
Microsoft Defender for Endpoint - Proxy Service URLs (Commercial)

This spreadsheet details the endpoint service URLs and services required for Microsoft Defender for Endpoint commercial tenants.

Overview:
Microsoft Defender URLs sheet lists the URL endpoints used by Microsoft Defender for Endpoint. These URLs can be filtered by Required and Optional - Please see comments for guidance on optional URLs. The requirement for these optional URLs will depend on the operating system platform or features being used.
Defender Portal URLs sheet lists the URL endpoints required to access the Microsoft Defender Security portals
Microsoft Defender Processes sheet lists the processes used by Microsoft Defender for Endpoint

General guidance:
Filters for each column can be used to filter the URLs by the Microsoft Defender for Endpoint tenant location (Geography) / if they are required or optional / and by platform

Service Geography Category Port

Microsoft Defender for Endpoint WW CRL 80


Microsoft Defender for Endpoint WW CRL 80
Microsoft Defender for Endpoint WW CRL 80
Microsoft Defender for Endpoint WW CRL 80
Microsoft Defender for Endpoint WW Common 443
Microsoft Defender for Endpoint WW Common 443
Microsoft Defender for Endpoint WW Common 443
Microsoft Defender for Endpoint WW Common 443
Microsoft Defender for Endpoint WW Common 443
Microsoft Defender for Endpoint WW Common (Mac/Linux) 443
Microsoft Defender for Endpoint WW Common (Mac/Linux) 443
Microsoft Defender for Endpoint WW Common (Mac/Linux) 443
Microsoft Defender for Endpoint WW Common (Linux) 443
Microsoft Defender for Endpoint WW Microsoft Defender for Endpoint 443
Microsoft Defender for Endpoint WW Microsoft Defender for Endpoint 443
Microsoft Defender for Endpoint WW Microsoft Defender for Endpoint 443
Microsoft Defender for Endpoint WW Security Management 443
Microsoft Defender for Endpoint WW Security Management 443
Microsoft Defender for Endpoint WW Microsoft Monitoring Agent (MMA) 443

Microsoft Defender for Endpoint WW Microsoft Monitoring Agent (MMA) 443

Microsoft Defender for Endpoint WW Microsoft Monitoring Agent (MMA) 443


Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint US Microsoft Defender for Endpoint US 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint EU Microsoft Defender for Endpoint EU 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint UK Microsoft Defender for Endpoint UK 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender for Endpoint AU Microsoft Defender for Endpoint AU 443
Microsoft Defender Antivirus WW UTC 443
Microsoft Defender Antivirus WW MU / WU 443
Microsoft Defender Antivirus WW MU / WU 443
Microsoft Defender Antivirus WW MU / WU 443
Microsoft Defender Antivirus WW MU / WU 443
Microsoft Defender Antivirus WW MU / WU 443

Microsoft Defender Antivirus WW MU / WU 443


Microsoft Defender Antivirus WW MU (ADL) 443
Microsoft Defender Antivirus WW MU (ADL) 443
Microsoft Defender Antivirus WW MU (ADL) 443
Microsoft Defender Antivirus WW MAPS 443
Microsoft Defender Antivirus WW MAPS 443

Microsoft Defender Antivirus WW Common 443

Microsoft Defender Antivirus WW Common 443


Microsoft Defender SmartScreen WW Reporting and Notifications 443
Microsoft Defender SmartScreen WW Reporting and Notifications 443
Microsoft Defender SmartScreen WW Reporting and Notifications 443
Microsoft Defender SmartScreen WW Reporting and Notifications 443
Endpoint/URL

crl.microsoft.com
ctldl.windowsupdate.com
www.microsoft.com/pkiops/*
www.microsoft.com/pki/*
events.data.microsoft.com
*.wns.windows.com
login.microsoftonline.com
login.live.com
settings-win.data.microsoft.com
x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
officecdn-microsoft-com.akamaized.net
packages.microsoft.com
login.windows.net
*.security.microsoft.com
*.blob.core.windows.net/networkscannerstable/*
enterpriseregistration.windows.net
*.dm.microsoft.com
*.ods.opinsights.azure.com

