Microsoft Defender for Endpoint for US Government customers

Microsoft Defender for Endpoint for US Government customers, built in the Azure US Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial.

This offering is available to GCC, GCC High, and DoD customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some differences in the availability of capabilities for this offering.

Note

If you are a GCC customer using Defender for Endpoint in Commercial, please refer to the public documentation pages.

Licensing requirements

Microsoft Defender for Endpoint for US Government customers requires one of the following Microsoft volume licensing offers:

Desktop licensing

| GCC | GCC High | DoD |
|---|---|---|
| Windows 10 Enterprise E5 GCC | Windows 10 Enterprise E5 for GCC High | Windows 10 Enterprise E5 for DOD |
| | Microsoft 365 E5 for GCC High | Microsoft 365 G5 for DOD |
| | Microsoft 365 G5 Security for GCC High | Microsoft 365 G5 Security for DOD |
| Microsoft Defender for Endpoint - GCC | Microsoft Defender for Endpoint for GCC High | Microsoft Defender for Endpoint for DOD |

Server licensing

| GCC | GCC High | DoD |
|---|---|---|
| Microsoft Defender for Endpoint Server GCC | Microsoft Defender for Endpoint Server for GCC High | Microsoft Defender for Endpoint Server for DOD |
| Azure Defender for Servers | Azure Defender for Servers - Government | Azure Defender for Servers - Government |

Portal URLs

The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:

| Customer type | Portal URL |
|---|---|
| GCC | https://gcc.securitycenter.microsoft.us |
| GCC High | https://securitycenter.microsoft.us |
| DoD | https://securitycenter.microsoft.us |

Endpoint versions

Standalone OS versions

The following OS versions are supported:

| OS version | GCC | GCC High | DoD |
|---|---|---|---|
| Windows 10, version 20H2 (with KB4586853) | Yes | Yes | Yes |
| Windows 10, version 2004 (with KB4586853) | Yes | Yes | Yes |
| Windows 10, version 1909 (with KB4586819) | Yes | Yes | Yes |
| Windows 10, version 1903 (with KB4586819) | Yes | Yes | Yes |
| Windows 10, version 1809 (with KB4586839) | Yes | Yes | Yes |
| Windows 10, version 1803 (with KB4598245) | Yes | Yes | Yes |
| Windows 10, version 1709 | No. Note: Won't be supported | Yes, with KB4499147. Note: Deprecated, please upgrade | No. Note: Won't be supported |
| Windows 10, version 1703 and earlier | No. Note: Won't be supported | No. Note: Won't be supported | No. Note: Won't be supported |
| Windows Server 2019 (with KB4586839) | Yes | Yes | Yes |
| Windows Server 2016 | Yes | Yes | Yes |
| Windows Server 2012 R2 | Yes | Yes | Yes |
| Windows Server 2008 R2 SP1 | Yes | Yes | Yes |
| Windows 8.1 Enterprise | Yes | Yes | Yes |
| Windows 8 Pro | Yes | Yes | Yes |
| Windows 7 SP1 Enterprise | Yes | Yes | Yes |
| Windows 7 SP1 Pro | Yes | Yes | Yes |
| Linux | Yes (in preview; see note below) | Yes (in preview; see note below) | Yes (in preview; see note below) |
| macOS | Yes (in preview; see note below) | Yes (in preview; see note below) | Yes (in preview; see note below) |
| Android | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |
| iOS | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |

Note

Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.

Note

Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using Microsoft Monitoring Agent? If you use the setup wizard, choose "Azure US Government" under "Azure Cloud". If you use a command line or a script, set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.

Note

You'll need version 101.25.72 and above for Linux, and version 101.25.69 and above for macOS. During preview, those versions are available only in the "Insider Fast" channel. See Configure the Linux software repository or Set the channel name (macOS) for instructions.

OS versions when using Azure Defender for Servers

The following OS versions are supported when using Azure Defender for Servers:

| OS version | GCC | GCC High | DoD |
|---|---|---|---|
| Windows Server 2016 | Yes | Yes | Yes |
| Windows Server 2012 R2 | Yes | Yes | Yes |
| Windows Server 2008 R2 SP1 | Yes | Yes | Yes |

Required connectivity settings

If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.

The following downloadable spreadsheet lists the services and their associated URLs your network must be able to connect to. Verify there are no firewall or network filtering rules that would deny access to these URLs, or create an allow rule specifically for them.

Spreadsheet of domains list: Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

Download the spreadsheet here.

For more information, see Configure device proxy and Internet connectivity settings.

Note

The spreadsheet contains commercial URLs as well, so make sure you check the "US Gov" tabs.

When filtering, look for the records labeled as "US Gov" and your specific cloud under the geography column.

Service backend IP ranges

If your network devices don't support DNS-based rules, use IP ranges instead.

Defender for Endpoint for US Government customers is built in the Azure US Government environment, deployed in the following regions:

  • AzureCloud.usgovtexas
  • AzureCloud.usgovvirginia

You can find the Azure IP ranges in Azure IP Ranges and Service Tags – US Government Cloud.

Note

As a cloud-based solution, the IP address ranges can change. It's recommended you move to DNS-based rules.
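For networks that have to stay on IP rules, the allow list can be regenerated from the Service Tags JSON download instead of being maintained by hand. The following is an added example, not part of the original documentation: it extracts the two regions named above, merges adjacent and overlapping prefixes, and returns the per-tag change numbers so that a scheduled job can detect when the ranges have changed. The sample file is constructed and uses documentation address ranges; the field names (`values`, `properties`, `addressPrefixes`, `changeNumber`) are assumed to follow the layout of the published file.

```python
import ipaddress
import json

# Service tags for the two regions named on this page.
MDE_GOV_TAGS = ("AzureCloud.usgovtexas", "AzureCloud.usgovvirginia")

# Constructed sample in the layout of the Service Tags JSON download.
# Prefixes are documentation ranges (RFC 5737 / RFC 3849), not Azure ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 7, "cloud": "AzureGovernment",
    "values": [
        {"name": "AzureCloud.usgovtexas", "properties": {
            "changeNumber": 3,
            "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"]}},
        {"name": "AzureCloud.usgovvirginia", "properties": {
            "changeNumber": 5,
            "addressPrefixes": ["198.51.100.0/24", "198.51.100.64/26"]}},
        {"name": "AzureCloud.usgovarizona", "properties": {
            "changeNumber": 2, "addressPrefixes": ["203.0.113.0/24"]}},
    ],
})


def allow_list(service_tags_json, wanted=MDE_GOV_TAGS):
    """Return collapsed IPv4/IPv6 allow lists for the wanted service tags."""
    entries = {e["name"]: e["properties"]
               for e in json.loads(service_tags_json).get("values", [])
               if e.get("name") in wanted}
    missing = sorted(set(wanted) - set(entries))
    if missing:
        # Fail closed: a partial list would silently block one region.
        raise ValueError(f"service tags missing from file: {missing}")
    nets = [ipaddress.ip_network(p) for props in entries.values()
            for p in props["addressPrefixes"]]
    merged = {}
    for version in (4, 6):
        # collapse_addresses merges adjacent and overlapping prefixes,
        # but only accepts one IP version at a time.
        same = [n for n in nets if n.version == version]
        merged[f"ipv{version}"] = [str(n) for n in ipaddress.collapse_addresses(same)]
    # Per-tag change numbers let a scheduled job detect that ranges moved.
    merged["change_numbers"] = {k: v["changeNumber"] for k, v in entries.items()}
    return merged


if __name__ == "__main__":
    print(json.dumps(allow_list(SAMPLE_SERVICE_TAGS), indent=2))
```
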


API

Instead of the public URIs listed in our API documentation, you'll need to use the following URIs:

| Endpoint type | GCC | GCC High & DoD |
|---|---|---|
| Login | https://login.microsoftonline.com | https://login.microsoftonline.us |
| Defender for Endpoint API | https://api-gcc.securitycenter.microsoft.us | https://api-gov.securitycenter.microsoft.us |
| SIEM | https://wdatp-alertexporter-us.gcc.securitycenter.windows.us | https://wdatp-alertexporter-us.securitycenter.windows.us |
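Integrations copied from commercial samples often keep one of the public URIs, most commonly the login authority. The following is an added example, not part of the original documentation: it checks the URIs configured for an integration against the table above and reports any that belong to the other column or to no US Government environment. The `check_integration` function, the `login`/`api`/`siem` keys, and the sample configuration are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hostnames from the table above, keyed by its column headings.
GOV_ENDPOINTS = {
    "GCC": {
        "login": "login.microsoftonline.com",
        "api": "api-gcc.securitycenter.microsoft.us",
        "siem": "wdatp-alertexporter-us.gcc.securitycenter.windows.us",
    },
    "GCC High & DoD": {
        "login": "login.microsoftonline.us",
        "api": "api-gov.securitycenter.microsoft.us",
        "siem": "wdatp-alertexporter-us.securitycenter.windows.us",
    },
}

# Constructed sample: a GCC High integration that kept the GCC login authority.
SAMPLE_CONFIG = {
    "login": "https://login.microsoftonline.com/",
    "api": "https://API-GOV.securitycenter.microsoft.us/api/alerts",
    "siem": "https://wdatp-alertexporter-us.securitycenter.windows.us",
}


def _host(url):
    """Extract the lowercase hostname, rejecting anything that is not HTTPS."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    return parts.hostname.rstrip(".")


def check_integration(customer_type, configured):
    """Return a list of findings; an empty list means every URI matches."""
    expected = GOV_ENDPOINTS[customer_type]
    findings = []
    for kind, url in configured.items():
        try:
            host = _host(url)
        except ValueError as exc:
            findings.append(f"{kind}: {exc}")
            continue
        if host == expected.get(kind):
            continue
        owner = next((env for env, uris in GOV_ENDPOINTS.items()
                      if uris.get(kind) == host), "no US Government environment")
        findings.append(f"{kind}: {host} belongs to {owner}, "
                        f"expected {expected.get(kind)}")
    return findings
```
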

Feature parity with commercial

Defender for Endpoint for US Government customers doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we want to highlight.

These are the known gaps as of March 2021:

| Feature name | GCC | GCC High | DoD |
|---|---|---|---|
| Automated investigation and remediation: Live response | Yes | Yes | Yes |
| Automated investigation and remediation: Response to Office 365 alerts | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |
| Email notifications | Yes | Yes | Yes |
| Evaluation lab | Yes | Yes | Yes |
| Management and APIs: Device health and compliance report | Yes | Yes | Yes |
| Management and APIs: Integration with third-party products | Yes | Yes | Yes |
| Management and APIs: Streaming API | Yes | No (in development) | No (in development) |
| Management and APIs: Threat protection report | Yes | Yes | Yes |
| Threat & vulnerability management | Yes | Yes | Yes |
| Threat analytics | Yes | Yes | Yes |
| Web content filtering | No (in development) | No (in development) | No (in development) |
| Integrations: Azure Sentinel | Yes | No (in development) | No (in development) |
| Integrations: Microsoft Cloud App Security | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |
| Integrations: Microsoft Compliance Manager | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |
| Integrations: Microsoft Defender for Identity | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |
| Integrations: Microsoft Defender for Office 365 | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |
| Integrations: Microsoft Endpoint DLP | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |
| Integrations: Microsoft Intune | Yes | No (in development) | No (in development) |
| Integrations: Microsoft Power Automate & Azure Logic Apps | Yes | No (in development) | No (in development) |
| Integrations: Skype for Business / Teams | Yes | Yes | Yes |
| Microsoft Threat Experts | No (on engineering backlog) | No (on engineering backlog) | No (on engineering backlog) |