
Configuration enforcement error after deploying a desktop to MS 365 Defender

Anonymous
2023-11-25T16:54:14+00:00

Hi

After onboarding a desktop to MS 365 Defender I'm getting the following error:

This device has a configuration enforcement error: The device was onboarded to Microsoft Defender for Endpoint but encountered a connectivity issue.
Verify that the required endpoints are opened in your firewall.

The required endpoints are shown as:

Devices must have access to the following endpoint:

  • *.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.

Could you help how to open required endpoints in firewall?

Many thanks

Michal


Answer accepted by question author

Anonymous
2023-11-26T23:30:27+00:00

Hi again Michal,

Sure, I'd be happy to guide you further. To add a firewall rule or modify an existing one to permit traffic to *.dm.microsoft.com, you would need to do it in Windows Defender Firewall. Here are the steps:

  1. Open Windows Defender Firewall by typing "Windows Defender Firewall" in the search bar and selecting it from the results.
  2. Click on "Advanced settings" on the left-hand side of the window.
  3. In the left-hand pane, click on "Inbound Rules" or "Outbound Rules" depending on whether you want to allow incoming or outgoing traffic.
  4. Click on "New Rule" on the right-hand side of the window.
  5. Select "Custom" and click "Next".
  6. Select "All Programs" and click "Next".
  7. Under "Protocol type", select "TCP" and enter "443" as the port number. Click "Next".
  8. Under "Scope", select "These IP addresses" and click "Add".
  9. Enter "*.dm.microsoft.com" in the "This IP address or subnet" field and click "OK". Click "Next".
  10. Select "Allow the connection" and click "Next".
  11. Select the appropriate network location types and click "Next".
  12. Give the rule a name and click "Finish".

You do not need to do this in Intune as Windows Defender Firewall is a built-in feature of Windows.

Respectfully,

Bryll

Microsoft Moderator

1 person found this answer helpful.

Answer accepted by question author

Anonymous
2023-11-26T16:20:41+00:00

Hi Michal, this is Bryll.

Thank you for writing us here in Microsoft Community.

If you have deployed a desktop to MS 365 Defender and you see a configuration enforcement error, it means that the device could not communicate with the cloud-service endpoints. This could be due to a firewall blocking the access to *.dm.microsoft.com, which is required for enrollment, check-in, and reporting. To fix this, you need to allow the device to access this endpoint using a wildcard. You can do this by adding a firewall rule or modifying an existing one to permit the traffic to *.dm.microsoft.com. After that, you should restart the device and check if the error is resolved.

Should the problem remain, here are other strategies we can recommend:

1.) Close any running Office 365 applications and check the task manager for any residual processes.

2.) Temporarily disable your VPN, Antivirus software or firewall and try the deployment again.

3.) Switch to a different internet network. If your mobile phone's internet data is strong and stable, try connecting your computer to it via Hotspot.

4.) Check your firewall settings to ensure that the required endpoints are not blocked.

5.) Ensure that your network configuration allows outbound traffic to the required endpoints.

6.) Verify that your DNS settings are configured correctly, and that the device can resolve the required endpoints.

7.) If you are using a proxy server, ensure that it is configured correctly to allow traffic to the required endpoints.

8.) Uninstall any previous versions of Office suite from your computer and run the Office Deployment Tool with the "RemoveMSI" option.

9.) Run the Office Deployment Tool with the "MatchInstalled" feature to make changes to the existing installation without changing the version.

To know more, please visit this link: Use Intune to manage Microsoft Defender security settings management on devices not enrolled with Microsoft Intune | Microsoft Learn

Should the problem remain, we have a few questions to ask so we can recommend other strategies. If possible, please send us some screenshots.

  • Is your computer connected to a domain? To check (Go to Windows Settings > System >Domain or Workgroup)
  • What is the Windows OS license and version build of your computer? To check (Type winver from Start Menu)

Yours truly,

Bryll

Microsoft Moderator

1 person found this answer helpful.
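The two answers above ask the reader to open the firewall for *.dm.microsoft.com and then to check firewall, proxy and DNS settings. One caveat for the GUI steps: the "This IP address or subnet" scope field in Windows Defender Firewall accepts IP addresses, subnets and ranges, not DNS wildcards, so a rule cannot be scoped to "*.dm.microsoft.com" by typing that name. A practical way to confirm where the connectivity failure sits is to test name resolution and TCP 443 reachability from the affected device and to list any outbound block rules that would cover that traffic. The following PowerShell script is an added example for that purpose; it is not from the thread or from Microsoft. The host name in `$Hosts` is a constructed placeholder and should be replaced with the concrete host names under dm.microsoft.com that your environment actually contacts.

```powershell
# Added diagnostic example (not part of the thread). Run in an elevated PowerShell
# on the device that shows the configuration enforcement error.
#
# ASSUMPTION: the host name below is a placeholder. Replace it with the real
# host name(s) under *.dm.microsoft.com that your device needs to reach.
param(
    [string[]]$Hosts = @('placeholder-host.dm.microsoft.com'),
    [int]$Port = 443
)

# 1. DNS resolution and TCP reachability for each required endpoint.
$results = foreach ($h in $Hosts) {
    $addresses = @()
    try {
        $addresses = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'A' }).IPAddress
    } catch {
        # Name does not resolve: points at DNS rather than the firewall.
        $addresses = @()
    }
    $tcp = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host         = $h
        Resolves     = ($addresses.Count -gt 0)
        Addresses    = ($addresses -join ', ')
        TcpReachable = [bool]$tcp.TcpTestSucceeded
    }
}
"== Endpoint checks =="
$results | Format-Table -AutoSize

# 2. Enabled outbound BLOCK rules whose port filter covers TCP/$Port (or any port).
"== Outbound block rules that could match TCP/$Port =="
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $portMatch = ($pf.RemotePort -eq 'Any') -or ("$Port" -in @($pf.RemotePort))
        if ($pf.Protocol -in @('TCP', 'Any') -and $portMatch) {
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Profile    = $_.Profile
                Protocol   = $pf.Protocol
                RemotePort = (@($pf.RemotePort) -join ',')
            }
        }
    } | Format-Table -AutoSize

# 3. Default outbound action per profile: 'Block' means traffic needs an explicit allow rule.
"== Firewall profile defaults =="
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction | Format-Table -AutoSize

# 4. System-wide WinHTTP proxy, which the Defender management channel honours.
"== WinHTTP proxy =="
netsh winhttp show proxy
```

If a host resolves but `TcpReachable` is `False` while no block rule and no `Block` default appears, the filtering is most likely upstream (a network firewall or proxy) rather than on the device; if the name does not resolve at all, fix DNS before touching firewall rules.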

2 additional answers

Anonymous
2023-11-27T21:07:08+00:00

Hello there,

I am pleased to offer you guidance and support. Thanks again for choosing Microsoft.

Best wishes,

Bryll

Microsoft Moderator

Anonymous
2023-11-26T20:11:18+00:00

Hi Bryll

Thanks for your answer. Can you guide me on how to add a firewall rule or modify an existing one to permit traffic to *.dm.microsoft.com? Do I need to do it in Defender or Intune?

Thanks very much!

Michal