Internet access requirements
Some Configuration Manager features rely on internet connectivity for full functionality. If your organization restricts network communication with the internet using a firewall or proxy device, make sure to allow these endpoints.
Service connection point
These configurations apply to the computer that hosts the service connection point and any firewalls between that computer and the internet. They both must allow communications through outgoing port TCP 443 for HTTPS and outgoing port TCP 80 for HTTP to the below internet locations.
The service connection point supports using a web proxy (with or without authentication) to use these locations. For more information, see Proxy server support.
For more information on the service connection point, see About the service connection point.
Other Configuration Manager features may require additional endpoints from the service connection point. For more information, see the other sections in this article.
The service connection point uses the Microsoft Intune service when it connects to
manage.microsoft.com. There's a known issue in which the Intune connector experiences connectivity issues if the Baltimore CyberTrust Root Certificate isn't installed, is expired, or is corrupted on the service connection point. For more information, see KB 3187516: Service connection point doesn't download updates.
Starting in version 2002, if the Configuration Manager site fails to connect to required endpoints for a cloud service, it raises a critical status message ID 11488. When it can't connect to the service, the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed status in the Component Status node of the Configuration Manager console.
For more information on this function, see Updates and servicing for Configuration Manager.
Enable these endpoints for the management insight rule, Connect the site to the Microsoft cloud for Configuration Manager updates.
Windows 10 servicing
For more information on this function, see Manage Windows as a service.
For more information on this function, see Configure Azure services for use with Configuration Manager.
If you enroll Windows 10 devices to Microsoft Intune for co-management, make sure those devices can access the endpoints required by Intune. For more information, see Network endpoints for Microsoft Intune.
Microsoft Store for Business
If you integrate Configuration Manager with the Microsoft Store for Business, make sure the service connection point and targeted devices can access the cloud service. For more information, see Microsoft Store for Business proxy configuration.
This section covers the following features:
- Cloud management gateway (CMG)
- Cloud distribution point (CDP)
- Azure Active Directory (Azure AD) integration
- Azure AD-based discovery
For CMG/CDP service deployment, the service connection point needs access to:
- Specific Azure endpoints are different per environment depending upon the configuration. Configuration Manager stores these endpoints in the site database. Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.
The CMG connection point needs access to the following service endpoints:
Service Management endpoint:
<name>is the cloud service name of your CMG or CDP. For example, if your CMG is
GraniteFalls.CloudApp.Net, then the first storage endpoint to allow is
For Azure AD token retrieval by the Configuration Manager console and client:
For Azure AD user discovery, the service connection point needs access to:
Version 1810 and earlier: Azure AD Graph endpoint
Version 1902 and later: Microsoft Graph endpoint
The cloud management point (CMG) connection point site system supports using a web proxy. For more information on configuring this role for a proxy, see Proxy server support. The CMG connection point only needs to connect to the CMG service endpoints. It doesn't need access to other Azure endpoints.
For more information on the CMG, see Plan for CMG.
Allow the active software update point to access the following endpoints so that WSUS and Automatic Updates can communicate with the Microsoft Update cloud service:
For more information on software updates, see Plan for software updates.
You might need to add endpoints to a firewall that's between two site systems in the following cases:
- If child sites have a software update point
- If there's a remote active internet-based software update point at a site
Software update point on the child site
http://<FQDN for software update point on child site>
https://<FQDN for software update point on child site>
http://<FQDN for software update point on parent site>
https://<FQDN for software update point on parent site>
Manage Office 365
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration Manager console and supporting documentation while the console is being updated.
If you use Configuration Manager to deploy and update Microsoft 365 Apps for enterprise, allow the following endpoints:
officecdn.microsoft.comto synchronize the software update point for Microsoft 365 Apps for enterprise client updates
config.office.comto create custom configurations for Microsoft 365 Apps for enterprise deployments
Configuration Manager console
Computers with the Configuration Manager console require access to the following internet endpoints for specific features:
For more information on this feature, see Product feedback.
Community workspace, Documentation node
For more information on this console node, see Using the Configuration Manager console.
Monitoring workspace, Site Hierarchy node
If you use the Geographical View, allow access to the following endpoint:
For more information on the required endpoints for the Desktop Analytics cloud service, see Enable data sharing.
Microsoft public IP addresses
For more information on the Microsoft IP address ranges, see Microsoft Public IP Space. These addresses update regularly. There's no granularity by service, any IP address in these ranges could be used.