Configure and validate Microsoft Defender Antivirus network connections
Applies to:
- Microsoft Defender Antivirus
Important
This article contains information about configuring network connections only for Microsoft Defender Antivirus, when used without Microsoft Defender for Endpoint. If you are using Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus), see Configure device proxy and Internet connectivity settings for Defender for Endpoint.
Platforms
- Windows
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists which destinations must be accessible. It also provides instructions for validating connections. Configuring connectivity properly ensures you receive the best value from Microsoft Defender Antivirus cloud-delivered protection services.
Allow connections to the Microsoft Defender Antivirus cloud service
The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. While it's optional to enable and use the cloud-delivered protection services provided by Microsoft Defender Antivirus, it's highly recommended because it provides important and timely protection against emerging threats on your endpoints and network. For more information, see Enable cloud-delivered protection, which describes how to enable the service by using Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or individual clients in the Windows Security app.
After you've enabled the service, you need to configure your network or firewall to allow connections between the Microsoft cloud services and your endpoints. Computers must have access to the internet and be able to reach the Microsoft cloud services for proper operation.
Note
The Microsoft Defender Antivirus cloud service delivers updated protection to your network and endpoints. The cloud service should not be considered as protection for or against files that are stored in the cloud; instead, the cloud service uses distributed resources and machine learning to deliver protection for your endpoints at a faster rate than the traditional Security intelligence updates, and applies to file-based and file-less threats, regardless of where they originate from.
Services and URLs
The table in this section lists services and their associated website addresses (URLs).
Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs. The URLs in the following table use port 443 for communication. (Port 80 is also required for some URLs, as noted in the following table.)
Service and description | URL |
---|---|
Microsoft Defender Antivirus cloud-delivered protection service is referred to as Microsoft Active Protection Service (MAPS). Microsoft Defender Antivirus uses the MAPS service to provide cloud-delivered protection. | *.wdcp.microsoft.com<br>*.wdcpalt.microsoft.com<br>*.wd.microsoft.com |
Microsoft Update Service (MU) and Windows Update Service (WU). These services deliver security intelligence and product updates. | *.update.microsoft.com<br>*.delivery.mp.microsoft.com<br>*.windowsupdate.com<br>ctldl.windowsupdate.com<br>For more information, see Connection endpoints for Windows Update. |
Security intelligence updates Alternate Download Location (ADL). This is an alternate location for Microsoft Defender Antivirus security intelligence updates, used if the installed security intelligence is out of date (seven or more days behind). | *.download.microsoft.com<br>*.download.windowsupdate.com (Port 80 is required)<br>go.microsoft.com (Port 80 is required)<br>https://www.microsoft.com/security/encyclopedia/adlpackages.aspx<br>https://definitionupdates.microsoft.com/download/DefinitionUpdates/<br>https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx |
Malware submission storage. This is the upload location for files submitted to Microsoft via the Submission form or automatic sample submission. | ussus1eastprod.blob.core.windows.net<br>ussus2eastprod.blob.core.windows.net<br>ussus3eastprod.blob.core.windows.net<br>ussus4eastprod.blob.core.windows.net<br>wsus1eastprod.blob.core.windows.net<br>wsus2eastprod.blob.core.windows.net<br>ussus1westprod.blob.core.windows.net<br>ussus2westprod.blob.core.windows.net<br>ussus3westprod.blob.core.windows.net<br>ussus4westprod.blob.core.windows.net<br>wsus1westprod.blob.core.windows.net<br>wsus2westprod.blob.core.windows.net<br>usseu1northprod.blob.core.windows.net<br>wseu1northprod.blob.core.windows.net<br>usseu1westprod.blob.core.windows.net<br>wseu1westprod.blob.core.windows.net<br>ussuk1southprod.blob.core.windows.net<br>wsuk1southprod.blob.core.windows.net<br>ussuk1westprod.blob.core.windows.net<br>wsuk1westprod.blob.core.windows.net |
Certificate Revocation List (CRL). Windows uses this list while creating the SSL connection to MAPS, to update the CRL. | http://www.microsoft.com/pkiops/crl/<br>http://www.microsoft.com/pkiops/certs<br>http://crl.microsoft.com/pki/crl/products<br>http://www.microsoft.com/pki/certs |
Universal GDPR Client. Windows uses this client to send client diagnostic data. Microsoft Defender Antivirus uses this data, under the General Data Protection Regulation, for product quality and monitoring purposes. | The update uses SSL (TCP port 443) to download manifests and upload diagnostic data to Microsoft through the following DNS endpoints:<br>vortex-win.data.microsoft.com<br>settings-win.data.microsoft.com |
Validate connections between your network and the cloud
After allowing the URLs listed, test whether you're connected to the Microsoft Defender Antivirus cloud service. Test that the URLs are correctly reporting and receiving information to ensure you're fully protected.
Use the cmdline tool to validate cloud-delivered protection
Use the following argument with the Microsoft Defender Antivirus command-line utility (mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:

```
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
```
Note
Open Command Prompt as an administrator. Right-click the item in the Start menu, click Run as administrator and click Yes at the permissions prompt. This command will only work on Windows 10, version 1703 or higher, or Windows 11.
For more information, see Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool.
Error messages
Here are some error messages you might see:

```
Start Time: <Day_of_the_week> MM DD YYYY HH:MM:SS
MpEnsureProcessMitigationPolicy: hr = 0x1
ValidateMapsConnection
ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80070006 httpcore=451)
MpCmdRun.exe: hr = 0x80070006
ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80072F8F httpcore=451)
MpCmdRun.exe: hr = 0x80072F8F
ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80072EFE httpcore=451)
MpCmdRun.exe: hr = 0x80072EFE
```
Root causes
The root cause of these error messages is that the device doesn't have its system-wide WinHttp proxy configured. If you don't set this proxy, then the operating system isn't aware of the proxy and can't fetch the CRL (the operating system does this, not Defender for Endpoint), which means that TLS connections to URLs like http://cp.wd.microsoft.com/ don't succeed. You see successful (response 200) connections to the endpoints, but the MAPS connections would still fail.
Solutions
The following table lists solutions:
Solution | Description |
---|---|
Solution (Preferred) | Configure the system-wide WinHttp proxy that allows the CRL check. |
Solution (Preferred 2) | 1. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings.<br>2. Select the Network Retrieval tab, and then select Define these policy settings.<br>3. Clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.<br>Here are some useful resources:<br>- Configure Trusted Roots and Disallowed Certificates<br>- Improving application start-up time: GeneratePublisherEvidence setting in Machine.config |
Work-around solution (Alternative). This is not a best practice, since you're no longer checking for revoked certificates or certificate pinning. | Disable the CRL check only for SPYNET. Configuring this registry SSLOptions value disables the CRL check only for SPYNET reporting; it doesn't affect other services. Go to HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet, and then set SSLOptions (DWORD) to 2 (hex). For reference, the possible values for the DWORD are:<br>- 0: disable pinning and revocation checks<br>- 1: disable pinning<br>- 2: disable revocation checks only<br>- 3: enable revocation checks and pinning (default) |
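The following PowerShell script is an added example, not part of the Microsoft article. It ties together the checks described above: TCP reachability of the explicitly named (non-wildcard) destinations from the URL table, the system-wide WinHTTP proxy named in the root-cause section, Defender's own -ValidateMapsConnection check, and an audit of the SSLOptions work-around from the solutions table. It assumes an elevated PowerShell session on Windows 10 version 1703 or later or Windows 11, and that a non-zero exit code from MpCmdRun.exe indicates failure.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Microsoft article. Checks the prerequisites the
# article describes: reachability of listed destinations, the system-wide
# WinHTTP proxy, Defender's own MAPS validation, and the SPYNET SSLOptions
# work-around. Assumes an elevated PowerShell on Windows 10 1703+ / Windows 11.

# Explicit hosts taken from the article's tables, with the port the article
# associates with each. Wildcard entries (*.wdcp.microsoft.com, ...) are not enumerated.
$targets = @(
    @{ Host = 'cp.wd.microsoft.com';             Port = 443 }  # MAPS (*.wd.microsoft.com), from the root-cause section
    @{ Host = 'ctldl.windowsupdate.com';         Port = 443 }  # Windows Update
    @{ Host = 'definitionupdates.microsoft.com'; Port = 443 }  # ADL
    @{ Host = 'fe3cr.delivery.mp.microsoft.com'; Port = 443 }  # ADL
    @{ Host = 'go.microsoft.com';                Port = 80  }  # ADL, port 80 required
    @{ Host = 'www.microsoft.com';               Port = 80  }  # CRL
    @{ Host = 'crl.microsoft.com';               Port = 80  }  # CRL
    @{ Host = 'vortex-win.data.microsoft.com';   Port = 443 }  # diagnostic data
    @{ Host = 'settings-win.data.microsoft.com'; Port = 443 }  # diagnostic data
)

# Direct TCP reachability. This bypasses any HTTP proxy, so on proxy-only
# networks 'False' here is expected and MpCmdRun below gives the real verdict.
$reach = foreach ($t in $targets) {
    $ok = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
              -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $t.Host; Port = $t.Port; TcpReachable = $ok }
}
$reach | Format-Table -AutoSize

# Root cause in the article: CRL retrieval uses the system-wide WinHTTP proxy,
# not the user's browser proxy. 'Direct access (no proxy server)' on a
# proxy-only network means the CRL fetch, and therefore MAPS TLS, will fail.
netsh winhttp show proxy

# Defender's end-to-end MAPS check; look for the hr=0x80070006 / 0x80072F8F /
# 0x80072EFE failures the article lists. Non-zero exit code = failure (assumption).
$mpcmd  = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$result = & $mpcmd -ValidateMapsConnection 2>&1
$result
if ($LASTEXITCODE -ne 0) { Write-Warning "ValidateMapsConnection failed (exit code $LASTEXITCODE)" }

# Audit the SSLOptions work-around from the solutions table. The default (3)
# keeps revocation checks and pinning; any other value is a finding, not a fix.
$spynet = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
$ssl = (Get-ItemProperty -Path $spynet -Name SSLOptions -ErrorAction SilentlyContinue).SSLOptions
if ($null -eq $ssl -or $ssl -eq 3) { 'SSLOptions: default (revocation checks and pinning enabled)' }
else { Write-Warning "SSLOptions=$ssl: CRL check and/or pinning disabled for SPYNET reporting" }
```

The TCP test only tells you whether a direct path exists; when egress is proxy-only, treat the -ValidateMapsConnection result and the WinHTTP proxy output as authoritative.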
Attempt to download a fake malware file from Microsoft
You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.
Note
The downloaded file is not exactly malware. It's a fake file designed to test if you're properly connected to the cloud.
If you're properly connected, you'll see a warning Microsoft Defender Antivirus notification.
If you're using Microsoft Edge, you also see a notification message in the browser. A similar message appears if you're using Internet Explorer.
View the fake malware detection in your Windows Security app
1. On your taskbar, select the Shield icon to open the Windows Security app. Or, search the Start menu for Security.
2. Select Virus & threat protection, and then select Protection history.
3. Under the Quarantined threats section, select See full history to see the detected fake malware.
Note
Versions of Windows 10 before version 1703 have a different user interface. See Microsoft Defender Antivirus in the Windows Security app.
The Windows event log will also show Windows Defender client event ID 1116.
Tip
If you're looking for Antivirus related information for other platforms, see:
See also
- Configure device proxy and Internet connectivity settings for Microsoft Defender for Endpoint
- Use Group Policy settings to configure and manage Microsoft Defender Antivirus
- Important changes to Microsoft Active Protection Services endpoint