This post details the Intune Firewall Proxy Requirements for Modern Windows 10 or Windows 11 Deployment. I often hear that Windows Autopilot deployment fails because of external issues with Intune and Windows.
I recommend reviewing the following sections to ensure your proxy team has whitelisted all the required URLs. Microsoft updates this documentation for all Windows 10 versions.
Suppose you can add the following list of URLs (Windows 10 1903 enterprise version) into your proxy server whitelisting. In that case, you can eliminate ~60% of your Windows Autopilot, and Intune Enrollment Page issues will be resolved.
So one of the main reasons identified for common Windows deployment failures is network connectivity requirements. The following are some of the Intune-related posts that would be helpful.
More Microsoft documentation details are available in this post’s resources section.
Windows Update Related URLs
The following URLs should be opened to get Windows Update for Business to work on your corporate Windows 10 1903 devices. Windows updates related to Windows 10 or Windows 11 Proxy Requirements are in the below list.
| Apps | Protocols | Destination |
|---|---|---|
| Windows Update | HTTPS | *.prod.do.dsp.mp.microsoft.com |
| Windows Update | HTTP | cs9.wac.phicdn.net |
| Windows Update | HTTP | emdl.ws.microsoft.com |
| Windows Update | HTTP | *.dl.delivery.mp.microsoft.com |
| Windows Update | HTTP | .windowsupdate.com |
| Windows Update | HTTPS | *.delivery.mp.microsoft.com |
| Windows Update | HTTPS | *.update.microsoft.com |
| Windows Update | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
Windows Settings URLs
Windows settings should have access to the following URLs per best practices. Windows Settings related to Windows 10 or Windows 11 Proxy Requirements are listed below.
| App | Protocol | Destination |
|---|---|---|
| Settings | HTTPS | cy2.settings.data.microsoft.com.akadns.net |
| Settings | HTTPS | settings.data.microsoft.com |
| Settings | HTTPS | settings-win.data.microsoft.com |
Microsoft Office Update URLs
The following URLs should be accessed to get Microsoft Office updates on Windows 10 devices.
| App | Protocols | Destination |
|---|---|---|
| Office | HTTP | *.c-msedge.net |
| Office | HTTPS | *.e-msedge.net |
| Office | HTTPS | *.s-msedge.net |
| Office | HTTPS | nexusrules.officeapps.live.com |
| Office | HTTPS | ocos-office365-s2s.msedge.net |
| Office | HTTPS | officeclient.microsoft.com |
| Office | HTTPS | outlook.office365.com |
| Office | HTTPS | client-office365-tas.msedge.net |
| Office | HTTPS | www.office.com |
| Office | HTTPS | onecollector.cloudapp.aria |
| Office | HTTP | v10.events.data.microsoft.com/onecollector/1.0/ |
| Office | HTTPS | self.events.data.microsoft.com |
| Office | HTTPS | to-do.microsoft.com |
Windows Defender URLs
The following list of URLs should be opened or whitelisted on your proxy server to receive Windows Defender updates and manage policy.
| App | Protocols | Destination |
|---|---|---|
| App | Protocols | Destination |
| Defender | HTTPS | wdcp.microsoft.com |
| Defender | HTTPS | definitionupdates.microsoft.com |
| Defender | HTTPS | go.microsoft.com |
| Defender | HTTPS | *smartscreen.microsoft.com |
| Defender | HTTPS | SmartScreen-sn3p.smartscreen.microsoft.com |
| Defender | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
Microsoft Store Access URLs
The following URLs should be accessible from Windows 10 devices to access the Microsoft Store.
| App | Protocol | Destination |
|---|---|---|
| Microsoft Store | HTTPS | *.wns.windows.com |
| Microsoft Store | HTTP | storecatalogrevocation.storequality.microsoft.com |
| Microsoft Store | HTTPS | img-prod-cms-rt-microsoft-com* |
| Microsoft Store | HTTPS | store-images.microsoft.com |
| Microsoft Store | TLS v1.2 | .md.mp.microsoft.com |
| Microsoft Store | HTTPS | *displaycatalog.mp.microsoft.com |
| Microsoft Store | HTTP \ HTTPS | pti.store.microsoft.com |
| Microsoft Store | HTTP | storeedgefd.dsx.mp.microsoft.com |
| Microsoft Store | HTTP | markets.books.microsoft.com |
| Microsoft Store | HTTP | share.microsoft.com |
OneDrive Access URLs
The following URLs should be acceptable for Windows 10 devices to access OneDrive. OneDrive related Windows 10 Proxy Requirements are in the below list.
| App | Protocol | Destination |
|---|---|---|
| OneDrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/* |
| OneDrive | HTTP | msagfx.live.com |
| OneDrive | HTTPS | oneclient.sfx.ms |
Device Authentication URLs
The following URLs should be accessible from Windows 10 devices to authenticate. They should also be part of proxy whitelisting to get the Windows 10 devices working properly.
| App | Protocol | Destination |
|---|---|---|
| Device authentication | HTTPS | login.live.com* |
| Retrieve device metadata | HTTP | dmd.metaservices.microsoft.com |
Diagnostics Data URLs
The following URLs are required for sending the diagnostics data & telemetry data to Microsoft services. I would recommend opening up these ports or white listings these URLs in your corporate proxy.
