Optimizing your Windows 365 experience: A deep dive into connectivity options
Running a Cloud PC is one thing. Making sure the connection to it is a good one is another. In this post, we will explore how Windows 365 establishes connectivity, the different transport options it uses, and how to optimize for the best possible experience.
Windows 365 Connectivity: The Basics
When you connect to a Windows 365 Cloud PC, your device needs to establish a connection to the virtual machine running in Microsoft’s datacenters. This connection is critical for performance, responsiveness, and overall user experience. Various factors can influence the quality of this connection, including network configuration, firewall rules, and the presence of NAT (Network Address Translation). Let’s have a look at the different connection types and how Windows 365 handles them.
STUN vs TURN vs TCP: Connection Comparison
| Aspect | STUN (Direct UDP) | TURN (Relayed UDP) | TCP (Reverse Connect) |
|---|---|---|---|
| Transport | UDP | UDP | TCP |
| Connection type | Direct peer-to-peer | Relayed via Microsoft TURN servers | Relayed via Microsoft gateways |
| Latency | Lowest | Low-medium | Highest |
| Bandwidth efficiency | Excellent | Good | Limited |
| Reliability | Depends on NAT/firewall | Very high | Extremely high |
| Works behind strict firewalls | Sometimes | Yes | Yes |
| Requires UDP allowed | Yes | Yes | No |
| Uses ICE | Yes | Yes | No |
| Typical scenario | Home networks, open internet | Corporate networks with NAT | Locked-down or guest networks |
| User experience | Best possible | Very good | Acceptable but degraded |
This table summarizes how Windows 365 evaluates and selects the optimal transport. The goal is always STUN first, TURN when needed, and TCP only as a last resort.
Which connection should you aim for?
- Aim for STUN (Direct UDP) whenever possible. This gives you the lowest latency and best overall user experience.
- TURN (Relayed UDP) is a fully acceptable and supported outcome on corporate networks. Performance is still very good.
- TCP fallback should be treated as a warning sign. It works everywhere, but if users frequently land here, it is worth investigating firewall and network restrictions.
In short: if you see UDP, you are on the right path. (Get it, get it? UDP path? No? Moving on…)
One of the most common questions I get when discussing Windows 365 is:
“Why does my Cloud PC feel great at home, but slow on hotel Wi-Fi or a corporate network?”
The short answer: network paths matter.
Windows 365 is built on top of modern Remote Desktop Protocol (RDP) transports that automatically try to find the best possible connection between your endpoint and your Cloud PC. This post explains how that works, what all those networking acronyms mean, and, most importantly, what you can do to optimize the experience.
Connection options explored
OK, let’s break down the different connection types and how Windows 365 uses them.
1. The Default Connection: TCP and Reverse Connect
Every Windows 365 session always starts the same way: with a TCP connection using reverse connect. This design has a very deliberate goal - it must work everywhere.
What is reverse connect?
Instead of requiring inbound connections to your Cloud PC, the Cloud PC establishes an outbound connection to Microsoft-managed gateways. Your client connects to those same gateways, and RDP traffic is tunneled between them.
Why this matters
- ✅ No inbound firewall rules required
- ✅ Works on almost every network
- ✅ Predictable and secure
- ⚠️ Higher latency
- ⚠️ Less efficient for real-time interaction
This TCP path is reliable, but it is not optimized for interactive workloads like video, audio, or rapid UI updates.
Think of TCP reverse connect as the safe default: not the fastest, but always available.
2. RDP Shortpath: Smarter Transport for Better Performance
To improve the user experience, Windows 365 introduces RDP Shortpath. Shortpath does not replace TCP; it enhances it.
What RDP Shortpath does
- ✅ Adds a UDP-based transport alongside TCP
- ✅ Reduces latency and jitter
- ✅ Improves bandwidth utilization
- ✅ Keeps TCP as a safety net
RDP Shortpath is enabled by default and should generally stay that way. When available, it dramatically improves responsiveness.
3. How Windows 365 Chooses a Path: ICE
At the heart of modern Windows 365 connectivity is ICE (Interactive Connectivity Establishment).
ICE is a standard mechanism used to find the best possible network path between two endpoints that may be behind NATs or firewalls.
In simple terms, ICE:
- ➡️ Gathers all possible connection options (called candidates)
- ➡️ Tests them
- ➡️ Selects the best working path
Windows 365 uses ICE to automatically decide whether it can use (in this order):
- Direct UDP
- Relayed UDP
- TCP fallback
This happens every time you connect.
