Jan 22 2021 02:23 AM - edited Jan 22 2021 03:47 AM
Hi all,
If we onboard a Windows Active Directory or other server in an Azure VM, do the signals that the VM endpoint sends to the Defender Endpoint URLs in the cloud go out through the Internet, or does the connection remain inside Microsoft datacenters?
Is it necessary to open the following URLs and ports?
| Service | Description | URL |
| --- | --- | --- |
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS) | Used by Microsoft Defender Antivirus to provide cloud-delivered protection | *.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com |
| Microsoft Update Service (MU), Windows Update Service (WU) | Security intelligence and product updates | *.update.microsoft.com *.delivery.mp.microsoft.com *.windowsupdate.com For details see Connection endpoints for Windows Update |
| Security intelligence updates Alternate Download Location (ADL) | Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind) | *.download.microsoft.com *.download.windowsupdate.com https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx |
| Malware submission storage | Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| Certificate Revocation List (CRL) | Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
| Symbol Store | Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| Universal Telemetry Client | Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com |
Jan 23 2021 09:12 AM