Setting up and managing device configurations using Intune
For devices in the isolation network to reach Intune and receive certificates, allow at least the core Intune and required dependency endpoints through the firewall/proxy.
From the provided endpoints, the key FQDNs and ports to allow are:

- Intune core service / device management
  - *.manage.microsoft.com
  - manage.microsoft.com
  - Ports: TCP 80, 443
  - Note: SSL inspection is not supported on *.manage.microsoft.com and *.dm.microsoft.com.
- Intune Win32 app / content delivery (if using Win32 apps or content)
  - swda01-mscdn.manage.microsoft.com
  - swda02-mscdn.manage.microsoft.com
  - swdb01-mscdn.manage.microsoft.com
  - swdb02-mscdn.manage.microsoft.com
  - swdc01-mscdn.manage.microsoft.com
  - swdc02-mscdn.manage.microsoft.com
  - swdd01-mscdn.manage.microsoft.com
  - swdd02-mscdn.manage.microsoft.com
  - swdin01-mscdn.manage.microsoft.com
  - swdin02-mscdn.manage.microsoft.com
  - Ports: TCP 80, 443
- Authentication and identity (for Entra ID sign-in and device registration)
  - login.microsoftonline.com
  - graph.windows.net
  - enterpriseregistration.windows.net
  - certauth.enterpriseregistration.windows.net
  - Ports: TCP 80, 443
- Other required dependencies commonly used by Intune-managed devices
  - Endpoint discovery: go.microsoft.com (TCP 80, 443)
  - Consumer Microsoft account / device auth (if applicable): account.live.com, login.live.com (TCP 443)
  - Feature deployment dependencies: config.edge.skype.com, ecs.office.com (TCP 443)
  - Organizational messages (if used): fd.api.orgmsg.microsoft.com, ris.prod.api.personalization.ideas.microsoft.com (TCP 443)
- Windows Autopilot and update-related endpoints (if Autopilot or update-based provisioning is involved)
  - Windows Update / content: *.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.prod.do.dsp.mp.microsoft.com, *.delivery.mp.microsoft.com, *.update.microsoft.com, tsfe.trafficshaping.dsp.mp.microsoft.com, adl.windows.com (TCP 80, 443)
  - NTP sync: time.windows.com (UDP 123)
  - WNS dependencies: clientconfig.passport.net, windowsphone.com, *.s-microsoft.com, c.s-microsoft.com (TCP 443)

Additionally, Intune requires unauthenticated proxy access for some tasks to:

- manage.microsoft.com
- *.azureedge.net
- graph.microsoft.com
Ensure these are reachable from the isolation network (no SSL inspection on *.manage.microsoft.com and *.dm.microsoft.com).
For US Government/GCC High/DoD tenants, use the corresponding government endpoints instead (for example manage.microsoft.us instead of manage.microsoft.com) as documented in the US government endpoints article.
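The list above is easy to transcribe wrongly into a proxy or firewall, and wildcard entries are easy to match too loosely. The following Python script is an added example, not code from the page or from Microsoft: it encodes the port-qualified endpoints above as rules, answers whether a given host and port are covered, flags the hosts the page says must be exempt from SSL inspection, and can audit reachability of the exact (non-wildcard) TCP endpoints from inside the isolation network. The category labels, the strict wildcard semantics (a `*.suffix` rule covers only names under the suffix, never the apex itself and never a look-alike such as `evil-manage.microsoft.com`), and the injectable `connect` function are choices made for this example, and the unauthenticated-proxy entries are left out because the page gives no ports for them.

```python
"""Intune egress allow-list model (added example, not the page's own code).

Rules are transcribed from the page's endpoint list; categories are labels
chosen for this example. Wildcards match strictly: "*.x" covers only labels
under x (the dot is part of the suffix), so the apex must be listed on its
own, exactly as the page lists both *.manage.microsoft.com and
manage.microsoft.com.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    pattern: str            # exact FQDN or "*.suffix"
    ports: Tuple[int, ...]
    category: str
    proto: str = "tcp"


def _cdn_rules() -> List[Rule]:
    # The ten swd*-mscdn Win32 content-delivery hosts from the page.
    labels = ("a01", "a02", "b01", "b02", "c01", "c02", "d01", "d02", "in01", "in02")
    return [Rule(f"swd{x}-mscdn.manage.microsoft.com", (80, 443), "win32-cdn") for x in labels]


RULES: List[Rule] = [
    Rule("*.manage.microsoft.com", (80, 443), "intune-core"),
    Rule("manage.microsoft.com", (80, 443), "intune-core"),
    *_cdn_rules(),
    Rule("login.microsoftonline.com", (80, 443), "identity"),
    Rule("graph.windows.net", (80, 443), "identity"),
    Rule("enterpriseregistration.windows.net", (80, 443), "identity"),
    Rule("certauth.enterpriseregistration.windows.net", (80, 443), "identity"),
    Rule("go.microsoft.com", (80, 443), "discovery"),
    Rule("account.live.com", (443,), "msa"),
    Rule("login.live.com", (443,), "msa"),
    Rule("config.edge.skype.com", (443,), "feature-deploy"),
    Rule("ecs.office.com", (443,), "feature-deploy"),
    Rule("fd.api.orgmsg.microsoft.com", (443,), "org-messages"),
    Rule("ris.prod.api.personalization.ideas.microsoft.com", (443,), "org-messages"),
    Rule("*.windowsupdate.com", (80, 443), "windows-update"),
    Rule("*.dl.delivery.mp.microsoft.com", (80, 443), "windows-update"),
    Rule("*.prod.do.dsp.mp.microsoft.com", (80, 443), "windows-update"),
    Rule("*.delivery.mp.microsoft.com", (80, 443), "windows-update"),
    Rule("*.update.microsoft.com", (80, 443), "windows-update"),
    Rule("tsfe.trafficshaping.dsp.mp.microsoft.com", (80, 443), "windows-update"),
    Rule("adl.windows.com", (80, 443), "windows-update"),
    Rule("time.windows.com", (123,), "ntp", proto="udp"),
    Rule("clientconfig.passport.net", (443,), "wns"),
    Rule("windowsphone.com", (443,), "wns"),
    Rule("*.s-microsoft.com", (443,), "wns"),
    Rule("c.s-microsoft.com", (443,), "wns"),
]

# Suffixes the page says must not be subjected to SSL inspection.
NO_SSL_INSPECTION = ("*.manage.microsoft.com", "*.dm.microsoft.com")


def matches(pattern: str, host: str) -> bool:
    """Strict match: '*.x' covers names under x only; exact rules compare whole."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".x" -- the leading dot stays
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def rules_for(host: str) -> List[Rule]:
    return [r for r in RULES if matches(r.pattern, host)]


def is_allowed(host: str, port: int, proto: str = "tcp") -> bool:
    return any(r.proto == proto and port in r.ports for r in rules_for(host))


def ssl_inspection_exempt(host: str) -> bool:
    return any(matches(p, host) for p in NO_SSL_INSPECTION)


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect; only used when audit() runs against the real network."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(connect: Callable[[str, int], bool] = tcp_connect) -> Dict[Tuple[str, int], bool]:
    """Probe each exact-FQDN TCP endpoint; wildcards have no single host to test."""
    results: Dict[Tuple[str, int], bool] = {}
    for r in RULES:
        if r.proto != "tcp" or r.pattern.startswith("*."):
            continue
        for port in r.ports:
            results[(r.pattern, port)] = connect(r.pattern, port)
    return results


def unreachable(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    return sorted(k for k, ok in results.items() if not ok)


if __name__ == "__main__":
    for (host, port), ok in audit().items():
        print(f"{'ok  ' if ok else 'FAIL'} {host}:{port}")
```

Run it from a device on the isolation network to get a pass/fail line per exact endpoint and port; a failure on port 443 for a `*.manage.microsoft.com` host combined with a successful TCP connect usually points at an inspecting proxy rather than a closed port, which is exactly the case the page's SSL-inspection note warns about.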