NCSI Change Notification
Published Jul 05 2023 03:21 PM 11.5K Views
Microsoft

James Kehr from the Windows networking support team here with a public notification. 

 

There is a service in Windows called the Network Connectivity Status Indicator, or NCSI for short. Please do not mistake this for NCIS (Naval Criminal Investigative Service). 

 

NCSI is the Windows operating system service that determines whether your computer is connected to the Internet, or whether you need to sign into a captive portal to access a wireless network to reach the Internet. This is a captive portal example care of Wiki Commons. 

 

JamesKehr_0-1688595534566.png

 

NCIS is an American TV show that may be broadcast in your area of the world. It is also an actual, real-life service of the US Department of the Navy. Seriously, they even have a cool looking official shield. 

 

JamesKehr_1-1688595534573.jpeg

 

Now on to the point of this article. 

 

NCSI determines Internet connectivity by performing a DNS lookup and downloading a tiny text file from a website. This is called the NCSI active probe. For Windows 10/11 and Windows Server 2022 these websites are: 

 

http://www.msftconnecttest.com/connecttest.txt 

http://ipv6.msftconnecttest.com/connecttest.txt 

 

For older versions of Windows, the sites are: 

 

http://www.msftncsi.com/ncsi.txt 

http://ipv6.msftncsi.com/ncsi.txt 

 

The lack of HTTPS is on purpose. It saves the time, bandwidth, and energy needed to encrypt a plain text file that says, "Microsoft Connect Test" or " Microsoft NCSI" respectively. NCSI determines that you are Internet connected when it can resolve a special public DNS record and read the corresponding text file. 

 

The important change happened with the IPv4 address for www.msftconnecttest.com. 

 

DNS for this site used to resolve to a single IPv4 address, 13.107.4.52. That is until June 20, 2023. Microsoft no longer uses a single IP address for any active probe URL, nor do we guarantee any specific set of IP addresses that the NCSI active probe will use. 

 

Network security devices, like firewalls, that depended on the NCSI active probe using a single IPv4 address for security rules must now use URL Filtering. This is a firewall rule containing a URL rather than an IP address or address range. 

 

More details about this, and NCSI in general, can be found at these two links. 

 

https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-overview 

https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions 

 

8 Comments
Co-Authors
Version history
Last update:
‎Jul 05 2023 03:21 PM
Updated by: