STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Before you onboard devices to Defender for Endpoint, make sure your network is configured to connect to the service, by allowing outbound connection and bypassings HTTPS inspection for the service URLs. The first step of this process involves adding URLs to the allowed domains list if your proxy server or firewall rules prevent access to Defender for Endpoint. This article also includes information about proxy and firewall requirements for older versions of Windows client and Windows Server.

Note

  • After May 8, 2024, you have the option to keep streamlined connectivity (consolidated set of URLs) as the default onboarding method, or downgrade to standard connectivity through (Settings > Endpoints > Advanced Features). For onboarding through Intune or Microsoft Defender for Cloud, you need to activate the relevant option. Devices already onboarded aren't reonboarded automatically. In such cases, create a new policy in Intune, where it is recommended to first assign the policy to a set of test devices to verify connectivity is successful, and then expand the audience. Devices in Defender for Cloud can be reonboarded using the relevant onboarding script, while newly onboarded devices will automatically receive streamlined onboarding.
  • The new *.endpoint.security.microsoft.com consolidated domain needs to be reachable for all devices, for current and future functionality, regardless whether you continue to use Standard connectivity.
  • New regions will default to streamlined connectivity and will not have the option to downgrade to Standard. Read more at Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint.

Enable access to Microsoft Defender for Endpoint service URLs in the proxy server

The following downloadable spreadsheet lists the services and their associated URLs that devices in your network must be able to connect to. Ensure there are no firewall or network filtering rules to deny access for these URLs. Optionally, you might need to create an allow rule specifically for them.

Spreadsheet of domains list Description
Microsoft Defender for Endpoint consolidated URL list (Streamlined) Spreadsheet of consolidated URLs.
Download the spreadsheet here.

Applicable OS:
For complete list, see streamlined connectivity.
- Windows 10 1809+
- Windows 11
- Windows Server 2019
- Windows Server 2022
- Windows Server 2012 R2, Windows Server 2016 R2 running Defender for Endpoint modern unified solution (requires installation through MSI).
- macOS supported versions running 101.23102.* +
- Linux supported versions running 101.23102.* +

Minimum component versions:
- Antimalware client: 4.18.2211.5
- Engine: 1.1.19900.2
- Security intelligence: 1.391.345.0
- Xplat version: 101.23102.* +
- Sensor/ KB version: >10.8040.*/ March 8, 2022+

If you're moving previously onboarded devices to the streamlined approach, see Migrating device connectivity

Windows 10 versions 1607, 1703, 1709, 1803 (RS1-RS4) are supported through the streamlined onboarding package but require a longer URL list (see updated URL sheet). These versions don't support reonboarding (must be fully offboarded first).

Devices running on Windows 7, Windows 8.1, Windows Server 2008 R2 MMA, Servers not upgraded to Unified Agent (MMA) must continue using MMA onboarding method.
Microsoft Defender for Endpoint URL list for commercial customers (Standard) Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers.

Download the spreadsheet here.

Microsoft Defender for Endpoint Plan 1 and Plan 2 share the same proxy service URLs. In your firewall, open all the URLs where the geography column is WW. For rows where the geography column isn't WW, open the URLs to your specific data location. To verify your data location setting, see Verify data storage location and update data retention settings for Microsoft Defender for Endpoint. Don't exclude the URL *.blob.core.windows.net from any kind of network inspection. Instead, exclude only the blob URLs that are specific to MDE and listed in the spreadsheet of domains list.

Microsoft Defender for Endpoint URL list for Gov/GCC/DoD Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers.
Download the spreadsheet here.

Important

  • Connections are made from the context of the operating system or the Defender client services and as such, proxies should not require authentication for these destinations or perform inspection (HTTPS scanning / SSL inspection) that breaks the secure channel.
  • Microsoft does not provide a proxy server. These URLs are accessible via the proxy server that you configure.
  • In compliance with Defender for Endpoint security and compliance standards, your data will be processed and stored in accordance with your tenant's physical location. Based on client location, traffic may flow through any of the associated IP regions (which correspond to Azure datacenter regions). For more information, see Data storage and privacy.

Microsoft Monitoring Agent (MMA) - additional proxy and firewall requirements for older versions of Windows client or Windows Server

The following destinations are required to allow Defender for Endpoint communications through the Log Analytics agent (often referred to as Microsoft Monitoring Agent) on Windows 7 SP1, Windows 8.1, and Windows Server 2008 R2.

Agent Resource Ports Direction Bypass HTTPS inspection
*.ods.opinsights.azure.com Port 443 Outbound Yes
*.oms.opinsights.azure.com Port 443 Outbound Yes
*.blob.core.windows.net Port 443 Outbound Yes
*.azure-automation.net Port 443 Outbound Yes

To determine the exact destinations in use for your subscription within the domains listed above, see Microsoft Monitoring Agent (MMA) Service URL connections.

Note

Services using MMA-based solutions are not able to leverage the new streamlined connectivity solution (consolidated URL and option to use static IPs). For Windows Server 2016 and Windows Server 2012 R2, you will need to update to the new unified solution. Instructions to onboard these operating systems with the new unified solution are at Onboard Windows servers, or migrate already onboarded devices to the new unified solution at Server migration scenarios in Microsoft Defender for Endpoint.

For devices without Internet access / without a proxy

For devices with no direct internet connection, the use of a proxy solution is the recommended approach. In specific cases, you can use firewall or gateway devices that allow access to IP ranges. For more information, see: Streamlined device connectivity.

Important

  • Microsoft Defender for Endpoint is a Cloud security solution. "Onboard devices without Internet access" means that Internet access for the endpoints must be configured through a proxy or other network device, and DNS resolution is always required. Microsoft Defender for Endpoint does not support endpoints without direct or proxied connectivity to the Defender cloud services. A system wide proxy configuration is recommended.
  • Windows or Windows Server in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
  • For more information about updating CTLs offline, see Configure a file or web server to download the CTL files.

Next step

STEP 2: Configure your devices to connect to the Defender for Endpoint service using a proxy.