This post will get more details about the Intune Firewall Proxy Requirements for Windows 10 or Windows 11 PCs. I often heard that Windows Autopilot deployment fails because of external issues with Intune and Windows.
So one of the main reasons identified for common Windows deployment failures is network connectivity requirements. The following are some of the Intune-related posts that would be helpful.
Introduction – Windows 10 or Windows 11 Proxy Requirements
I would recommend going through the following sections to ensure your proxy team has whitelisted all the URLs required. Microsoft updates this documentation for all the Windows 10 versions.
Suppose you can add the following list of URLs (Windows 10 1903 enterprise version) into your proxy server whitelisting. In that case, you can get rid of ~60% of your Windows Autopilot, and Intune Enrollment Page issues will be resolved.
More details of Microsoft documentation are available in the resources section of this post.
Windows Update Related URLs
The following URLs should be opened to get Windows Update for Business to work on your corporate Windows 10 1903 devices. Windows updates related to Windows 10 or Windows 11 Proxy Requirements are in the below list.
Apps | Protocols | Destination |
Windows Update | HTTPS | *.prod.do.dsp.mp.microsoft.com |
Windows Update | HTTP | cs9.wac.phicdn.net |
Windows Update | HTTP | emdl.ws.microsoft.com |
Windows Update | HTTP | *.dl.delivery.mp.microsoft.com |
Windows Update | HTTP | .windowsupdate.com |
Windows Update | HTTPS | *.delivery.mp.microsoft.com |
Windows Update | HTTPS | *.update.microsoft.com |
Windows Update | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
Windows Settings URLs
Windows settings should have access to the following URLs as per the best practices. Windows Settings related to Windows 10 or Windows 11 Proxy Requirements are listed below.
App | Protocol | Destination |
Settings | HTTPS | cy2.settings.data.microsoft.com.akadns.net |
Settings | HTTPS | settings.data.microsoft.com |
Settings | HTTPS | settings-win.data.microsoft.com |
Microsoft Office Update URLs
The following URLs should be accessed to get Microsoft office updates on Windows 10 devices.
App | Protocols | Destination |
Office | HTTP | *.c-msedge.net |
Office | HTTPS | *.e-msedge.net |
Office | HTTPS | *.s-msedge.net |
Office | HTTPS | nexusrules.officeapps.live.com |
Office | HTTPS | ocos-office365-s2s.msedge.net |
Office | HTTPS | officeclient.microsoft.com |
Office | HTTPS | outlook.office365.com |
Office | HTTPS | client-office365-tas.msedge.net |
Office | HTTPS | www.office.com |
Office | HTTPS | onecollector.cloudapp.aria |
Office | HTTP | v10.events.data.microsoft.com/onecollector/1.0/ |
Office | HTTPS | self.events.data.microsoft.com |
Office | HTTPS | to-do.microsoft.com |
Windows Defender URLs
The following list of URLs should be opened or whitelisted on your proxy server to get Windows Defender updates and policy management.
App | Protocols | Destination |
Defender | HTTPS | wdcp.microsoft.com |
Defender | HTTPS | definitionupdates.microsoft.com |
Defender | HTTPS | go.microsoft.com |
Defender | HTTPS | *smartscreen.microsoft.com |
Defender | HTTPS | SmartScreen-sn3p.smartscreen.microsoft.com |
Defender | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
Microsoft Store Access URLs
The following URLs should be accessible from Windows 10 devices to access Microsoft Store.
App | Protocol | Destination |
Microsoft Store | HTTPS | *.wns.windows.com |
Microsoft Store | HTTP | storecatalogrevocation.storequality.microsoft.com |
Microsoft Store | HTTPS | img-prod-cms-rt-microsoft-com* |
Microsoft Store | HTTPS | store-images.microsoft.com |
Microsoft Store | TLS v1.2 | .md.mp.microsoft.com |
Microsoft Store | HTTPS | *displaycatalog.mp.microsoft.com |
Microsoft Store | HTTP \ HTTPS | pti.store.microsoft.com |
Microsoft Store | HTTP | storeedgefd.dsx.mp.microsoft.com |
Microsoft Store | HTTP | markets.books.microsoft.com |
Microsoft Store | HTTP | share.microsoft.com |
OneDrive Access URLs
The following URLs should be acceptable for Windows 10 devices to access OneDrive. OneDrive related Windows 10 Proxy Requirements are in the below list.
App | Protocol | Destination |
OneDrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/* |
OneDrive | HTTP | msagfx.live.com |
OneDrive | HTTPS | oneclient.sfx.ms |
Device Authentication URLs
The following URLs should be accessible from Windows 10 devices to get authenticated. The URLs should be part of proxy whitelisting to get the Windows 10 devices working properly.
App | Protocol | Destination |
Device authentication | HTTPS | login.live.com* |
Retrieve device metadata | HTTP | dmd.metaservices.microsoft.com |
Diagnostics Data URLs
The following URLs are required for sending the diagnostics data & telemetry data to Microsoft services. I would recommend opening up these ports or white listings these URLs in your corporate proxy.
