Configure and validate network connections for Windows Defender Antivirus

Applies to:

  • Windows 10 (some instructions are only applicable for Windows 10, version 1703 or later)

Audience

  • Enterprise security administrators

To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.

This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.

See the Enterprise Mobility and Security blog post Important changes to Microsoft Active Protection Services endpoint for some details about network connectivity.

Tip

You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the following features are working:

  • Cloud-delivered protection
  • Fast learning (including Block at first sight)
  • Potentially unwanted application blocking

Allow connections to the Windows Defender Antivirus cloud

The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional; however, it is highly recommended because it provides very important protection against malware on your endpoints and across your network.

Note

The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.

See the Enable cloud-delivered protection topic for details on enabling the service with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.

After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.

The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them:

| Service | Description | URL |
| --- | --- | --- |
| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS) | Used by Windows Defender Antivirus to provide cloud-delivered protection | *.wdcp.microsoft.com, *.wdcpalt.microsoft.com |
| Microsoft Update Service (MU) | Signature and product updates | *.update.microsoft.com |
| Definition updates alternate download location (ADL) | Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind) | *.download.microsoft.com |
| Malware submission storage | Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | *.blob.core.windows.net |
| Certificate Revocation List (CRL) | Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/, http://www.microsoft.com/pkiops/certs, http://crl.microsoft.com/pki/crl/products, http://www.microsoft.com/pki/certs |
| Symbol Store | Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| Universal Telemetry Client | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes. This service uses SSL (TCP port 443) to download manifests and upload diagnostic data to Microsoft via the following DNS endpoints | vortex-win.data.microsoft.com, settings-win.data.microsoft.com |
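The following PowerShell script is an added example (it is not part of the original page and not Microsoft's own tooling) that probes each host from the table above from a client and reports DNS resolution and TCP reachability, so that a DNS filtering problem can be told apart from a firewall block. It assumes that wildcard entries can be probed at their apex name (for example, `*.wdcp.microsoft.com` is probed as `wdcp.microsoft.com`), that the CRL hosts are reached over port 80 as their http:// URLs imply, and that `*.blob.core.windows.net` is skipped because the storage account name is only known at submission time.

```powershell
# Added example (not part of the original page): probe the hosts from the table
# above and report DNS resolution and TCP reachability per service.
# Assumptions: wildcard entries are probed at their apex name; the client may
# contact other names under that wildcard, so a pass here is necessary but not
# sufficient. *.blob.core.windows.net is omitted (account name unknown).
# Requires Windows 8.1 / Server 2012 R2 or later for Test-NetConnection and
# Resolve-DnsName.

$endpoints = @(
    @{ Service = 'MAPS';             Host = 'wdcp.microsoft.com';              Port = 443 }
    @{ Service = 'MAPS (alternate)'; Host = 'wdcpalt.microsoft.com';           Port = 443 }
    @{ Service = 'Microsoft Update'; Host = 'update.microsoft.com';            Port = 443 }
    @{ Service = 'Definition ADL';   Host = 'download.microsoft.com';          Port = 443 }
    @{ Service = 'CRL / certs';      Host = 'www.microsoft.com';               Port = 80  }
    @{ Service = 'CRL';              Host = 'crl.microsoft.com';               Port = 80  }
    @{ Service = 'Symbol store';     Host = 'msdl.microsoft.com';              Port = 443 }
    @{ Service = 'Telemetry (UTC)';  Host = 'vortex-win.data.microsoft.com';   Port = 443 }
    @{ Service = 'Telemetry (UTC)';  Host = 'settings-win.data.microsoft.com'; Port = 443 }
)

$results = foreach ($e in $endpoints) {
    # Resolve first so a DNS filtering problem is distinguishable from a TCP block.
    $dns = Resolve-DnsName -Name $e.Host -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | Select-Object -First 1

    # Direct TCP connect to the port; this bypasses any HTTP proxy (see note below).
    $tcp = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Service   = $e.Service
        Host      = $e.Host
        Port      = $e.Port
        Resolved  = [bool]$dns
        Address   = if ($dns) { $dns.IPAddress } else { '-' }
        Reachable = [bool]$tcp.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Summarise what a firewall or proxy administrator needs to look at.
$failed = $results | Where-Object { -not $_.Reachable }
if ($failed) {
    $list = ($failed | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Check firewall and proxy rules for: $list"
}
```

Test-NetConnection opens a direct socket and does not use the WinHTTP or Internet Explorer proxy settings, so on a network where outbound traffic is only permitted through a proxy it will report every host as unreachable even though the Defender client, which honours those settings, can reach MAPS. In that situation treat this script as a DNS and firewall check only and rely on `MpCmdRun -ValidateMapsConnection` for the end-to-end answer.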

Validate connections between your network and the cloud

After allowing the URLs listed above, you can test whether you are connected to the Windows Defender AV cloud and are correctly reporting and receiving information, to ensure you are fully protected.

Use the cmdline tool to validate cloud-delivered protection:

Use the following argument with the Windows Defender AV command line utility (mpcmdrun.exe) to verify that your network can communicate with the Windows Defender AV cloud:

MpCmdRun -ValidateMapsConnection 

Note

You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click Run as administrator and click Yes at the permissions prompt. This command will only work on Windows 10, version 1703.

See Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus for more information on how to use the mpcmdrun.exe utility.

Attempt to download a fake malware file from Microsoft:

You can download a sample file that Windows Defender AV will detect and block if you are properly connected to the cloud.

Download the file by visiting the following link:

Note

This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.

If you are properly connected, you will see a warning notification from Windows Defender Antivirus:

Windows Defender Antivirus notification informing the user that malware was found

If you are using Microsoft Edge, you'll also see a notification message:

Microsoft Edge informing the user that malware was found

A similar message occurs if you are using Internet Explorer:

Windows Defender Antivirus notification informing the user that malware was found

You will also see a detection under Quarantined threats in the Scan history section in the Windows Defender Security Center app:

  1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for Defender.

  2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan history label:

    Screenshot of the Scan history label in the Windows Defender Security Center app

  3. Under the Quarantined threats section, click the See full history label to see the detected fake malware:

    Screenshot of quarantined items in the Windows Defender Security Center app

Note

Versions of Windows 10 before version 1703 have a different user interface. See the Windows Defender Antivirus in the Windows Defender Security Center topic for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.

The Windows event log will also show Windows Defender client event ID 2050.
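The validation steps above (the MpCmdRun check, the client's cloud-protection settings, and the event log lookup) can be run together from one elevated PowerShell session. The script below is an added example, not part of the original page or of Microsoft's tooling; it assumes MpCmdRun.exe is at its default location under `%ProgramFiles%\Windows Defender`, that the session is elevated, and that the client runs Windows 10, version 1703 or later so that `-ValidateMapsConnection` is available. It uses the documented Get-MpPreference, Get-MpComputerStatus and Get-WinEvent cmdlets; the interpretation that a non-zero exit code from MpCmdRun means the validation failed is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original page): run the MAPS connectivity
# validation described above and gather the supporting evidence in one place.
# Assumption: MpCmdRun.exe is at its default install path.

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) {
    throw "MpCmdRun.exe not found at $mpCmdRun (non-default install location?)"
}

# 1. Confirm cloud-delivered protection is actually enabled on this client;
#    a connectivity test is meaningless if MAPS reporting is turned off.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    MAPSReporting        = $pref.MAPSReporting          # 0 = Disabled, 1 = Basic, 2 = Advanced
    SubmitSamplesConsent = $pref.SubmitSamplesConsent   # sample submission setting
    AntivirusEnabled     = $status.AntivirusEnabled
    SignatureAgeDays     = $status.AntivirusSignatureAge # 7 or more days triggers the ADL fallback
} | Format-List

# 2. Run the validation and keep both its output and exit code for the record.
$output = & $mpCmdRun -ValidateMapsConnection 2>&1
$exit   = $LASTEXITCODE
$output
if ($exit -eq 0) {
    Write-Output 'MAPS connection validated'
} else {
    # Assumption: a non-zero exit code indicates the validation did not succeed.
    Write-Warning "MpCmdRun -ValidateMapsConnection returned exit code $exit; check proxy and firewall rules"
}

# 3. Look for recent Windows Defender client events with ID 2050, which the
#    page says appear after the test file is detected through the cloud.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2050
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} else {
    Write-Output 'No event ID 2050 in the last 24 hours (download the test file first, then re-run)'
}
```

Run the script once before and once after downloading the test file: the first run establishes that the client is configured for cloud protection and can reach MAPS, and the second run should show the event ID 2050 entry alongside the quarantined detection visible in the Windows Defender Security Center app.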

Important

You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.