Windows 11/10 offers tons of privacy control for end users which they can control at their will. If you are installing a fresh copy of Windows 11/10, Microsoft has released details of which endpoints it connects to, and we think you should know about it. While we already know that whenever you connect to the email server or browse the web or access backups stored on the cloud, and use the location for weather, they all connect to respective servers, but then there is more to that. Check out which websites & endpoints Windows 10 connects to after a clean install.
Websites that Windows 11/10 connects to
When connecting to different websites, Windows users many methodologies. It includes setting up Windows 11/10 on a virtual test machine with default conditions, idle conditions, globally accepted network protocol analyzer/capturing tools, and they also compile reports on traffic going to public IP addresses. Below is the list of websites with which Windows 11/10 Enterprise connections.
Apps
Weather App Live Tile.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| explorer | HTTP | tile-service.weather.microsoft.com | 1709 |
| HTTP | blob.weather.microsoft.com | 1803 |
OneNote Live Tile.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 |
Twitter updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTPS | wildcard.twimg.com | 1709 | |
| svchost.exe | oem.twimg.com/windows/tile.xml | 1709 |
Facebook updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| star-mini.c10r.facebook.com | 1709 |
Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 |
Candy Crush Saga updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| TLS v1.2 | candycrushsoda.king.com | 1709 |
Microsoft Wallet app.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 |
Groove Music app
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 |
Cortana and Search
This website or endpoint is used to get images that are used for Microsoft Store suggestions.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| searchui | HTTPS | store-images.s-microsoft.com | 1709 |
To update Cortana greetings, tips, and Live Tiles.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated, and for enabling experimental features.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 |
Cortana uses this website to report diagnostic and diagnostic data information
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| searchui backgroundtaskhost |
HTTPS | www.bing.com/threshold/xls.aspx | 1709 |
Certificates
This website is used by Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
Windows uses this website to download certificates that are publicly known to be fraudulent.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
Device authentication
Endpoint used to authenticate a device.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTPS | login.live.com/ppsecure | 1709 |
Device metadata
In order to retrieve device metadata.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| dmd.metaservices.microsoft.com.akadns.net | 1709 | ||
| HTTP | dmd.metaservices.microsoft.com | 1803 |
Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | cy2.vortex.data.microsoft.com.akadns.net | 1709 |
Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 |
The following endpoints are used by Windows Error Reporting.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| wermgr | watson.telemetry.microsoft.com | 1709 | |
| TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 |
Font streaming
The following endpoints are used to download fonts on demand.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | fs.microsoft.com | 1709 | |
| fs.microsoft.com/fs/windows/config.json | 1709 |
Licensing
The website used for online activation and some app licensing.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 |
Location
Location data.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTP | location-inference-westus.cloudapp.net | 1709 |
Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | HTTPS | *g.akamaiedge.net | 1709 |
Microsoft account
The following endpoints are used for Microsoft accounts to sign in.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| login.msa.akadns6.net | 1709 | ||
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 |
Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| *.wns.windows.com | 1709 |
To revoke licenses for malicious apps in the Microsoft Store.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 |
Download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 | |
| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 |
Windows communicates with Microsoft Store through these
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 | |
| HTTP | pti.store.microsoft.com | 1709 | |
| TLS v1.2 | cy2.*.md.mp.microsoft.com.*. | 1709 | |
| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 |
Network Connection Status Indicator (NCSI)
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTP | www.msftconnecttest.com/connecttest.txt | 1709 |
Office
The following endpoints are used to connect to the Office 365 portal’s shared infrastructure, including Office Online. For more info, see Office 365 URLs and IP address ranges.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| *.a-msedge.net | 1709 | ||
| hxstr | *.c-msedge.net | 1709 | |
| *.e-msedge.net | 1709 | ||
| *.s-msedge.net | 1709 | ||
| HTTPS | ocos-office365-s2s.msedge.net | 1803 |
The following endpoint is used to connect to the Office 365 portal’s shared infrastructure, including Office Online.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| Windows Apps\Microsoft.Windows.Photos | HTTPS | client-office365-tas.msedge.net | 1709 |
OneDrive
Microsoft Redirection service uses these to automatically update URLs.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 |
OneDrive for Business to download and verify app updates from here.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| onedrive | HTTPS | oneclient.sfx.ms | 1709 |
Settings
The following endpoint is used as a way for apps to dynamically update their configuration.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| dmclient | cy2.settings.data.microsoft.com.akadns.net | 1709 |
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| dmclient | HTTPS | settings.data.microsoft.com | 1709 |
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | HTTPS | settings-win.data.microsoft.com | 1709 |
Skype
Skype configuration values are downloaded from these endpoints.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 |
Windows Defender
Windows Defender when Cloud-based Protection is enabled through these.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| wdcp.microsoft.com | 1709 |
Windows Defender definition updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| definitionupdates.microsoft.com | 1709 | ||
| MpCmdRun.exe | HTTPS | go.microsoft.com | 1709 |
Windows Spotlight
These endpoints make it possible for Windows Spotlight metadata for image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| backgroundtaskhost | HTTPS | arc.msn.com | 1709 |
| backgroundtaskhost | g.msn.com.nsatc.net | 1709 | |
| TLS v1.2 | *.search.msn.com | 1709 | |
| HTTPS | ris.api.iris.microsoft.com | 1709 | |
| HTTPS | query.prod.cms.rt.microsoft.com | 1709 |
Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 |
Windows uses these endpoints to download operating system patches and updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | HTTP | *.windowsupdate.com | 1709 |
| HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 |
Highwinds Content Delivery Network uses these to perform Windows updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| cds.d2s7q6s2.hwcdn.net | 1709 |
Verizon Content Delivery Network uses these to perform Windows updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| HTTP | *wac.phicdn.net | 1709 | |
| *wac.edgecastcdn.net | 1709 |
This website or endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 |
The following endpoint is used to download apps from the Microsoft Store.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | emdl.ws.microsoft.com | 1709 |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | HTTPS | fe2.update.microsoft.com | 1709 |
| svchost | fe3.delivery.mp.microsoft.com | 1709 | |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 | ||
| svchost | HTTPS | sls.update.microsoft.com | 1709 |
| HTTP | *.dl.delivery.mp.microsoft.com | 1803 |
The following endpoint is used for content regulation.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 |
The following endpoints are used to download content.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| a122.dscd.akamai.net | 1709 | ||
| a1621.g.akamai.net | 1709 |
Microsoft forward link redirection service (FWLink)
Microsoft forward link redirection service uses the below-mentioned website to redirect permanent web links to the actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|---|---|---|---|
| Various | HTTPS | go.microsoft.com | 1709 |
For full details on this and how to turn off traffic for particular endpoints, visit docs.microsoft.com.
