Merge pull request #3742 from j0rt3g4/Issue#3499

Adding note to be explicit on issue #3499
2025-06-16 10:53:43 +00:00 · 2019-05-30 23:02:13 -07:00
parent 73a47e25da 85ea3d52ea
commit e8ca979dc6
2 changed files with 219 additions and 309 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@ -118,8 +118,8 @@ If your AD FS farm is not already configured for Device Authentication (you can
 ![Device Registration](images/hybridct/device2.png)
  
 2.  On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt.  Then, run the following commands:  
-    
-    `Import-module activedirectory`  
+	
+	`Import-module activedirectory`  
 	`PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>" ` 
 3.  On the pop-up window click **Yes**.

@ -144,7 +144,7 @@ The above PSH creates the following objects:
 ### Create Service Connection Point (SCP) in Active Directory  
 If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS  
 1.  Open Windows PowerShell and execute the following:
-    
+	
 	`PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` 

 > [!NOTE]
@ -160,7 +160,7 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure

 3.  Run the following PowerShell command 

-    `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` 
+	`PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` 

 Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory.
  
@ -171,7 +171,7 @@ To ensure AD DS objects and containers are in the correct state for write back o

 1.  Open Windows PowerShell and execute the following:  

-    `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName <AD DS domain name> -AdConnectorAccount [AD connector account name] ` 
+	`PS C:>Initialize-ADSyncDeviceWriteBack -DomainName <AD DS domain name> -AdConnectorAccount [AD connector account name] ` 

 Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format  

@ -224,100 +224,100 @@ The definition helps you to verify whether the values are present or if you need

 **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this:

-    @RuleName = "Issue account type for domain-joined computers"
-    c:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(
-        Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
-        Value = "DJ"
-    );
+	@RuleName = "Issue account type for domain-joined computers"
+	c:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(
+		Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
+		Value = "DJ"
+	);

 #### Issue objectGUID of the computer account on-premises

 **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:

-    @RuleName = "Issue object GUID for domain-joined computers"
-    c1:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    && 
-    c2:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(
-        store = "Active Directory", 
-        types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), 
-        query = ";objectguid;{0}", 
-        param = c2.Value
-    );
+	@RuleName = "Issue object GUID for domain-joined computers"
+	c1:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	&& 
+	c2:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(
+		store = "Active Directory", 
+		types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), 
+		query = ";objectguid;{0}", 
+		param = c2.Value
+	);
 
 #### Issue objectSID of the computer account on-premises

 **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:

-    @RuleName = "Issue objectSID for domain-joined computers"
-    c1:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    && 
-    c2:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(claim = c2);
+	@RuleName = "Issue objectSID for domain-joined computers"
+	c1:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	&& 
+	c2:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(claim = c2);

 #### Issue issuerID for computer when multiple verified domain names in Azure AD

 **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.

-    @RuleName = "Issue account type with the value User when its not a computer"
-    NOT EXISTS(
-    [
-        Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", 
-        Value == "DJ"
-    ]
-    )
-    => add(
-        Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
-        Value = "User"
-    );
-    
-    @RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
-    c1:[
-        Type == "http://schemas.xmlsoap.org/claims/UPN"
-    ]
-    && 
-    c2:[
-        Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", 
-        Value == "User"
-    ]
-    => issue(
-        Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
-        Value = regexreplace(
-        c1.Value, 
-        ".+@(?<domain>.+)", 
-        "http://${domain}/adfs/services/trust/"
-        )
-    );
-    
-    @RuleName = "Issue issuerID for domain-joined computers"
-    c:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(
-        Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
-        Value = "http://<verified-domain-name>/adfs/services/trust/"
-    );
+	@RuleName = "Issue account type with the value User when its not a computer"
+	NOT EXISTS(
+	[
+		Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", 
+		Value == "DJ"
+	]
+	)
+	=> add(
+		Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
+		Value = "User"
+	);
+	
+	@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
+	c1:[
+		Type == "http://schemas.xmlsoap.org/claims/UPN"
+	]
+	&& 
+	c2:[
+		Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", 
+		Value == "User"
+	]
+	=> issue(
+		Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
+		Value = regexreplace(
+		c1.Value, 
+		".+@(?<domain>.+)", 
+		"http://${domain}/adfs/services/trust/"
+		)
+	);
+	
+	@RuleName = "Issue issuerID for domain-joined computers"
+	c:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(
+		Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
+		Value = "http://<verified-domain-name>/adfs/services/trust/"
+	);


 In the claim above,
@ -332,138 +332,138 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain]

 **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows:

-    @RuleName = "Issue ImmutableID for computers"
-    c1:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ] 
-    && 
-    c2:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(
-        store = "Active Directory", 
-        types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), 
-        query = ";objectguid;{0}", 
-        param = c2.Value
-    );
+	@RuleName = "Issue ImmutableID for computers"
+	c1:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	] 
+	&& 
+	c2:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(
+		store = "Active Directory", 
+		types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), 
+		query = ";objectguid;{0}", 
+		param = c2.Value
+	);

 #### Helper script to create the AD FS issuance transform rules

 The following script helps you with the creation of the issuance transform rules described above.

