Sign in Subscribe
3 min read Windows 365

The Ultimate Windows 365 Network Validation Script

Dan Bowker

by Dan Bowker

The Ultimate Windows 365 Network Validation Script

Network connectivity is one of the most common reasons a Windows 365 deployment doesn't go to plan. Provisioning fails, health checks turn red, or users connect but the experience is incosistent.

In most cases, a firewall or proxy is blocking something it shouldn't be. The challenge is that Microsoft's network requirements are spread across four different documentation pages, covering Windows 365, Azure Virtual Desktop session hosts, end user devices, and Intune. There is no single place to validate everything at once, and manually working through each table row by row is slow and where things inevitably slip through the cracks.

I've built a free, open-source PowerShell script to handle that for you.

Credit to Shannon Fritz whose original gist inspired the approach and structure behind this.

What It Does

Test-W365NetworkHealth tests connectivity to every required endpoint across all four Microsoft documentation sources:

  • Windows 365 service endpoints (provisioning, IoT hubs, registration)
  • AVD session host endpoints (required and optional)
  • End user device / client endpoints
  • Intune and Windows Autopilot endpoints

It runs in one of two modes:

  • Mode 1 – Cloud PC / Host Network: Run this directly on the Cloud PC or a VM in the same Azure VNet. Tests everything the Cloud PC needs to reach.
  • Mode 2 – Client Device Network: Run this on the physical device used to connect to the Cloud PC. Tests what the end user's machine needs.
  • Mode 3 – Both: Runs all tests in sequence.

Results are colour-coded in the console and you can export to CSV for documentation or ticketing.

What Gets Tested

The script handles four types of entries:

[ OK ] — TCP connection succeeded
[FAIL] — TCP connection blocked or timed out
[SKIP] — Wildcard endpoint (e.g. *.wvd.microsoft.com) — cannot be TCP tested; flagged for manual DNS verification
[INFO] — UDP or IP range entry (e.g. 51.5.0.0/16 UDP/3478 for RDP Shortpath) — flagged for firewall/NSG verification

At the end, the script produces a full summary listing every failure, every wildcard, and every UDP/IP range entry that needs manual attention.

A Note on Intune Endpoints

One thing worth calling out specifically: Microsoft's documentation includes a caution that the previously available PowerShell scripts for retrieving Intune endpoint IP addresses and FQDNs no longer return accurate data from the Office 365 Endpoint API. That API is deprecated for this purpose.

💡
This script uses the static consolidated list from the Microsoft Intune documentation instead, which is the correct approach. If you're using older scripts that query endpoints.office.com for Intune FQDNs, you should stop — they'll give you an incomplete and potentially inaccurate picture.

Running the Script

From a PowerShell 7 prompt (simplest — recommended for Cloud PCs):

irm https://bowker.cloud/w365check | iex

From a CMD prompt or Run dialog:

pwsh -ExecutionPolicy Bypass -Command "irm https://bowker.cloud/w365check | iex"

From Windows PowerShell 5.1:

powershell -ExecutionPolicy Bypass -Command "irm https://bowker.cloud/w365check | iex"

Run locally with a specific mode:

.\Test-W365NetworkHealth.ps1 -Mode 1
.\Test-W365NetworkHealth.ps1 -Mode 2 -OutputPath C:\Temp\results.csv
.\Test-W365NetworkHealth.ps1 -Mode 3 -EndpointsCSV .\Endpoints.csv

The Endpoints CSV

The script loads its endpoint list from a companion Endpoints.csv file, which is hosted in the same GitHub repository. When run via irm | iex, it downloads the CSV automatically. If that fails, it falls back to a built-in default list.

The CSV is the source of truth - all 134 entries are structured with category, endpoint, port, protocol, test mode, wildcard notes, and a direct reference link back to the relevant Microsoft documentation page. If Microsoft update their requirements, the CSV can be updated independently of the script.

What's Covered

The endpoint list is built directly from these four Microsoft documentation sources:

That includes the Azure Certificate Authority endpoints for closed networks, all Windows Autopilot dependencies, every IoT hub region, and the full set of Intune Win32 app CDN nodes.

Get It

Everything is available on GitHub:

https://github.com/bowkercloud/windows365

The repo contains the script and the CSV. Raise an issue if you spot something missing or if Microsoft update their documentation and something needs adding. Happy troubleshooting!

Subscribe to my newsletter.

Become a subscriber receive the latest updates in your inbox.

You might also like

Nov 21
Windows 365 User Experience Sync – Profile persistence for Frontline Shared and Cloud Apps

Windows 365 User Experience Sync – Profile persistence for Frontline Shared and Cloud Apps

Microsoft has launched User Experience Sync for Windows 365 Frontline Shared and Cloud Apps. I was involved in the private
8 min read
Nov 18
A First Look at Windows Cloud IO Keyboard Input Protection

A First Look at Windows Cloud IO Keyboard Input Protection

As organisations continue adopting Windows 365 and Azure Virtual Desktop, the conversation around security has shifted from the data centre
4 min read
Nov 18
Hands On With AI-Enabled Windows 365 Cloud PCs

Hands On With AI-Enabled Windows 365 Cloud PCs

Microsoft is bringing next-generation AI capabilities from Copilot+ PCs into Windows 365. As part of the private preview, I have
6 min read
Sep 29
Windows 10 End of Support: What the Extended Security Updates (ESU) Program Means for Your Organisation

Windows 10 End of Support: What the Extended Security Updates (ESU) Program Means for Your Organisation

Microsoft will officially end support for Windows 10 on 14 October 2025 (with the exception of certain LTSC editions). After
3 min read
Sep 20
From Legacy to Cloud PCs: Why the DaaS Market Shift Is No Longer a Future Prediction

From Legacy to Cloud PCs: Why the DaaS Market Shift Is No Longer a Future Prediction

In July, I had the chance to speak with The Register's Richard Speed about the challenges many organizations
4 min read