Internet access requirements

Some Configuration Manager features rely on internet connectivity for full functionality. If your organization restricts network communication with the internet using a firewall or proxy device, make sure to allow these endpoints.

Configuration Manager uses the following Microsoft URL forwarding services throughout the product:

  • https://aka.ms
  • https://go.microsoft.com

Even if they're not explicitly listed in the sections below, you should always allow these endpoints.

Service connection point

For more information, see About the service connection point.

These configurations apply to the server that hosts the service connection point and any firewalls between that server and the internet. Allow communication through outgoing HTTPS port TCP 443 to the internet locations.

The service connection point supports using a web proxy with or without authentication to use these locations. For more information, see Proxy server support.

Starting in version 2002, if the Configuration Manager site fails to connect to required endpoints for a cloud service, it raises a critical status message ID 11488. When it can't connect to the service, the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed status in the Component Status node of the Configuration Manager console.

Starting in version 2010, the service connection point validates important internet endpoints for Desktop Analytics and tenant attach. These checks help make sure that the cloud-connected services are available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more information, see Validate internet access.

The specific URLs required by the service connection point vary by Configuration Manager feature:

Tip

The service connection point uses the Microsoft Intune service when it connects to go.microsoft.com or manage.microsoft.com. There's a known issue in which the Intune connector experiences connectivity issues if the Baltimore CyberTrust Root Certificate isn't installed, is expired, or is corrupted on the service connection point. For more information, see Service connection point doesn't download updates.

Updates and servicing

For more information, see Updates and servicing.

Tip

Enable these endpoints for the management insight rule, Connect the site to the Microsoft cloud for Configuration Manager updates.

  • *.akamaiedge.net

  • *.akamaitechnologies.com

  • *.manage.microsoft.com

  • go.microsoft.com

  • download.microsoft.com

  • download.windowsupdate.com

  • sccmconnected-a01.cloudapp.net

  • configmgrbits.azureedge.net

  • ceuswatcab01.blob.core.windows.net

  • ceuswatcab02.blob.core.windows.net

  • eaus2watcab01.blob.core.windows.net

  • eaus2watcab02.blob.core.windows.net

  • weus2watcab01.blob.core.windows.net

  • weus2watcab02.blob.core.windows.net

  • umwatsonc.events.data.microsoft.com

  • *-umwatsonc.events.data.microsoft.com

  • cmupdatepackppe.blob.core.windows.net (technical preview branch version 2104 and earlier)

Windows 10 servicing

For more information, see Manage Windows as a service.

  • download.microsoft.com

  • https://go.microsoft.com/fwlink/?LinkID=619849

  • dl.delivery.mp.microsoft.com

Azure services

For more information, see Configure Azure services for use with Configuration Manager.

  • management.azure.com (Azure public cloud)
  • management.usgovcloudapi.net (Azure US Government cloud)

Co-management

If you enroll Windows 10 devices to Microsoft Intune for co-management, make sure those devices can access the endpoints required by Intune. For more information, see Network endpoints for Microsoft Intune.

Microsoft Store for Business

If you integrate Configuration Manager with the Microsoft Store for Business, make sure the service connection point and targeted devices can access the cloud service. For more information, see Microsoft Store for Business proxy configuration.

Delivery optimization

If you use delivery optimization, clients need to communicate with its cloud service: *.do.dsp.mp.microsoft.com

Distribution points that support Microsoft Connected Cache also require these endpoints.

For more information, see the following articles:

Cloud services

For more information on the cloud management gateway (CMG), see Plan for CMG.

This section covers the following features:

  • Cloud management gateway (CMG)
  • Cloud distribution point (CDP)
  • Azure Active Directory (Azure AD) integration
  • Azure AD-based discovery

The following sections list the endpoints by role. Some endpoints refer to a service by <name>, which is the cloud service name of the CMG or CDP. For example, if your CMG is GraniteFalls.CloudApp.Net, then the actual storage endpoint is GraniteFalls.blob.core.windows.net.