*.oms.opinsights.azure.com

*.blob.core.windows.net
unitedstates.x.cp.wd.microsoft.com
us.vortex-win.data.microsoft.com
us-v20.events.data.microsoft.com
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-cus3.microsoft.com
winatp-gw-eus3.microsoft.com
automatedirstrprdcus.blob.core.windows.net
automatedirstrprdeus.blob.core.windows.net
automatedirstrprdcus3.blob.core.windows.net
automatedirstrprdeus3.blob.core.windows.net
ussus1eastprod.blob.core.windows.net
ussus2eastprod.blob.core.windows.net
ussus3eastprod.blob.core.windows.net
ussus4eastprod.blob.core.windows.net
wsus1eastprod.blob.core.windows.net
wsus2eastprod.blob.core.windows.net
ussus1westprod.blob.core.windows.net
ussus2westprod.blob.core.windows.net
ussus3westprod.blob.core.windows.net
ussus4westprod.blob.core.windows.net
wsus1westprod.blob.core.windows.net
wsus2westprod.blob.core.windows.net
europe.x.cp.wd.microsoft.com
eu.vortex-win.data.microsoft.com
eu-v20.events.data.microsoft.com
winatp-gw-neu.microsoft.com
winatp-gw-weu.microsoft.com
winatp-gw-neu3.microsoft.com
winatp-gw-weu3.microsoft.com
automatedirstrprdneu.blob.core.windows.net
automatedirstrprdweu.blob.core.windows.net
automatedirstrprdneu3.blob.core.windows.net
automatedirstrprdweu3.blob.core.windows.net
usseu1northprod.blob.core.windows.net
wseu1northprod.blob.core.windows.net
usseu1westprod.blob.core.windows.net
wseu1westprod.blob.core.windows.net
unitedkingdom.x.cp.wd.microsoft.com
uk.vortex-win.data.microsoft.com
uk-v20.events.data.microsoft.com
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com
automatedirstrprduks.blob.core.windows.net
automatedirstrprdukw.blob.core.windows.net
ussuk1southprod.blob.core.windows.net
wsuk1southprod.blob.core.windows.net
ussuk1westprod.blob.core.windows.net
wsuk1westprod.blob.core.windows.net
australia.x.cp.wd.microsoft.com
au.vortex-win.data.microsoft.com
au-v20.events.data.microsoft.com
winatp-gw-aue.microsoft.com
winatp-gw-aus.microsoft.com
automatedirstrprdaue.blob.core.windows.net
automatedirstrprdaus.blob.core.windows.net
ussau1southeastprod.blob.core.windows.net
ussau1eastprod.blob.core.windows.net
vortex-win.data.microsoft.com
*.update.microsoft.com
*.delivery.mp.microsoft.com
*.windowsupdate.com
go.microsoft.com
definitionupdates.microsoft.com

https://www.microsoft.com/security/encyclopedia/adlpackages.aspx
*.download.windowsupdate.com
*.download.microsoft.com
fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx
*.wdcp.microsoft.com
*.wd.microsoft.com

*.events.data.microsoft.com

*.ecs.office.com/config/v1/MicrosoftWindowsDefenderClient
*.smartscreen-prod.microsoft.com
*.smartscreen.microsoft.com
*.checkappexec.microsoft.com
*.urs.microsoft.com
Endpoint/URL Description

