This will be a very short blog post about the Intune Windows Autopilot Network URLs Whitelist Requirements for Proxy/Firewall.
A firewall/proxy blocking outgoing communication to the required service endpoints is one of the most common reasons for Windows Autopilot deployment failure within a corporate network.
Every organization restricts network communication with the internet using a firewall/proxy solution. As such, you need to make sure that outgoing communication to the required service endpoints is allowed for Intune Windows Autopilot deployments to work within the corporate network. However, when you set out to find all the endpoints (URLs) that need to be whitelisted, you will not find all of them in any single Microsoft document; you need to go through many and collate them. The same happened to me while working on a project, trying to gather everything from the Microsoft docs and the awesome blogs that are available in the community. Hence the thought of doing this blog post, so that if I stumble upon such a request in any of my future projects, I can easily refer to this.
I hope this post comes in handy for anyone who needs to gather the URLs required for Intune and Windows Autopilot to work within the corporate network.
Yet to read my last post on Exploring TeamViewer Remote Assistance in Intune? If yes, do not forget to bookmark this blog site to check it out later.
Intune Windows Autopilot Network URLs Whitelist Requirements for Proxy/Firewall
Unless specified otherwise, all the endpoints listed below use TCP connections over ports 80 and 443.

| Category | Endpoints |
| --- | --- |
| Explicit endpoints | `aka.ms*`, `go.microsoft.com` |
| Device Authentication endpoints | `login.live.com`, `dmd.metaservices.microsoft.com` [used to retrieve device metadata] |
| Windows Autopilot endpoints | `ztd.dds.microsoft.com`, `cs.dds.microsoft.com` |
| TPM Attestation endpoints [if doing the White Glove process] | `*.microsoftaik.azure.net`, `ekop.intel.com/ekcertservice` [if device firmware is from Intel], `ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1` [if device firmware is from Qualcomm], `ftpm.amd.com/pki/aia` [if device firmware is from AMD] |
| Windows Activation and Licensing endpoints | `activation.sls.microsoft.com`, `validation.sls.microsoft.com`, `activation-v2.sls.microsoft.com`, `validation-v2.sls.microsoft.com`, `licensing.mp.microsoft.com`, `licensing.md.mp.microsoft.com` |
| CRL and OCSP checks to the issuing certificate authorities | `crl.microsoft.com/pki/crl/products/MicProSecSerCA_2007-12-04.crl`, `crl.microsoft.com/pki/crl/*`, `*microsoft.com/pkiops/*`, `ocsp.digicert.com/*` |
| Windows Update and Delivery Optimization endpoints | `ctldl.windowsupdate.com`, `cs9.wac.phicdn.net`, `*.windowsupdate.com`, `*.update.microsoft.com`, `*hwcdn.net`, `*.delivery.mp.microsoft.com`, `tsfe.trafficshaping.dsp.mp.microsoft.com`, `*.prod.do.dsp.mp.microsoft.com`, `*geo-prod.do.dsp.mp.microsoft.com*`, `*.dl.delivery.mp.microsoft.com`, `*.emdl.ws.microsoft.com`, `adl.windows.com` |
| Microsoft Store endpoints [includes MSfB] | `*displaycatalog.mp.microsoft.com`, `displaycatalog.md.mp.microsoft.com`, `purchase.mp.microsoft.com`, `purchase.md.mp.microsoft.com`, `storecatalogrevocation.storequality.microsoft.com`, `img-prod-cms-rt-microsoft-com.akamaized.net`, `.md.mp.microsoft.com`, `pti.store.microsoft.com`, `markets.books.microsoft.com`, `storeedgefd.dsx.mp.microsoft.com`, `livetileedge.dsx.mp.microsoft.com`, `share.microsoft.com`, `*.microsoft.com.akadns.net`, `clientconfig.passport.net`, `windowsphone.com`, `*.microsoft.com`, `*.s-microsoft.com`, `manage.devcenter.microsoft.com` |
| NTP Sync endpoint | `time.windows.com` [over UDP port 123] |
| Network Connection Status Indicator endpoint | `www.msftconnecttest.com*` |
| Diagnostics Data endpoints | `*.events.data.microsoft.com`, `*.telemetry.microsoft.com`, `watson.*.microsoft.com`, `*.vortex-win.data.microsoft.com/collect/v1`, `cs11.wpc.v0cdn.net`, `cs1137.wpc.gammacdn.net`, `settings.data.microsoft.com`, `settings-win.data.microsoft.com`, `*.blob.core.windows.net` |
| Windows Notification Services endpoint | `*.wns.windows.com` |
| Office Apps and Office Updates endpoints | `*.c-msedge.net`, `*.e-msedge.net`, `*.s-msedge.net`, `nexusrules.officeapps.live.com`, `ocos-office365-s2s.msedge.net`, `officeclient.microsoft.com`, `outlook.office365.com`, `client-office365-tas.msedge.net`, `www.office.com`, `onecollector.cloudapp.aria`, `v10.events.data.microsoft.com/onecollector/1.0/`, `self.events.data.microsoft.com`, `to-do.microsoft.com`, `g.live.com/1rewlive5skydrive/*`, `msagfx.live.com`, `oneclient.sfx.ms`, `logincdn.msauth.net`, `blobs.officehome.msocdn.com`, `officehomeblobs.blob.core.windows.net`, `outlookmobile-office365-tas.msedge.net`, `config.teams.microsoft.com` |
| Defender endpoints | `wdcp.microsoft.com`, `definitionupdates.microsoft.com`, `*.smartscreen.microsoft.com`, `*.smartscreen-prod.microsoft.com`, `checkappexec.microsoft.com` |
| Microsoft Account Access endpoints | `*.login.microsoftonline.com`, `*.login.microsoft.com`, `login.windows.net`, `account.live.com`, `signup.live.com`, `login.msa.akadns6.net`, `us.configsvc1.live.com.akadns.net` |
| Cortana required endpoints | `www.bing.com*`, `l-ring.msedge.net`, `s-ring.msedge.net` |
| MS Edge endpoints | `iecvlist.microsoft.com`, `msedge.api.cdp.microsoft.com` |
| Azure related endpoints | `wd-prod-fe.cloudapp.azure.com`, `accountalt.azureedge.net`, `secure.aadcdn.microsoftonline-p.com`, `ris-prod-atm.trafficmanager.net`, `validation-v2.sls.trafficmanager.net` |
| Intune related endpoints | `portal.manage.microsoft.com`, `r.manage.microsoft.com`, `m.manage.microsoft.com`, `*.manage.microsoft.com`, `*.officeconfig.msocdn.com`, `config.office.com`, `graph.windows.net`, `enterpriseregistration.windows.net`, `fef.msuc03.manage.microsoft.com`, `wip.mam.manage.microsoft.com` [requires port 444], `mam.manage.microsoft.com` |
Further, for the Intune Management Extension (PowerShell and Win32 app deployments) to work, you need to whitelist the endpoints for your tenant's ASU (Azure Scale Unit). For that, refer to this link.
You may also need to have the O365 URLs whitelisted for the O365 services to function in the environment.
If you use Configuration Manager and plan to do tenant attach with Intune, or to continue with SCCM for Windows co-management, refer to the network requirements for MEM Configuration Manager (SCCM).
The endpoints used by Windows 10 to access the different required services may change from one version to another. As such, always check the MS doc for the endpoint information specific to the Windows 10 version(s) you are going to have in your environment.
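The quickest way to prove whether the proxy/firewall is the problem is to test the endpoints from a device on the corporate network before running an Autopilot deployment. The following PowerShell script is an added example, not part of the original post and not a Microsoft tool. It takes a subset of the hostnames from the table above, resolves each one, tests the TCP ports the table lists (80/443 by default, 444 for `wip.mam.manage.microsoft.com`, UDP 123 for `time.windows.com` via `w32tm`), and additionally sends an HTTP HEAD request through the proxy, because a direct TCP test from a proxy-only network fails even when the proxy allows the traffic. It assumes Windows PowerShell 5.1 on a Windows 10 device; the proxy address is a placeholder to replace (or leave empty to use the system proxy settings), and wildcard entries from the table are left out because a wildcard cannot be tested directly.

```powershell
# Added example (not from the original post or any Microsoft tool).
# Assumes Windows PowerShell 5.1 on a Windows 10 device on the corporate network.
# Set $Proxy to your proxy URL (the value below is a placeholder) or to '' for the system proxy.
$Proxy = ''   # e.g. 'http://proxy.corp.example:8080' (placeholder, not a real proxy)

# Subset of endpoints from the table. Ports follow the table: 80/443 unless stated otherwise.
$endpoints = @(
    @{ Host = 'go.microsoft.com' }
    @{ Host = 'login.live.com' }
    @{ Host = 'dmd.metaservices.microsoft.com';  Note = 'device metadata' }
    @{ Host = 'ztd.dds.microsoft.com';           Note = 'Autopilot' }
    @{ Host = 'cs.dds.microsoft.com';            Note = 'Autopilot' }
    @{ Host = 'ekop.intel.com';                  Note = 'TPM attestation, Intel firmware' }
    @{ Host = 'ekcert.spserv.microsoft.com';     Note = 'TPM attestation, Qualcomm firmware' }
    @{ Host = 'ftpm.amd.com';                    Note = 'TPM attestation, AMD firmware' }
    @{ Host = 'activation.sls.microsoft.com';    Note = 'activation' }
    @{ Host = 'crl.microsoft.com';               Note = 'CRL' }
    @{ Host = 'ocsp.digicert.com';               Note = 'OCSP' }
    @{ Host = 'www.msftconnecttest.com';         Note = 'NCSI' }
    @{ Host = 'enterpriseregistration.windows.net' }
    @{ Host = 'portal.manage.microsoft.com';     Note = 'Intune' }
    @{ Host = 'wip.mam.manage.microsoft.com';    Ports = 80, 443, 444; Note = 'requires port 444' }
)

function Test-ViaProxy {
    # HTTP HEAD through the proxy. Any HTTP status (even 403/404) proves the endpoint was
    # reached; no response at all means the proxy/firewall (or DNS) blocked the request.
    param([string]$Uri, [string]$ProxyUri)
    $params = @{ Uri = $Uri; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 10 }
    if ($ProxyUri) { $params.Proxy = $ProxyUri; $params.ProxyUseDefaultCredentials = $true }
    try {
        $null = Invoke-WebRequest @params
        return 'OK'
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return "OK (HTTP $([int]$_.Exception.Response.StatusCode))" }
        return "BLOCKED: $($_.Exception.Status)"
    } catch {
        return "BLOCKED: $($_.Exception.Message)"
    }
}

$results = foreach ($e in $endpoints) {
    $ports = if ($e.ContainsKey('Ports')) { $e.Ports } else { 80, 443 }
    # DNS must resolve too: some proxy-only networks do not resolve internet names locally.
    $dnsOk = $null -ne (Resolve-DnsName -Name $e.Host -Type A -ErrorAction SilentlyContinue)
    foreach ($p in $ports) {
        # Direct TCP connect (no proxy): shows whether the firewall allows direct egress.
        $tcpOk = Test-NetConnection -ComputerName $e.Host -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        # The proxy check only makes sense for 80/443; port 444 relies on the direct test.
        $viaProxy = 'n/a'
        if ($p -eq 80 -or $p -eq 443) {
            $scheme = if ($p -eq 443) { 'https' } else { 'http' }
            $viaProxy = Test-ViaProxy -Uri "${scheme}://$($e.Host)/" -ProxyUri $Proxy
        }
        [pscustomobject]@{ Endpoint = $e.Host; Port = $p; DnsOk = $dnsOk; TcpDirect = $tcpOk; ViaProxy = $viaProxy; Note = $e.Note }
    }
}

# NTP uses UDP 123, which Test-NetConnection cannot probe; w32tm takes one time sample instead.
$ntpDns = $null -ne (Resolve-DnsName -Name 'time.windows.com' -Type A -ErrorAction SilentlyContinue)
$ntp = w32tm /stripchart /computer:time.windows.com /samples:1 /dataonly 2>&1
$results += [pscustomobject]@{ Endpoint = 'time.windows.com'; Port = 'UDP 123'; DnsOk = $ntpDns
    TcpDirect = (($ntp -join ' ') -notmatch 'error'); ViaProxy = 'n/a'; Note = 'NTP' }

$results | Format-Table -AutoSize
"`nEndpoints that need attention (no DNS, or neither direct nor proxied access works):"
$results | Where-Object { -not $_.DnsOk -or (-not $_.TcpDirect -and $_.ViaProxy -notlike 'OK*') } | Format-Table -AutoSize
```

Read the two columns together: `TcpDirect` false with `ViaProxy` OK is normal on a proxy-only network, while `ViaProxy` reporting BLOCKED for an endpoint in the table is the proxy rule you need to fix before the Autopilot deployment will succeed. To cover more of the table, add rows to `$endpoints`; the TPM attestation rows only matter for the firmware vendor of the devices you deploy.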
Wrap Up
That was all for today.
Edit: You can download and run the Test-DeviceRegConnectivity script from this GitHub repo. Check this MS article for more information on the script.