Configure and validate Microsoft Defender Antivirus network connections

Applies to:

Platforms

  • Windows

To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists the connections that your firewall rules must allow and provides instructions for validating the connection. Configuring your protection properly ensures you receive the best value from your cloud-delivered protection services.

Important

This article contains information about configuring network connections only for Microsoft Defender Antivirus. If you are using Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus), see Configure device proxy and Internet connectivity settings for Defender for Endpoint.

Allow connections to the Microsoft Defender Antivirus cloud service

The Microsoft Defender Antivirus cloud service provides fast and strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, but it's recommended, because it provides important protection against malware on your endpoints and network. For more information, see Enable cloud-delivered protection for instructions on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.

After you've enabled the service, you need to configure your network or firewall to allow connections between your endpoints and the cloud service. Because your protection is a cloud service, computers must have access to the internet and be able to reach the Microsoft cloud services. Don't exclude the URL *.blob.core.windows.net from any kind of network inspection.

Note

The Microsoft Defender Antivirus cloud service delivers updated protection to your network and endpoints. The cloud service should not be thought of as protection only for files that are stored in the cloud; instead, it uses distributed resources and machine learning to deliver protection for your endpoints faster than traditional security intelligence updates can.

Services and URLs

The table in this section lists services and their associated website addresses (URLs).

Make sure that there are no firewall or network filtering rules denying access to these URLs. If there are, you must create an allow rule specifically for those URLs (excluding the URL *.blob.core.windows.net). The URLs in the following table use port 443 for communication. (Port 80 is also required for some URLs, as noted in the table.)

Service: Microsoft Active Protection Service (MAPS)
Microsoft Defender Antivirus cloud-delivered protection is delivered through MAPS; Microsoft Defender Antivirus uses this service to provide cloud-delivered protection.
URLs:
  • *.wdcp.microsoft.com
  • *.wdcpalt.microsoft.com
  • *.wd.microsoft.com

Service: Microsoft Update Service (MU) and Windows Update Service (WU)
These services deliver security intelligence and product updates.
URLs:
  • *.update.microsoft.com
  • *.delivery.mp.microsoft.com
  • *.windowsupdate.com
  • ctldl.windowsupdate.com
For more information, see Connection endpoints for Windows Update.

Service: Security intelligence updates Alternate Download Location (ADL)
Alternate location for Microsoft Defender Antivirus security intelligence updates, used when the installed security intelligence is out of date (seven or more days behind).
URLs:
  • *.download.microsoft.com
  • *.download.windowsupdate.com (port 80 is required)
  • go.microsoft.com (port 80 is required)
  • https://www.microsoft.com/security/encyclopedia/adlpackages.aspx
  • https://definitionupdates.microsoft.com/download/DefinitionUpdates/
  • https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx

Service: Malware submission storage
Upload location for files submitted to Microsoft through the Submission form or automatic sample submission.
URLs:
  • ussus1eastprod.blob.core.windows.net
  • ussus2eastprod.blob.core.windows.net
  • ussus3eastprod.blob.core.windows.net
  • ussus4eastprod.blob.core.windows.net
  • wsus1eastprod.blob.core.windows.net
  • wsus2eastprod.blob.core.windows.net
  • ussus1westprod.blob.core.windows.net
  • ussus2westprod.blob.core.windows.net
  • ussus3westprod.blob.core.windows.net
  • ussus4westprod.blob.core.windows.net
  • wsus1westprod.blob.core.windows.net
  • wsus2westprod.blob.core.windows.net
  • usseu1northprod.blob.core.windows.net
  • wseu1northprod.blob.core.windows.net
  • usseu1westprod.blob.core.windows.net
  • wseu1westprod.blob.core.windows.net
  • ussuk1southprod.blob.core.windows.net
  • wsuk1southprod.blob.core.windows.net
  • ussuk1westprod.blob.core.windows.net
  • wsuk1westprod.blob.core.windows.net

Service: Certificate Revocation List (CRL)
Windows retrieves CRLs from these URLs while building the TLS connection to MAPS. Note that these are plain HTTP URLs, so port 80 must be reachable.
URLs:
  • http://www.microsoft.com/pkiops/crl/
  • http://www.microsoft.com/pkiops/certs
  • http://crl.microsoft.com/pki/crl/products
  • http://www.microsoft.com/pki/certs

Service: Universal GDPR Client
Microsoft Defender Antivirus uses this client to send diagnostic data for product quality and monitoring purposes. The client uses TLS (TCP port 443) to download manifests and upload diagnostic data to Microsoft through the following DNS endpoints:
URLs:
  • vortex-win.data.microsoft.com
  • settings-win.data.microsoft.com
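
The following script is an added example, not part of the Microsoft article, for checking from an endpoint that the hosts in the table above are reachable before you run the MAPS validation. Wildcard entries such as *.wdcp.microsoft.com can't be tested as written, so the script uses the non-wildcard hosts from the table plus cp.wd.microsoft.com, the MAPS host named later in this article, as a representative. The host list and port assignments are taken from the table; everything else (function names, the one-hour timeout values) is the example's own choice. Run it in an elevated PowerShell session on the endpoint being validated.

```powershell
# Added example (not Microsoft's code): TCP and HTTP reachability of the
# Defender Antivirus endpoints listed in the table above.
# Hosts and ports come from the table; cp.wd.microsoft.com stands in for the
# *.wd.microsoft.com / *.wdcp.microsoft.com wildcards.
$Endpoints = @(
    @{ Service = 'MAPS';              Host = 'cp.wd.microsoft.com';                   Port = 443 }
    @{ Service = 'Windows Update';    Host = 'ctldl.windowsupdate.com';               Port = 443 }
    @{ Service = 'ADL';               Host = 'go.microsoft.com';                      Port = 80  }
    @{ Service = 'ADL';               Host = 'definitionupdates.microsoft.com';       Port = 443 }
    @{ Service = 'ADL';               Host = 'fe3cr.delivery.mp.microsoft.com';       Port = 443 }
    @{ Service = 'Sample submission'; Host = 'ussus1eastprod.blob.core.windows.net';  Port = 443 }
    @{ Service = 'Sample submission'; Host = 'usseu1northprod.blob.core.windows.net'; Port = 443 }
    @{ Service = 'CRL';               Host = 'www.microsoft.com';                     Port = 80  }
    @{ Service = 'CRL';               Host = 'crl.microsoft.com';                     Port = 80  }
    @{ Service = 'Diagnostics';       Host = 'vortex-win.data.microsoft.com';         Port = 443 }
    @{ Service = 'Diagnostics';       Host = 'settings-win.data.microsoft.com';       Port = 443 }
)

function Test-DefenderEndpoint {
    param([hashtable]$Endpoint)
    # Test-NetConnection performs a direct TCP connect and does not use any
    # WinHTTP proxy, so a failure here means the network path itself is blocked
    # (or the name does not resolve), independent of proxy configuration.
    $r = Test-NetConnection -ComputerName $Endpoint.Host -Port $Endpoint.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $Endpoint.Service
        Host      = $Endpoint.Host
        Port      = $Endpoint.Port
        Resolved  = if ($r -and $r.RemoteAddress) { $r.RemoteAddress.IPAddressToString } else { 'unresolved' }
        Reachable = [bool]($r -and $r.TcpTestSucceeded)
    }
}

function Test-CrlUrl {
    param([string]$Url)
    # The CRL URLs are fetched by the OS over plain HTTP. Any HTTP status coming
    # back from the server (even 404 for a directory path) proves the URL is not
    # blocked; no response at all means a firewall or proxy dropped the request.
    # Invoke-WebRequest honours the current user's proxy settings.
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Reachable = $true }
    } catch {
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
        [pscustomobject]@{ Url = $Url; Status = $code; Reachable = ($null -ne $code) }
    }
}

$results = $Endpoints | ForEach-Object { Test-DefenderEndpoint -Endpoint $_ }
$results | Format-Table -AutoSize

$crlResults = @(
    'http://www.microsoft.com/pkiops/crl/'
    'http://crl.microsoft.com/pki/crl/products'
) | ForEach-Object { Test-CrlUrl -Url $_ }
$crlResults | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Reachable }) + @($crlResults | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) endpoint(s) unreachable; fix the firewall or proxy rules before validating MAPS."
    exit 1
}
Write-Host 'All listed endpoints are reachable.'
```

A green result here only proves the network path is open. It does not prove that the TLS handshake to MAPS succeeds, because Test-NetConnection bypasses the WinHTTP proxy that the OS uses for CRL retrieval; that is what MpCmdRun -ValidateMapsConnection in the next section checks.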

Validate connections between your network and the cloud

After allowing the URLs listed, test whether you're connected to the Microsoft Defender Antivirus cloud service. Confirm that the endpoints can both report and receive information so that you're fully protected.

Use the cmdline tool to validate cloud-delivered protection

Use the following argument with the Microsoft Defender Antivirus command-line utility (mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection

Note

Open Command Prompt as an administrator: right-click Command Prompt in the Start menu, select Run as administrator, and select Yes at the permissions prompt. This command only works on Windows 10, version 1703 or later, or Windows 11.

For more information, see Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool.

Use the following information to interpret error messages you might encounter, along with their root cause and possible solutions.

Error messages

The following output from MpCmdRun -ValidateMapsConnection indicates that the connection to MAPS could not be established:

  Start Time: <Day_of_the_week> MM DD YYYY HH:MM:SS
  MpEnsureProcessMitigationPolicy: hr = 0x1
  ValidateMapsConnection
  ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80070006 httpcore=451)
  MpCmdRun.exe: hr = 0x80070006

The same failure can also be reported with these HRESULT values:

  ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80072F8F httpcore=451)
  MpCmdRun.exe: hr = 0x80072F8F

  ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80072EFE httpcore=451)
  MpCmdRun.exe: hr = 0x80072EFE

Root cause

The device doesn't have its system-wide WinHttp proxy configured. If you don't set the system-wide WinHttp proxy, the operating system isn't aware of the proxy and can't fetch the CRL (the operating system does this, not Defender for Endpoint), which means that TLS connections to URLs like http://cp.wd.microsoft.com/ won't fully succeed. You'll see successful (response 200) connections to the endpoints, but the MAPS connection still fails.

Solutions

  • Solution (preferred): Configure the system-wide WinHttp proxy so that the CRL check can succeed.

  • Solution (preferred, for disconnected environments): Redirect the Microsoft Automatic Update URL:
    - Configure a server that has access to the Internet to retrieve the CTL files.
    - Redirect the Microsoft Automatic Update URL for the disconnected environment to that server.

  Useful references:
    - Group Policy: Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings > Network Retrieval tab > select Define these policy settings > clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
    - Certificate Revocation List (CRL) Verification - an Application Choice
    - https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows
    - https://technet.microsoft.com/library/dn265983(v=ws.11).aspx
    - generatePublisherEvidence element (.NET Framework): /dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element
    - https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/

  • Work-around (alternative): Disable the CRL check only for SPYNET.
    This is not best practice: the MAPS connection will no longer check for revoked certificates or enforce certificate pinning. Configuring this registry SSLOptions value disables the CRL check only for SPYNET reporting; it doesn't affect other services.

    To do this, go to HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet and set SSLOptions (DWORD) to 0 (hex). The possible values are:
    - 0 – disable pinning and revocation checks
    - 1 – disable pinning
    - 2 – disable revocation checks only
    - 3 – enable revocation checks and pinning (default)
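
The following script is an added example, not part of the Microsoft article, that applies the preferred fix and re-runs the validation: it shows the current system-wide WinHTTP proxy, optionally sets it, runs MpCmdRun -ValidateMapsConnection and extracts the HRESULT from the failure message shown above, and audits the Spynet SSLOptions value so the work-around is never left in place unnoticed. The proxy address proxy.corp.example:8080 is a placeholder for your own proxy, and the script assumes MpCmdRun returns exit code 0 on success; both are assumptions of the example, not statements from the article. Run it elevated.

```powershell
# Added example (not Microsoft's code): configure the WinHTTP proxy, validate
# MAPS, and audit the SSLOptions work-around. Run from an elevated PowerShell.
param(
    [string]$ProxyServer = 'proxy.corp.example:8080',  # placeholder, not a real proxy
    [string]$BypassList  = '<local>',
    [switch]$Apply                                      # without -Apply, only report
)

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-WinHttpProxy {
    # Prints either "Direct access (no proxy server)." or the configured
    # proxy server and bypass list. This is the proxy the OS uses for CRL
    # retrieval; per-user WinINet (Internet Options) settings are not used.
    (netsh winhttp show proxy) -join "`n"
}

function Set-WinHttpProxy {
    param([string]$Server, [string]$Bypass)
    netsh winhttp set proxy proxy-server="$Server" bypass-list="$Bypass" | Out-Null
}

function Test-MapsConnection {
    # Runs the validation and turns the console text into an object.
    $out = & $MpCmdRun -ValidateMapsConnection 2>&1 | Out-String
    # Match the HRESULT from the failure line quoted in the article, not the
    # unrelated "MpEnsureProcessMitigationPolicy: hr = 0x1" line that precedes it.
    $m  = [regex]::Match($out, 'failed to establish a connection to MAPS \(hr=(0x[0-9A-Fa-f]+)')
    [pscustomobject]@{
        # Assumption: exit code 0 and no failure line means success.
        Succeeded = ($LASTEXITCODE -eq 0) -and (-not $m.Success)
        HResult   = if ($m.Success) { $m.Groups[1].Value } else { $null }
        Output    = $out.Trim()
    }
}

function Get-SpynetSslOptions {
    # 3 (or value absent) = revocation checks and pinning enabled.
    # Anything else is the work-around from the article and weakens TLS
    # validation of the MAPS connection.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
    $v = (Get-ItemProperty -Path $key -Name SSLOptions -ErrorAction SilentlyContinue).SSLOptions
    if ($null -eq $v) { 3 } else { [int]$v }
}

Write-Host "Current WinHTTP proxy:`n$(Get-WinHttpProxy)`n"
if ($Apply) {
    Set-WinHttpProxy -Server $ProxyServer -Bypass $BypassList
    Write-Host "WinHTTP proxy set to $ProxyServer (bypass: $BypassList)`n"
}

$ssl = Get-SpynetSslOptions
if ($ssl -ne 3) {
    Write-Warning "Spynet SSLOptions = $ssl. CRL and/or pinning checks for MAPS reporting are disabled; this is the work-around, not the fix."
}

$maps = Test-MapsConnection
if ($maps.Succeeded) {
    Write-Host 'MAPS connection validated.'
} else {
    Write-Warning "MAPS validation failed (hr=$($maps.HResult)). Check the WinHTTP proxy and CRL reachability described above."
    Write-Host $maps.Output
    exit 1
}
```

If the proxy should simply mirror the user's Internet Options settings, netsh winhttp import proxy source=ie does that in one step instead of Set-WinHttpProxy. Keep the SSLOptions warning in your monitoring: a value other than 3 on a production endpoint means someone traded certificate validation for connectivity.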

Attempt to download a fake malware file from Microsoft

You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.

Note

The downloaded file is not exactly malware. It's a fake file designed to test if you're properly connected to the cloud.

If you're properly connected, you'll see a warning Microsoft Defender Antivirus notification.

If you're using Microsoft Edge, you'll also see a notification message (screenshot: the notification that malware was found in Edge).

A similar message occurs if you're using Internet Explorer (screenshot: the Microsoft Defender Antivirus notification that malware was found).

View the fake malware detection in your Windows Security app

  1. On your taskbar, select the shield icon to open the Windows Security app, or search Start for Security.

  2. Select Virus & threat protection, and then select Protection history.

  3. Under the Quarantined threats section, select See full history to see the detected fake malware.

    Note

    Versions of Windows 10 before version 1703 have a different user interface. See Microsoft Defender Antivirus in the Windows Security app.

    The Windows event log will also show Windows Defender client event ID 1116.
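
The following script is an added example, not part of the Microsoft article, that checks the same things from PowerShell after you download the test file: that cloud-delivered protection is actually turned on (Get-MpPreference and Get-MpComputerStatus), that event ID 1116 was written to the Defender operational log, and what Get-MpThreatDetection recorded for it. The one-hour lookback window and the function names are the example's own choices; the cmdlets, the log name and the event ID are standard. Run it elevated.

```powershell
# Added example (not Microsoft's code): confirm cloud protection is on and the
# test-file detection reached the Defender event log.
Import-Module Defender -ErrorAction Stop

function Get-CloudProtectionState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        # MAPSReporting: 0 = off, 1 = basic, 2 = advanced
        MapsReporting        = $pref.MAPSReporting
        # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples,
        #                       2 = never send, 3 = send all samples
        SubmitSamplesConsent = $pref.SubmitSamplesConsent
        AntivirusEnabled     = $status.AntivirusEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignatureAgeDays     = $status.AntivirusSignatureAge   # ADL is used at 7+ days
    }
}

function Get-RecentDetections {
    param([int]$Hours = 1)
    # Event 1116 = malware detected, written to the Defender operational channel.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$state = Get-CloudProtectionState
$state | Format-List
if ($state.MapsReporting -eq 0) {
    Write-Warning 'MAPSReporting is off: cloud-delivered protection is disabled, so the cloud will not block the test file.'
}
if ($state.SignatureAgeDays -ge 7) {
    Write-Warning 'Security intelligence is 7 or more days old; the client will fall back to the ADL endpoints.'
}

$events = @(Get-RecentDetections -Hours 1)
if ($events.Count -eq 0) {
    Write-Warning 'No event ID 1116 in the last hour: the test file was not detected, or the download did not take place.'
} else {
    $events | Format-Table -AutoSize
    # Get-MpThreatDetection shows the same detections with the process involved
    # and whether the remediation action succeeded.
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First 3 |
        Format-List ThreatID, ProcessName, ActionSuccess, InitialDetectionTime
}
```

If MAPSReporting is off, Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples turns cloud-delivered protection on for an unmanaged client; on managed devices the policy source (Intune, Configuration Manager or Group Policy) will overwrite the setting, so make the change there instead.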

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.