Certificate Revocation Lists - required to validate certificates / Used by Windows when creating the SSL connection to MAPS fo
CRL
Expands on the existing automatic root update mechanism technology to let certificates that are compromised or untrusted b
flagged as untrusted
Used when creating the SSL connection to MAPS for updating the CRL
Used when creating the SSL connection to MAPS for updating the CRL
Used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service
Windows Push Notification Services (WNS) - Live Response
Windows Push Notification Services (WNS) - Live Response / Vulnerability assessment for network devices / Security Managem
Defender for Endpoint - Azure Registration
Windows Push Notification Services (WNS) - Live Response
Connected User Experiences and Telemetry Channel
Used by Microsoft Defender Antivirus to provide cloud-delivered protection and security intelligence updates
Microsoft Defender Antivirus Content Delivery Network (CDN) - Security Intelligence updates
Microsoft Office Content Delivery Network (CDN) - Product Updates
Required to download and update the MDE Linux agent
Microsoft Defender for Endpoint Vulnerability assessment for network devices (network scanner)
Microsoft Defender for Endpoint Vulnerability assessment for network devices (network scanner)
Microsoft Defender for Endpoint Vulnerability assessment for network devices (network scanner)
Security Management for Microsoft Defender for Endpoint - Azure Registration
Security Management for Microsoft Defender for Endpoint - Enrollment, check-in, and reporting
MMA for Win 7/8.1/2008R2/2012R2/2016

MMA for Win 7/8.1/2008R2/2012R2/2016

MMA for Win 7/8.1/2008R2/2012R2/2016


Used by Microsoft Defender Antivirus to provide cloud-delivered protection and security intelligence updates
Microsoft Defender for Endpoint EDR Cyber Data
Microsoft Defender for Endpoint EDR Cyber Data
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint AutoIR Sample Storage
Microsoft Defender for Endpoint AutoIR Sample Storage
Microsoft Defender for Endpoint AutoIR Sample Storage
Microsoft Defender for Endpoint AutoIR Sample Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Used by Microsoft Defender Antivirus to provide cloud-delivered protection and security intelligence updates
Microsoft Defender for Endpoint EDR Cyber Data
Microsoft Defender for Endpoint EDR Cyber Data
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint AutoIR Sample Storage
Microsoft Defender for Endpoint AutoIR Sample Storage
Microsoft Defender for Endpoint AutoIR Sample Storage
Microsoft Defender for Endpoint AutoIR Sample Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Used by Microsoft Defender Antivirus to provide cloud-delivered protection and security intelligence updates
Microsoft Defender for Endpoint EDR Cyber Data
Microsoft Defender for Endpoint EDR Cyber Data
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint AutoIR Sample Storage
Microsoft Defender for Endpoint AutoIR Sample Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Used by Microsoft Defender Antivirus to provide cloud-delivered protection and security intelligence updates
Microsoft Defender for Endpoint EDR Cyber Data
Microsoft Defender for Endpoint EDR Cyber Data
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint Command and Control
Microsoft Defender for Endpoint AutoIR Sample Storage
Microsoft Defender for Endpoint AutoIR Sample Storage
Malware Sample Submission Storage
Malware Sample Submission Storage
Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purpos
MU / WU - Security intelligence and product updates
MU / WU - Security intelligence and product updates
MU / WU - Security intelligence and product updates
MU / WU - Security intelligence and product updates
MU / WU - Security intelligence and product updates

MU / WU - Security intelligence and product updates


ADL - Alternate location for Microsoft Defender Antivirus Security intelligence updates
ADL - Alternate location for Microsoft Defender Antivirus Security intelligence updates
ADL - Alternate location for Microsoft Defender Antivirus Security intelligence updates
MAPS - Used by Microsoft Defender Antivirus to provide cloud-delivered protection
MAPS - Used by Microsoft Defender Antivirus to provide cloud-delivered protection

Used by Microsoft Defender Antivirus to send Diagnostic Telemetry for Microsoft Defender Core Service

