext |2.3.418.0 |Kortext | -|LanSchool |9.1.0.46 |Stoneware | -|Lightspeed Smart Agent |1.9.1 |Lightspeed Systems | -|Mozilla Firefox |96.0.2 |Mozilla | -|NextUp Talker |1.0.49 |NextUp Technologies | -|NonVisual Desktop Access |2021.3.1 |NV Access | -|NWEA Secure Testing Browser |5.4.300.0 |NEWA | -|Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd. 
| -|Safe Exam Broswer |3.3.1 |Safe Exam Broswer | -|Secure Browser |4.8.3.376 |Questar, Inc | -|SuperNova Magnifier & Screen Reader | 20.03 | Dolphin Computer Access | -|SuperNova Magnifier & Speech | 20.03 | Dolphin Computer Access | -|Respondus Lockdown Browser |2.0.8.03 |Respondus | +|DRC INSIGHT Online Assessments |12.0.0.0 |DRC| +|e-Speaking Voice and Speech recognition|4.4.0.8 |e-speaking| +|Free NaturalReader |16.1.2 |Natural Soft| +|GoGuardian |1.4.4 |GoGuardian| +|Google Chrome |97.0.4692.71 |Google| +|Jaws for Windows |2022.2112.24 ILM|Freedom Scientific| +|Kite Student Portal |8.0.1|Dynamic Learning Maps| +|Kortext |2.3.418.0 |Kortext| +|LanSchool |9.1.0.46 |Stoneware| +|Lightspeed Smart Agent |1.9.1 |Lightspeed Systems| +|Mozilla Firefox |96.0.2 |Mozilla| +|NextUp Talker |1.0.49 |NextUp Technologies| +|NonVisual Desktop Access |2021.3.1 |NV Access| +|NWEA Secure Testing Browser |5.4.300.0 |NEWA| +|Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd.| +|Safe Exam Broswer |3.3.1 |Safe Exam Broswer| +|Secure Browser |4.8.3.376 |Questar, Inc| +|SuperNova Magnifier & Screen Reader | 20.03 |Dolphin Computer Access| +|SuperNova Magnifier & Speech | 20.03 |Dolphin Computer Access| +|Respondus Lockdown Browser |2.0.8.03 |Respondus| |TestNav |1.10.2.0 |Pearson Education Inc| -|SecureBrowser |14.0.0 |Cambium Development | -|Zoom |5.9.1 (2581) |Zoom | -|ZoomText Magnifier/Reader |2022.2109.25ILM | AI Squared | ---- +|SecureBrowser |14.0.0 |Cambium Development| +|Zoom |5.9.1 (2581) |Zoom| +|ZoomText Magnifier/Reader |2022.2109.25ILM | AI Squared| ### Enabled apps From 23e53bf0889b1734578be1fd9c2703f532f0eb48 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Feb 2022 16:17:12 -0800 Subject: [PATCH 20/32] Update troubleshoot-tcpip-port-exhaust.md --- windows/client-management/troubleshoot-tcpip-port-exhaust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 91707bb524..c101682206 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -7,7 +7,7 @@ ms.topic: troubleshooting author: dansimp ms.localizationpriority: medium ms.author: dansimp -ms.date: 12/06/2018 +ms.date: 02/07/2022 ms.reviewer: manager: dansimp ms.collection: highpri From cb0fc7c6440ef12d27994c987936c6171b2fd9b9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Feb 2022 16:20:04 -0800 Subject: [PATCH 21/32] Update troubleshoot-tcpip-port-exhaust.md --- .../troubleshoot-tcpip-port-exhaust.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index c101682206..fa586e616b 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
@@ -22,7 +22,7 @@ There are two types of ports: - *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection. - *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers. -Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443. +When connecting to an application or service, client devices use an ephemeral port from the device to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to `https://www.microsoft.com` on port 443. In a scenario where the same browser is creating a lot of connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*. 
@@ -97,14 +97,14 @@ If you suspect that the machine is in a state of port exhaustion: After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. - You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + You might also see CLOSE_WAIT state connections in the same output; however, CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. - >[!Note] - >Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. + > [!Note] + > Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. > - >Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. 
The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. + > Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. > - >Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. + > Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. 4. Open a command prompt in admin mode and run the below command From 359b877657ed5ed1d87e3f0352e02b2524f63e3c Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 8 Feb 2022 16:50:14 +0530 Subject: [PATCH 22/32] Updating json file for redirecting purpose --- .openpublishing.redirection.json | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f505c1d9de..047a450e39 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -15270,6 +15270,26 @@ "redirect_url": "/windows/privacy/manage-windows-2004-endpoints", "redirect_document_id": false }, + { + "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md", + "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md", + "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/manage-windows-1709-endpoints.md", + "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", + "redirect_document_id": false + }, + { + "source_path": "windows/privacy/manage-windows-1803-endpoints.md", + "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md", "redirect_url": "/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp", From eb3f314be61fedd375e8c0e712896edccdb22d95 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 8 Feb 2022 17:11:44 +0530 Subject: [PATCH 23/32] Update --- .openpublishing.redirection.json | 40 ++++++++++++++++---------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 047a450e39..705656f901 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -15270,26 +15270,6 @@ "redirect_url": "/windows/privacy/manage-windows-2004-endpoints", "redirect_document_id": false }, - { - "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md", - "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", - "redirect_document_id": false - }, - { - "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md", - "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", - "redirect_document_id": false - }, - { - "source_path": "windows/privacy/manage-windows-1709-endpoints.md", - "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", - "redirect_document_id": false - }, - { - "source_path": "windows/privacy/manage-windows-1803-endpoints.md", - "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", - "redirect_document_id": false - }, { "source_path": "windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md", "redirect_url": "/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp", 
@@ -19326,6 +19306,26 @@ "source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md", "redirect_url": "/legal/windows/license-terms-windows-diagnostic-data-for-powershell", "redirect_document_id": false + }, + { + "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md", + "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", + "redirect_document_id": true + }, + { + "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md", + "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", + "redirect_document_id": true + }, + { + "source_path": "windows/privacy/manage-windows-1709-endpoints.md", + "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", + "redirect_document_id": true + }, + { + "source_path": "windows/privacy/manage-windows-1803-endpoints.md", + "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", + "redirect_document_id": true } ] } From 8875ed74ded6ec881a340c050de1f051c1cc7e51 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 8 Feb 2022 17:30:58 +0530 Subject: [PATCH 24/32] suggestion fix --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 705656f901..86dd72e816 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19315,7 +19315,7 @@ { "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md", "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/privacy/manage-windows-1709-endpoints.md", 
@@ -19325,7 +19325,7 @@ { "source_path": "windows/privacy/manage-windows-1803-endpoints.md", "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints", - "redirect_document_id": true + "redirect_document_id": false } ] } From a3fcb160e20d856c36fda227d0d250bf49a76206 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Tue, 8 Feb 2022 11:18:26 -0700 Subject: [PATCH 25/32] Update troubleshoot-tcpip-port-exhaust.md sync pr https://github.com/MicrosoftDocs/windows-docs-pr/pull/6269 fix acro typo --- windows/client-management/troubleshoot-tcpip-port-exhaust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index fa586e616b..638044c3aa 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -164,7 +164,7 @@ Steps to use Process explorer: Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles. -As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: +As a workaround, rebooting the computer will get it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: ```console netsh int ipv4 set dynamicport tcp start=10000 num=1000 From 4293bf0fc6c270109bc5b01a51a70e20d967723b Mon Sep 17 00:00:00 2001 
From: Florian Stosse Date: Wed, 9 Feb 2022 19:38:28 +0100 Subject: [PATCH 26/32] WDAC-Addins: fix a typo in executable name used in example --- ...l-policy-to-control-specific-plug-ins-add-ins-and-modules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index e00de62409..8128c51262 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -42,7 +42,7 @@ For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll** ```powershell $rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' -$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP2.exe' +$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe' New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs ``` From 7dc7d44f5d0361bd1bfbf17d845d0381b61cf5d8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Feb 2022 08:35:48 -0800 Subject: [PATCH 27/32] Update use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md --- ...l-policy-to-control-specific-plug-ins-add-ins-and-modules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 8128c51262..47d1c3fb7d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -14,7 +14,7 @@ audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.date: 08/12/2021 +ms.date: 02/10/2022 ms.technology: windows-sec --- From 86e628d7097b6a84fa275c880730aabb828c95ec Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Feb 2022 06:47:37 -0800 Subject: [PATCH 28/32] change topic title and URL --- .openpublishing.redirection.json | 5 +++++ ...{windows-11-whats-new.md => windows-11-overview.md} | 10 +++++----- 2 files changed, 10 insertions(+), 5 deletions(-) rename windows/whats-new/{windows-11-whats-new.md => windows-11-overview.md} (98%) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f505c1d9de..ee0e6accbd 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19306,6 +19306,11 @@ "source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md", "redirect_url": "/legal/windows/license-terms-windows-diagnostic-data-for-powershell", "redirect_document_id": false + }, + { + "source_path": "windows/whats-new/windows-11-whats-new.md", + "redirect_url": "/windows/whats-new/windows-11-overview", + "redirect_document_id": false } ] } 
diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-overview.md similarity index 98% rename from windows/whats-new/windows-11-whats-new.md rename to windows/whats-new/windows-11-overview.md index fbe9e7108d..daac49c8c5 100644 --- a/windows/whats-new/windows-11-whats-new.md +++ b/windows/whats-new/windows-11-overview.md @@ -1,11 +1,11 @@ --- -title: Windows 11, what's new and overview for administrators -description: Learn more about what's new in Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. +title: Windows 11 overview for administrators +description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. ms.reviewer: manager: dougeby ms.audience: itpro -author: MandiOhlinger -ms.author: mandia +author: greg-lindsay +ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +16,7 @@ ms.collection: highpri ms.custom: intro-overview --- -# What's new in Windows 11 +# Windows 11 overview **Applies to**: From 2960f9d50b41e1d48242e39b947936346cf928ed Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Feb 2022 06:55:50 -0800 Subject: [PATCH 29/32] toc update --- windows/whats-new/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 176668f48e..9e25d09647 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -3,8 +3,8 @@ - name: Windows 11 expanded: true items: - - name: What's new in Windows 11 - href: windows-11-whats-new.md + - name: Windows 11 overview + href: windows-11-overview.md - name: Windows 11 requirements href: windows-11-requirements.md - name: Plan for Windows 11 
From b04dacb41b3f02dda41161a8ae12c495c170b1e0 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Feb 2022 06:58:28 -0800 Subject: [PATCH 30/32] index update --- windows/hub/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index cd0a734c01..0d25e4093a 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -44,10 +44,10 @@ productDirectory: summary: Learn more about what's new, what's updated, and what you get in Windows 11 # < 160 chars (optional) items: # Card - - title: What's new in Windows 11 + - title: Windows 11 overview imageSrc: /windows/resources/images/winlogo.svg summary: Get more information about features and improvements that are important to admins - url: /windows/whats-new/windows-11-whats-new + url: /windows/whats-new/windows-11-overview - title: Windows 11 requirements imageSrc: /windows/resources/images/winlogo.svg summary: See the system requirements for Windows 11, including running Windows 11 on a virtual machine From d3c4306845e112e23448a443fedecd09fbd97802 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Feb 2022 06:59:31 -0800 Subject: [PATCH 31/32] index update --- windows/whats-new/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 459aec5b4f..2df276a567 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -30,8 +30,8 @@ landingContent: linkLists: - linkListType: overview links: - - text: What's new - url: windows-11-whats-new.md + - text: Windows 11 overview + url: windows-11-overview.md - text: Windows 11 requirements url: windows-11-requirements.md - text: Plan for Windows 11 From 4734fcf9791420183e4aafa46998da2c4be08fe6 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 11 Feb 2022 07:11:20 -0800 Subject: [PATCH 32/32] index update --- windows/hub/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 0d25e4093a..278064b469 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -80,9 +80,9 @@ conceptualContent: # card - title: Overview links: - - url: /windows/whats-new/windows-11-whats-new + - url: /windows/whats-new/windows-11-overview itemType: overview - text: What's new in Windows 11 + text: Windows 11 overview - url: /windows/whats-new/windows-11-plan itemType: overview text: Plan for Windows 11
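Review bot: In the `.openpublishing.redirection.json` hunk of PATCH 28, the new entry sets `"redirect_document_id": false` even though the target is a rename at similarity index 98%, that is, the same article under a new path. Please confirm that `false` is intended here and was not carried over from the preceding entry; if the renamed page is meant to keep the old page's document ID, this value needs to be `true`.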
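Review bot: The front-matter hunk of the `windows-11-overview.md` rename in PATCH 28 also changes `author` and `ms.author` (MandiOhlinger/mandia to greg-lindsay/greglin), which the subject "change topic title and URL" does not mention. Either state the ownership change in the commit message or move it to its own commit so the rename stays a pure title and path change.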
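Review bot: The `href: windows-11-whats-new.md` in `windows/whats-new/TOC.yml` and the `url: windows-11-whats-new.md` in `windows/whats-new/index.yml` are only updated in PATCH 29 and PATCH 31, after PATCH 28 has already renamed the file, so the intermediate commits carry relative links to a file that no longer exists in the tree. Fold both link updates into the rename commit so every commit in the series is self-consistent.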
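Review bot: PATCH 30 updates only the productDirectory card in `windows/hub/index.yml` (hunk at line 44) and leaves the conceptualContent link at line 80 pointing to `/windows/whats-new/windows-11-whats-new` until PATCH 32 fixes it, and PATCH 30, 31 and 32 all share the subject "index update". Squash 30 and 32 into one commit covering both references in the file, and name the affected file in each subject so the three commits can be told apart in the log.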