From 6f918f68b76e43fbdbc783741e9d8930e01434bc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 28 Jun 2018 16:31:14 -0700 Subject: [PATCH 1/3] edits to parent topic --- ...-client-digitally-sign-communications-always.md | 4 ++-- .../security-policy-settings/security-options.md | 14 ++++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 8792852d43..779be1af43 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 06/21/2018 +author: justinha +ms.date: 06/28/2018 --- # Microsoft network client: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index c33e590f5c..58d123a11a 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 08/01/2017 +author: justinha +ms.date: 06/28/2018 --- # Security Options @@ -66,13 +66,15 @@ For info about setting security policies, see [Configure security policy setting | [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. | | [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.| | [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.| -| [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. | -| [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. | +| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. | +| [SMBv1 Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv1 only. | +| [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting for SMBv1 only. | | [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | | [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. | | [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. | -| [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.| -| [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. | +| [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.| +| [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.| +| [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. | | [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. | | [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. | | [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.| From b6563bde0cdfc0eacdccc0dcfcf18a234b2c5964 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 28 Jun 2018 16:35:03 -0700 Subject: [PATCH 2/3] edits to parent topic --- .../security-policy-settings/security-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 58d123a11a..b4d90dc74c 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -72,7 +72,7 @@ For info about setting security policies, see [Configure security policy setting | [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | | [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. | | [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. | -| [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.| +| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.| | [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.| | [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. | | [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. | From 03695484d5ef3ca456d861ac6475a471b1811da1 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 29 Jun 2018 00:06:27 +0000 Subject: [PATCH 3/3] Merged PR 9471: Consumer endpoints added and security statement tweaked --- windows/privacy/TOC.md | 2 + ...ws-diagnostic-data-in-your-organization.md | 2 +- windows/privacy/manage-windows-endpoints.md | 254 +--------------- ...-endpoints-1709-non-enterprise-editions.md | 273 ++++++++++++++++++ ...-endpoints-1803-non-enterprise-editions.md | 148 ++++++++++ 5 files changed, 431 insertions(+), 248 deletions(-) create mode 100644 windows/privacy/windows-endpoints-1709-non-enterprise-editions.md create mode 100644 windows/privacy/windows-endpoints-1803-non-enterprise-editions.md diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index e3d3190996..05709993b8 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -14,4 +14,6 @@ ### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) ### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) ## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) +### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 3fda54cb26..17d45d542b 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -25,7 +25,7 @@ To frame a discussion about diagnostic data, it is important to understand Micro - **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. - **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt diagnostic data in transit from your device and protect that data at our secure data centers. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. - **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. - **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. - **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md index c9bc42d287..c5fb0c11f5 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-endpoints.md @@ -5,10 +5,10 @@ keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.localizationpriority: medium -author: brianlic-msft -ms.author: brianlic -ms.date: 11/21/2017 +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 --- # Manage Windows 10 connection endpoints @@ -482,250 +482,10 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa |----------------|----------|------------|----------------------------------| |Various|HTTPS|go.microsoft.com| 1709 | -## Endpoints for other Windows editions +## Other Windows 10 editions -In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other editions of Windows 10, version 1709. - -## Windows 10 Home - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | -| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | -| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| fs.microsoft.com | HTTPS | Used to download fonts on demand | -| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | -| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspw65.akamai.net | HTTP | Used to download content. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamai.net | HTTP | Used to download content. | -| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com/* | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | -| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md new file mode 100644 index 0000000000..601a236c61 --- /dev/null +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md @@ -0,0 +1,273 @@ +--- +title: Windows 10, version 1709, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Windows 10, version 1709, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1709 +- Windows 10 Professional, version 1709 +- Windows 10 Education, version 1709 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Home + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| *.dscd.akamai.net | HTTP | Used to download content. | +| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | +| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | +| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | +| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | +| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | +| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | +| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | +| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | +| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com | HTTPS | Used to authenticate a device. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | +| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | +| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | +| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | +| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | +| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | +| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | +| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | +| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | +| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | +| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.*.akamai.net | HTTP | Used to download content. | +| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | +| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | +| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | +| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | +| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | +| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| fs.microsoft.com | HTTPS | Used to download fonts on demand | +| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | +| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | +| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com | HTTPS | Used to authenticate a device. | +| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | +| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | +| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | +| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | +| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | +| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | +| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.dscd.akamai.net | HTTP | Used to download content. | +| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.dspw65.akamai.net | HTTP | Used to download content. | +| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamai.net | HTTP | Used to download content. | +| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | +| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | +| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | +| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | +| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | +| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | +| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com/* | HTTPS | Used to authenticate a device. | +| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | +| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | +| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | +| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md new file mode 100644 index 0000000000..0e3da94eee --- /dev/null +++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md @@ -0,0 +1,148 @@ +--- +title: Windows 10, version 1803, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Windows 10, version 1803, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1803 +- Windows 10 Professional, version 1803 +- Windows 10 Education, version 1803 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ HTTP Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. | +| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | +|dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | +| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | +| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | +| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | + + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |