Forum Discussion
BITS Downloading App updates from unknown endpoint
I found this - which appears to be a list of all the endpoints Windows 10 20H2 talks to ..
https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints
But if you read how they got this list, you realise Microsoft don't actually know all the endpoints they use - this was just someone in MS with a network scanner.
J.
<--
The following methodology was used to derive these network endpoints:
- Set up the latest version of Windows 10 on a test virtual machine using the default settings.
- Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
- Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
- Compile reports on traffic going to public IP addresses.
- The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
- All traffic was captured in our lab using an IPv4 network. Therefore, no IPv6 traffic is reported here.
- These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
- These tests were conducted for one week, but if you capture traffic for longer you may have different results.
-->
JasonC2021 Thanks for checking this out. It appears that article does not contain any of the endpoints we are seeing, although it is dated. Unfortunate that they do not keep a complete list of contacted endpoints.
Have you noticed any further strange activity stemming from your devices since this started happening?
A bit worrying that I have not seen any further mention of these endpoints online
RA_Howtwo2012, Feb 17, 2023, Copper Contributor
Maximilian Demajo We are seeing IPS triggered due to a "virus" coming from one of these CDNs. Only a certain number of devices, random, and they are blocked from downloading a 3D Viewer app update that doesn't appear listed on the apps page (that version). I'm concerned this is similar to a SolarWinds-style attack and can't believe Microsoft would allow it. These should be pushed updates; everything is turned off for auto, well, anything, and Delivery Opt. is off as well.
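For anyone else trying to work out which endpoints BITS is actually pulling from on an affected machine, the following is an added example (not code from anyone in this thread or from Microsoft). It lists the remote URL of every live BITS job via Get-BitsTransfer and, for jobs that have already finished, reads Event ID 59 from the BITS-Client operational log, then flags any host not on an allowlist. The allowlist entries are placeholders to be filled from the Microsoft endpoint article linked above and your own baseline; the event data field name 'url' is assumed from the event's XML and should be checked against an actual event on your host.

```powershell
# Added example: audit the remote endpoints BITS is downloading from.
# Assumptions: run elevated so -AllUsers sees jobs owned by SYSTEM and other
# users; the allowlist below is a constructed placeholder, not a complete list.
$KnownHostPatterns = @(
    '*.windowsupdate.com',          # placeholder, fill from the Microsoft endpoint list
    '*.delivery.mp.microsoft.com',  # placeholder
    '*.update.microsoft.com'        # placeholder
)

function Test-KnownHost {
    param([string]$HostName)
    foreach ($pattern in $KnownHostPatterns) {
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

# Live jobs: each job carries a FileList whose RemoteName is the source URL.
$liveJobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $job = $_
    foreach ($file in $job.FileList) {
        $uri = [uri]$file.RemoteName
        [pscustomobject]@{
            Source     = 'Live job'
            When       = $job.CreationTime
            JobName    = $job.DisplayName
            State      = $job.JobState
            Owner      = $job.OwnerAccount
            RemoteHost = $uri.Host
            Url        = $file.RemoteName
            Known      = Test-KnownHost $uri.Host
        }
    }
}

# Historical jobs: Event 59 is logged when a transfer starts and includes the URL,
# so jobs that completed (or were blocked mid-download) still appear here.
$historicJobs = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'
    Id      = 59
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 'url' and 'name' are the EventData field names assumed for Event 59;
    # verify against (Get-WinEvent ...).ToXml() on your own host.
    if ($data['url']) {
        $uri = [uri]$data['url']
        [pscustomobject]@{
            Source     = 'Event 59'
            When       = $_.TimeCreated
            JobName    = $data['name']
            State      = 'Started'
            Owner      = $_.UserId
            RemoteHost = $uri.Host
            Url        = $data['url']
            Known      = Test-KnownHost $uri.Host
        }
    }
}

$all = @($liveJobs) + @($historicJobs)

# Everything not matching the allowlist is what you take to the IPS logs and
# compare against the endpoints the rest of the thread is seeing.
$all | Where-Object { -not $_.Known } |
    Sort-Object When -Descending |
    Format-Table When, Source, JobName, Owner, RemoteHost, Url -AutoSize

# Summary of distinct unknown hosts, handy for comparing notes across devices.
$all | Where-Object { -not $_.Known } |
    Group-Object RemoteHost |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

The live-job view shows what is in flight right now; the Event 59 view is what matters for the intermittent behaviour described above, since a job that was blocked by the IPS may already be gone from Get-BitsTransfer by the time anyone looks.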