Configuration Manager Proxy Exceptions

This post provides a summary of the URLs required for Configuration Manager current branch to provide resources that require Internet access. Because Configuration Manager relies on other components, it can be difficult to find a single source of URLs required. Software Updates rely on Windows Server Updates Services (WSUS) and the Service Connection Point uses Intune and other online services.

The features of Configuration Manager that require Internet access are:

• Asset Intelligence Synchronisation Point;
• Configuration Manger Console (pending investigation);
• Cloud Distribution Points (pending investigation, initial URLs added);
• Software Update Point (SUP);
• Windows Store for Business;
• Intune Subscription;
• Service Connection Point.

Configuration Manager URLs

The table below contains a list of URLs required by Configuration Manager components to connect to the Internet. If I've missed anything, please let me know by leaving a comment and I'll update it ASAP!

Source	Destination URL	Component
Asset Intelligence Synchronisation Point	sc.microsoft.com.nsatc.net	Asset Intelligence
SUP	windowsupdate.microsoft.com	Software Updates
SUP	*.windowsupdate.microsoft.com	Software Updates
SUP	*.update.microsoft.com	Software Updates
SUP	*.windowsupdate.com	Software Updates
SUP	download.windowsupdate.com	Software Updates
SUP	download.microsoft.com	Software Updates
SUP	*.download.windowsupdate.com	Software Updates
SUP	wustat.windows.com	Software Updates
SUP	ntservicepack.microsoft.com	Software Updates
SUP	go.microsoft.com	Software Updates
SUP	officecdn.microsoft.com	Office 365 Software Updates
SUP	officecdn.microsoft.com.edgesuite.net	Office 365 Software Updates
SUP	config.office.com	Office 365 Software Updates
Service Connection Point	*akamaiedge.net	Updates and Servicing
Service Connection Point	*.manage.microsoft.com	Updates and Servicing
Service Connection Point	go.microsoft.com	Updates and Servicing
Service Connection Point	blob.core.windows.net	Updates and Servicing
Service Connection Point	download.microsoft.com	Updates and Servicing
Service Connection Point	sccmconnected-a01.cloudapp.net	Updates and Servicing
Service Connection Point	https://silverlight.dlservice.microsoft.com	Updates and Servicing
Service Connection Point	*.manage.microsoft.com	Microsoft Intune
Service Connection Point	https://bspmts.mp.microsoft.com/V1/	Microsoft Intune
Service Connection Point	https://login.microsoftonline.com//	Microsoft Intune
Service Connection Point	download.microsoft.com	Windows 10 Servicing
Service Connection Point	https://go.microsoft.com/fwlink/?LinkID=619849	Windows 10 Servicing
Primary Site	*.core.windows.net	Cloud Distribution Point
Primary Site	*.cloudapp.net	Cloud Distribution Point
Primary Site	https://bspmts.mp.microsoft.com/V1/	Windows Store for Business
Primary Site	https://login.microsoftonline.com/	Windows Store for Business
Console	login.windows.net/	Any component requiring logon to online services
Site Server	has.spserv.microsoft.com	Cloud Device Attestation Service

Certain services require direct access from Configuration Manager clients to the internet.

Source	Destination URL	Component
Client	https://wdcp.microsoft.com	Microsoft Active Protection Service
Client	https://wdcpalt.microsoft.com	Microsoft Active Protection Service
Client	has.spserv.microsoft.com	Cloud Device Attestation Service

Information Sources

The information above is collected from the following articles and random experience:

• Configure WSUS
• Network infrastructure requirements for Microsoft Intune
• Manage Office 365 client updates with System Center Configuration Manager
• Service Connection Point Internet Access Requirements
• Proxy server support in System Center Configuration Manager
• Important changes to Microsoft Active Protection Service (MAPS) endpoint
• Checklist for installing update 1610 for System Center Configuration Manager
• Device Health Attestation

