MC1165051: Plan for change: Update firewall and network settings for new Fully Qualified Domain Names for Windows 365

Microsoft introduces three new wildcard FQDNs (*.windows.cloud.microsoft, *.service.windows.cloud.microsoft, *.windows.static.microsoft) for Windows 365 to simplify endpoints. Update firewall and network settings to allow outbound traffic to these domains by late 2025 to ensure Cloud PC functiona...

To streamline and future-proof endpoint requirements for Windows 365, Microsoft is introducing three new wildcard Fully Qualified Domain Names (FQDNs) essential for service operation:

  • *.windows.cloud.microsoft
  • *.service.windows.cloud.microsoft
  • *.windows.static.microsoft

These new endpoints will reduce complexity, minimize future changes, and consolidate service traffic under unified domains. Existing FQDNs will gradually transition to these new domains as part of Microsoft’s unified domain approach used across Microsoft 365 services.

[When this will happen:]

The new endpoints are available now. The related Azure Network Connection (ANC) health check will begin rolling out in late October 2025 and is expected to complete by mid-November 2025.

[How will this affect your organization?]

You’ll need to update network access rules in your Windows 365 environment to allow traffic to the new endpoints. Ensure that any Proxy, VPN, or Secure Web Gateway configurations permit access to these endpoints, which are required only for outbound traffic from Cloud PCs. For optimal performance, route this traffic directly to Microsoft’s network without interception.

Customers using Azure Network Connection (ANC) should confirm these domains are allowed in firewall rules and not blocked by proxy or Secure Web Gateway policies. The new ANC health check will help identify accessibility issues once it becomes available.

For Microsoft Hosted Network deployments, no underlying network changes are required, but local Cloud PC configurations must not block these domains.

Update your network configurations to ensure the new domains are accessible. These domains are required for service-critical traffic, and if they are not allowed, Cloud PC provisioning or operations may be disrupted. While no direct user impact is expected, inaccessible endpoints can affect Cloud PC functionality.

[What you need to do to prepare]

  • Notify your IT administrators about this change and update any internal guides or documentation to reflect the new requirements.
  • Make the necessary updates to your environment based on the guidance provided above.
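
One way to check an exported allowlist against the three new domains, as an added example that is not part of Microsoft's notice. The rule format (exact hostnames or `*.suffix` patterns) and the `multi_label` switch are assumptions, since whether `*` spans more than one DNS label depends on the firewall or proxy product.

```python
"""Audit an egress allowlist for the three Windows 365 wildcard FQDNs."""

# The three wildcard FQDNs named in the notice.
REQUIRED = (
    "*.windows.cloud.microsoft",
    "*.service.windows.cloud.microsoft",
    "*.windows.static.microsoft",
)


def _suffix(pattern: str) -> str:
    """Normalise '*.Example.COM.' to 'example.com'; return '' for non-wildcard rules."""
    p = pattern.strip().lower().rstrip(".")
    return p[2:] if p.startswith("*.") else ""


def covers(rule: str, required: str, multi_label: bool) -> bool:
    """True if allowlist `rule` is at least as broad as the `required` wildcard."""
    rule_sfx, req_sfx = _suffix(rule), _suffix(required)
    if not rule_sfx or not req_sfx:
        return False  # an exact-host rule can never cover a whole wildcard
    if rule_sfx == req_sfx:
        return True
    # A broader wildcard only covers deeper names if '*' spans several labels
    # (assumption: set multi_label to match how your product evaluates '*').
    return multi_label and req_sfx.endswith("." + rule_sfx)


def audit(allowlist, multi_label=True):
    """Return the required FQDN patterns that no allowlist rule covers."""
    return [req for req in REQUIRED
            if not any(covers(rule, req, multi_label) for rule in allowlist)]


if __name__ == "__main__":
    # Constructed sample export of a proxy allowlist, not real configuration.
    sample = ["*.windows.cloud.microsoft", "windows.static.microsoft", "*.example.com"]
    for mode in (True, False):
        print("multi-label wildcard:", mode, "-> missing:", audit(sample, mode))
```

With single-label wildcard matching, a rule for *.windows.cloud.microsoft does not cover *.service.windows.cloud.microsoft, so the audit reports it as missing unless it is listed separately.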

Additional Information

For detailed documentation, please see: