deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into repo_sync_working_branch

Browse Source
This commit is contained in:
Tina Burden 2020-05-12 09:35:10 -07:00 committed by GitHub
commit e63d97941b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 369 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
View File

@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2016 by using App-V (Windows 10)
description: Deploying Microsoft Office 2016 by using App-V
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

4
windows/application-management/app-v/appv-preparing-your-environment.md
View File

@ -1,13 +1,13 @@
---
title: Preparing Your Environment for App-V (Windows 10)
description: Preparing Your Environment for App-V
author: lomayor
description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V).
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
author: dansimp
manager: dansimp
ms.author: dansimp
ms.topic: article

22
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -8,14 +8,14 @@ ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 04/07/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - RestrictedGroups
> [!WARNING]
> Some information in this article relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -86,7 +86,7 @@ For example, you can create a Restricted Groups policy to allow only specified u
> |----------|----------|----------|----------|
> | 0x55b (Hex) <br> 1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution.
```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
@ -145,8 +145,7 @@ Here's an example:
```
where:
- `<accessgroup desc>` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for `<member name>`. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure.
The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. For best results, use SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured.
> [!Note]
@ -154,6 +153,19 @@ The member SID can be a user account or a group in AD, Azure AD, or on the local
<!--/Example-->
<!--Validation-->
### Policy timeline
The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `<accessgroup dec>` and SID in `<member name>`. For the latest release of Windows 10, you can use name or SID for both the elements, as described in this topic.
The following table describes how this policy setting behaves in different Windows 10 versions:
| Windows 10 version | Policy behavior |
| ------------------ | --------------- |
|Windows 10, version 1803 | Added this policy setting. <br> XML accepts group and member only by name. <br> Supports configuring the administrators group using the group name. <br> Expects member name to be in the account name format. |
| Windows 10, version 1809 <br> Windows 10, version 1903 <br> Windows 10, version 1909 | Supports configuring any local group. <br> `<accessgroup desc>` accepts only name. <br> `<member name>` accepts a name or an SID. <br> This is useful when you want to ensure a certain local group always has a well-known SID as member. |
| The latest release of Windows 10 | Behaves as described in this topic. <br> Accepts name or SID for group and members and translates as appropriate. |
<!--/Validation-->
<!--/Policy-->
<hr/>

2
windows/privacy/TOC.md
View File

@ -21,10 +21,12 @@
## Manage Windows 10 connection endpoints
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
### [Connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 2004](windows-endpoints-2004-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)

135
windows/privacy/manage-windows-2004-endpoints.md Normal file
View File

@ -0,0 +1,135 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 2004
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 2004.
keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: linque1
ms.author: obezeajo
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 5/11/2020
---
# Manage connection endpoints for Windows 10 Enterprise, version 2004
**Applies to**
- Windows 10 Enterprise, version 2004
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
- Connecting to email servers to send and receive email.
- Connecting to the web for every day web browsing.
- Connecting to the cloud to store and access backups.
- Using your location to show a weather forecast.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 2004 Enterprise connection endpoints
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|tile-service.weather.microsoft.com
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
|Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTPS|dmd.metaservices.microsoft.com|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2|v10.events.data.microsoft.com|
|||TLSv1.2|v20.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com|
|||TLS v1.2|watson.*.microsoft.com|
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
|||HTTPS|*licensing.mp.microsoft.com|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2|*maps.windows.com|
|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2|*login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
||This traffic is related to the Microsoft Edge browser.|TLSv1.2|img-prod-cms-rt-microsoft-com*|
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLSv1.2|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. |HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|*ow1.res.office365.com|
|||HTTPS|office.com|
|||HTTPS|blobs.officehome.msocdn.com|
|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
|||TLSv1.2|*g.live.com|
|||TLSv1.2|oneclient.sfx.ms|
|||HTTPS| logincdn.msauth.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2|settings-win.data.microsoft.com|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|||HTTPS|*.pipe.aria.microsoft.com|
|||HTTPS|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||TLSv1.2|wdcp.microsoft.com|
|||HTTPS|go.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
|||HTTPS|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2|arc.msn.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||TLSv1.2|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com|
|||TLSv1.2|*.update.microsoft.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|TLSv1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2|dlassets-ssl.xboxlive.com|
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)