Last update: 5th January 2017

• 4th May 2016 - Added Cloud Distribution Points
• 23rd May 2016 - Added Office 365 Client Software Updates
• 7th June 2016 - Microsoft has published requirements for a Service Connection Point
• 13th November 2016 - Included Windows Store for Business
• 5th January 2017 - Included endpoints for Microsoft Active Protection Service & added https://silverlight.dlservice.microsoft.com based on feedback
• Included additional URLs based on feedback for Office 365 Updates and Console login to cloud services
• 15th September 2017 - Added Device Health Attestation

Comments

• Anonymous
  November 21, 2016
  This URL is missing from the list: login.windows.net . This URL is needed when adding the subscription in the console to sign in.
  • Anonymous
    November 21, 2016
    Thank you - added :)
• Anonymous
  November 21, 2016
  When SCCM tries to download http://officecdn.microsoft.com/pr/wsus/ofl.cab, this gets redirected to officecdn.microsoft.com.edgesuite.net. So this URL is also missing from the list.
  • Anonymous
    November 21, 2016
    Thank you :) Added.
• Anonymous
  December 14, 2016
  Hey Scott, what about this one:https://go.microsoft.com/fwlink/?LinkId=797875.I see that it's downloading ConfigMgr.Update.Manifest.cab from there.BTW, any idea why ConfigMgr doesn't appear to respect the proxy authentication settings set in Administration > Site Configuration > Servers and Site System Roles > [servername] > Site system... [proxy tab]?That's definitely set and working, as Software Update syncs are working. However, if I try to download a Software Update, it's using my own admin account and not the account specified in the proxy settings. As my admin account is denied access to the internet via the proxy, the software update downloads fail. we're also getting (407) Proxy Authentication Required when trying to download that .cab file I mentioned above. Seems to be that different parts of ConfigMgr just ignore the Proxy settings entirely. Maybe something for User Voice... one proxy setting for ConfigMgr that everything uses.
  • Anonymous
    January 03, 2017
    Is this your post as well, or does it help - https://social.technet.microsoft.com/Forums/en-US/9484df4f-6905-4451-ad11-d5c9e14ca367/failed-to-download-content-proxy-issue-when-downloading-software-updates?forum=ConfigMgrCBGeneral?Sorry for the delay in replying!
• Anonymous
  January 03, 2017
  Hi Scott, we've got a similar problem, outlined here:https://social.technet.microsoft.com/Forums/en-US/9484df4f-6905-4451-ad11-d5c9e14ca367/failed-to-download-content-proxy-issue-when-downloading-software-updates?forum=ConfigMgrCBGeneralSeen this before?Glenn
  • Anonymous
    January 03, 2017
    Hi Glenn, I replied to your post on the forum :)
• Anonymous
  January 04, 2017
  Based on the Checklist (https://docs.microsoft.com/en-us/sccm/core/servers/manage/checklist-for-installing-update-1610) for 1610, the following URL is missing: http://silverlight.dlservice.microsoft.com
  • Anonymous
    January 05, 2017
    updated, thank you :)
• Anonymous
  February 06, 2017
  Hi Scott - Our security guys are reluctant to allow all of *akamaiedge.net, as half the internet appears to be hosted there. Are there any specific sub-domains that relate just to Microsoft content that we could allow? Same goes for *.cloudapp.net.
  • Anonymous
    April 04, 2017
    Hi Glenn,Apologies for not getting back to you earlier. I guess it was because I didn't have good news! I don't have a more limited list for *akamaiedge.net, however for cloudapp.net you could restrict it to sccmconnected-a01.cloudapp.net and if you were using any cloud DPs or anything you'd need to add those as exceptions as well.
• Anonymous
  February 07, 2017
  Hi Scott,When enabling to use a proxy server in the site system properties, there is no way to provide a bypass list. The problem is when the site server connects to the local SUP, it uses the specified proxy and it fails to connect.On the other hand if I don't specify the proxy my service connection point can't get out to Intune etc.Do you have any idea how we can specify the proxy bypass list (registry, smsexec.config ??)Thanks