Used by Microsoft Defender Antivirus to download internal feature configurations (ECS) for Microsoft Defender Core service
Used for Microsoft Defender SmartScreen protection, reporting, and notifications. MDAV Network Protection and custom URL
Used for Microsoft Defender SmartScreen protection, reporting, and notifications. MDAV Network Protection and custom URL
Used for Microsoft Defender SmartScreen to check application execution for trusted apps
Used for Microsoft Defender SmartScreen to check application execution for trusted apps
Required / Optional | Windows 11 / Windows 10 / Server 2022 / 2019 / Server 2016 (Unified Agent) / Server 2012 R2 (Unified Agent) | Windows Server 2008 R2 / 2012 R2 / 2016 (MMA Based) | Windows 7 / 8.1 | Mac | Linux
Required Yes Yes Yes
Required Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Optional Yes
Optional Yes Yes Yes
Optional Yes
Optional Yes
Required Yes Yes
Required Yes Yes
Required Yes Yes
Required Yes
Optional Yes Yes Yes
Optional Yes Yes Yes
Optional Yes Yes Yes
Optional Yes
Optional Yes
Optional Yes Yes

Optional Yes Yes

Optional Yes Yes


Required Yes Yes
Optional Yes
Required Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes
Required Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes
Required Yes
Required Yes Yes
Optional Yes
Required Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes
Required Yes Yes Yes
Required Yes
Required Yes Yes
Optional Yes
Required Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes
Required Yes Yes Yes
Required Yes
Required Yes Yes
Optional Yes
Required Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes
Required Yes Yes Yes
Required Yes
Required Yes
Optional Yes
Optional Yes Yes Yes
Optional Yes Yes Yes
Optional Yes Yes Yes
Required Yes* Yes* Yes* Yes Yes
Required Yes* Yes* Yes* Yes Yes

Required Yes* Yes* Yes Yes Yes


Optional Yes Yes Yes
Optional Yes Yes Yes
Optional Yes Yes Yes
Required Yes Yes Yes Yes Yes
Required Yes Yes Yes Yes Yes

Optional Yes No Yes No No

Optional Yes No Yes No No


Required Yes Yes Yes
Required Yes Yes Yes
Optional Yes
Optional Yes
Comments

Required for Live Response Performance (Direct Connection/Proxy bypass required)


Required for Live Response Performance (Direct Connection/Proxy bypass required)
Required when using Security Management for Microsoft Defender for Endpoint
Required for Live Response Performance (Direct Connection/Proxy bypass required)
Only required for Windows 10 1703 and below. Not required on Windows Server.

Supported on Windows 8 and above and Windows Server 2012 and above
Supported on Windows 8 and above and Windows Server 2012 and above
Supported on Windows 8 and above and Windows Server 2012 and above
Only required when using Security Management for Microsoft Defender for Endpoint
Only required when using Security Management for Microsoft Defender for Endpoint
Required when using MMA, refer to the unified solution for Windows Server 2012 R2 and 2016
Refer to steps at https://aka.ms/mde_network_requirements to eliminate wildcards (*)
Required when using MMA, refer to the unified solution for Windows Server 2012 R2 and 2016
Refer to steps at https://aka.ms/mde_network_requirements to eliminate wildcards (*)
Required when using MMA, refer to the unified solution for Windows Server 2012 R2 and 2016
Refer to steps at https://aka.ms/mde_network_requirements to eliminate wildcards (*)

Not required for Windows 10 1803 (RS4) and above / Windows Server 2019 and above
Not required for Windows 10 1803 (RS4) and above / Windows Server 2019 and above

Not required for Windows 10 1803 (RS4) and above / Windows Server 2019 and above

Not required for Windows 10 1803 (RS4) and above / Windows Server 2019 and above

Not required for Windows 10 1803 (RS4) and above / Windows Server 2019
Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)
Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)
Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)
*Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)
Required for Mac and Linux platforms
*Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)
Required for Mac and Linux platforms
*Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)
Required for Mac and Linux platforms
Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)
Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)
Optional if updates are being managed internally (WSUS/FileShare/ConfigMgr)

