Want to experience Defender for Endpoint? Sign up for a free trial.
Defender for Endpoint can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
The threat intelligence data set for this has been managed by Microsoft.
By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can also warn users with a prompt if they open a risky app. The prompt won’t stop them from using the app but you can provide a custom message and links to a company page that describes appropriate usage of the app. Users can still bypass the warning and continue to use the app if they need.
You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
Before you begin
It’s important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
- URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see Enable network protection.
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later, Windows 11, Windows Server 2016, Windows Server 2012 R2, Windows Server 2019, and Windows Server 2022.
Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in Onboard Windows servers for this feature to work.
- Ensure that Custom network indicators is enabled in Microsoft Defender Security Center > Settings > Advanced features. For more information, see Advanced features.
- For support of indicators on iOS, see Configure custom indicators.
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). If there are conflicting URL indicator policies, the longer path is applied. For example, the URL indicator policy
https://support.microsoft.com/office takes precedence over the URL indicator policy
For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
- IP is supported for all three protocols
- Only single IP addresses are supported (no CIDR blocks or IP ranges)
- Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
- Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
- Full URL path blocks can be applied on the domain level and all unencrypted URLs
There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
When using the warn mode, you can configure the following controls:
- Allow button in Edge
- Allow button on toast (Non-Microsoft browsers)
- Bypass duration parameter on the indicator
- Bypass enforcement across Microsoft and Non-Microsoft browsers
- Redirect URL parameter on the indicator
- Redirect URL in Edge
- Redirect URL on toast (Non-Microsoft browsers)
For more information, see Govern apps discovered by Microsoft Defender for Endpoint.
Create an indicator for IPs, URLs, or domains from the settings page
- In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
- Select the IP addresses or URLs/Domains tab.
- Select Add item.
- Specify the following details:
- Indicator – Specify the entity details and define the expiration of the indicator.
- Action – Specify the action to be taken and provide a description.
- Scope – Define the scope of the machine group.
- Review the details in the Summary tab, then click Save.