Sep 11 2023 01:00 AM
Hoping to clarify URL requirements for Live Response in Defender for Endpoint. The URLs listed in the Defender URLs spreadsheet online that reference being required for Live Response are:
*.wns.windows.com
login.microsoftonline.com
login.live.com
When you run the client analyzer tool, the MDEClientAnalyzer.txt file contains a results section called
############# Connectivity Check for Live Response URL################
That section lists the following 2 URLs as being tested:
Host: global.notify.windows.com on Port: 443
Host: client.wns.windows.com on Port: 443
I can see no reference to global.notify.windows.com (or *.windows.com) in the URL spreadsheet?
In my testing I have been able to successfully connect via Live Response to servers that show failed connections to global.notify.windows in their MDEClientAnalyzer.txt files.
Can anyone confirm if global.notify.windows.com is a required URL for Live Response?
Thanks
Sep 11 2023 05:32 AM
Sep 11 2023 05:33 AM
Sep 13 2023 02:55 AM - edited Sep 13 2023 03:30 AM
Solution
I've found an older version of the Defender URLs spreadsheet that has an entry for
*.notify.windows.com
The latest version of the spreadsheet doesn't contain this URL anymore and only lists the following requirements for Live Response:
*.wns.windows.com
login.live.com
login.microsoftonline.com
Interestingly in the ChangeLog tab on the latest version of the spreadsheet, it notes that *.notify.windows.com was removed on the 25/01/22. I have a version I downloaded in May this year with that URL present.
Regardless of the above, it looks like perhaps they haven't updated the connectivity analyzer to remove the test to global.notify.windows.com.