To enhance your endpoint security experience, Microsoft is releasing the Microsoft Defender Core service to
help with the stability and performance of Microsoft Defender Antivirus. As an alternative to the wildcard, you can allow:
us-mobile.events.data.microsoft.com/OneCollector/1.0
eu-mobile.events.data.microsoft.com/OneCollector/1.0
uk-mobile.events.data.microsoft.com/OneCollector/1.0
au-mobile.events.data.microsoft.com/OneCollector/1.0
mobile.events.data.microsoft.com/OneCollector/1.0

Microsoft Defender Core service is used to enhance stability and performance of Microsoft Defender Antivirus
for customers.
Microsoft Defender SmartScreen reporting and notifications. Network Protection and custom URL indicators
Microsoft Defender SmartScreen reporting and notifications. Network Protection and custom URL indicators
Microsoft Defender SmartScreen checking application execution for trusted apps
Microsoft Defender SmartScreen checking application execution for trusted apps
Service Geography
Microsoft Defender for Endpoint WW
Microsoft Defender for Endpoint WW
Microsoft Defender for Endpoint WW
Microsoft Defender for Endpoint WW
Microsoft Defender for Endpoint WW
Microsoft Defender for Endpoint WW
Microsoft Defender for Endpoint WW
Microsoft Defender for Endpoint WW
Microsoft 365 Defender WW
URL
*.blob.core.windows.net
crl.microsoft.com
https://*.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://static2.sharepointonline.com
https://login.microsoftonline.com
https://*.securitycenter.windows.com
https://onboardingpackagescusprd.blob.core.windows.net
https://security.microsoft.com
Comment
Microsoft Defender Security Center Portal URL
Microsoft Defender Security Center Portal URL
Microsoft Defender Security Center Portal URL
Microsoft Defender Security Center Portal URL
Microsoft Defender Security Center Portal URL
Microsoft Defender Security Center Portal URL
Microsoft Defender Security Center Portal URL
Microsoft Defender Security Center Portal URL
Microsoft 365 Defender Portal URL
Process

MpCmdRun.exe
MpDlpCmd.exe
MsMpEng.exe
ConfigSecurityPolicy.exe
MpDefenderCoreService.exe
MpDlpService.exe
NisSrv.exe
MsSense.exe
SenseCnCProxy.exe
SenseIR.exe
SenseCE.exe
SenseSampleUploader.exe
SenseNdr.exe
SenseSC.exe
SenseCM.exe
SenseTVM.exe

MsSense.exe
SenseCnCProxy.exe
SenseIR.exe
SenseSampleUploader.exe
SenseCM.exe
MpCmdRun.exe
MsMpEng.exe
ConfigSecurityPolicy.exe
NisSrv.exe
SenseTVM.exe

MonitoringHost.exe
HealthService.exe
TestCloudConnection.exe
MpCmdRun.exe
MsMpEng.exe
ConfigSecurityPolicy.exe
NisSrv.exe

MonitoringHost.exe
HealthService.exe
TestCloudConnection.exe
MpCmdRun.exe
MsMpEng.exe
ConfigSecurityPolicy.exe
NisSrv.exe
Note

The above processes are exclusively for Microsoft Defender for Endpoint for Windows platforms, including down-level OS. This list does not account for any other Windows communications requirements. For further information on managing Windows connections, please consult the following article:
Path
Windows 11, Windows 10, Windows Server 2022 and Windows Server 2019
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection\Classification
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
Windows Server 2016 and Windows Server 2012 R2 (Unified Agent)
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
Windows 8.1 and Windows Server 2016 (MMA Based)
C:\Program Files\Microsoft Monitoring Agent\Agent
C:\Program Files\Microsoft Monitoring Agent\Agent
C:\Program Files\Microsoft Monitoring Agent\Agent
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender
Windows 7 SP1, Windows Server 2012 R2 and Windows Server 2008 R2 (MMA Based)
C:\Program Files\Microsoft Monitoring Agent\Agent
C:\Program Files\Microsoft Monitoring Agent\Agent
C:\Program Files\Microsoft Monitoring Agent\Agent
C:\Program Files\Microsoft Security Client
C:\Program Files\Microsoft Security Client
C:\Program Files\Microsoft Security Client
C:\Program Files\Microsoft Security Client
Note

