This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 31%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGZ%3C/text%3E%3C/svg%3E)
We have received a request to block an entire TLD in all workstation with Defender for Endpoint. I know you can add domains and block them to do that, but I dont know if this extends to full TLDs.
BTW I tagged defender for cloud because i didnt see an option to tag defender for endpoint.
Does anyone know this is doable with some wildcard nonsense?
Thanks,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 93%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
Same question here - is it working to block TLD with MS Defender?
Would like to block *.zip, *.mov and when i already work on the topic, also block *.xxx
Already created a DNS-Zone to block access, but that does not help for mobile users.
Edit: To clearify: I do not want to block zip-files. I want to Block TLD .zip.
You cannot do that using Indicators, but you can do this via Intune firewall rule
Check this article - its for same .zip domain block
https://jeffreyappel.nl/block-gtld-zip-fqdn-domains-with-windows-firewall-and-defender-for-endpoint/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @George Zerphey ,
I have not personally tested by adding .biz, but the MDE team has stated that blocking top level domains (.xyz) is not supported though the MDE URL indicators. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain?view=o365-worldwide. You can block individual IPs / URLs.
The documentation does not explicitly state that top-level domains cannot be blocked, so I have reached out and made a pull request to the guide and looped in the authors. I've also reached out to the Security team to propose this as a feature request and see if they can advise additional workarounds for this scenario.
The MDE team advises that in order to block an entire top-level domain, you would need to use a firewall or DNS filtering service. Network device options would depend on your setup.
I've shared your feedback with the Security team and recommend leaving feedback in the feedback forum as well. https://feedback.azure.com/
Let me know if you have further questions or details about your scenario that you would like to share.
*-
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.*
TLD? I am not familiar with the term.
Maybe Defender for Cloud Apps is more what you need? It can block applications that might be represented by a broad IP/domain range.
TLD = Top Level Domain. Like *.microsoft.com
https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-any-app
Use of wildcards are mentioned in this article (when using Defender for Cloud Apps)
Yeah TLD is top level domain, but it goes beyond what was said in the comment above. The current ask is to be able to block an entire TLD not just a domain. For example wanting to block *.biz or something like that because the organization does not have any interaction with that TLD and sees it as a security risk. This is just an example mind you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 26%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
You're an MS employee in a thread like this and don't know what Top Level Domain is? No wonder Defender doesn't work properly.
People (myself VERY much included) want the ability to just write off entire countries/gimmick domains like .br, .xxx, .info etc without playing whack-a-mole with domains. It USED to be possible with simple mail rules but they broke mail rules when they brought in this rubbish product named Defender (which couldn't Defend a thing).