Network configuration for Microsoft Managed Desktop

Proxy configuration

Microsoft Managed Desktop is a cloud-managed service. There is a set of endpoints that the Microsoft Managed Desktop services need to be able to reach. This section lists the endpoints that need to be allowed for the various aspects of the Microsoft Managed Desktop service.

Customers can optimize their network by sending all trusted Microsoft 365 network requests directly through their firewall or proxy, bypassing authentication and all additional packet-level inspection or processing. This reduces latency and your perimeter capacity requirements.

Also, to optimize performance to Microsoft Managed Desktop cloud-based services, these endpoints need special handling by customer client browsers and the devices in their edge network. These devices include firewalls, SSL Break and Inspect, packet inspection devices, and data loss prevention systems.

Proxy requirement

The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable protocol detection.

Endpoints allowed - specific for Microsoft Managed Desktop

Microsoft Managed Desktop uses the Azure Portal to host its web console. The URLs in the table below need to be on the allowed list of your proxy and firewall so that Microsoft Managed Desktop devices can communicate with Microsoft services.

Note that the Microsoft Managed Desktop URL below is used for anything our service runs on the customer API. You must ensure this URL is always accessible on your corporate network.

| Microsoft service | URLs required on allow list |
|---|---|
| Microsoft Managed Desktop | prod-mwaas-services-customerapi.azurewebsites.net |
| Get Help | *.support.services.microsoft.com |
| | inprod.support.services.microsoft.com |
| | supportchannels.services.microsoft.com |
| | graph.windows.net |
| | login.windows.net |
| | prod-mwaas-services-customerapi.azurewebsites.net |
| Quick Assist | remoteassistance.support.services.microsoft.com |
| | relay.support.services.microsoft.com |
| | channelwebsdks.azureedge.net |
| | web.vortex.data.microsoft.com |
| | gateway.channelservices.microsoft.com |
| | *.lync.com |
| Microsoft Support and Recovery Assistant for Office 365 | *.apibasic.diagnostics.office.com |
| | *.api.diagnostics.office.com |
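
An added example, not part of the original page or of any Microsoft tooling: a Python audit that compares a proxy or firewall allow list against the endpoints in the table above and reports, per service, which required entries no rule covers. The sample allow list is constructed, and the wildcard semantics (a `*.x` rule matches names under x but not x itself) are an assumption to confirm against your own proxy.

```python
# Required endpoints, copied from the table on this page.
REQUIRED = {
    "Microsoft Managed Desktop": [
        "prod-mwaas-services-customerapi.azurewebsites.net"],
    "Get Help": [
        "*.support.services.microsoft.com",
        "inprod.support.services.microsoft.com",
        "supportchannels.services.microsoft.com",
        "graph.windows.net", "login.windows.net",
        "prod-mwaas-services-customerapi.azurewebsites.net"],
    "Quick Assist": [
        "remoteassistance.support.services.microsoft.com",
        "relay.support.services.microsoft.com",
        "channelwebsdks.azureedge.net", "web.vortex.data.microsoft.com",
        "gateway.channelservices.microsoft.com", "*.lync.com"],
    "Microsoft Support and Recovery Assistant for Office 365": [
        "*.apibasic.diagnostics.office.com", "*.api.diagnostics.office.com"],
}

# Constructed sample allow list (not from the page), with deliberate gaps.
SAMPLE_ALLOW = [
    "prod-mwaas-services-customerapi.azurewebsites.net",
    "*.support.services.microsoft.com", "*.windows.net",
    "lync.com",  # exact rule: does not satisfy the required *.lync.com
    "*.diagnostics.office.com", "channelwebsdks.azureedge.net",
]

def covers(rule, required):
    """True if one allow rule permits every host the required entry names."""
    rule, required = rule.lower().rstrip("."), required.lower().rstrip(".")
    if rule == required:
        return True
    if not rule.startswith("*."):
        return False          # an exact rule never covers a wildcard or another host
    suffix = rule[1:]         # "*.lync.com" -> ".lync.com"
    name = required[1:] if required.startswith("*.") else required
    return name.endswith(suffix) and name != suffix

def audit(allow_rules, required=REQUIRED):
    """Return {service: [required entries that no allow rule covers]}."""
    missing = {}
    for service, hosts in required.items():
        gaps = [h for h in hosts if not any(covers(r, h) for r in allow_rules)]
        if gaps:
            missing[service] = gaps
    return missing

if __name__ == "__main__":
    for service, gaps in audit(SAMPLE_ALLOW).items():
        print(f"{service}: missing {', '.join(gaps)}")
```
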

Endpoints allowed - other Microsoft products

There are URLs from several Microsoft products that need to be in the allowed list so that Microsoft Managed Desktop devices can communicate with those Microsoft Services. Use the links to see the complete list for each product.

| Microsoft service | Documentation source - URLs required on allow list |
|---|---|
| Windows 10 Enterprise including Windows Update for Business | Manage connection endpoints for Windows 10, version 1803 |
| | Manage connection endpoints for Windows 10, version 1809 |
| | Manage connection endpoints for Windows 10, version 1903 |
| | time.windows.com |
| Delivery Optimization | Configure Delivery Optimization for Windows 10 updates |
| Office 365 | Office 365 URL and IP address ranges |
| Azure Active Directory | Hybrid identity required ports and protocols and Active Directory and Active Directory Domain Services Port Requirements |
| Microsoft Intune | Intune network configuration requirements |
| Microsoft Defender Advanced Threat Protection (ATP) | Microsoft Defender ATP endpoints |