https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microso
Comment

Microsoft Defender Antivirus command-line utility


Microsoft Endpoint DLP command-line utility
Microsoft Defender Antivirus service executable
Microsoft Security Client Policy Configuration Tool
Microsoft Defender Antivirus Core Service
Microsoft Purview Data Loss Prevention Service
Microsoft Defender Antivirus Network Realtime Inspection
Microsoft Defender for Endpoint service executable
Microsoft Defender for Endpoint communication module
Microsoft Defender for Endpoint Sense IR (Incident Response) module
Microsoft Defender for Endpoint Sense CE (Classification Engine) module
Microsoft Defender for Endpoint Sample Upload module
Microsoft Defender for Endpoint Sense NDR (Network Detection and Response) module
Microsoft Defender for Endpoint Sense SC (Screenshot Capture) module
Microsoft Defender for Endpoint Sense CM (Configuration Management)
Microsoft Defender for Endpoint Sense TVM (Threat Vulnerability Management)

Microsoft Defender for Endpoint service executable


Microsoft Defender for Endpoint communication module
Microsoft Defender for Endpoint Sense IR (Incident Response) module
Microsoft Defender for Endpoint Sample Upload module
Microsoft Defender for Endpoint Sense CM (Configuration Management)
Microsoft Defender Antivirus command-line utility
Microsoft Defender Antivirus service executable
Microsoft Security Client Policy Configuration Tool
Microsoft Defender Antivirus Network Realtime Inspection
Microsoft Defender for Endpoint Sense TVM (Threat Vulnerability Management)

Microsoft Monitoring Agent Service Host Process


Microsoft Monitoring Agent Service
Microsoft Monitoring Agent Cloud Connection Test utility
Microsoft Defender Antivirus command-line utility
Microsoft Defender Antivirus service executable
Microsoft Security Client Policy Configuration Tool
Microsoft Defender Antivirus Network Realtime Inspection

Microsoft Monitoring Agent Service Host Process


Microsoft Monitoring Agent Service
Microsoft Monitoring Agent Cloud Connection Test utility
Microsoft Defender Antivirus command-line utility (SCEP)
Microsoft Defender Antivirus service executable (SCEP)
Microsoft Security Client Policy Configuration Tool (SCEP)
Microsoft Defender Antivirus Network Realtime Inspection (SCEP)
Note 2

Although this list will continue to be updated, Microsoft cannot provide any guarantees on
it being up-to-date with the latest product or OS changes. Customers should use this list as
a baseline and conduct their testing before using it directly in production.
Date

1/22/2024

8/14/2023

12/5/2022

6/22/2022

5/27/2022

3/11/2022

1/25/2022

11/2/2021

10/7/2021
9/22/2021

9/10/2021

9/1/2021

7/22/2021

4/14/2021

2/18/2021

2/3/2021

2/2/2021

12/16/2020

11/16/2020
7/9/2020
Change Log
Updates for URLs required for Microsoft Defender Core service & DLP service processes:
Added new line 93 for 1DS url in Microsoft Defender URLs
Added new line 94 for ECS url in Microsoft Defender URLs
Added new line 8 for Defender Core Service in Microsoft Defender Processes
Added new line 9 for Purview DLP Process

Updates for Australia region:


Added Line 72: australia.x.cp.wd.microsoft.com
Added Line 73: au.vortex-win.data.microsoft.com
Added Line 74: au-v20.events.data.microsoft.com
Added Line 75: winatp-gw-aue.microsoft.com
Added Line 76: winatp-gw-aus.microsoft.com
Added Line 77: automatedirstrprdaue.blob.core.windows.net
Added Line 78: automatedirstrprdaus.blob.core.windows.net
Added Line 79: ussau1southeastprod.blob.core.windows.net
Added Line 80: ussau1eastprod.blob.core.windows.net
Removed URL:
Removed: https://msdl.microsoft.com/download/symbols

