Intune URL

Handian Sudianto 7,301 Reputation points
2026-06-22T13:41:42.6633333+00:00

We implement 802.1x with user authentication. When the user certificate is not found on the endpoint, the device is placed into an isolation network, and on the isolation network only a few URLs are whitelisted (login.microsoft.com, for example, is whitelisted). Because the endpoint should be able to connect to Intune so that Intune can push or deploy the certificate to the endpoint, which Intune URLs must I whitelist?

Microsoft Security | Intune | Configuration

1 answer

  1. AI answer

    2026-06-22T13:42:18.1533333+00:00

    For devices in the isolation network to reach Intune and receive certificates, allow at least the core Intune and required dependency endpoints through the firewall/proxy.

    From the provided endpoints, the key FQDNs and ports to whitelist are:

    1. Intune core service / device management
      • *.manage.microsoft.com
      • manage.microsoft.com
      • Ports: TCP 80, 443
      • Note: SSL inspection is not supported on *.manage.microsoft.com and *.dm.microsoft.com.
    2. Intune Win32 app / content delivery (if using Win32 apps or content)
      • swda01-mscdn.manage.microsoft.com
      • swda02-mscdn.manage.microsoft.com
      • swdb01-mscdn.manage.microsoft.com
      • swdb02-mscdn.manage.microsoft.com
      • swdc01-mscdn.manage.microsoft.com
      • swdc02-mscdn.manage.microsoft.com
      • swdd01-mscdn.manage.microsoft.com
      • swdd02-mscdn.manage.microsoft.com
      • swdin01-mscdn.manage.microsoft.com
      • swdin02-mscdn.manage.microsoft.com
      • Ports: TCP 80, 443
    3. Authentication and identity (for Entra ID sign-in and device registration)
      • login.microsoftonline.com
      • graph.windows.net
      • enterpriseregistration.windows.net
      • certauth.enterpriseregistration.windows.net
      • Ports: TCP 80, 443
    4. Other required dependencies commonly used by Intune-managed devices
      • Endpoint discovery:
        • go.microsoft.com (TCP 80, 443)
      • Consumer Microsoft account / device auth (if applicable):
        • account.live.com
        • login.live.com (TCP 443)
      • Feature deployment dependencies:
        • config.edge.skype.com
        • ecs.office.com (TCP 443)
      • Organizational messages (if used):
        • fd.api.orgmsg.microsoft.com
        • ris.prod.api.personalization.ideas.microsoft.com (TCP 443)
    5. Windows Autopilot and update-related endpoints (if Autopilot or update-based provisioning is involved)
      • Windows Update / content:
        • *.windowsupdate.com
        • *.dl.delivery.mp.microsoft.com
        • *.prod.do.dsp.mp.microsoft.com
        • *.delivery.mp.microsoft.com
        • *.update.microsoft.com
        • tsfe.trafficshaping.dsp.mp.microsoft.com
        • adl.windows.com (TCP 80, 443)
      • NTP sync:
        • time.windows.com (UDP 123)
      • WNS dependencies:
        • clientconfig.passport.net
        • windowsphone.com
        • *.s-microsoft.com
        • c.s-microsoft.com (TCP 443)

    Additionally, Intune requires unauthenticated proxy access for some tasks to:

    • manage.microsoft.com
    • *.azureedge.net
    • graph.microsoft.com

    Ensure these are reachable from the isolation network (no SSL inspection on *.manage.microsoft.com and *.dm.microsoft.com).

    For US Government/GCC High/DoD tenants, use the corresponding government endpoints instead (for example manage.microsoft.us instead of manage.microsoft.com) as documented in the US government endpoints article.

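A small defender-side check for the allowlist above, as an added example that is not part of the original question or answer: it encodes the FQDN/port entries as rules with firewall-style wildcard semantics, reports the patterns for which the answer says SSL inspection must be bypassed, and audits constructed proxy log lines from the isolation VLAN to show which connection attempts the allowlist would block. The rule set is built from the answer's list; the ports for graph.microsoft.com, *.azureedge.net and *.dm.microsoft.com (the answer gives none, 443 is assumed), the log-line format, and the function names `host_matches`, `is_allowed`, `inspection_bypass_patterns`, `audit` and `blocked` are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allowlist entry: an FQDN or '*.' wildcard, its permitted ports,
    and whether TLS/SSL inspection must be bypassed for it."""
    pattern: str
    ports: frozenset
    no_tls_inspect: bool = False


# Constructed from the answer's list (assumption: ports for graph.microsoft.com,
# *.azureedge.net and *.dm.microsoft.com are not given there; 443 is assumed).
ALLOWLIST = (
    Rule("*.manage.microsoft.com", frozenset({80, 443}), no_tls_inspect=True),
    Rule("manage.microsoft.com", frozenset({80, 443}), no_tls_inspect=True),
    Rule("*.dm.microsoft.com", frozenset({443}), no_tls_inspect=True),
    Rule("login.microsoftonline.com", frozenset({80, 443})),
    Rule("graph.windows.net", frozenset({80, 443})),
    Rule("enterpriseregistration.windows.net", frozenset({80, 443})),
    Rule("certauth.enterpriseregistration.windows.net", frozenset({80, 443})),
    Rule("go.microsoft.com", frozenset({80, 443})),
    Rule("login.live.com", frozenset({443})),
    Rule("time.windows.com", frozenset({123})),      # UDP NTP
    Rule("graph.microsoft.com", frozenset({443})),
    Rule("*.azureedge.net", frozenset({443})),
)


def host_matches(pattern: str, host: str) -> bool:
    """Firewall-style match: '*.x.y' covers any subdomain of x.y (one or more
    labels) but not x.y itself; a bare FQDN matches exactly. Case-insensitive,
    trailing dot tolerated."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # pattern[1:] keeps the leading dot, so 'xmanage.microsoft.com' and
        # 'manage.microsoft.com.attacker.example' both fail to match.
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed(host: str, port: int) -> bool:
    """True if some rule covers both the host and the port."""
    return any(host_matches(r.pattern, host) and port in r.ports for r in ALLOWLIST)


def inspection_bypass_patterns() -> list:
    """Patterns the proxy must exclude from SSL inspection, sorted."""
    return sorted(r.pattern for r in ALLOWLIST if r.no_tls_inspect)


# Constructed proxy log lines (not real data): '<ts> src=<ip> dst=<host>:<port>'
SAMPLE_LOG = """\
2026-06-22T13:45:01Z src=10.20.30.40 dst=manage.microsoft.com:443
2026-06-22T13:45:02Z src=10.20.30.40 dst=swda01-mscdn.manage.microsoft.com:80
2026-06-22T13:45:03Z src=10.20.30.40 dst=login.microsoftonline.com:443
2026-06-22T13:45:04Z src=10.20.30.40 dst=manage.microsoft.com.attacker.example:443
2026-06-22T13:45:05Z src=10.20.30.40 dst=time.windows.com:443
2026-06-22T13:45:06Z src=10.20.30.40 dst=enterpriseregistration.windows.net:443
"""

LOG_RE = re.compile(r"dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def audit(log_text: str) -> list:
    """Return (host, port, allowed) for every parsable line; lines without a
    dst= field are skipped rather than silently treated as allowed."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, port = m.group("host"), int(m.group("port"))
        results.append((host, port, is_allowed(host, port)))
    return results


def blocked(log_text: str) -> list:
    """Only the denied attempts: the ones to review after enabling isolation."""
    return [(h, p) for h, p, ok in audit(log_text) if not ok]


if __name__ == "__main__":
    for host, port, ok in audit(SAMPLE_LOG):
        print(f"{'ALLOW' if ok else 'DENY ':5} {host}:{port}")
    print("bypass SSL inspection for:", ", ".join(inspection_bypass_patterns()))
```

Two points from the answer that the rules make explicit: `*.manage.microsoft.com` and the apex `manage.microsoft.com` are separate entries because a wildcard does not cover its own apex on most firewalls and proxies, and the wildcard match anchors on the leading dot so a look-alike such as `manage.microsoft.com.attacker.example` is denied. Any host that shows up in `blocked()` after isolation is either a missing dependency to add from the answer's list or traffic the isolation network is correctly stopping.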