203
windows/privacy/windows-endpoints-2004-non-enterprise-editions.md Normal file
View File

@ -0,0 +1,203 @@
---
title: Windows 10, version 2004, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 2004.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: linque1
ms.author: obezeajo
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 5/11/2020
---
# Windows 10, version 2004, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 2004
- Windows 10 Professional, version 2004
- Windows 10 Education, version 2004
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-2004-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 2004.
The following methodology was used to derive the network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week. If you capture traffic for longer you may have different results.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*.prod.do.dsp.mp.microsoft.com|TLSv1.2|Windows Update
|*.smartscreen.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.smartscreen-prod.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.update.microsoft.com|TLSv1.2|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
|*.windowsupdate.com|HTTP|Used to download operating system patches and updates
|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*storecatalogrevocation.storequality.microsoft.com|TLSv1.2|Used to revoke licenses for malicious apps on the Microsoft Store
|arc.msn.com|TLSv1.2|Windows Spotlight
|cdn.onenote.net|HTTPS|OneNote
|config.edge.skype.com|HTTPS|Skype
|config.teams.microsoft.com|HTTPS|Skype
|crl.microsoft.com|HTTPS|Skype
|ctldl.windowsupdate.com|HTTP|Certificate Trust List
|da.xboxservices.com|HTTPS|Microsoft Edge
|displaycatalog.mp.microsoft.com|HTTPS|Microsoft Store
|dmd.metaservices.microsoft.com|HTTP|Device Authentication
|evoke-windowsservices-tas.msedge.net|TLSv1.2|Photos app
|fs.microsoft.com|TLSv1.2|Maps application
|g.live.com|TLSv1.2|OneDrive
|go.microsoft.com|HTTPS|Windows Defender
|img-prod-cms-rt-microsoft-com|TLSv1.2|This endpoint is related to Microsoft Edge
|licensing.mp.microsoft.com|HTTPS|Licensing
|login.live.com|TLSv1.2|Device Authentication
|logincdn.msauth.net|TLSv1.2|Device Authentication
|manage.devcenter.microsoft.com|TLSv1.2|Microsoft Store analytics
|maps.windows.com|TLSv1.2|Related to Maps application
|ocsp.digicert.com|HTTPS|CRL and OCSP checks to the issuing certificate authorities
|oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates
|pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
|ris.api.iris.microsoft.com|TLSv1.2|Windows Telemetry
|settings-win.data.microsoft.com|TLSv1.2|Used for Windows apps to dynamically update their configuration
|storesdk.dsx.mp.microsoft.com|HTTPS|Used to communicate with Microsoft Store
|telecommand.telemetry.microsoft.com|TLSv1.2|Used by Windows Error Reporting
|tile-service.weather.microsoft.com|HTTPS|Used to download updates to the Weather app Live Tile
|tsfe.trafficshaping.dsp.mp.microsoft.com|TLSv1.2|Used for content regulation
|v10.events.data.microsoft.com|TLSv1.2|Diagnostic Data
|v20.events.data.microsoft.com|TLSv1.2|Diagnostic Data
|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
|wdcp.microsoft.com|TLSv1.2|Used for Windows Defender when Cloud-based Protection is enabled
|www.bing.com|TLSv1.2|Used for updates for Cortana, apps, and Live Tiles
|www.msftconnecttest.com|HTTPS|Network Connection (NCSI)
|www.office.com|HTTPS|Microsoft Office
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*.prod.do.dsp.mp.microsoft.com|TLSv1.2|Windows Update
|*.smartscreen.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.smartscreen-prod.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.update.microsoft.com|TLSv1.2|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
|*.windowsupdate.com|HTTP|Used to download operating system patches and updates
|*.wns.windows.com|TLSv1.2|Used for the Windows Push Notification Services (WNS)
|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*msn-com.akamaized.net|HTTPS|This endpoint is related to Microsoft Edge
|*ring.msedge.net|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps
|*storecatalogrevocation.storequality.microsoft.com|TLSv1.2|Used to revoke licenses for malicious apps on the Microsoft Store
|arc.msn.com|TLSv1.2|Windows Spotlight
|blobs.officehome.msocdn.com|HTTPS|OneNote
|cdn.onenote.net|HTTPS|OneNote
|checkappexec.microsoft.com|HTTPS|OneNote
|config.edge.skype.com|HTTPS|Skype
|config.teams.microsoft.com|HTTPS|Skype
|crl.microsoft.com|HTTPS|Skype
|ctldl.windowsupdate.com|HTTP|Certificate Trust List
|d2i2wahzwrm1n5.cloudfront.net|HTTPS|Microsoft Edge
|da.xboxservices.com|HTTPS|Microsoft Edge
|displaycatalog.mp.microsoft.com|HTTPS|Microsoft Store
|dlassets-ssl.xboxlive.com|HTTPS|Xbox Live
