Defender signals in AD servers hosted in Azure AD


Hi all,

If we onboard a Windows Active Directory or other server in an Azure VM, do the signals that the VM endpoint sends to the Defender Endpoint URLs in the cloud go out through the Internet, or does the connection remain inside Microsoft datacenters?

Is it necessary to open the following URLs and ports?

Service / Description / URL

Service: Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
Description: Used by Microsoft Defender Antivirus to provide cloud-delivered protection
URLs:
  *.wdcp.microsoft.com
  *.wdcpalt.microsoft.com
  *.wd.microsoft.com

Service: Microsoft Update Service (MU) / Windows Update Service (WU)
Description: Security intelligence and product updates
URLs:
  *.update.microsoft.com
  *.delivery.mp.microsoft.com
  *.windowsupdate.com
  For details see Connection endpoints for Windows Update: https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1709-endpoints#windows-update

Service: Security intelligence updates Alternate Download Location (ADL)
Description: Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)
URLs:
  *.download.microsoft.com
  *.download.windowsupdate.com
  https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx

Service: Malware submission storage
Description: Upload location for files submitted to Microsoft via the Submission form or automatic sample submission
URLs:
  ussus1eastprod.blob.core.windows.net
  ussus1westprod.blob.core.windows.net
  usseu1northprod.blob.core.windows.net
  usseu1westprod.blob.core.windows.net
  ussuk1southprod.blob.core.windows.net
  ussuk1westprod.blob.core.windows.net
  ussas1eastprod.blob.core.windows.net
  ussas1southeastprod.blob.core.windows.net
  ussau1eastprod.blob.core.windows.net
  ussau1southeastprod.blob.core.windows.net

Service: Certificate Revocation List (CRL)
Description: Used by Windows when creating the SSL connection to MAPS for updating the CRL
URLs:
  http://www.microsoft.com/pkiops/crl/
  http://www.microsoft.com/pkiops/certs
  http://crl.microsoft.com/pki/crl/products
  http://www.microsoft.com/pki/certs

Service: Symbol Store
Description: Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows
URL:
  https://msdl.microsoft.com/download/symbols

Service: Universal Telemetry Client
Description: Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes
URLs: The update uses SSL (TCP port 443) to download manifests and upload diagnostic data to Microsoft, using the following DNS endpoints:
  vortex-win.data.microsoft.com
  settings-win.data.microsoft.com
A VM needs access to these URLs, whether it is in Azure or not.
So if you block internet access at the NSG level, your machine will not report properly.

You need to create whitelisting on the NSG or your firewall.
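The reply above says the VM must reach these URLs regardless of where it runs; the script below is an added example (not part of the original thread) that verifies, from the VM itself, that the explicitly named hosts in the table resolve and accept a TCP handshake on their service port, so an NSG or firewall allow list can be validated before trusting that the endpoint reports. It assumes a Windows host with the built-in DnsClient and NetTCPIP modules; the wildcard entries cannot be tested by name and are left out.

```powershell
# Added example: check egress from an Azure VM to the concrete hosts named in the
# table above. Wildcard entries (*.wdcp.microsoft.com, ...) are omitted because
# there is no single hostname to test.
$targets = @(
    @{ Host = 'fe3cr.delivery.mp.microsoft.com';      Port = 443; Purpose = 'Security intelligence ADL' },
    @{ Host = 'ussus1eastprod.blob.core.windows.net'; Port = 443; Purpose = 'Malware submission storage' },
    @{ Host = 'ussus1westprod.blob.core.windows.net'; Port = 443; Purpose = 'Malware submission storage' },
    @{ Host = 'www.microsoft.com';                    Port = 80;  Purpose = 'CRL / certificates (HTTP)' },
    @{ Host = 'crl.microsoft.com';                    Port = 80;  Purpose = 'CRL (HTTP)' },
    @{ Host = 'msdl.microsoft.com';                   Port = 443; Purpose = 'Symbol store' },
    @{ Host = 'vortex-win.data.microsoft.com';        Port = 443; Purpose = 'Universal Telemetry Client' },
    @{ Host = 'settings-win.data.microsoft.com';      Port = 443; Purpose = 'Universal Telemetry Client' }
)

$results = foreach ($t in $targets) {
    # DNS first: a failure here points at DNS or proxy configuration, not the NSG.
    $resolved = $null
    try {
        $resolved = Resolve-DnsName -Name $t.Host -Type A -ErrorAction Stop |
            Where-Object Type -eq 'A' | Select-Object -First 1 -ExpandProperty IPAddress
    } catch { }

    # TCP handshake on the service port. DNS OK but TCP closed/timed out usually
    # means an outbound NSG rule, firewall or proxy is blocking the flow.
    $tcp = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
        -WarningAction SilentlyContinue -InformationLevel Quiet

    [pscustomobject]@{
        Host        = $t.Host
        Port        = $t.Port
        Purpose     = $t.Purpose
        DnsResolved = [bool]$resolved
        TcpOpen     = [bool]$tcp
    }
}

$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    Write-Warning ("Unreachable endpoints: {0}. Review outbound NSG rules and any firewall or proxy." -f ($blocked.Host -join ', '))
}
```

Run it on the VM after applying the allow rules; any row with DnsResolved true and TcpOpen false is the one to trace in the NSG flow logs or firewall.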