4. STUN: Direct UDP (Best Case Scenario)
What is STUN?
STUN (Session Traversal Utilities for NAT) allows a device to discover how it appears on the public internet when it is behind a NAT.
You see STUN, for example, in VoIP deployments, where it is used to enable direct UDP connectivity between endpoints. In Windows 365, STUN is used the same way: to enable direct UDP connectivity between your client and your Cloud PC.
STUN connection flow
Why STUN is ideal
- ➡️ Lowest latency
- ➡️ No relay hop
- ➡️ Best performance
When STUN fails
- ❌ Symmetric NATs
- ❌ Strict firewalls
- ❌ Blocked UDP
If STUN fails, Windows 365 automatically moves on to the next option with no user action required.
5. TURN: Relayed UDP (Reliable and Predictable)
What is TURN?
TURN (Traversal Using Relays around NAT) acts as a fallback when direct UDP is not possible.
Instead of connecting directly, traffic is relayed through Microsoft-managed TURN servers, still using UDP.
TURN connection flow
Why TURN matters
- ➡️ Works behind restrictive NATs
- ➡️ Uses known IP ranges and ports
- ➡️ Still far better than TCP
6. TCP Fallback: The Last Resort
If all UDP paths fail, Windows 365 falls back to the original TCP reverse connect transport.
Typical scenarios:
- ➡️ Guest Wi-Fi networks
- ➡️ Very restrictive corporate firewalls
- ➡️ Deep packet inspection environments
This guarantees connectivity, but with higher latency and lower responsiveness.
7. Seeing the Active Connection Type
One of the most underrated troubleshooting features is built right into the client.
How to check
- Open a Windows 365 session.
- Open Connection Information in the Remote Desktop client.
- Look for:
  - Transport type (TCP or UDP)
  - Shortpath status
  - STUN or TURN usage
This immediately tells you why a session feels the way it does.
8. Optimizing Windows 365 Connectivity
Now that we’ve seen all the different connection types, let’s talk about how to optimize for the best possible experience.
Network best practices
There are some best practices to follow when it comes to network configuration for Windows 365:
- ✅ Allow outbound UDP 3478
- ✅ Avoid SSL inspection on RDP traffic
- ✅ Follow Microsoft 365 network connectivity principles
Configuration guidance
To ensure the best experience for your users, consider:
- ✅ Keep RDP Shortpath enabled
- ✅ Keep TURN enabled
- ✅ Use centralized configuration via Intune where possible
Test from the user’s perspective
In the end, it’s the end user’s experience that matters the most. Always validate connectivity and performance from the user’s perspective, not just from the datacenter.
So, always validate from:
- ➡️ Home networks
- ➡️ Corporate offices
- ➡️ Public Wi-Fi
What works in the datacenter does not always work for end users.
9. Key Takeaways
- TCP reverse connect is the baseline
- RDP Shortpath adds performance
- STUN equals best experience
- TURN equals reliable fallback
- TCP equals last resort
- Visibility and UDP are key
Windows 365 connectivity is not magic; it is smart, adaptive networking. Understanding it makes troubleshooting and optimization much easier.
TL;DR
Windows 365 Cloud PCs always start with a TCP-based reverse connect path that works everywhere, but is not always fast. To improve performance, Windows 365 uses RDP Shortpath, which adds UDP-based connectivity. Using ICE, the platform automatically tries:
- Direct UDP via STUN (best performance)
- Relayed UDP via TURN (very reliable, slightly higher latency)
- TCP fallback (last resort, works everywhere)
You can see which path is in use directly in the Remote Desktop client. Keeping UDP, STUN, and TURN enabled is the single most important optimization you can make.
Further Reading
- Microsoft Learn - RDP Shortpath for Windows 365: https://learn.microsoft.com/windows-365/enterprise/rdp-shortpath-public-networks
- Configure RDP Shortpath options: https://learn.microsoft.com/windows-365/enterprise/rdp-option-configuration
- Relayed RDP Shortpath announcement: https://techcommunity.microsoft.com/blog/windows-itpro-blog/relayed-rdp-shortpath-for-public-networks-now-available/4249502
- STUN and TURN deep dive: https://kempeneers.eu/2025/02/02/rdp-shortpath-over-public-internet-stun-and-turn-explained/