| Apps | Protocol | Destination |
|---|---|---|
| Apps | Protocol | Destination |
| Telemetry | HTTP | v10.events.data.microsoft.com |
| Diagnostic | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
| Diagnostic | HTTP | www.microsoft.com |
| Telemetry | HTTPS | co4.telecommand.telemetry.microsoft.com |
| Diagnostic | HTTP | cs11.wpc.v0cdn.net |
| Diagnostic | HTTPS | cs1137.wpc.gammacdn.net |
| Diagnostic | TLS v1.2 | modern.watson.data.microsoft.com* |
| Telemetry | HTTPS | watson.telemetry.microsoft.com |
Licensing Related URLs
The following URLs must be whitelisted in your cooperate proxy environment to get Microsoft licensing-related functionalities to work.
| App | Protocol | Destination |
|---|---|---|
| Licensing | HTTPS | licensing.mp.microsoft.com |
Azure Related Components
To get Azure-related apps working with Windows 10 1903, the following URLs must be whitelisted in your cooperate proxy environment. The Azure-related Windows 10 Proxy Requirements are in the list below.
| App | Protocol | Destination |
|---|---|---|
| Azure Cloud App | HTTPS | wd-prod-fe.cloudapp.azure.com |
| Traffic Manager | HTTPS | ris-prod-atm.trafficmanager.net |
| Traffic Manager | HTTPS | validation-v2.sls.trafficmanager.net |
Certificates Windows Update
The following URL must be whitelisted in your cooperate proxy environment to get the Windows update-related certificate working.
| App | Protocol | Destination |
|---|---|---|
| Certificates | HTTP | ctldl.windowsupdate.com |
Location URLs for Windows
You should white list the following URLs to Windows location services to work.
| App | Protocol | Destination |
|---|---|---|
| Location | HTTPS | inference.location.live.net |
| Location | HTTP | location-inference-westus.cloudapp.net |
Microsoft Account Access URLs
If you want to sign in with a Microsoft account to a Windows 10 1903 device, you should white-list URLs.
| App | Protocol | Destination |
|---|---|---|
| Microsoft Account | HTTP | login.msa.akadns6.net |
| Microsoft Account | HTTP | us.configsvc1.live.com.akadns.net |
Windows Spotlight Related URLs
You might need to open the following URLs to make Windows Spotlight work on Windows 10 devices.
| App | Protocol | Destination |
|---|---|---|
| Windows Spotlight | TLS v1.2 | *.search.msn.com |
| Windows Spotlight | HTTPS | arc.msn.com |
| Windows Spotlight | HTTPS | g.msn.com* |
| Windows Spotlight | HTTPS | query.prod.cms.rt.microsoft.com |
| Windows Spotlight | HTTPS | ris.api.iris.microsoft.com |
Skype Access URLs
You might need to access the following URLs to access Skype from a Windows 10 1903 device.
| App | Protocol | Destination |
|---|---|---|
| Skype | HTTPS | browser.pipe.aria.microsoft.com |
| Skype | HTTP | config.edge.skype.com |
| Skype | HTTP | s2s.config.skype.com |
| Skype | HTTPS | skypeecs-prod-usw-0-b.cloudapp.net |
Windows Apps Related URLs
Windows 10 1903 applications require the following URL to be opened via your corporate proxy. The list of Windows Apps related to Windows 10 Proxy Requirements is below.
NOTE! – The following list is not mandatory.
| App | Protocol | Destination |
|---|---|---|
| Weather | HTTP | blob.weather.microsoft.com |
| Weather | HTTP | tile-service.weather.microsoft.com |
| OneNote | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
| HTTPS | .twimg.com | |
| Candy Crush | TLS v1.2 | candycrushsoda.king.com |
| Photo App | HTTPS | evoke-windowsservices-tas.msedge.net |
| Wallet App | HTTPS | wallet.microsoft.com |
| Groove | HTTPS | mediaredirect.microsoft.com |
| Whiteboard | HTTPS | int.whiteboard.microsoft.com |
| Whiteboard | HTTPS | wbd.ms |
| Whiteboard | HTTPS | whiteboard.microsoft.com |
| Whiteboard | HTTP / HTTPS | whiteboard.ms |
URLs for Cortana and Search
The following URLs are for Cortana & search features working on Windows 10.
| App | Protocol | Destination |
|---|---|---|
| Cortana and Search | HTTPS | store-images.*microsoft.com |
| Cortana and Search | HTTPS | www.bing.com/client |
| Cortana and Search | HTTPS | www.bing.com |
| Cortana and Search | HTTPS | www.bing.com/proactive |
| Cortana and Search | HTTPS | www.bing.com/threshold/xls.aspx |
| Cortana and Search | HTTP | Exo-ring.msedge.net |
| Cortana and Search | HTTP | fp.msedge.net |
| Cortana and Search | HTTP | fp-vp.azureedge.net |
| Cortana and Search | HTTP | odinvzc.azureedge.net |
| Cortana and Search | HTTP | so-ring.msedge.net |
Maps Related URLs for Windows Devices
When you want access to update OFFLINE MAPS, you need to allow the following URLs.
| App | Protocol | Destination |
|---|---|---|
| Maps | HTTPS | *g.akamaiedge.net |
| Maps | HTTP | maps.windows.com |
Other URLs – Intune Firewall Proxy Requirements Modern Windows 10 Deployment
The following URLs are also should accessible from Windows 10 1903 devices.
| App | Protocols | Destination |
|---|---|---|
| Microsoft Edge | HTTPS | iecvlist.microsoft.com |
| Microsoft forward link redirection service (FWLink) | HTTPS | go.microsoft.com |
| Network Connection Status Indicator (NCSI) | HTTP | www.msftconnecttest.com* |
Resources
- Connection endpoints for Windows 10 Enterprise, version 21H1
- Connection endpoints for Windows 11 Enterprise
We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc