Important
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
This article includes a list of the streamlined connectivity URLs required to onboard and maintain devices in Microsoft Defender for Endpoint in US Government cloud environments (GCC, GCC High, DoD).
Prerequisites
See the prerequisites for streamlined connectivity.
Notes
Devices running Defender for Endpoint delivered via the Microsoft Monitoring Agent (MMA, also known as the Log Analytics Agent - specifically, Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 and those Windows Server 2012 R2, 2016 devices not upgraded to the modern unified solution) will continue using the associated legacy method. For the list of additional URLs, refer to the Windows 7, 8.1, 2008R2 (MMA) tab.
Devices running Windows version 1607, 1703, 1709, 1803 can onboard using the new onboarding package but still require a longer list of URLs. The Windows 1607 to 1803 tab lists the additional URLs required.
US Gov URLs
General URLs
Note
Make sure your devices meet all component (app/antimalware platform, engine, EDR sensor) update versions and OS requirements; otherwise, onboarding might be unsuccessful. You can re-onboard devices to switch them to streamlined connectivity if they meet these requirements.
| Service | Geography | Category | Port | Endpoint/URL | Description | Required | Win 11/10/Server (Unified) | Win 7/8.1 | Server (MMA) | Mac | Linux |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Consolidated Defender for Endpoint services | USGov | Streamlined connectivity URL | 443 | *.endpoint.security.microsoft.us | Streamlined connectivity URL consolidation and future services | Required | Yes | No | Yes | Yes | Yes |
| Microsoft Defender SmartScreen | GCC | Reporting and Notifications | 443 | unitedstates4.ss.wd.microsoft.us | SmartScreen protection, reporting, notifications, Network Protection, custom URL indicators | Required | Yes | Yes | Yes | | |
| Microsoft Defender SmartScreen | GCC High | Reporting and Notifications | 443 | unitedstates1.ss.wd.microsoft.us | SmartScreen protection, reporting, notifications, Network Protection, custom URL indicators | Required | Yes | Yes | Yes | | |
| Microsoft Defender SmartScreen | DoD | Reporting and Notifications | 443 | unitedstates2.ss.wd.microsoft.us | SmartScreen protection, reporting, notifications, Network Protection, custom URL indicators | Required | Yes | Yes | Yes | | |
| Defender for Endpoint | DoD | Internal configuration management | 443 | https://config.ecs.dod.teams.microsoft.us/config/v1 | This URL must be allowed to enable Defender on Linux endpoints to receive internal configurations from the cloud. | Required | Yes | | | | |
| Defender for Endpoint | GCC High | Internal configuration management | 443 | https://config.ecs.gov.teams.microsoft.us/config/v1 | This URL must be allowed to enable Defender on Linux endpoints to receive internal configurations from the cloud. | Required | Yes | | | | |
| Defender for Endpoint | GCC Mod | Internal configuration management | 443 | https://gccmod.ecs.office.com/config/v1 | This URL must be allowed to enable Defender on Linux endpoints to receive internal configurations from the cloud. | Required | Yes | | | | |
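The following is an added example, not Microsoft's code: it audits a proxy or firewall allow-list for coverage of the General URLs table for a chosen geography, treating wildcards strictly on label boundaries. The function names and the sample allow-list are constructed for illustration, and it assumes the USGov row applies to every tenant and that rules are compared at host level only.

```python
# Added example (not Microsoft code): audit a proxy allow-list against the
# General URLs table. Matching is host-level; paths and ports are ignored.

# (geography, endpoint) pairs copied from the General URLs table (all port 443).
REQUIRED = [
    ("USGov", "*.endpoint.security.microsoft.us"),
    ("GCC", "unitedstates4.ss.wd.microsoft.us"),
    ("GCC High", "unitedstates1.ss.wd.microsoft.us"),
    ("DoD", "unitedstates2.ss.wd.microsoft.us"),
    ("DoD", "https://config.ecs.dod.teams.microsoft.us/config/v1"),
    ("GCC High", "https://config.ecs.gov.teams.microsoft.us/config/v1"),
    ("GCC Mod", "https://gccmod.ecs.office.com/config/v1"),
]

# Constructed allow-list with a common mistake: the apex host was entered
# where the table requires the wildcard.
SAMPLE_ALLOWLIST = [
    "endpoint.security.microsoft.us",
    "https://*.wd.microsoft.us/",
    "config.ecs.gov.teams.microsoft.us:443",
]


def host_of(entry):
    """Strip scheme, path, port and trailing dot; return a lowercase host pattern."""
    host = entry.strip().lower().split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].rstrip(".")


def covers(rule, needed):
    """True if allow-list pattern `rule` permits every host `needed` denotes."""
    if rule == needed:
        return True
    if rule.startswith("*."):
        # Keep the leading dot so the wildcard only matches on a label
        # boundary: "*.a.b" covers "x.a.b" but not "xa.b" or "a.b.other.example".
        return needed.lstrip("*").endswith(rule[1:])
    return False  # an exact host never satisfies a wildcard requirement


def missing(allowlist, geographies):
    """Required endpoints for the given geographies that no rule covers."""
    rules = [host_of(r) for r in allowlist]
    wanted = {"USGov", *geographies}  # assumption: USGov rows apply to every tenant
    return [ep for geo, ep in REQUIRED
            if geo in wanted and not any(covers(r, host_of(ep)) for r in rules)]


if __name__ == "__main__":
    print(missing(SAMPLE_ALLOWLIST, ["GCC High"]))
```

Whether a wildcard rule also matches the apex host depends on the proxy product; this example treats the apex as not covered.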
URLs used for updates
Note
Depending on your environment, you might apply updates from a file share or update server and not need to allow (all) direct connections from devices, or these connections might already be required and allowed in your environment for other purposes, such as Windows updates.
This table lists URL endpoints used by Microsoft Defender Antivirus. These endpoints are optional when updates are managed internally using WSUS, Configuration Manager, or a file share.
| Service | Geography | Category | Port | Endpoint/URL | Description | Required/Optional | Win 11/10/Server (Unified) | Win 7/8.1 | Server (MMA) |
|---|---|---|---|---|---|---|---|---|---|
| Microsoft Defender Antivirus | US Gov | MU/WU | 443 | *.update.microsoft.com | Security intelligence and product updates | Optional | Yes | Yes | Yes |
| Microsoft Defender Antivirus | US Gov | MU/WU | 443 | *.delivery.mp.microsoft.com | Security intelligence and product updates | Optional | Yes | Yes | Yes |
| Microsoft Defender Antivirus | US Gov | MU/WU | 443 | *.windowsupdate.com | Security intelligence and product updates | Optional | Yes | Yes | Yes |
| Microsoft Defender Antivirus | US Gov | MU (ADL) | 443 | *.download.windowsupdate.com | Alternate location for Microsoft Defender Antivirus Security intelligence updates | Optional | Yes | Yes | Yes |
| Microsoft Defender Antivirus | US Gov | MU (ADL) | 443 | *.download.microsoft.com | Alternate location for Microsoft Defender Antivirus Security intelligence updates | Optional | Yes | Yes | Yes |
| Microsoft Defender Antivirus | US Gov | MU (ADL) | 443 | fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx | Alternate location for Microsoft Defender Antivirus Security intelligence updates | Optional | Yes | Yes | Yes |
URLs used for certificate validation checks
Note
Certificate validation is performed through the Windows operating system, helping to prevent abuse of compromised certificates. This means the operating system must be able to connect to these destinations, or it should be updated with the latest certificate trust lists if it can't retrieve them from Microsoft directly. For more information, see Configure trusted roots and disallowed certificates in Windows.
| Service | Geography | Category | Port | Endpoint/URL | Description | Required/Optional | Win 11/10/Server (Unified) | Win 7/8.1 | Server (MMA) | Mac | Linux |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft Defender for Endpoint | US Gov | CRL | 80 | crl.microsoft.com/pki/crl/* | Certificate Revocation Lists - required to validate certificates / Used by Windows when creating the SSL connection to MAPS for updating the CRL | Required | Yes | Yes | Yes | | |
| Microsoft Defender for Endpoint | US Gov | CRL | 80 | ctldl.windowsupdate.com | Expands on the existing automatic root update mechanism technology to let certificates that are compromised or untrusted be specifically flagged as untrusted | Required | Yes | | | | |
| Microsoft Defender for Endpoint | US Gov | CRL | 80 | www.microsoft.com/pkiops/* | Used when creating the SSL connection to MAPS for updating the CRL | Required | Yes | Yes | Yes | | |
| Microsoft Defender for Endpoint | US Gov | CRL | 80 | http://www.microsoft.com/pki/certs | Used when creating the SSL connection to MAPS for updating the CRL | Required | Yes | Yes | Yes | | |
Other URLs
Note
The URLs in this table are required for Live Response Performance (Direct Connection/Proxy bypass required).
| Service | Geography | Category | Port | Endpoint/URL | Description | Required/Optional | Win 11/10/Server (Unified) |
|---|---|---|---|---|---|---|---|
| Microsoft Defender for Endpoint | US Gov | Common | 443 | *.wns.windows.com | Windows Push Notification Services (WNS) - Live Response | Required | Yes |
| Microsoft Defender for Endpoint | US Gov | Common | 443 | login.microsoftonline.us | Windows Push Notification Services (WNS) - Live Response | Required | Yes |
| Microsoft Defender for Endpoint | US Gov | Common | 443 | login.live.com | Windows Push Notification Services (WNS) - Live Response | Required | Yes |
Security center URLs
Note
The following table lists the required URL endpoints for accessing the Microsoft Defender Security Center portal.
| Service | Geography | URL |
|---|---|---|
| Microsoft Defender for Endpoint | US Gov | *.blob.core.usgovcloudapi.net |
| Microsoft Defender for Endpoint | US Gov | crl.microsoft.com |
| Microsoft Defender for Endpoint | US Gov | https://*.microsoftonline-p.com |
| Microsoft Defender for Endpoint | US Gov | https://secure.aadcdn.microsoftonline-p.com |
| Microsoft Defender for Endpoint | US Gov | https://static2.sharepointonline.com |
| Microsoft Defender for Endpoint | GCC | https://login.microsoftonline.com |
| Microsoft Defender for Endpoint | GCC | https://*.gcc.securitycenter.microsoft.us |
| Microsoft Defender for Endpoint | GCC | https://onboardingpckgsusmvprd.blob.core.usgovcloudapi.net |
| Microsoft Defender for Endpoint | GCC High | https://login.microsoftonline.us |
| Microsoft Defender for Endpoint | GCC High | https://*.securitycenter.microsoft.us |
| Microsoft Defender for Endpoint | GCC High | https://onboardingpckgsusgvprd.blob.core.usgovcloudapi.net |
| Microsoft Defender for Endpoint | DoD | https://login.microsoftonline.us |
| Microsoft Defender for Endpoint | DoD | https://*.securitycenter.microsoft.us |
| Microsoft Defender for Endpoint | DoD | https://onboardingpckgsusgvprd.blob.core.usgovcloudapi.net |
Microsoft Defender process exclusions
The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table.
| OS | Exclusions |
|---|---|
| Windows 11<br>Windows 10, version 1803 or later (See Windows 10 release information)<br>Windows 10, version 1703 or 1709 with KB4493441 installed<br>Windows Server 2025<br>Azure Stack HCI OS, version 23H2 and later<br>Windows Server 2022<br>Windows Server 2019<br>Windows Server, version 1803<br>Windows Server 2016 running the modern unified solution<br>Windows Server 2012 R2 running the modern unified solution | EDR exclusions:<br>C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe<br>C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe<br>C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe<br>C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe<br>C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe<br>C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe<br>C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection<br>C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe<br>C:\Program Files\Windows Defender Advanced Threat Protection\SenseTracer.exe<br>C:\Program Files\Windows Defender Advanced Threat Protection\SenseDlpProcessor.exe<br><br>Registry path:<br>HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\*<br><br>Antivirus exclusions:<br>C:\Program Files\Windows Defender\MsMpEng.exe<br>C:\Program Files\Windows Defender\NisSrv.exe<br>C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe<br>C:\Program Files\Windows Defender\MpCmdRun.exe<br>C:\Program Files\Windows Defender\MpDefenderCoreService.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MsMpEng.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\NisSrv.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\ConfigSecurityPolicy.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpCopyAccelerator.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpCmdRun.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDefenderCoreService.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\mpextms.exe<br><br>Endpoint Data Loss Prevention (Endpoint DLP) exclusions:<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDlpService.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDlpCmd.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MipDlp.exe<br>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\DlpUserAgent.exe |
| Windows Server 2016 or Windows Server 2012 R2 running the modern unified solution | The following additional exclusions are required after updating the Sense EDR component using KB5005292:<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection<br>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe |
| Windows 8.1<br>Windows 7<br>Windows Server 2008 R2 SP1 | C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe (Monitoring Host Temporary Files 6\45 can be different numbered subfolders.)<br>C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe<br>C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe<br>C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe<br>C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe<br>C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe<br>C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe |