Microsoft Tech Community

Defender signals in AD servers hosted in Azure AD


Hi all, 


If we onboard a Windows Active Directory or other server running in an Azure VM, do the signals that the VM endpoint sends to the Defender for Endpoint URLs in the cloud go out through the Internet, or does the connection remain inside Microsoft datacenters?


Is it necessary to open the following URLs and ports?


Service - Description - URL

Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
  Used by Microsoft Defender Antivirus to provide cloud-delivered protection*

Microsoft Update Service (MU) / Windows Update Service (WU)
  Security intelligence and product updates*
  For details see Connection endpoints for Windows Update

Security intelligence updates Alternate Download Location (ADL)
  Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)*

Malware submission storage
  Upload location for files submitted to Microsoft via the Submission form or automatic sample submission

Certificate Revocation List (CRL)
  Used by Windows when creating the SSL connection to MAPS for updating the CRL

Symbol Store
  Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows

Universal Telemetry Client
  Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes. The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
A VM needs access to these URLs whether it is in Azure or not.
So if you block internet access at the NSG level, your machine will not report properly.

You need to create whitelisting on the NSG or your firewall.
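As an added example (not code from the thread or from Microsoft), the check a practitioner would run on the VM itself before and after changing NSG or firewall rules: it resolves each required endpoint, attempts the TCP connection, and, when the Az.Network module and a logged-in session are available, reports whether the resolved address falls inside the published AzureCloud service-tag prefixes for the region. The hostnames in the `$Endpoints` table are assumptions taken from the service roles quoted in the question (the URL column did not survive in the post), so verify them against Microsoft's current endpoint list before relying on them; the function names `Test-IPv4InCidr`, `Get-AzureCloudPrefixes` and `Test-DefenderEgress` are this example's own.

```powershell
# Added example, not from the original post. Hostnames are assumptions; verify them
# against Microsoft's current Defender endpoint documentation for your tenant/region.

function Test-IPv4InCidr {
    # Returns $true when the IPv4 address $Ip lies inside the prefix $Cidr.
    # IPv6 prefixes (present in service-tag lists) are skipped and return $false.
    param([string]$Ip, [string]$Cidr)
    $network, $bits = $Cidr -split '/'
    if ($network -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    if (-not $bits) { $bits = 32 }
    $toUInt32 = {
        param([string]$Addr)
        $bytes = [System.Net.IPAddress]::Parse($Addr).GetAddressBytes()
        [Array]::Reverse($bytes)                     # network byte order -> little-endian for ToUInt32
        [BitConverter]::ToUInt32($bytes, 0)
    }
    $mask = if ([int]$bits -eq 0) { 0 } else { (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF }
    return ((& $toUInt32 $Ip) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

function Get-AzureCloudPrefixes {
    # Optional: fetches the AzureCloud service-tag prefixes for a region.
    # Requires the Az.Network module and a prior Connect-AzAccount; returns @() otherwise.
    param([string]$Location)
    if (-not (Get-Module -ListAvailable -Name Az.Network)) { return @() }
    try {
        $tags  = Get-AzNetworkServiceTag -Location $Location
        $cloud = $tags.Values | Where-Object { $_.Name -eq 'AzureCloud' }
        return @($cloud.Properties.AddressPrefixes)
    } catch {
        Write-Warning "Service tags unavailable ($($_.Exception.Message)); skipping range check."
        return @()
    }
}

function Test-DefenderEgress {
    # One result object per endpoint: DNS answer, TCP reachability, and (if prefixes were
    # supplied) whether the answer is inside Microsoft's published Azure address space.
    param(
        [Parameter(Mandatory)] [hashtable[]] $Endpoints,
        [string[]] $AzurePrefixes = @(),
        [int] $TimeoutMs = 5000
    )
    foreach ($e in $Endpoints) {
        $r = [ordered]@{ Service = $e.Service; Host = $e.Host; Port = $e.Port
                         Address = $null; Reachable = $false; InAzureCloudRange = 'unknown'; Note = '' }
        try {
            $addr = [System.Net.Dns]::GetHostAddresses($e.Host) |
                    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        } catch { $addr = $null; $r.Note = "DNS failed: $($_.Exception.Message)" }
        if (-not $addr) {
            if (-not $r.Note) { $r.Note = 'No IPv4 answer (check DNS/egress)' }
            [pscustomobject]$r; continue
        }
        $r.Address = $addr.IPAddressToString

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $iar = $client.BeginConnect($r.Address, [int]$e.Port, $null, $null)
            if ($iar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { $r.Reachable = $true }
            else { $r.Note = 'TCP connect timed out or refused: check NSG/firewall egress rules' }
        } catch { $r.Note = "TCP failed: $($_.Exception.Message)" }
        finally { $client.Close() }

        if ($AzurePrefixes.Count -gt 0) {
            $hit = $AzurePrefixes | Where-Object { Test-IPv4InCidr -Ip $r.Address -Cidr $_ } | Select-Object -First 1
            $r.InAzureCloudRange = [bool]$hit
        }
        [pscustomobject]$r
    }
}

# Representative endpoints for the services quoted in the question (assumed hostnames).
$Endpoints = @(
    @{ Service = 'MAPS cloud-delivered protection';     Host = 'wdcp.microsoft.com';            Port = 443 },
    @{ Service = 'MAPS alternate';                      Host = 'wdcpalt.microsoft.com';         Port = 443 },
    @{ Service = 'Security intelligence updates (ADL)'; Host = 'go.microsoft.com';              Port = 443 },
    @{ Service = 'Windows Update';                      Host = 'download.windowsupdate.com';    Port = 443 },
    @{ Service = 'Symbol Store';                        Host = 'msdl.microsoft.com';            Port = 443 },
    @{ Service = 'Certificate Revocation List';         Host = 'crl.microsoft.com';             Port = 80  },
    @{ Service = 'Universal Telemetry Client';          Host = 'vortex-win.data.microsoft.com'; Port = 443 },
    @{ Service = 'Defender for Endpoint telemetry';     Host = 'events.data.microsoft.com';     Port = 443 }
)

$prefixes = Get-AzureCloudPrefixes -Location 'eastus'    # @() when Az.Network or a session is missing
Test-DefenderEgress -Endpoints $Endpoints -AzurePrefixes $prefixes | Format-Table -AutoSize
```

Two caveats the output does not show on its own. First, an NSG rule matches IP prefixes and service tags, not hostnames, so "whitelisting on the NSG" for a list of URLs means either an outbound allow to the Internet tag on TCP 443 or a proxy/Azure Firewall in the path that can filter by FQDN; the script only tells you whether the current rules let the connection through. Second, InAzureCloudRange being true says the destination address is in Microsoft's published Azure space, which is not the same as the path staying inside the Microsoft network; the actual next hop for the VM's traffic is shown by the NIC's effective routes (Get-AzEffectiveRouteTable), so check those together with this output.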