Apps | Protocol | Destination |
Telemetry | HTTP | v10.events.data.microsoft.com |
Diagnostic | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
Diagnostic | HTTP | www.microsoft.com |
Telemetry | HTTPS | co4.telecommand.telemetry.microsoft.com |
Diagnostic | HTTP | cs11.wpc.v0cdn.net |
Diagnostic | HTTPS | cs1137.wpc.gammacdn.net |
Diagnostic | TLS v1.2 | modern.watson.data.microsoft.com* |
Telemetry | HTTPS | watson.telemetry.microsoft.com |
Licensing Related URLs
The following URLs need to be whitelisted in your cooperate proxy environment to get Microsoft licensing-related functionalities to work.
App | Protocol | Destination |
Licensing | HTTPS | licensing.mp.microsoft.com |
Azure Related Components
The following URLs must be whitelisted in your cooperate proxy environment to get Azure-related apps working with Windows 10 1903. Azure-related Windows 10 Proxy Requirements are in the below list.
App | Protocol | Destination |
Azure Cloud App | HTTPS | wd-prod-fe.cloudapp.azure.com |
Traffic Manager | HTTPS | ris-prod-atm.trafficmanager.net |
Traffic Manager | HTTPS | validation-v2.sls.trafficmanager.net |
Certificates Windows Update
The following URL needs to be whitelisted in your cooperate proxy environment to get Windows update-related certificate working.
App | Protocol | Destination |
Certificates | HTTP | ctldl.windowsupdate.com |
Location URLs for Windows
You should white list the following URLs to Windows location services to work.
App | Protocol | Destination |
Location | HTTPS | inference.location.live.net |
Location | HTTP | location-inference-westus.cloudapp.net |
Microsoft Account Access URLs
If you want to sign in with Microsoft account to Windows 10 1903 device, you should white list URLs.
App | Protocol | Destination |
Microsoft Account | HTTP | login.msa.akadns6.net |
Microsoft Account | HTTP | us.configsvc1.live.com.akadns.net |
Windows Spotlight Related URLs
To make Windows spotlight work on Windows 10 devices, you might need to open the following URLs.
App | Protocol | Destination |
Windows Spotlight | TLS v1.2 | *.search.msn.com |
Windows Spotlight | HTTPS | arc.msn.com |
Windows Spotlight | HTTPS | g.msn.com* |
Windows Spotlight | HTTPS | query.prod.cms.rt.microsoft.com |
Windows Spotlight | HTTPS | ris.api.iris.microsoft.com |
Skype Access URLs
You might need to access the following URLs to get access to Skype from Windows 10 1903 device.
App | Protocol | Destination |
Skype | HTTPS | browser.pipe.aria.microsoft.com |
Skype | HTTP | config.edge.skype.com |
Skype | HTTP | s2s.config.skype.com |
Skype | HTTPS | skypeecs-prod-usw-0-b.cloudapp.net |
Windows Apps Related URLs
Windows 10 1903 applications require the following URL should be opened via your corporate proxy. Windows Apps related to Windows 10 Proxy Requirements are in the below list.
NOTE! – The following list is not mandatory.
App | Protocol | Destination |
Weather | HTTP | blob.weather.microsoft.com |
Weather | HTTP | tile-service.weather.microsoft.com |
OneNote | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
HTTPS | .twimg.com | |
Candy Crush | TLS v1.2 | candycrushsoda.king.com |
Photo App | HTTPS | evoke-windowsservices-tas.msedge.net |
Wallet App | HTTPS | wallet.microsoft.com |
Groove | HTTPS | mediaredirect.microsoft.com |
Whiteboard | HTTPS | int.whiteboard.microsoft.com |
Whiteboard | HTTPS | wbd.ms |
Whiteboard | HTTPS | whiteboard.microsoft.com |
Whiteboard | HTTP / HTTPS | whiteboard.ms |
URLs for Cortana and Search
The following URLs are for Cortana & search features working on Windows 10.
App | Protocol | Destination |
Cortana and Search | HTTPS | store-images.*microsoft.com |
Cortana and Search | HTTPS | www.bing.com/client |
Cortana and Search | HTTPS | www.bing.com |
Cortana and Search | HTTPS | www.bing.com/proactive |
Cortana and Search | HTTPS | www.bing.com/threshold/xls.aspx |
Cortana and Search | HTTP | Exo-ring.msedge.net |
Cortana and Search | HTTP | fp.msedge.net |
Cortana and Search | HTTP | fp-vp.azureedge.net |
Cortana and Search | HTTP | odinvzc.azureedge.net |
Cortana and Search | HTTP | so-ring.msedge.net |
Maps Related URLs for Windows Devices
When you want access to update OFFLINE MAPS, you need to allow the following URLs.
App | Protocol | Destination |
Maps | HTTPS | *g.akamaiedge.net |
Maps | HTTP | maps.windows.com |
Other URLs – Intune Firewall Proxy Requirements Modern Windows 10 Deployment
The following URLs are also should accessible from Windows 10 1903 devices.
App | Protocols | Destination |
Microsoft Edge | HTTPS | iecvlist.microsoft.com |
Microsoft forward link redirection service (FWLink) | HTTPS | go.microsoft.com |
Network Connection Status Indicator (NCSI) | HTTP | www.msftconnecttest.com* |
Resources
- Connection endpoints for Windows 10 Enterprise, version 21H1
- Connection endpoints for Windows 11 Enterprise
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…