|dmd.metaservices.microsoft.com|HTTP|Device Authentication
|emdl.ws.microsoft.com|HTTP|Windows Update
|evoke-windowsservices-tas.msedge.net|TLSv1.2|Photos app
|fp.msedge.net|HTTPS|Cortana and Live Tiles
|fs.microsoft.com|TLSv1.2|Maps application
|g.live.com|TLSv1.2|OneDrive
|go.microsoft.com|HTTPS|Windows Defender
|img-prod-cms-rt-microsoft-com*|TLSv1.2|This endpoint is related to Microsoft Edge
|licensing.mp.microsoft.com|HTTPS|Licensing
|login.live.com|TLSv1.2|Device Authentication
|manage.devcenter.microsoft.com|TLSv1.2|Microsoft Store analytics
|maps.windows.com|TLSv1.2|Related to Maps application
|ocsp.digicert.com|HTTPS|CRL and OCSP checks to the issuing certificate authorities
|oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates
|pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
|ris.api.iris.microsoft.com|TLSv1.2|Windows Telemetry
|s1325.t.eloqua.com|HTTPS|Microsoft Edge
|self.events.data.microsoft.com|HTTPS|Microsoft Office
|settings-win.data.microsoft.com|TLSv1.2|Used for Windows apps to dynamically update their configuration
|store-images.*microsoft.com|HTTPS|Used to get images that are used for Microsoft Store suggestions
|storesdk.dsx.mp.microsoft.com|HTTPS|Microsoft Store
|telecommand.telemetry.microsoft.com|TLSv1.2|Used by Windows Error Reporting
|tile-service.weather.microsoft.com|HTTPS|Used to download updates to the Weather app Live Tile
|time.windows.com|HTTPS|Fetch the time
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|The following endpoint is used for content regulation
|v10.events.data.microsoft.com|TLSv1.2|Diagnostic Data
|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
|wdcp.microsoft.com|TLSv1.2|Used for Windows Defender when Cloud-based Protection is enabled
|www.bing.com|TLSv1.2|Used for updates for Cortana, apps, and Live Tiles
|www.msftconnecttest.com|HTTPS|Network Connection (NCSI)
|www.msn.com|HTTPS|Network Connection (NCSI)
|www.office.com|HTTPS|Microsoft Office
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*.prod.do.dsp.mp.microsoft.com|TLSv1.2|Windows Update
|*.smartscreen.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.smartscreen-prod.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.update.microsoft.com|TLSv1.2|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
|*.windowsupdate.com|HTTP|Used to download operating system patches and updates
|*.wns.windows.com|TLSv1.2|Used for the Windows Push Notification Services (WNS)
|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*ring.msedge.net|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps
|*storecatalogrevocation.storequality.microsoft.com|TLSv1.2|Used to revoke licenses for malicious apps on the Microsoft Store
|arc.msn.com|TLSv1.2|Windows Spotlight
|blobs.officehome.msocdn.com|HTTPS|OneNote
|cdn.onenote.net|HTTPS|OneNote
|checkappexec.microsoft.com|HTTPS|OneNote
|config.edge.skype.com|HTTPS|Skype
|config.teams.microsoft.com|HTTPS|Skype
|crl.microsoft.com|HTTPS|Skype
|ctldl.windowsupdate.com|HTTP|Certificate Trust List
|da.xboxservices.com|HTTPS|Microsoft Edge
|dmd.metaservices.microsoft.com|HTTP|Device Authentication
|emdl.ws.microsoft.com|HTTP|Windows Update
|evoke-windowsservices-tas.msedge.net|TLSv1.2|Photos app
|fp.msedge.net|HTTPS|Cortana and Live Tiles
|fs.microsoft.com|TLSv1.2|Maps application
|g.live.com|TLSv1.2|OneDrive
|go.microsoft.com|HTTPS|Windows Defender
|licensing.mp.microsoft.com|HTTPS|Licensing
|login.live.com|TLSv1.2|Device Authentication
|logincdn.msauth.net|HTTPS|Device Authentication
|manage.devcenter.microsoft.com|TLSv1.2|Microsoft Store analytics
|ocsp.digicert.com|HTTPS|CRL and OCSP checks to the issuing certificate authorities
|ocsp.msocsp.com|HTTPS|CRL and OCSP checks to the issuing certificate authorities
|ow1.res.office365.com|HTTPS|Microsoft Office
|pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
|ris.api.iris.microsoft.com|TLSv1.2|Windows Telemetry
|s1325.t.eloqua.com|HTTPS|Microsoft Edge
|settings-win.data.microsoft.com|TLSv1.2|Used for Windows apps to dynamically update their configuration
|telecommand.telemetry.microsoft.com|TLSv1.2|Used by Windows Error Reporting
|tile-service.weather.microsoft.com|HTTPS|Used to download updates to the Weather app Live Tile
|v10.events.data.microsoft.com|TLSv1.2|Diagnostic Data
|v20.events.data.microsoft.com|HTTPS|Diagnostic Data
|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
|wdcp.microsoft.com|TLSv1.2|Used for Windows Defender when Cloud-based Protection is enabled
|www.bing.com|TLSv1.2|Used for updates for Cortana, apps, and Live Tiles
|www.microsoft.com|HTTP|Connected User Experiences and Telemetry, Microsoft Data Management service
|www.msftconnecttest.com|HTTPS|Network Connection (NCSI)
|www.office.com|HTTPS|Microsoft Office

