Internet access requirements

Some Configuration Manager features rely on internet connectivity for full functionality. If your organization restricts network communication with the internet using a firewall or proxy device, make sure to allow these endpoints.

Service connection point

These configurations apply to the computer that hosts the service connection point and any firewalls between that computer and the internet. They both must allow communications through outgoing port TCP 443 for HTTPS and outgoing port TCP 80 for HTTP to the below internet locations.

The service connection point supports using a web proxy (with or without authentication) to use these locations. For more information, see Proxy server support.

For more information on the service connection point, see About the service connection point.

Other Configuration Manager features may require additional endpoints from the service connection point. For more information, see the other sections in this article.

Tip

The service connection point uses the Microsoft Intune service when it connects to go.microsoft.com or manage.microsoft.com. There's a known issue in which the Intune connector experiences connectivity issues if the Baltimore CyberTrust Root Certificate isn't installed, is expired, or is corrupted on the service connection point. For more information, see KB 3187516: Service connection point doesn't download updates.

Starting in version 2002, if the Configuration Manager site fails to connect to required endpoints for a cloud service, it raises a critical status message ID 11488. When it can't connect to the service, the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed status in the Component Status node of the Configuration Manager console.

Updates and servicing

For more information on this function, see Updates and servicing for Configuration Manager.

Tip

Enable these endpoints for the management insight rule, Connect the site to the Microsoft cloud for Configuration Manager updates.

  • *.akamaiedge.net

  • *.akamaitechnologies.com

  • *.manage.microsoft.com

  • go.microsoft.com

  • *.blob.core.windows.net

  • download.microsoft.com

  • download.windowsupdate.com

  • sccmconnected-a01.cloudapp.net

  • configmgrbits.azureedge.net

Windows 10 servicing

For more information on this function, see Manage Windows as a service.

  • download.microsoft.com

  • https://go.microsoft.com/fwlink/?LinkID=619849

  • dl.delivery.mp.microsoft.com

Azure services

For more information on this function, see Configure Azure services for use with Configuration Manager.

  • management.azure.com

Co-management

If you enroll Windows 10 devices to Microsoft Intune for co-management, make sure those devices can access the endpoints required by Intune. For more information, see Network endpoints for Microsoft Intune.

Microsoft Store for Business

If you integrate Configuration Manager with the Microsoft Store for Business, make sure the service connection point and targeted devices can access the cloud service. For more information, see Microsoft Store for Business proxy configuration.

Cloud services

This section covers the following features:

  • Cloud management gateway (CMG)
  • Cloud distribution point (CDP)
  • Azure Active Directory (Azure AD) integration
  • Azure AD-based discovery

For CMG/CDP service deployment, the service connection point needs access to:

  • Specific Azure endpoints are different per environment depending upon the configuration. Configuration Manager stores these endpoints in the site database. Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.

The CMG connection point needs access to the following service endpoints:

  • Service Management endpoint: https://management.core.windows.net/

  • Storage endpoint: <name>.blob.core.windows.net and <name>.table.core.windows.net

    Where <name> is the cloud service name of your CMG or CDP. For example, if your CMG is GraniteFalls.CloudApp.Net, then the first storage endpoint to allow is GraniteFalls.blob.core.windows.net.

For Azure AD token retrieval by the Configuration Manager console and client:

  • ActiveDirectoryEndpoint https://login.microsoftonline.com/

For Azure AD user discovery, the service connection point needs access to:

  • Version 1810 and earlier: Azure AD Graph endpoint https://graph.windows.net/

  • Version 1902 and later: Microsoft Graph endpoint https://graph.microsoft.com/

The cloud management point (CMG) connection point site system supports using a web proxy. For more information on configuring this role for a proxy, see Proxy server support. The CMG connection point only needs to connect to the CMG service endpoints. It doesn't need access to other Azure endpoints.

For more information on the CMG, see Plan for CMG.

Software updates

Allow the active software update point to access the following endpoints so that WSUS and Automatic Updates can communicate with the Microsoft Update cloud service:

  • http://windowsupdate.microsoft.com

  • http://*.windowsupdate.microsoft.com

  • https://*.windowsupdate.microsoft.com

  • http://*.update.microsoft.com

  • https://*.update.microsoft.com

  • http://*.windowsupdate.com

  • http://download.windowsupdate.com

  • http://download.microsoft.com

  • http://*.download.windowsupdate.com

  • http://test.stats.update.microsoft.com

  • http://ntservicepack.microsoft.com

For more information on software updates, see Plan for software updates.

Intranet firewall

You might need to add endpoints to a firewall that's between two site systems in the following cases:

  • If child sites have a software update point
  • If there's a remote active internet-based software update point at a site

Software update point on the child site

  • http://<FQDN for software update point on child site>

  • https://<FQDN for software update point on child site>

  • http://<FQDN for software update point on parent site>

  • https://<FQDN for software update point on parent site>

Manage Office 365

Note

Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration Manager console and supporting documentation while the console is being updated.

If you use Configuration Manager to deploy and update Microsoft 365 Apps for enterprise, allow the following endpoints:

  • officecdn.microsoft.com to synchronize the software update point for Microsoft 365 Apps for enterprise client updates

  • config.office.com to create custom configurations for Microsoft 365 Apps for enterprise deployments

Configuration Manager console

Computers with the Configuration Manager console require access to the following internet endpoints for specific features:

In-console feedback

  • http://petrol.office.microsoft.com

For more information on this feature, see Product feedback.

Community workspace, Documentation node

  • https://aka.ms

  • https://raw.githubusercontent.com

For more information on this console node, see Using the Configuration Manager console.

Monitoring workspace, Site Hierarchy node

If you use the Geographical View, allow access to the following endpoint:

  • http://maps.bing.com

Desktop Analytics

For more information on the required endpoints for the Desktop Analytics cloud service, see Enable data sharing.

Microsoft public IP addresses

For more information on the Microsoft IP address ranges, see Microsoft Public IP Space. These addresses update regularly. There's no granularity by service, any IP address in these ranges could be used.

See also