Tip

To clarify some terminology:

  • CMG service name: The common name (CN) of the CMG server authentication certificate. Clients and the CMG connection point site system role communicate with this service name. For example, GraniteFalls.contoso.com or GraniteFalls.cloudapp.net.

  • CMG deployment name: The first part of the service name plus the Azure location for the cloud service deployment. For example, GraniteFalls.cloudapp.net. The cloud service manager component of the service connection point uses this name when it deploys the CMG in Azure. The deployment name is always in an Azure domain.

Starting in version 2010, if you'll deploy the CMG to a virtual machine scale set, the deployment name is different. With a virtual machine scale set, the service name uses the cloudapp.azure.com domain along with the region. For example, GraniteFalls.EastUS.CloudApp.Azure.Com for a deployment in the East US Azure region. Note that difference as you read this article and configure internet access for a virtual machine scale set deployment.

Service connection point for cloud services

For Configuration Manager to deploy the CMG or CDP services in Azure, the service connection point needs access to:

  • Specific Azure endpoints, which are different per environment depending upon the configuration. Configuration Manager stores these endpoints in the site database. Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.

  • Azure services:

    • management.azure.com (Azure public cloud)
    • management.usgovcloudapi.net (Azure US Government cloud)
  • For Azure AD user discovery: Microsoft Graph endpoint https://graph.microsoft.com/

CMG connection point

The CMG connection point needs access to the following service endpoints:

  • Service name (for CMG or CDP):

    • <name>.cloudapp.net (Azure public cloud)
    • <name>.usgovcloudapp.net (Azure US Government cloud)
  • Storage endpoint (for content-enabled CMG or CDP):

    • <name>.blob.core.windows.net (Azure public cloud)
    • <name>.blob.core.usgovcloudapi.net (Azure US Government cloud)
    • <name>.table.core.windows.net (Azure public cloud)
    • <name>.table.core.usgovcloudapi.net (Azure US Government cloud)

The CMG connection point site system supports using a web proxy. For more information on configuring this role for a proxy, see Proxy server support.

The CMG connection point only needs to connect to the CMG service endpoints. It doesn't need access to other Azure endpoints.

Configuration Manager client

  • Deployment name (for CMG or CDP):

    • <name>.cloudapp.net (Azure public cloud)
    • <name>.usgovcloudapp.net (Azure US Government cloud)
  • Storage endpoint (for content-enabled CMG or CDP):

    • <name>.blob.core.windows.net (Azure public cloud)
    • <name>.blob.core.usgovcloudapi.net (Azure US Government cloud)
  • For Azure AD token retrieval, the Azure AD endpoint:

    • login.microsoftonline.com (Azure public cloud)
    • login.microsoftonline.us (Azure US Government cloud)

Configuration Manager console for cloud services

  • For Azure AD token retrieval, the Azure AD endpoint:

    • Azure public cloud

      • login.microsoftonline.com
      • aadcdn.msauth.net
      • aadcdn.msftauth.net
    • Azure US Government cloud

      • login.microsoftonline.us

Software updates

Allow the active software update point to access the following endpoints so that WSUS and Automatic Updates can communicate with the Microsoft Update cloud service:

  • http://windowsupdate.microsoft.com

  • http://*.windowsupdate.microsoft.com

  • https://*.windowsupdate.microsoft.com

  • http://*.update.microsoft.com

  • https://*.update.microsoft.com

  • http://*.windowsupdate.com

  • http://download.windowsupdate.com

  • http://download.microsoft.com

  • http://*.download.windowsupdate.com

  • http://ntservicepack.microsoft.com

For more information on software updates, see Plan for software updates.