URL details updated:


Updated Line 82: Updated from required to optional
Updated Line 85: Changed from optional to required - guidance text updated - added Mac & Linux
Updated Line 86: Changed from optional to required - guidance text updated - added Mac & Linux

Updates as part of the new antimalware engine for Mac and Linux:
Updated Line 76: Updated guidance for optional vs required (required for Mac and Linux platforms)
Updated Line 77: Updated guidance for optional vs required (required for Mac and Linux platforms)
Added Line 78: https://www.microsoft.com/security/encyclopedia/adlpackages.aspx
Updated Line 83: URL Required for Mac and Linux platforms
Updated Line 84: URL Required for Mac and Linux platforms

Removed preview status from Server 2012 R2 and Server 2016 Unified Agent references
Updated Line 4: URL Required for Mac and Linux platforms
Updated Line 5: URL Required for Mac and Linux platforms
Updated Line 76: URL Required for Mac and Linux platforms
Updated Line 77: URL Required for Mac and Linux platforms
Updated Line 82 URL: From wdcp.microsoft.com to *.wdcp.microsoft.com

Unnecessary non-breaking spaces (NBSP) removed from Endpoint/URL column

Duplicate URLs consolidated.


Optional field added.
US Gov / GCC / GCC High guidance moved to separate spreadsheet
URLs removed:
eu-cdn.x.cp.wd.microsoft.com; wu-cdn.x.cp.wd.microsoft.com; *.azure-automation.net;
*.notify.windows.com
Microsoft Defender URL updates (support for Security Management for Microsoft Defender for
Endpoint):
Added Line 18: enterpriseregistration.windows.net
Added Line 19: login.microsoftonline.com
Added Line 20: *.dm.microsoft.com
Microsoft Defender URL updates (new down-level server agent & Windows 11 support):
Updated OS headers: Windows 11; Server 2016 (preview) / Server 2012 R2 (preview) and MMA-based
support
Microsoft Defender URL updates (required for new tenants):
Added Line 52: winatp-gw-neu3.microsoft.com
Added Line 53: winatp-gw-weu3.microsoft.com
Added Line 56: automatedirstrprdneu3.blob.core.windows.net
Added Line 57: automatedirstrprdweu3.blob.core.windows.net

Security Center URLs US Gov updates:


GCC: https://*.securitycenter.windows.us; https://*.gcc.securitycenter.windows.us;
https://transition.security.microsoft.com; https://security.microsoft.com
GCC High: https://*.securitycenter.windows.us
DoD: https://*.securitycenter.windows.us

Added Line 17: packages.microsoft.com


Updated Line 72 Port: From 80 to 443
Updated Line 74 URL: From *download.windowsupdate.com to *.download.windowsupdate.com

SmartScreen URL correction.


Security Center URLs Commercial / US Gov correction.
URLs Added:
winatp-gw-cus3.microsoft.com; winatp-gw-eus3.microsoft.com;
automatedirstrprdcus3.blob.core.windows.net; automatedirstrprdeus3.blob.core.windows.net

Description updated: login.microsoftonline.com


Added Defender for Endpoint URLs: login.windows.net; *.securitycenter.windows.com
Added Defender AV URLs: go.microsoft.com; definitionupdates.microsoft.com
Added US Gov URLs
Updated the malware submission URLs for US
Removed the malware submission URLs for Asia & AUS
Alternate location for Microsoft Defender Antivirus Security intelligence updates added:
*download.windowsupdate.com
fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx
Microsoft Defender Processes tab added.
Comment updated for removing MMA wildcard (*) requirement

*.vortex-win.data.microsoft.com and Windows 10 version comments updated.


Security Center URLs Tab Added.
Windows Push Notifications Service (WNS) URLs added:
*.notify.windows.com
*.wns.windows.com
login.microsoftonline.com
login.live.com

Name change MDATP to Microsoft Defender for Endpoint


File Created
