Forum Discussion
Rubenfrreis
Jan 22, 2021 | Copper Contributor
Defender signals in AD servers hosted in Azure AD
Hi all,
If we onboard a Windows Active Directory server or another server running in an Azure VM, do the signals that the endpoint (VM) sends to the Defender for Endpoint URLs in the cloud go out through the Internet, or does the connection remain inside Microsoft datacenters?
Is it necessary to open the following URLs and ports?
Service | Description | URL
--- | --- | ---
Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS) | Used by Microsoft Defender Antivirus to provide cloud-delivered protection | *.wdcp.microsoft.com, *.wdcpalt.microsoft.com, *.wd.microsoft.com
Microsoft Update Service (MU) / Windows Update Service (WU) | Security intelligence and product updates | *.update.microsoft.com, *.delivery.mp.microsoft.com, *.windowsupdate.com (for details see Connection endpoints for Windows Update)
Security intelligence updates Alternate Download Location (ADL) | Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind) | *.download.microsoft.com, *.download.windowsupdate.com, https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx
Malware submission storage | Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net, ussus1westprod.blob.core.windows.net, usseu1northprod.blob.core.windows.net, usseu1westprod.blob.core.windows.net, ussuk1southprod.blob.core.windows.net, ussuk1westprod.blob.core.windows.net, ussas1eastprod.blob.core.windows.net, ussas1southeastprod.blob.core.windows.net, ussau1eastprod.blob.core.windows.net, ussau1southeastprod.blob.core.windows.net
Certificate Revocation List (CRL) | Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/, http://www.microsoft.com/pkiops/certs, http://crl.microsoft.com/pki/crl/products, http://www.microsoft.com/pki/certs
Symbol Store | Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols
Universal Telemetry Client | Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP port 443) to download manifests and upload diagnostic data to Microsoft via the following DNS endpoints: vortex-win.data.microsoft.com, settings-win.data.microsoft.com
1 Reply
- Thijs Lecomte | Bronze Contributor
A VM needs access to these URLs, whether it is in Azure or not.
So if you block internet access at the NSG level, your machine will not report properly.
You need to create whitelisting on the NSG or your firewall.
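A practical way to confirm that the NSG or firewall allow rules actually cover the endpoints listed in the question is to test them from inside the VM. The script below is an added example, not code from the original thread or from Microsoft; it checks DNS resolution and TCP reachability for the concrete (non-wildcard) hosts in the table and skips the wildcard entries, since picking a specific host under *.wdcp.microsoft.com or similar would be an assumption.

```powershell
# Added example: run on the Azure VM to verify outbound reachability of the
# Defender endpoints from the table above. Wildcard entries are deliberately
# left out; add concrete host names for them once you know which ones apply.
$Endpoints = @(
    @{ Host = 'fe3cr.delivery.mp.microsoft.com';      Port = 443; Service = 'Security intelligence ADL' },
    @{ Host = 'ussus1eastprod.blob.core.windows.net'; Port = 443; Service = 'Malware submission storage' },
    @{ Host = 'crl.microsoft.com';                    Port = 80;  Service = 'CRL' },
    @{ Host = 'www.microsoft.com';                    Port = 80;  Service = 'CRL / certificates' },
    @{ Host = 'msdl.microsoft.com';                   Port = 443; Service = 'Symbol Store' },
    @{ Host = 'vortex-win.data.microsoft.com';        Port = 443; Service = 'Universal Telemetry Client' },
    @{ Host = 'settings-win.data.microsoft.com';      Port = 443; Service = 'Universal Telemetry Client' }
)

$Results = foreach ($e in $Endpoints) {
    # Resolve first: a DNS failure points at name resolution, not at the NSG.
    $dns = Resolve-DnsName -Name $e.Host -Type A -ErrorAction SilentlyContinue
    $tcp = $false
    if ($dns) {
        # -InformationLevel Quiet returns a plain [bool] for the TCP handshake.
        $tcp = Test-NetConnection -ComputerName $e.Host -Port $e.Port `
                                  -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        Service  = $e.Service
        Host     = $e.Host
        Port     = $e.Port
        Resolves = [bool]$dns
        TcpOpen  = [bool]$tcp
    }
}

$Results | Format-Table -AutoSize

# The ADL in the table is only used once signatures are 7+ days old, so an
# old signature age is an early sign that one of the update paths is blocked.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status -and $status.AntivirusSignatureAge -ge 7) {
    Write-Warning ("Security intelligence is {0} days old; update path may be blocked." -f $status.AntivirusSignatureAge)
}

$blocked = @($Results | Where-Object { -not $_.TcpOpen })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) unreachable; review NSG outbound / firewall rules: {1}" -f `
        $blocked.Count, ($blocked.Host -join ', '))
    exit 1
}
```

Because NSG rules match on IP addresses and service tags rather than host names, a test from the VM itself is the reliable way to confirm the rule set lets these flows through.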