Intranet firewall

You might need to add endpoints to a firewall that's between two site systems in the following cases:

  • If child sites have a software update point
  • If there's a remote active internet-based software update point at a site

Software update point on the child site

  • http://<FQDN for software update point on child site>

  • https://<FQDN for software update point on child site>

  • http://<FQDN for software update point on parent site>

  • https://<FQDN for software update point on parent site>

Manage Microsoft 365 Apps

Note

Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration Manager console and supporting documentation while the console is being updated.

If you use Configuration Manager to deploy and update Microsoft 365 Apps for enterprise, allow the following endpoints:

  • officecdn.microsoft.com to synchronize the software update point for Microsoft 365 Apps for enterprise client updates

  • config.office.com to create custom configurations for Microsoft 365 Apps for enterprise deployments

  • contentstorage.osi.office.net to support the evaluation of Office add-in readiness

Your top-level site server needs access to the following endpoint to download the Microsoft Apps 365 readiness file:

  • Starting March 2, 2021: https://omex.cdn.office.net/mirrored/sccmreadiness/SOT_SCCM_AddinReadiness.CAB
    • Location prior to March 2, 2021: https://contentstorage.osi.office.net/sccmreadinessppe/sot_sccm_addinreadiness.cab

Note

The location of this file is changing March 2, 2021 . For more information, see Download location change for Microsoft 365 Apps readiness file.

Configuration Manager console

Computers with the Configuration Manager console require access to the following internet endpoints for specific features:

Note

For push notifications from Microsoft to show in the console, the service connection point needs access to configmgrbits.azureedge.net. It also needs access to this endpoint for updates and servicing, so you may have already allowed it.

In-console feedback

On the computer where you run the console, allow it to access the following internet endpoints to send diagnostic data to Microsoft:

  • petrol.office.microsoft.com

  • ceuswatcab01.blob.core.windows.net

  • ceuswatcab02.blob.core.windows.net

  • eaus2watcab01.blob.core.windows.net

  • eaus2watcab02.blob.core.windows.net

  • weus2watcab01.blob.core.windows.net

  • weus2watcab02.blob.core.windows.net

  • umwatsonc.events.data.microsoft.com

  • *-umwatsonc.events.data.microsoft.com

For more information on this feature, see Product feedback.

Community workspace

Documentation node

For more information on this console node, see Using the Configuration Manager console.

  • https://aka.ms

  • https://raw.githubusercontent.com

Community hub

For more information on this feature, see Community hub.

  • https://github.com

  • https://communityhub.microsoft.com

Desktop Analytics

For more information, see Enable data sharing.

Server connectivity endpoints

The service connection point needs to communicate with the following endpoints:

Endpoint Function
https://aka.ms Used to locate the service
https://graph.windows.net Used to automatically retrieve settings like CommercialId when attaching your hierarchy to Desktop Analytics (on Configuration Manager Server role). For more information, see Configure the proxy for a site system server.
https://*.manage.microsoft.com Used to synch device collection memberships, deployment plans, and device readiness status with Desktop Analytics (on Configuration Manager Server role only). For more information, see Configure the proxy for a site system server.
https://dc.services.visualstudio.com For diagnostic data from on-premises service connector to gain insights about the health of cloud-connected services.

User experience and diagnostic component endpoints

Client devices need to communicate with the following endpoints:

Endpoint Function
https://v10c.events.data.microsoft.com Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1809 or later, or version 1803 with the 2018-09 cumulative update or later installed.
https://v10.events.data.microsoft.com Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1803 without the 2018-09 cumulative update installed.
https://v10.vortex-win.data.microsoft.com Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1709 or earlier.
https://vortex-win.data.microsoft.com Connected user experience and diagnostic component endpoint. Used by devices running Windows 7 and Windows 8.1

Client connectivity endpoints

Client devices need to communicate with the following endpoints:

