Windows Autopilot depends on various internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, Autopilot works when the following conditions are met:
- Ensure Domain Name Services (DNS) name resolution for internet DNS names.
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP).
Additional configuration might be required to grant access to required services in environments that:
- Have more restrictive internet access.
- Require authentication before internet access can be obtained.
Windows Autopilot relies on several different types of services. For these services to work, certain network configurations are needed. The services and their required network configurations are as follows:
Windows Autopilot Deployment Service
After a network connection is in place, each Windows device contacts the Windows Autopilot Deployment Service. The following URLs are used:
https://ztd.dds.microsoft.com
https://cs.dds.microsoft.com
https://login.live.com
Windows Autopilot requires Windows Activation services. For more information about the URLs that need to be accessible for the activation services, see Windows activation or validation fails with error code 0x8004FE33.
Microsoft Entra ID validates user credentials. Additionally, the device is joined or registered to Microsoft Entra ID during Windows Autopilot. For more information, see Office 365 IP Address and URL Web service.
Once authenticated, Microsoft Entra ID triggers enrollment of the device into the Intune mobile device management (MDM) service. For more information about Intune's network communication requirements, see the following articles:
Autopilot automatic device diagnostics collection
For diagnostics to be able to upload successfully from the client, make sure that the URL lgmsapeweu.blob.core.windows.net isn't blocked on the network. Diagnostics are available for 28 days before they're removed.
For more information, see Collect diagnostics from a Windows device.
During the out-of-box experience (OOBE) process and after the Windows OS configuration, the Windows Update service retrieves needed updates. If there are problems connecting to Windows Update, see Windows Update issues troubleshooting.
If Windows Update is inaccessible, the Autopilot process still continues but critical updates aren't available.
Autopilot contacts the Delivery Optimization service when downloading applications and updates. This contact establishes peer-to-peer sharing of content so that only a few devices need to download it from the internet. The following content is downloaded through Delivery Optimization:
- Windows Updates.
- Microsoft Store applications and application updates.
- Office Updates.
- Intune Win32 Applications.
If the Delivery Optimization Service is inaccessible, the Autopilot process still continues with Delivery Optimization downloads from the cloud without peer-to-peer.
Network Time Protocol (NTP) sync
When a Windows device starts up, it talks to a network time server to ensure that the time on the device is correct. Ensure that UDP port 123 to time.windows.com is accessible.
Domain Name Services (DNS)
To resolve internet names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
Diagnostic data collection is enabled by default. For more information, see Manage enterprise diagnostic data.
If the device can't send diagnostic data, the Autopilot process still continues. However, services that depend on diagnostic data don't work.
Network Connection Status Indicator (NCSI)
Windows must be able to tell that the device can access the internet. For more information, see Network Connection Status Indicator (NCSI).
*.msftconnecttest.com must be resolvable via DNS and accessible via HTTP.
Windows Notification Services (WNS)
This service is used to enable Windows to receive notifications from applications and services. For more information, see Microsoft Store.
If the WNS services aren't available, the Autopilot process still continues without notifications.
Applications in the Microsoft Store can be pushed to the device by triggering them via Intune or other MDM service. App updates and additional applications might also be needed when the user first logs in. For more information, see Update to Intune integration with the Microsoft Store on Windows and FAQ: Supporting Microsoft Store experiences on managed devices.
If the Microsoft Store isn't accessible, the Autopilot process still continues without Microsoft Store apps.
As part of the Intune device configuration, installation of Microsoft 365 Applications for enterprise might be required. For a list of all Office services, DNS names, and IP addresses, including Microsoft Entra ID and other services that might overlap with the services listed previously, see Office 365 URLs and IP address ranges.
Certificate revocation lists (CRLs)
Some of these services also need to check certificate revocation lists (CRLs) for certificates used in the services. For a full list, see Office 365 URLs and IP address ranges and Office 365 Certificate Chains.
Microsoft Entra hybrid join
The device can be Microsoft Entra hybrid joined. The computer should be on the internal network for Microsoft Entra hybrid join to work. For more information, see Windows Autopilot user-driven mode.
Autopilot self-deploying mode and Autopilot pre-provisioning
The TPM attestation process requires access to a set of HTTPS URLs, which are unique for each TPM provider. Ensure access to this URL pattern: *.microsoftaik.azure.net.
Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, don't include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips, which include devices from any other manufacturer, come with these certificates preinstalled. For more information, see TPM recommendations.
For each firmware TPM provider, make sure that the appropriate URL is accessible so that certificates can be successfully requested. For example:
- Intel: https://ekop.intel.com/ekcertservice
- Qualcomm: https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
- AMD: https://ftpm.amd.com/pki/aia
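The endpoints named throughout this article (the Deployment Service URLs, the diagnostics upload host, time.windows.com on UDP 123, the NCSI host, and the firmware TPM EK certificate services above) can be checked from a client before devices are shipped. The script below is an added example, not part of the Microsoft article: it resolves each name, opens a TCP connection to the HTTPS hosts, sends a minimal SNTP request to the time server, and issues a plain HTTP GET for the NCSI probe. The host www.msftconnecttest.com and the /connecttest.txt path are assumptions standing in for the *.msftconnecttest.com wildcard, and *.microsoftaik.azure.net is not probed because the article gives no concrete host under it. It requires Windows PowerShell 5.0 or later.

```powershell
# Added example (not from the Microsoft article): probe the Autopilot endpoints
# listed in the article from a Windows client on the network the devices will use.
# Requires Windows PowerShell 5.0+ (::new() syntax; Resolve-DnsName needs the DnsClient module).

$endpoints = @(
    # Windows Autopilot Deployment Service
    @{ Name = 'ztd.dds.microsoft.com';            Port = 443; Kind = 'tcp' },
    @{ Name = 'cs.dds.microsoft.com';             Port = 443; Kind = 'tcp' },
    @{ Name = 'login.live.com';                   Port = 443; Kind = 'tcp' },
    # Autopilot diagnostics upload
    @{ Name = 'lgmsapeweu.blob.core.windows.net'; Port = 443; Kind = 'tcp' },
    # NCSI: representative host and probe path (both assumptions) for *.msftconnecttest.com
    @{ Name = 'www.msftconnecttest.com';          Port = 80;  Kind = 'http'; Path = '/connecttest.txt' },
    # Network Time Protocol
    @{ Name = 'time.windows.com';                 Port = 123; Kind = 'ntp' },
    # Firmware TPM EK certificate services (Intel, Qualcomm, AMD)
    @{ Name = 'ekop.intel.com';                   Port = 443; Kind = 'tcp' },
    @{ Name = 'ekcert.spserv.microsoft.com';      Port = 443; Kind = 'tcp' },
    @{ Name = 'ftpm.amd.com';                     Port = 443; Kind = 'tcp' }
    # *.microsoftaik.azure.net is a wildcard with no concrete host in the article, so it is not probed.
)

function Test-DnsName {
    # True when the name resolves to at least one A record.
    param([string]$Name)
    try {
        $records = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        return [bool]($records | Where-Object { $_.IPAddress })
    } catch { return $false }
}

function Test-TcpPort {
    # Direct socket connect with a timeout; note this bypasses any configured proxy.
    param([string]$Name, [int]$Port, [int]$TimeoutMs = 5000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $handle = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $client.Connected
    } catch { return $false }
    finally { $client.Close() }
}

function Test-HttpProbe {
    # Plain HTTP GET via Invoke-WebRequest, which uses the system proxy settings.
    param([string]$Name, [string]$Path)
    try {
        $response = Invoke-WebRequest -Uri "http://$Name$Path" -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        return ($response.StatusCode -eq 200)
    } catch { return $false }
}

function Test-NtpServer {
    # Minimal SNTP client request (RFC 4330): 48 bytes, first byte LI=0, VN=3, Mode=3.
    param([string]$Name, [int]$TimeoutMs = 5000)
    $udp = [System.Net.Sockets.UdpClient]::new()
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Name, 123)
        $request = [byte[]]::new(48)
        $request[0] = 0x1B
        [void]$udp.Send($request, $request.Length)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        if ($reply.Length -lt 48) { return $false }
        # Transmit timestamp seconds (bytes 40..43, big-endian) since 1900-01-01 UTC
        [long]$seconds = 0
        foreach ($i in 40..43) { $seconds = $seconds * 256 + $reply[$i] }
        $epoch = [DateTime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
        $offset = ($epoch.AddSeconds($seconds) - [DateTime]::UtcNow).TotalSeconds
        Write-Verbose ('{0}: clock offset {1:N1} s' -f $Name, $offset)
        return $true
    } catch { return $false }
    finally { $udp.Close() }
}

$results = foreach ($e in $endpoints) {
    $resolves  = Test-DnsName -Name $e.Name
    $reachable = switch ($e.Kind) {
        'tcp'  { Test-TcpPort -Name $e.Name -Port $e.Port }
        'http' { Test-HttpProbe -Name $e.Name -Path $e.Path }
        'ntp'  { Test-NtpServer -Name $e.Name }
    }
    [pscustomobject]@{
        Endpoint    = ('{0}:{1}/{2}' -f $e.Name, $e.Port, $e.Kind)
        DnsResolves = $resolves
        Reachable   = $reachable
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ('{0} Autopilot endpoint(s) are not reachable from this network.' -f $blocked.Count)
}
```

Read the two columns together: a row that resolves but is not reachable points at a firewall or proxy rule rather than DNS, and a row that does not resolve at all means the DNS server handed out by DHCP cannot resolve internet names. On a network that only allows egress through an authenticating proxy, the TCP probes fail by design because they open sockets directly, while the HTTP probe goes through the system proxy; in that environment the HTTP result is the meaningful one, and the TPM and Deployment Service hosts must be re-checked through the proxy itself.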
Proxy settings for Windows Autopilot should be configured on the proxy server itself. Implementing proxy settings via Intune policy isn't fully supported, as it might cause issues and unexpected behavior with privileged access deployments.