Merge pull request #108866 from Pavithir/patch-1

Updated URLs needed for whitelisting VM and client

Author: GitHubber17

articles/virtual-desktop/overview.md

@@ -84,22 +84,39 @@ The Azure virtual machines you create for Windows Virtual Desktop must be:
 
 The Azure virtual machines you create for Windows Virtual Desktop must have access to the following URLs:
 
-|Address|Outbound port|Purpose|
-|---|---|---|
-|*.wvd.microsoft.com|TCP port 443|Service traffic|
-|*.blob.core.windows.net|TCP port 443|Agent, SXS stack updates, and Agent traffic|
-|*.core.windows.net|TCP port 443|Agent traffic|
-|*.servicebus.windows.net|TCP port 443|Agent traffic|
-|prod.warmpath.msftcloudes.com|TCP port 443|Agent traffic|
-|catalogartifact.azureedge.net|TCP port 443|Azure Marketplace|
-|kms.core.windows.net|TCP port 1688|Windows 10 activation|
+|Address|Outbound TCP port|Purpose|Service Tag|
+|---|---|---|---|
+|*.wvd.microsoft.com|443|Service traffic|WindowsVirtualDesktop|
+|mrsglobalsteus2prod.blob.core.windows.net|443|Agent and SXS stack updates|AzureCloud|
+|*.core.windows.net|443|Agent traffic|AzureCloud|
+|*.servicebus.windows.net|443|Agent traffic|AzureCloud|
+|prod.warmpath.msftcloudes.com|443|Agent traffic|AzureCloud|
+|catalogartifact.azureedge.net|443|Azure Marketplace|AzureCloud|
+|kms.core.windows.net|1688|Windows activation|Internet|
+
+
 
 >[!IMPORTANT]
 >Opening these URLs is essential for a reliable Windows Virtual Desktop deployment. Blocking access to these URLs is unsupported and will affect service functionality. These URLs only correspond to Windows Virtual Desktop sites and resources, and don't include URLs for other services like Azure Active Directory.
 
+The following table lists optional URLs that your Azure virtual machines can have access to:
+
+|Address|Outbound TCP port|Purpose|Service Tag|
+|---|---|---|---|
+|*.microsoftonline.com|443|Authentication to MS Online Services|None|
+|*.events.data.microsoft.com|443|Telemetry Service|None|
+|www.msftconnecttest.com|443|Detects if the OS is connected to the internet|None|
+|*.prod.do.dsp.mp.microsoft.com|443|Windows Update|None|
+|login.windows.net|443|Login to MS Online Services, Office 365|None|
+|*.sfx.ms|443|Updates for OneDrive client software|None|
+|*.digicert.com|443|Certificate revocation check|None|
+
+
 >[!NOTE]
 >Windows Virtual Desktop currently doesn't have a list of IP address ranges that you can whitelist to allow network traffic. We only support whitelisting specific URLs at this time.
 >
+>For a list of Office-related URLs, including required Azure Active Directory-related URLs, see [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges).
+>
 >You must use the wildcard character (*) for URLs involving service traffic. If you prefer to not use * for agent-related traffic, here's how to find the URLs without wildcards:
 >
 >1. Register your virtual machines to the Windows Virtual Desktop host pool.
@@ -132,15 +149,15 @@ The following Remote Desktop clients support Windows Virtual Desktop:
 
 The Remote Desktop clients must have access to the following URLs:
 
-|Address|Outbound port|Purpose|Client(s)|
+|Address|Outbound TCP port|Purpose|Client(s)|
 |---|---|---|---|
-|*.wvd.microsoft.com|TCP port 443|Service traffic|All|
-|*.servicebus.windows.net|TCP port 443|Troubleshooting data|All|
-|go.microsoft.com|TCP port 443|Microsoft FWLinks|All|
-|aka.ms|TCP port 443|Microsoft URL shortener|All|
-|docs.microsoft.com|TCP port 443|Documentation|All|
-|privacy.microsoft.com|TCP port 443|Privacy statement|All|
-|query.prod.cms.rt.microsoft.com|TCP port 443|Client updates|Windows Desktop|
+|*.wvd.microsoft.com|443|Service traffic|All|
+|*.servicebus.windows.net|443|Troubleshooting data|All|
+|go.microsoft.com|443|Microsoft FWLinks|All|
+|aka.ms|443|Microsoft URL shortener|All|
+|docs.microsoft.com|443|Documentation|All|
+|privacy.microsoft.com|443|Privacy statement|All|
+|query.prod.cms.rt.microsoft.com|443|Client updates|Windows Desktop|
 
 >[!IMPORTANT]
 >Opening these URLs is essential for a reliable client experience. Blocking access to these URLs is unsupported and will affect service functionality. These URLs only correspond to the client sites and resources, and don't include URLs for other services like Azure Active Directory.