Some Windows 365 Link components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that must be allowed in your network configuration (proxy or firewall) for those components to function.
The Windows 365 Link device must be able to reach these endpoints. If a proxy server sits between the Link device and the internet, authentication must be bypassed for these endpoints. The Windows 365 Link device won't support proxy authentication because many of these endpoints are needed without a user context (like during the logon process or before a user authenticates).
This list is designed as a starting point for your network connectivity. Windows 365, Intune, and Microsoft Entra ID are evolving services and changes can occur regularly. Check the service pages linked to from this page frequently in case updates are made. Your own configurations might require adding more URLs. When troubleshooting, make sure that your network engineers:
- Can validate connections made from the Link device.
- Can identify whether other URLs or connectivity must be allowed.
The following methodology was used to derive these network endpoints:
- Unbox and plug in Windows 365 Link with an ethernet cable.
- Begin a Windows Update cycle to ensure the latest version of the OS (tested in May 2025).
- Join a representative Microsoft Entra and Intune tenant, and connect to a Windows 365 Cloud PC.
- Use the device at various times for one week, including various Intune commands (like Reset, Collect Diagnostics, Sync, and so on).
- All HTTP(S) requests were captured at the internet egress.
- Other endpoints are added from the relevant Intune / Windows documentation to support global regions.
| Purpose | Endpoints required |
|---|---|
| Authentication. These endpoints are required to authenticate with Microsoft Entra ID in order to perform Microsoft Entra join and enable user authentication. | login.microsoftonline.com login.live.com www.microsoft.com *.microsoftaik.azure.net aadcdn.msauth.net aadcdn.msauthimages.net login.microsoft.com aadcdn.msftauth.net graph.windows.net |
| Connectivity. Network Connection Status Indicator (NCSI) detects internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI can't determine if the device is connected to the internet, and the network status tray icon shows a warning. | www.msftconnecttest.com ipv6.msftconnecttest.com |
| Security. These endpoints are used for certificate updates and Microsoft Defender protections. | ocsp.digicert.com *.endpoint.security.microsoft.com ctldl.windowsupdate.com mscrl.microsoft.com wdcp.microsoft.com fpt.dfp.microsoft.com |
| Windows Update | *.windowsupdate.com *.mp.microsoft.com *.update.microsoft.com |
| Windows Push Notification Services. WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This service provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications don't work, including MDM device management, mail synchronization, settings synchronization. | *.wns.windows.com *.notify.windows.com |
| Location. The following endpoint is used for location data. If you turn off traffic for this endpoint, Windows 365 Link can't detect its current location (or time zone). | inference.location.live.net |
| Intune | Manage.microsoft.com *.manage.microsoft.com *.mp.microsoft.com Ecs.office.com *.spserv.microsoft.com enterpriseregistration.windows.net certauth.enterpriseregistration.windows.net lgmsapeweu.blob.core.windows.net lgmsapewus2.blob.core.windows.net lgmsapesea.blob.core.windows.net lgmsapeaus.blob.core.windows.net lgmsapeind.blob.core.windows.net *.attest.azure.net checkin.dm.microsoft.com *.azureedge.net |
| Diagnostic data | *.data.microsoft.com |
| Browser. These endpoints are used by the WebView components within the Link Device. | edge.microsoft.com static.edge.microsoftapp.net edge-cloud-resource-static.azureedge.net edge-mobile-static.azureedge.net |
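To validate connections from the Link device against the table above, egress proxy logs can be checked for required endpoints that were blocked or met with a proxy authentication challenge (HTTP 407), and for hosts not in the list. The following is an added example, not Microsoft's code: the log format, the `REQUIRED` subset, the function names, and the reading of `*.` as "subdomains only" are assumptions.

```python
REQUIRED = {  # subset of this page's table, keyed by its "Purpose" column
    "Authentication": ["login.microsoftonline.com", "*.microsoftaik.azure.net"],
    "Windows Update": ["*.windowsupdate.com", "*.mp.microsoft.com",
                       "*.update.microsoft.com"],
    "Intune": ["manage.microsoft.com", "*.manage.microsoft.com",
               "enterpriseregistration.windows.net", "*.attest.azure.net"],
}

def purpose_of(host):
    """Return the table purpose a hostname falls under, or None if unlisted."""
    host = host.lower().rstrip(".")
    for purpose, patterns in REQUIRED.items():
        for pat in patterns:
            # Assumption: "*.example.com" covers subdomains only, not the apex.
            if pat.startswith("*."):
                if host.endswith(pat[1:]) and host != pat[1:]:
                    return purpose
            elif host == pat:
                return purpose
    return None

def audit(log_lines):
    """Classify each CONNECT line as ok, blocked, proxy_auth or unlisted."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5 or fields[2] != "CONNECT" or not fields[4].isdigit():
            continue  # not in the assumed log format
        host = fields[3].rsplit(":", 1)[0]
        status, purpose = int(fields[4]), purpose_of(host)
        if purpose is None:
            verdict = "unlisted"    # review: a needed extra URL, or unexpected traffic
        elif status == 407:
            verdict = "proxy_auth"  # the Link device cannot answer a proxy challenge
        elif status >= 400:
            verdict = "blocked"
        else:
            verdict = "ok"
        findings.append((host, purpose, verdict))
    return findings

SAMPLE_LOG = [  # constructed lines: timestamp, client IP, method, host:port, status
    "2025-05-14T09:12:01Z 10.0.8.21 CONNECT login.microsoftonline.com:443 200",
    "2025-05-14T09:12:03Z 10.0.8.21 CONNECT tenant1.manage.microsoft.com:443 407",
    "2025-05-14T09:12:07Z 10.0.8.21 CONNECT fe2.update.microsoft.com:443 403",
    "2025-05-14T09:12:09Z 10.0.8.21 CONNECT windowsupdate.com.badhost.example:443 200",
]
if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

The last sample line shows why the match is anchored on the right-hand suffix: a hostname that merely contains an allowed domain is reported as unlisted rather than as Windows Update traffic.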
Additional service endpoints
Windows 365
Windows 365 Link connects to the Windows 365 Service. Therefore, the device must connect to the endpoints listed under End user devices.
Microsoft Teams
The Windows 365 Link device optimizes traffic to Microsoft Teams by offloading media connections directly from the device to the Microsoft Teams service. Therefore, connections must be allowed to the Microsoft Teams services as described in Microsoft 365 URLs and IP address ranges under Microsoft Teams.
Additional endpoints
Depending on your configurations, you might need to enable other endpoints not listed here. This could be for many reasons, but may include:
- MMR Call Redirection to third-party call center providers.
- Additional authentication services (like ADFS, third-party IdPs, or MFA providers).
Additional ports and network requirements
The Windows 365 Link device might need:
- UDP 53 – DNS
- UDP 67 – DHCP
- UDP 123 – SNTP (Connection to Time.Windows.Com)