Windows Defender Antivirus network protection feature blocking legitimate enterprise API connection endpoints

Ninas Teiner 0 Reputation points
2026-06-09T10:27:28.5533333+00:00

Hi, we enabled Network Protection in block mode via Intune endpoint security configurations to combat malware command-and-control communication. However, this has inadvertently broken our production line-of-business inventory application, because the engine is flagging our internal cloud API relay servers as suspicious tracking endpoints.

Windows for business | Windows 365 Enterprise
3 answers

  1. VPHAN 35,285 Reputation points Independent Advisor
    2026-06-09T22:39:19.4566667+00:00

    Hi Ninas Teiner,

    To resolve the Network Protection block on your internal cloud API relay servers, you must explicitly whitelist their traffic by creating custom indicators in the Microsoft Defender portal. You first need to identify the exact blocked IP addresses or domains by checking the Event Viewer on an affected machine. Navigate to Applications and Services Logs, expand Microsoft, then Windows, then Windows Defender, and open the Operational log. Look specifically for Event ID 1125, which records actively blocked connections, or Event ID 1126, which records audited connections. These log entries will provide the exact destination addresses that the engine is intercepting, allowing you to see exactly what needs to be whitelisted.

    Once you have gathered this data, log into the Microsoft Defender portal, navigate through the Settings area to Endpoints, and open the Indicators configuration. Add those specific URLs or IPs here with the action set to allow. This policy synchronizes across your environment and instructs Network Protection to bypass its reputation check for your application. If mapping all addresses immediately is difficult, you can temporarily modify your Intune endpoint security configuration to change the Network Protection policy from block mode to audit mode for a targeted pilot group. This approach allows your inventory application to resume functioning while silently logging the connection attempts in the background, giving you the time to build a complete allow list without disrupting production.

    VPHAN

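An added example, not part of the answer above and not Microsoft's own tooling: a PowerShell script that pulls the two event IDs the answer names from the Defender Operational log on one machine and turns them into a reviewable list of destinations before any are added as allow indicators. It assumes the destination (URL, hostname or IP) appears in the rendered event message; the regex, the 7-day window and the CSV path are assumptions of this example.

```powershell
# Added example: summarise Network Protection events (1125/1126) so the
# destinations can be reviewed before becoming "allow" indicators.
# Run in an elevated PowerShell session on an affected machine.

$log = 'Microsoft-Windows-Windows Defender/Operational'

# Network Protection events from the last 7 days (assumed window).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = 1125, 1126
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Network Protection events (1125/1126) found in $log."
    return
}

# Assumption: the destination appears in the event message text. Match
# hostnames or IPv4 addresses rather than relying on a property index.
$hostPattern = '(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?\b'

$hits = foreach ($e in $events) {
    foreach ($m in [regex]::Matches($e.Message, $hostPattern)) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Destination = $m.Groups[1].Value.ToLower()
        }
    }
}

# The message may also carry the process path (e.g. app.exe); drop those.
$hits = $hits | Where-Object { $_.Destination -notmatch '\.(exe|dll)$' }

# One row per destination with count, event IDs and last occurrence, so a
# human can confirm which entries are really the internal relay hosts.
$summary = $hits | Group-Object Destination | ForEach-Object {
    [pscustomobject]@{
        Destination = $_.Name
        Count       = $_.Count
        EventIds    = ($_.Group.EventId | Sort-Object -Unique) -join ','
        LastSeen    = ($_.Group.TimeCreated | Sort-Object -Descending | Select-Object -First 1)
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize

# Review list for the Indicators page (Settings > Endpoints > Indicators).
$summary | Export-Csv -Path "$env:TEMP\np-destinations.csv" -NoTypeInformation
```

Only destinations you have confirmed as your own relay hosts should be added as allow indicators; the rest stay blocked.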

  2. Chen Tran 10,560 Reputation points Independent Advisor
    2026-06-09T17:20:15.47+00:00

    Hello Ninas,

    Thank you for posting your question on the Microsoft Windows Forum!

    Based on the issue description. Well! Since Network Protection leverages SmartScreen/Microsoft Defender SmartScreen intelligence, it can sometimes flag private or custom cloud endpoints if they do not have a well-established global reputation or if their traffic patterns resemble tracking/telemetry behavior.

    While you configure Network Protection policies via Intune, exclusions for Network Protection (like IP addresses, URLs, and domains) are managed directly within the Microsoft Defender Security Center. Intune honors these global indicators. You can consider adding custom indicators in Microsoft Defender for Endpoint. Try to put a small pilot group into audit mode to confirm the exact blocked destination, then add a narrow allow indicator for the public FQDN/IP if the relay is externally addressable, or use an IP/process exclusion for internal-only endpoints if needed.

    For further reference, please consult the following links.

    Hope the above information is helpful! If it is, feel free to hit "Accepted" to benefit others in the community having the same issue.
