Aren't we chatty today, Windows 11

March 10, 2023

Continuing my work from the Web Browser telemetry article two years ago (which I plan to update, just to see what difference time makes to telemetry data), I decided to make a log of all network connections a standard install of Windows 11 Pro (for ARM, 22H2, OS build 22621.1344) makes.

The methodology is the same: a standard setup without changing any of the default settings (the Privacy ones, for example). The test device is a MacBook M1 laptop with Parallels Desktop, a clean user profile, all network connections blocked, application-level network connection whitelisting and only Little Snitch installed. So it’s actually Little Snitch that does all the heavy lifting. Network traffic is routed through a VPN in Finland.

That’s 66 unique network connections to different hosts/domains for a clean install. Some are understandable, like the Windows Update CDN; others, like graph.microsoft.com and watson.events.data.microsoft.com, are just the thing that would define Windows 11 as spyware. Definitely “more spyware” than DPRK’s Red Star OS.

  • config.edge.skype.com on TCP port 443 - Microsoft Skype
  • ctldl.windowsupdate.com on TCP port 80 - Windows Update
  • www.msftconnecttest.com on TCP port 80 - Network Connection (NCSI)
  • settings-win.data.microsoft.com on TCP port 443 - Used for Windows apps to dynamically update their configuration
  • msedge.api.cdp.microsoft.com on TCP port 443 - Microsoft Edge
  • msedge.f.tlu.dl.delivery.mp.microsoft.com on TCP port 80 - Microsoft Store
  • fs.microsoft.com on TCP port 443 - Used to download fonts on demand
  • 239.255.255.250 on UDP port 1900
  • cacerts.digicert.com on TCP port 80 - CRL and OCSP checks to the issuing certificate authorities
  • sdx.microsoft.com on TCP port 443
  • login.live.com on TCP port 443 - Microsoft Account
  • nav.smartscreen.microsoft.com on TCP port 443 - Windows Defender Smartscreen
  • smartscreen-prod.microsoft.com on TCP port 443 - Windows Defender
  • slscr.update.microsoft.com on TCP port 443 - Windows Update, Microsoft Update, and the online services of Microsoft Store
  • ocsp.digicert.com on TCP port 80 - CRL and OCSP checks to the issuing certificate authorities
  • crl3.digicert.com on TCP port 80 - CRL and OCSP checks to the issuing certificate authorities
  • fe2cr.update.microsoft.com on TCP port 443 - Windows Update, Microsoft Update, and the online services of Microsoft Store
  • geo.prod.do.dsp.mp.microsoft.com on TCP port 443 - Windows Update
  • go.microsoft.com on TCP port 443 - Windows Defender
  • statics.teams.cdn.office.net on TCP port 443 - Microsoft Teams
  • download.windowsupdate.com on TCP port 80 - Windows Update
  • kv501.prod.do.dsp.mp.microsoft.com on TCP port 443 - Windows Update
  • fe3cr.delivery.mp.microsoft.com on TCP port 443 - Microsoft Store
  • cp501.prod.do.dsp.mp.microsoft.com on TCP port 443 - Windows Update
  • go.microsoft.com on TCP port 80 - Windows Defender
  • geover.prod.do.dsp.mp.microsoft.com on TCP port 443 - Windows Update
  • licensing.mp.microsoft.com on TCP port 443 - Used for online activation and some app licensing
  • ztd.dds.microsoft.com on TCP port 443
  • client.wns.windows.com on TCP port 443 - Used for the Windows Push Notification Services (WNS)
  • dmd.metaservices.microsoft.com on TCP port 80 - Used to retrieve device metadata
  • config.teams.microsoft.com on TCP port 443 - Microsoft Teams
  • teams.events.data.microsoft.com on TCP port 443 - Microsoft Teams
  • statics.teams.cdn.live.net on TCP port 443 - Microsoft Teams
  • edge-consumer-static.azureedge.net on TCP port 443
  • dl.delivery.mp.microsoft.com on TCP port 80 - Microsoft Store
  • msedge.b.tlu.dl.delivery.mp.microsoft.com on TCP port 80 - Microsoft Store
  • edge.microsoft.com on TCP port 443
  • account.live.com on TCP port 443
  • acctcdn.msauth.net on TCP port 443
  • browser.events.data.microsoft.com on TCP port 443
  • login.live.com on TCP port 443 - Microsoft Account
  • logincdn.msftauth.net on TCP port 443 - Microsoft OneDrive
  • v10.events.data.microsoft.com on TCP port 443 - Diagnostic Data
  • inference.location.live.net on TCP port 443 - Used for location data
  • v20.events.data.microsoft.com on TCP port 443
  • fd.api.iris.microsoft.com on TCP port 443
  • www.bing.com on TCP port 443 - Cortana, apps, and Live Tiles
  • onedscolprduks05.uksouth.cloudapp.azure.com on TCP port 443 - Azure
  • r.bing.com on TCP port 443 - Cortana, apps, and Live Tiles
  • th.bing.com on TCP port 443 - Cortana, apps, and Live Tiles
  • teams.live.com on TCP port 443 - Microsoft Teams
  • assets.msn.com on TCP port 443 - Windows Spotlight
  • edgeassetservice.azureedge.net on TCP port 443
  • arc.msn.com on TCP port 443 - Windows Spotlight
  • g.live.com on TCP port 443 - Microsoft OneDrive
  • officeclient.microsoft.com on TCP port 443 - Microsoft Office
  • oneclient.sfx.ms on TCP port 443 - Used by OneDrive for Business to download and verify app updates
  • maps.windows.com on TCP port 443 - Maps application
  • watson.events.data.microsoft.com on TCP port 443 - Diagnostic Data
  • www.microsoft.com on TCP port 80
  • self.events.data.microsoft.com on TCP port 443 - Microsoft Office
  • graph.microsoft.com on TCP port 443
  • ris.api.iris.microsoft.com on TCP port 443 - Used to retrieve Windows Spotlight metadata
  • fp.msedge.net on TCP port 443 - Microsoft OfficeHub
  • windows.msn.com on TCP port 443 - Windows Spotlight
  • nav-edge.smartscreen.microsoft.com on TCP port 443

Yeah …
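
An added example, not part of the original article: a small Python parser for the list format above that collapses a capture into unique endpoints, flags cleartext (port 80) and unexplained destinations, and diffs two captures, which is what a later re-run of this test would need. The `LATER` capture and the host `new-endpoint.example` are constructed for illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "host proto port purpose")
# Matches the article's list format: "<host> on <TCP|UDP> port <n>[ - <purpose>]"
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<host>\S+) on (?P<proto>TCP|UDP) port (?P<port>\d+)"
    r"(?:\s*-\s*(?P<purpose>.+?))?\s*$"
)

def parse(text):
    """Return one Entry per well-formed list line; anything else is skipped."""
    found = (LINE_RE.match(line) for line in text.splitlines())
    return [Entry(m["host"].lower(), m["proto"], int(m["port"]),
                  (m["purpose"] or "").strip()) for m in found if m]

def summarize(entries):
    """Split a capture into the buckets a reviewer looks at first."""
    return {
        "endpoints": {(e.host, e.proto, e.port) for e in entries},
        "hosts": {e.host for e in entries},
        "cleartext": sorted({e.host for e in entries if e.port == 80}),
        "unexplained": sorted({e.host for e in entries if not e.purpose}),
    }

def diff(baseline, later):
    """Endpoints that appeared or disappeared between two captures."""
    old, new = summarize(baseline)["endpoints"], summarize(later)["endpoints"]
    return sorted(new - old), sorted(old - new)

# BASELINE: a few lines copied from the list above.
# LATER: a constructed second capture; new-endpoint.example is a placeholder.
BASELINE = """\
  • ctldl.windowsupdate.com on TCP port 80 - Windows Update
  • 239.255.255.250 on UDP port 1900
  • login.live.com on TCP port 443 - Microsoft Account
  • fe2cr.update.microsoft.com on TCP port 443- Windows Update, Microsoft Update, and the online services of Microsoft Store
  • go.microsoft.com on TCP port 443 - Windows Defender
  • go.microsoft.com on TCP port 80 - Windows Defender
  • login.live.com on TCP port 443 - Microsoft Account
  • graph.microsoft.com on TCP port 443
"""
LATER = BASELINE.replace("graph.microsoft.com", "new-endpoint.example")

if __name__ == "__main__":
    print(summarize(parse(BASELINE)), diff(parse(BASELINE), parse(LATER)), sep="\n")
```

Pasting the full list into `BASELINE` gives the same buckets for the whole capture; repeated lines such as login.live.com collapse into one endpoint, while go.microsoft.com stays as two because the ports differ.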