STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Want to experience Defender for Endpoint? Sign up for a free trial.
Before you onboard devices to Defender for Endpoint, make sure your network is configured to connect to the service. The first step of this process involves adding URLs to the allowed domains list if your proxy server or firewall rules prevent access to Defender for Endpoint. This article also includes information about proxy and firewall requirements for older versions of Windows client and Windows Server.
Note
- Tenants created on or before May 8th, 2024 will have the option to select streamlined connectivity (consolidated set of URLs) as the default onboarding method or remain on standard through settings. When you've verified prerequisites have been met and are ready to set the default onboarding package to streamlined, you can turn on the following Advanced Feature setting in the Microsoft Defender portal (Settings > Endpoints > Advanced Features). For onboarding through Intune & Microsoft Defender for Cloud, you will need to activate the relevant option. Devices already onboarded will not automatically re-onboard; you will need to create a new policy in Intune, where it is recommended to first assign the policy to a set of test devices to verify connectivity is successful, before expanding the audience. Devices in Defender for Cloud can be re-onboarded using the relevant onboarding script.
- If your tenant already had streamlined connectivity enabled as part of the public preview, it will remain enabled.
- New tenants created after May 8th, 2024, will default to streamlined connectivity. Read more at Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint
Enable access to Microsoft Defender for Endpoint service URLs in the proxy server
The following downloadable spreadsheet lists the services and their associated URLs that devices in your network must be able to connect to. Ensure there are no firewall or network filtering rules to deny access for these URLs. Optionally, you may need to create an allow rule specifically for them.
| Spreadsheet of domains list | Description |
|---|---|
| Microsoft Defender for Endpoint consolidated URL list (Streamlined) |
Spreadsheet of consolidated URLs. Download the spreadsheet here. Applicable OS: For complete list, see streamlined connectivity. - Windows 10 1809+ - Windows 11 - Windows Server 2019 - Windows Server 2022 - Windows Server 2012 R2, Windows Server 2016 R2 running Defender for Endpoint modern unified solution (requires installation through MSI). - macOS supported versions running 101.23102.* + - Linux supported versions running 101.23102.* + Minimum component versions: - Antimalware client: 4.18.2211.5 - Engine: 1.1.19900.2 - Security intelligence: 1.391.345.0 - Xplat version: 101.23102.* + - Sensor/ KB version: >10.8040.*/ March 8, 2022+ If you are moving previously onboarded devices to the streamlined approach, see Migrating device connectivity Windows 10 version 1607, 1703, 1709, 1803 (RS1-RS4) are supported through the streamlined onboarding package but require a longer URL list (see updated URL sheet). These versions do not support reonboarding (must be fully offboarded first). Devices running on Windows 7, Windows 8.1, Windows Server 2008 R2 MMA, Servers not upgraded to Unified Agent (MMA) will need to continue using MMA onboarding method. |
| Microsoft Defender for Endpoint URL list for commercial customers (Standard) | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. Download the spreadsheet here. Microsoft Defender for Endpoint Plan 1 and Plan 2 share the same proxy service URLs. In your firewall, open all the URLs where the geography column is WW. For rows where the geography column isn't WW, open the URLs to your specific data location. To verify your data location setting, see Verify data storage location and update data retention settings for Microsoft Defender for Endpoint. Don't exclude the URL |
| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. Download the spreadsheet here. |
Important
- Connections are made from the context of the operating system or the Defender client services and as such, proxies should not require authentication for these destinations or perform inspection (HTTPS scanning / SSL inspection) that breaks the secure channel.
- Microsoft does not provide a proxy server. These URLs are accessible via the proxy server that you configure.
- In compliance with Defender for Endpoint security and compliance standards, your data will be processed and stored in accordance with your tenant's physical location. Based on client location, traffic may flow through any of the associated IP regions (which correspond to Azure datacenter regions). For more information, see Data storage and privacy.
Microsoft Monitoring Agent (MMA) - additional proxy and firewall requirements for older versions of Windows client or Windows Server
The follwoing additional destinations are required to allow Defender for Endpoint communications through the Log Analytics agent (often referred to as Microsoft Monitoring Agent) on Windows 7 SP1, Windows 8.1, and Windows Server 2008 R2.
| Agent Resource | Ports | Direction | Bypass HTTPS inspection |
|---|---|---|---|
*.ods.opinsights.azure.com |
Port 443 | Outbound | Yes |
*.oms.opinsights.azure.com |
Port 443 | Outbound | Yes |
*.blob.core.windows.net |
Port 443 | Outbound | Yes |
*.azure-automation.net |
Port 443 | Outbound | Yes |
Note
Services using MMA-based solutions are not able to leverage the new streamlined connectivity solution (consolidated URL and option to use static IPs). For Windows Server 2016 and Windows Server 2012 R2, you will need to update to the new unified solution. Instructions to onboard these operating systems with the new unified solution are at Onboard Windows servers, or migrate already onboarded devices to the new unified solution at Server migration scenarios in Microsoft Defender for Endpoint.
For devices without Internet access / without a proxy
For devices with no direct internet connection, the use of a proxy solution is the recommended approach. In specific cases, you can leverage firewall or gateway devices that allow access to IP ranges. For more information, see: Streamlined device connectivity.
Important
- Microsoft Defender for Endpoint is a Cloud security solution. "Onboard devices without Internet access" means that Internet access for the endpoints must be configured through a proxy or other network device, and DNS resolution is always required. Microsoft Defender for Endpoint does not support endpoints without direct or proxied connectivity to the Defender cloud services. A system wide proxy configuration is recommended.
- Windows or Windows Server in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
- For more information about updating CTLs offline, see Configure a file or web server to download the CTL files.
Next step
STEP 2: Configure your devices to connect to the Defender for Endpoint service using a proxy
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for