NCSI Change Notification

James Kehr from the Windows networking support team here with a public notification.

There is a service in Windows called the Connectivity Status Indicator, or NCSI for short. Please do not mistake this for NCIS (Naval Criminal Investigative Service).

NCSI is the Windows operating system service that determines whether your computer is connected to the Internet, or whether you need to sign into a captive portal to access a wireless to reach the Internet. This is a captive portal example care of Wiki Commons.

JamesKehr_0-1688595534566.png

NCIS is an American TV show that may be broadcast in your area of the world. It is also an actual, real-life service of the US Department of the Navy. Seriously, they even have a cool looking official shield.

JamesKehr_1-1688595534573.jpeg

Now on to the point of this article.

NCSI determines Internet connectivity by performing a DNS lookup and downloading a tiny text file from a website. This is called the NCSI active probe. For Windows 10/11 and 2022 these websites are:

http://www.msftconnecttest.com/connecttest.txt

http://ipv6.msftconnecttest.com/connecttest.txt

For older versions of Windows, the sites are:

http://www.msftncsi.com/ncsi.txt

http://ipv6.msftncsi.com/ncsi.txt

The lack of HTTPS is on purpose. It saves the time, bandwidth, and energy needed to a plain text file that says, “Microsoft Connect Test” or ” Microsoft NCSI” respectively. NCSI determines that you are Internet connected when it can resolve a special public record and read the corresponding text file.

The important change happened with the IPv4 address for www.msftconnecttest.com.

for this site used to resolve to a single IPv4 address, 13.107.4.52. That is until June 20, 2023. Microsoft no longer uses a single IP address for any active probe URL, nor do we guarantee any specific set of IP addresses that the NCSI active probe will use.

security devices, like firewalls, that depended on the NCSI active probe using a single IPv4 address for security rules must now use URL Filtering. This is a rule containing a URL rather than an IP address or address range.

More details about this, and NCSI in general, can be found at these two links.

https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-overview

https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions

 

This article was originally published by Microsoft's Windows Security Blog. You can find the original article here.