Internet access requirements
Some Configuration Manager features rely on internet connectivity for full functionality. If your organization restricts network communication with the internet using a firewall or proxy device, make sure to allow these endpoints.
Configuration Manager uses the following Microsoft URL forwarding services throughout the product:
https://aka.ms
https://go.microsoft.com
Even if they're not explicitly listed in the sections below, you should always allow these endpoints.
Service connection point
For more information, see About the service connection point.
These configurations apply to the server that hosts the service connection point and any firewalls between that server and the internet. Allow communication through outgoing HTTPS port TCP 443 to the internet locations.
The service connection point supports using a web proxy with or without authentication to use these locations. For more information, see Proxy server support.
If the Configuration Manager site fails to connect to required endpoints for a cloud service, it raises a critical status message ID 11488. When it can't connect to the service, the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed status in the Component Status node of the Configuration Manager console.
Starting in version 2010, the service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud-connected services are available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more information, see Validate internet access.
The specific URLs required by the service connection point vary by Configuration Manager feature:
- Updates and servicing
- Windows servicing
- Azure services
- Microsoft Store for Business
- Cloud services
- Configuration Manager console
- Tenant attach
- External notifications
Tip
The service connection point uses the Microsoft Intune service when it connects to go.microsoft.com or manage.microsoft.com. There's a known issue in which the Intune connector experiences connectivity issues if the Baltimore CyberTrust Root Certificate isn't installed, is expired, or is corrupted on the service connection point. For more information, see Service connection point doesn't download updates.
Updates and servicing
For more information, see Updates and servicing.
Tip
Enable these endpoints for the management insight rule, Connect the site to the Microsoft cloud for Configuration Manager updates.
*.akamaiedge.net
*.akamaitechnologies.com
*.manage.microsoft.com
go.microsoft.com
download.microsoft.com
download.windowsupdate.com
download.visualstudio.microsoft.com
sccmconnected-a01.cloudapp.net
definitionupdates.microsoft.com
configmgrbits.azureedge.net
Important
This Azure endpoint only supports TLS 1.2 with specific cipher suites. Make sure your environment supports these Azure configurations. For more information, see Azure Front Door: TLS configuration FAQ.
cmbitsstore.blob.core.windows.net
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
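The connectivity check described for the service connection point, as an added example that is not part of the Configuration Manager documentation or product: it tests each endpoint in the list above over HTTPS through the site's web proxy and reports DNS and proxy results per host. It assumes Windows PowerShell 5.1 or later with the DnsClient module, and $ProxyUri is a placeholder for your own proxy.

```powershell
# Added example (not from the Configuration Manager documentation): checks that the
# service connection point can reach the "Updates and servicing" endpoints over HTTPS
# through the site's web proxy. Run it on the service connection point server.
# $ProxyUri is a placeholder; wildcard entries are reported, not tested, because a
# wildcard cannot be resolved or connected to directly.
param(
    [string]$ProxyUri   = 'http://proxy.example.local:8080',   # placeholder, use your proxy
    [int]   $TimeoutSec = 15
)

# Endpoints copied from the "Updates and servicing" list on this page
$Endpoints = @(
    '*.akamaiedge.net', '*.akamaitechnologies.com', '*.manage.microsoft.com',
    'go.microsoft.com', 'download.microsoft.com', 'download.windowsupdate.com',
    'download.visualstudio.microsoft.com', 'sccmconnected-a01.cloudapp.net',
    'definitionupdates.microsoft.com', 'configmgrbits.azureedge.net',
    'cmbitsstore.blob.core.windows.net'
)

function Test-ScpEndpoint {
    param([string]$HostName, [string]$Proxy, [int]$Timeout)

    if ($HostName.StartsWith('*.')) {
        return [pscustomobject]@{ Host = $HostName; Dns = 'n/a'; Https = 'wildcard: allow the whole domain in the proxy rule' }
    }
    # DNS is informational only: in a proxy-only network the server may not resolve
    # internet names itself, because the proxy resolves them on its behalf.
    $dns = 'unresolved'
    try { $dns = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress } catch { }

    # Any HTTP status from the origin (even 403 or 404) proves the TLS path through the
    # proxy works; a timeout or a proxy error means the endpoint is blocked.
    try {
        $resp  = Invoke-WebRequest -Uri "https://$HostName/" -Method Head -Proxy $Proxy -UseBasicParsing -TimeoutSec $Timeout -ErrorAction Stop
        $https = "OK (HTTP $($resp.StatusCode))"
    } catch {
        $code  = $_.Exception.Response.StatusCode.value__
        $https = if ($code) { "reachable (HTTP $code)" } else { "FAILED: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Host = $HostName; Dns = $dns; Https = $https }
}

$Endpoints |
    ForEach-Object { Test-ScpEndpoint -HostName $_ -Proxy $ProxyUri -Timeout $TimeoutSec } |
    Format-Table -AutoSize
```

A FAILED row for a non-wildcard host is the condition that would surface as status message ID 11488 and a critical SMS_SERVICE_CONNECTOR component, so fix the proxy or firewall rule for that host first.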
Windows servicing
For more information, see Manage Windows as a service.
download.microsoft.com
https://go.microsoft.com/fwlink/?LinkID=619849
dl.delivery.mp.microsoft.com
Azure services
For more information, see Configure Azure services for use with Configuration Manager.
management.azure.com
management.azure.com (Azure public cloud)
management.usgovcloudapi.net (Azure US Government cloud)
Co-management
If you enroll Windows devices to Microsoft Intune for co-management, make sure those devices can access the endpoints required by Intune. For more information, see Network endpoints for Microsoft Intune.
Microsoft Store for Business
If you integrate Configuration Manager with the Microsoft Store for Business, make sure the service connection point and targeted devices can access the cloud service. For more information, see Microsoft Store for Business proxy configuration.
Delivery optimization
If you use delivery optimization, clients need to communicate with its cloud service: *.do.dsp.mp.microsoft.com
Distribution points that support Microsoft Connected Cache also require these endpoints.
For more information, see the following articles:
- Delivery optimization FAQ
- Fundamental concepts for content management in Configuration Manager
- Microsoft Connected Cache with Configuration Manager
Cloud services
For more information on the cloud management gateway (CMG), see Plan for CMG.
This section covers the following features:
- Cloud management gateway (CMG)
- Microsoft Entra integration
- Microsoft Entra ID-based discovery
- Cloud distribution point (CDP)
Note
The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP instances. To provide content to internet-based devices, enable the CMG to distribute content.
The following sections list the endpoints by role. Some endpoints refer to a service by <prefix>, which is the prefix name of the CMG. For example, if your CMG is GraniteFalls.WestUS.CloudApp.Azure.Com, then the actual storage endpoint is GraniteFalls.blob.core.windows.net.
Tip
To clarify some terminology:
CMG service name: The common name (CN) of the CMG server authentication certificate. Clients and the CMG connection point site system role communicate with this service name. For example, GraniteFalls.contoso.com or GraniteFalls.WestUS.CloudApp.Azure.Com.
CMG deployment name: The first part of the service name plus the Azure location for the cloud service deployment. The cloud service manager component of the service connection point uses this name when it deploys the CMG in Azure. The deployment name is always in an Azure domain. The Azure location depends upon the deployment method, for example:
- Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
- Classic deployment: GraniteFalls.CloudApp.Net
This article uses examples with a virtual machine scale set as the recommended deployment method in version 2107 and later. If you use a classic deployment, note the difference as you read this article and configure internet access.
Service connection point for cloud services
For Configuration Manager to deploy the CMG service in Azure, the service connection point needs access to:
- Specific Azure endpoints, which are different per environment depending upon the configuration. Configuration Manager stores these endpoints in the site database. Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.
- Azure services:
  - management.azure.com (Azure public cloud)
  - management.usgovcloudapi.net (Azure US Government cloud)
- For Microsoft Entra user discovery: the Microsoft Graph endpoint https://graph.microsoft.com/
CMG connection point for cloud services
The CMG connection point needs access to the following endpoints:
Type | Azure public cloud | Azure US Government cloud |
---|---|---|
Service name | <prefix>.<region>.cloudapp.azure.com | <prefix>.usgovcloudapp.net |
Storage endpoint 1 | <prefix>.blob.core.windows.net | <prefix>.blob.core.usgovcloudapi.net |
Storage endpoint 2 | <prefix>.table.core.windows.net | <prefix>.table.core.usgovcloudapi.net |
Key vault | <prefix>.vault.azure.net | <prefix>.vault.usgovcloudapi.net |
The CMG connection point site system supports using a web proxy. For more information on configuring this role for a proxy, see Proxy server support.
The CMG connection point only needs to connect to the CMG service endpoints. It doesn't need access to other Azure endpoints.
Configuration Manager client for cloud services
Any Configuration Manager client that needs to communicate with a CMG needs access to the following endpoints:
Type | Azure public cloud | Azure US Government cloud |
---|---|---|
Deployment name | <prefix>.<region>.cloudapp.azure.com | <prefix>.usgovcloudapp.net |
Storage endpoint | <prefix>.blob.core.windows.net | <prefix>.blob.core.usgovcloudapi.net |
Microsoft Entra endpoint | login.microsoftonline.com | login.microsoftonline.us |
Configuration Manager console for cloud services
Any device with the Configuration Manager console needs access to the following endpoints:
Type | Azure public cloud | Azure US Government cloud |
---|---|---|
Microsoft Entra endpoints | login.microsoftonline.com, aadcdn.msauth.net, aadcdn.msftauth.net | login.microsoftonline.us |
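The <prefix> substitution and the three per-role tables above, turned into an allow-list generator as an added example (not code from the Configuration Manager documentation or product). It assumes you pass the CMG deployment name, which is always an Azure domain, rather than a custom CN such as GraniteFalls.contoso.com, because <prefix> is taken from the first label; the function name and parameters are this example's own.

```powershell
# Added example (not from the Configuration Manager documentation): expands <prefix>
# from the CMG deployment name into the concrete endpoints each role must be allowed
# to reach, per Azure cloud. Pass the deployment name (Azure domain), not a custom CN.
function Get-CmgAllowList {
    param(
        [Parameter(Mandatory)][string]$DeploymentName,   # e.g. GraniteFalls.WestUS.CloudApp.Azure.Com
        [ValidateSet('ConnectionPoint', 'Client', 'Console')][string]$Role = 'Client',
        [ValidateSet('Public', 'USGov')][string]$Cloud = 'Public'
    )
    $prefix = $DeploymentName.Split('.')[0].ToLower()
    $public = ($Cloud -eq 'Public')

    # Per-cloud suffixes taken from the tables in this section
    $blob  = if ($public) { "$prefix.blob.core.windows.net" }  else { "$prefix.blob.core.usgovcloudapi.net" }
    $table = if ($public) { "$prefix.table.core.windows.net" } else { "$prefix.table.core.usgovcloudapi.net" }
    $vault = if ($public) { "$prefix.vault.azure.net" }        else { "$prefix.vault.usgovcloudapi.net" }
    $login = if ($public) { 'login.microsoftonline.com' }      else { 'login.microsoftonline.us' }
    $cdn   = if ($public) { @('aadcdn.msauth.net', 'aadcdn.msftauth.net') } else { @() }

    switch ($Role) {
        # The connection point only talks to the CMG service itself, never to other Azure endpoints
        'ConnectionPoint' { @($DeploymentName.ToLower(), $blob, $table, $vault) }
        'Client'          { @($DeploymentName.ToLower(), $blob, $login) }
        'Console'         { @($login) + $cdn }
    }
}

# Usage with the page's own example deployment: one allow list per role, public cloud
foreach ($r in 'ConnectionPoint', 'Client', 'Console') {
    "${r}: " + ((Get-CmgAllowList -DeploymentName 'GraniteFalls.WestUS.CloudApp.Azure.Com' -Role $r) -join ', ')
}
```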
Software updates
Allow the active software update point to access the following endpoints so that WSUS and Automatic Updates can communicate with the Microsoft Update cloud service:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://ntservicepack.microsoft.com
For more information on software updates, see Plan for software updates.
Intranet firewall
You might need to add endpoints to a firewall that's between two site systems in the following cases:
- If child sites have a software update point
- If there's a remote active internet-based software update point at a site
Software update point on the child site
http://<FQDN for software update point on child site>
https://<FQDN for software update point on child site>
http://<FQDN for software update point on parent site>
https://<FQDN for software update point on parent site>
Manage Microsoft 365 Apps
Note
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration Manager console and supporting documentation while the console is being updated.
If you use Configuration Manager to deploy and update Microsoft 365 Apps for enterprise, allow the following endpoints:
- officecdn.microsoft.com to synchronize the software update point for Microsoft 365 Apps for enterprise client updates
- config.office.com to create custom configurations for Microsoft 365 Apps for enterprise deployments
- https://clients.config.office.net and https://go.microsoft.com/fwlink/?linkid=2190568 to support deploying updates for Microsoft 365 Apps for enterprise
- contentstorage.osi.office.net to support the evaluation of Office add-in readiness
Your top-level site server needs access to the following endpoint to download the Microsoft 365 Apps readiness file:
- Starting March 2, 2021: https://omex.cdn.office.net/mirrored/sccmreadiness/SOT_SCCM_AddinReadiness.CAB
- Location prior to March 2, 2021: https://contentstorage.osi.office.net/sccmreadinessppe/sot_sccm_addinreadiness.cab
Note
The location of this file is changing March 2, 2021. For more information, see Download location change for Microsoft 365 Apps readiness file.
Configuration Manager console
Computers with the Configuration Manager console require access to the following internet endpoints for specific features:
Note
For push notifications from Microsoft to show in the console, the service connection point needs access to configmgrbits.azureedge.net. It also needs access to this endpoint for updates and servicing, so you may have already allowed it.
In-console feedback
On the computer where you run the console, allow it to access the following internet endpoints to send diagnostic data to Microsoft:
petrol.office.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
For more information on this feature, see Product feedback.
Community workspace
Documentation node
For more information on this console node, see Using the Configuration Manager console.
https://aka.ms
https://raw.githubusercontent.com
Community hub
For more information on this feature, see Community hub.
https://github.com
https://communityhub.microsoft.com
Tenant attach
For more information, see Enable tenant attach.
https://aka.ms/configmgrgateway
https://*.manage.microsoft.com for Azure public cloud customers
https://*.manage.microsoft.us for US Government cloud customers on version 2107 or later
https://dc.services.visualstudio.com
The service connection point makes a long-standing outgoing connection to the notification service hosted on https://*.manage.microsoft.com. Verify that the proxy used for the service connection point doesn't time out outgoing connections too quickly. We recommend 3 minutes for outgoing connections to this internet endpoint.
If your environment has proxy rules to allow only specific certificate revocation lists (CRLs) or online certificate status protocol (OCSP) verification locations, also allow the following CRL and OCSP URLs:
http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com
http://www.d-trust.net
http://root-c3-ca2-2009.ocsp.d-trust.net
http://crl.microsoft.com
http://oneocsp.microsoft.com
http://ocsp.msocsp.com
http://www.microsoft.com/pkiops
Endpoint analytics
For more information, see Endpoint analytics proxy configuration.
Endpoints required for Configuration Manager-managed devices
Configuration Manager-managed devices send data to Intune via the connector on the Configuration Manager server role, so they don't need direct access to the Microsoft public cloud.
Endpoint | Function |
---|---|
https://graph.windows.net | Used to automatically retrieve settings when attaching your hierarchy to Endpoint analytics on the Configuration Manager server role. For more information, see Configure the proxy for a site system server. |
https://*.manage.microsoft.com | Used to sync device collections and devices with Endpoint analytics on the Configuration Manager server role only. For more information, see Configure the proxy for a site system server. |
Endpoints required for Intune-managed devices
To enroll devices to Endpoint analytics, they need to send required functional data to Microsoft public cloud. Endpoint Analytics uses the Windows client and Windows Server Connected User Experiences and Telemetry component (DiagTrack) to collect the data from Intune-managed devices. Make sure that the Connected User Experiences and Telemetry service on the device is running.
Endpoint | Function |
---|---|
https://*.events.data.microsoft.com | Used by Intune-managed devices to send required functional data to the Intune data collection endpoint. |
Asset intelligence
If you use asset intelligence, allow the following endpoints for the service to synchronize:
https://sc.microsoft.com
https://ssu2.manage.microsoft.com
Deploy Microsoft Edge
The device running the Configuration Manager console needs access to the following endpoints for deploying Microsoft Edge:
Location | Use |
---|---|
https://aka.ms/cmedgeapi | Information about releases of Microsoft Edge |
https://edgeupdates.microsoft.com/api/products?view=enterprise | Information about releases of Microsoft Edge |
http://dl.delivery.mp.microsoft.com | Content for Microsoft Edge releases |
External notifications
For more information, see External notifications.
The service connection point needs to communicate with the notification service, for example Azure Logic Apps. The access endpoint for the logic app typically has the following format: https://*.<RegionName>.logic.azure.com:443. For example: https://prod1.westus2.logic.azure.com:443
To get the access endpoint for the logic app, as well as the associated IP addresses, use the following process:
- In the Azure portal, under Logic Apps, select the logic app for your notification. For more information, see Manage logic apps in the Azure portal.
- In the app's menu, in the Settings section, select Properties.
- View or copy the values for the Access endpoint and the Access endpoint IP addresses.
Microsoft public IP addresses
For more information on the Microsoft IP address ranges, see Microsoft Public IP Space. These addresses update regularly. There's no granularity by service: any IP address in these ranges could be used.