Index Endpoint Function
1 https://settings-win.data.microsoft.com Enables the compatibility update to send data to Microsoft.
2 http://adl.windows.com Allows the compatibility update to receive the latest compatibility data from Microsoft.
3 https://watson.telemetry.microsoft.com Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1803 or earlier.
4 https://umwatsonc.events.data.microsoft.com Windows Error Reporting (WER). Required for device health reports in Windows 10, version 1809 or later.
5 https://ceuswatcab01.blob.core.windows.net Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
6 https://ceuswatcab02.blob.core.windows.net Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
7 https://eaus2watcab01.blob.core.windows.net Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
8 https://eaus2watcab02.blob.core.windows.net Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
9 https://weus2watcab01.blob.core.windows.net Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
10 https://weus2watcab02.blob.core.windows.net Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
11 https://kmwatsonc.events.data.microsoft.com Online Crash Analysis (OCA). Required for device health reports in Windows 10, version 1809 or later.
12 https://oca.telemetry.microsoft.com Online Crash Analysis (OCA). Required to monitor deployment health in Windows 10, version 1803 or earlier.
13 https://login.live.com Required to provide a more reliable device identity for Desktop Analytics.

To disable end-user Microsoft account access, use policy settings instead of blocking this endpoint. For more information, see The Microsoft account in the enterprise.
14 https://v20.events.data.microsoft.com Connected user experience and diagnostic component endpoint.

Tenant attach

For more information, see Enable tenant attach.

  • https://aka.ms/configmgrgateway

  • https://*.manage.microsoft.com

  • https://dc.services.visualstudio.com

The service connection point makes a long standing outgoing connection to the notification service hosted on https://*.manage.microsoft.com. Verify the proxy used for the service connection point doesn't time out outgoing connections too quickly. We recommend 3 minutes for outgoing connections to this internet endpoint.

If your environment has proxy rules to allow only specific certificate revocation lists (CRLs) or online certificate status protocol (OCSP) verification locations, also allow the following CRL and OCSP URLs:

  • http://crl3.digicert.com
  • http://crl4.digicert.com
  • http://ocsp.digicert.com
  • http://www.d-trust.net
  • http://root-c3-ca2-2009.ocsp.d-trust.net
  • http://crl.microsoft.com
  • http://oneocsp.microsoft.com
  • http://ocsp.msocsp.com
  • http://www.microsoft.com/pkiops

Endpoint analytics

For more information, see Endpoint analytics proxy configuration.

Endpoints required for Configuration Manager-managed devices

Configuration Manager-managed devices send data to Intune via the connector on the Configuration Manager role and they don't need directly access to the Microsoft public cloud.

Endpoint Function
https://graph.windows.net Used to automatically retrieve settings when attaching your hierarchy to Endpoint analytics on Configuration Manager server role. For more information, see Configure the proxy for a site system server.
https://*.manage.microsoft.com Used to synch device collection and devices with Endpoint analytics on Configuration Manager server role only. For more information, see Configure the proxy for a site system server.

Endpoints required for Intune-managed devices

To enroll devices to Endpoint analytics, they need to send required functional data to Microsoft public cloud. Endpoint Analytics uses the Windows 10 and Windows Server Connected User Experiences and Telemetry component (DiagTrack) to collect the data from Intune-managed devices. Make sure that the Connected User Experiences and Telemetry service on the device is running.

Endpoint Function
https://*.events.data.microsoft.com Used by Intune-managed devices to send required functional data to the Intune data collection endpoint.

Asset intelligence

If you use asset intelligence, allow the following endpoints for the service to synchronize:

  • https://sc.microsoft.com
  • https://ssu2.manage.microsoft.com

Deploy Microsoft Edge

The device running the Configuration Manager console needs access to the following endpoints for deploying Microsoft Edge:

Location Use
https://aka.ms/cmedgeapi Information about releases of Microsoft Edge
https://edgeupdates.microsoft.com/api/products?view=enterprise Information about releases of Microsoft Edge
http://dl.delivery.mp.microsoft.com Content for Microsoft Edge releases

Microsoft public IP addresses

For more information on the Microsoft IP address ranges, see Microsoft Public IP Space. These addresses update regularly. There's no granularity by service, any IP address in these ranges could be used.

Next steps