2
windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
View File

@ -1,6 +1,6 @@
---
title: Conditional Access
description: Learn more about conditional access in Azure Active Directory.
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: w10
ms.mktglfcycl: deploy

4
windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP APIs connection to Power BI
ms.reviewer:
description: Create custom reports using Power BI
description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
keywords: apis, supported apis, Power BI, reports
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -25,7 +25,7 @@ ms.topic: article
In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs.
The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..)
The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.
## Connect Power BI to Advanced Hunting API

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related IPs information
description: Retrieves all IPs related to a specific alert.
description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related ip
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
View File

@ -1,6 +1,6 @@
---
title: Get IP statistics API
description: Retrieves the prevalence for the given IP.
description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
View File

@ -1,6 +1,6 @@
---
title: Get KB collection API
description: Retrieves a collection of KB's.
description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, kb
search.product: eADQiWindows 10XVcnh
search.appverid: met150

2
windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
View File

@ -85,5 +85,3 @@ Use the following registry key entry to add a tag on a machine:
>[!NOTE]
>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.<br>
> If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key.

4
windows/security/threat-protection/windows-firewall/exemption-list.md
View File

@ -1,6 +1,6 @@
---
title: Exemption List (Windows 10)
description: Exemption List
description: Learn the ins and outs of exemption lists on a secured network using Windows 10.
ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
ms.reviewer:
ms.author: dansimp
@ -23,7 +23,7 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list.

2
windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
View File

@ -1,6 +1,6 @@
---
title: Restrict Server Access to Members of a Group Only (Windows 10)
description: Restrict Server Access to Members of a Group Only
description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group.
ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b
ms.reviewer:
ms.author: dansimp