To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
See the blog post Important changes to Microsoft Active Protection Services endpoint for some details about network connectivity.
Visit the Microsoft Defender for Endpoint demo website at demo.wd.microsoft.com to confirm the following features are working:
- Cloud-delivered protection
- Fast learning (including block at first sight)
- Potentially unwanted application blocking
- Allow connections to the Microsoft Defender Antivirus cloud service
- Services and URLs
- Validate connections between your network and the cloud
Allow connections to the Microsoft Defender Antivirus cloud service
The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it’s highly recommended because it provides important protection against malware on your endpoints and across your network. See Enable cloud-delivered protection for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you’ve enabled the service, you might need to configure your network or firewall to allow connections between it and your endpoints. Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Don’t exclude the URL
*.blob.core.windows.net from any kind of network inspection.
The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it’s called a cloud service, it’s not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
Services and URLs
The table in this section lists the services and their associated website addresses (URLs).
Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you might need to create an allow rule specifically for them (excluding the URL
*.blob.core.windows.net). The URLs in the following table use port 443 for communication.
|Service and description||URL|
|Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)This service is used by Microsoft Defender Antivirus to provide cloud-delivered protection||
|Microsoft Update Service (MU) and Windows Update Service (WU)These services allow for security intelligence and product updates||
For more details, see Connection endpoints for Windows Update
|Security intelligence updates Alternate Download Location (ADL)This is an alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)||
|Malware submission storageThis is the upload location for files submitted to Microsoft via the Submission form or automatic sample submission||
|Certificate Revocation List (CRL)This list is used by Windows when creating the SSL connection to MAPS for updating the CRL||
|Symbol StoreThe symbol store is used by Microsoft Defender Antivirus to restore certain critical files during remediation flows||
|Universal Telemetry ClientThis client is used by Windows to send client diagnostic data
Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes
|The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
Validate connections between your network and the cloud
After allowing the URLs listed above, you can test if you’re connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you’re fully protected.
Use the cmdline tool to validate cloud-delivered protection
Use the following argument with the Microsoft Defender Antivirus command-line utility (
mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click Run as administrator and click Yes at the permissions prompt. This command will only work on Windows 10, version 1703 or higher, or Windows 11.
For more information, see Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool.
Attempt to download a fake malware file from Microsoft
You can download a sample file that Microsoft Defender Antivirus will detect and block if you’re properly connected to the cloud.
Download the file by visiting https://aka.ms/ioavtest.
This file is not an actual piece of malware. It’s a fake file that is designed to test if you’re properly connected to the cloud.
If you’re properly connected, you’ll see a warning Microsoft Defender Antivirus notification.
If you’re using Microsoft Edge, you’ll also see a notification message:
A similar message occurs if you’re using Internet Explorer:
You’ll also see a detection under Quarantined threats in the Scan history section in the Windows Security app:
- Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Security.
- Select Virus & threat protection, and then select Protection history.
- Under the Quarantined threats section, select See full history to see the detected fake malware.
Versions of Windows 10 before version 1703 have a different user interface. See Microsoft Defender Antivirus in the Windows Security app.
The Windows event log will also show Windows Defender client event ID 1116.