 	$multipleVerifiedDomainNames = $false
-    $immutableIDAlreadyIssuedforUsers = $false
-    $oneOfVerifiedDomainNames = 'example.com'   # Replace example.com with one of your verified domains
-    
-    $rule1 = '@RuleName = "Issue account type for domain-joined computers"
-    c:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(
-        Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
-        Value = "DJ"
-    );'
+	$immutableIDAlreadyIssuedforUsers = $false
+	$oneOfVerifiedDomainNames = 'example.com'   # Replace example.com with one of your verified domains
+	
+	$rule1 = '@RuleName = "Issue account type for domain-joined computers"
+	c:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(
+		Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
+		Value = "DJ"
+	);'

-    $rule2 = '@RuleName = "Issue object GUID for domain-joined computers"
-    c1:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    && 
-    c2:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(
-        store = "Active Directory", 
-        types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), 
-        query = ";objectguid;{0}", 
-        param = c2.Value
-    );'
+	$rule2 = '@RuleName = "Issue object GUID for domain-joined computers"
+	c1:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	&& 
+	c2:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(
+		store = "Active Directory", 
+		types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), 
+		query = ";objectguid;{0}", 
+		param = c2.Value
+	);'

-    $rule3 = '@RuleName = "Issue objectSID for domain-joined computers"
-    c1:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    && 
-    c2:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(claim = c2);'
+	$rule3 = '@RuleName = "Issue objectSID for domain-joined computers"
+	c1:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	&& 
+	c2:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(claim = c2);'

-    $rule4 = ''
-    if ($multipleVerifiedDomainNames -eq $true) {
-    $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer"
-    NOT EXISTS(
-    [
-        Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", 
-        Value == "DJ"
-    ]
-    )
-    => add(
-        Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
-        Value = "User"
-    );
-    
-    @RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
-    c1:[
-        Type == "http://schemas.xmlsoap.org/claims/UPN"
-    ]
-    && 
-    c2:[
-        Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", 
-        Value == "User"
-    ]
-    => issue(
-        Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
-        Value = regexreplace(
-        c1.Value, 
-        ".+@(?<domain>.+)", 
-        "http://${domain}/adfs/services/trust/"
-        )
-    );
-    
-    @RuleName = "Issue issuerID for domain-joined computers"
-    c:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(
-        Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
-        Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/"
-    );'
-    }
+	$rule4 = ''
+	if ($multipleVerifiedDomainNames -eq $true) {
+	$rule4 = '@RuleName = "Issue account type with the value User when it is not a computer"
+	NOT EXISTS(
+	[
+		Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", 
+		Value == "DJ"
+	]
+	)
+	=> add(
+		Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", 
+		Value = "User"
+	);
+	
+	@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
+	c1:[
+		Type == "http://schemas.xmlsoap.org/claims/UPN"
+	]
+	&& 
+	c2:[
+		Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", 
+		Value == "User"
+	]
+	=> issue(
+		Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
+		Value = regexreplace(
+		c1.Value, 
+		".+@(?<domain>.+)", 
+		"http://${domain}/adfs/services/trust/"
+		)
+	);
+	
+	@RuleName = "Issue issuerID for domain-joined computers"
+	c:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(
+		Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", 
+		Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/"
+	);'
+	}

-    $rule5 = ''
-    if ($immutableIDAlreadyIssuedforUsers -eq $true) {
-    $rule5 = '@RuleName = "Issue ImmutableID for computers"
-    c1:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
-        Value =~ "-515$", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ] 
-    && 
-    c2:[
-        Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
-        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
-    ]
-    => issue(
-        store = "Active Directory", 
-        types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), 
-        query = ";objectguid;{0}", 
-        param = c2.Value
-    );'
-    }
+	$rule5 = ''
+	if ($immutableIDAlreadyIssuedforUsers -eq $true) {
+	$rule5 = '@RuleName = "Issue ImmutableID for computers"
+	c1:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+		Value =~ "-515$", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	] 
+	&& 
+	c2:[
+		Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
+		Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
+	]
+	=> issue(
+		store = "Active Directory", 
+		types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), 
+		query = ";objectguid;{0}", 
+		param = c2.Value
+	);'
+	}

 	$existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules 

@ -480,8 +480,8 @@ The following script helps you with the creation of the issuance transform rules
 - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule:


-        c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
-        => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)",  "http://${domain}/adfs/services/trust/")); 
+		c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
+		=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)",  "http://${domain}/adfs/services/trust/")); 

 - If you have already issued an **ImmutableID** claim  for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**.

@ -509,7 +509,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
 >[!div class="nextstepaction"]
 [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)

-<br><br>
+<br>

 <hr>

--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@ -46,108 +46,18 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender

 After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.

-The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
+As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The following table lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them:

-<table  style="vertical-align:top">
-<tr style="vertical-align:top">
-<th >Service</th>
-<th>Description</th>
-<th>URL</th>
-</tr>
-<tr style="vertical-align:top">
-<td>
- Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
-</td>
-<td>
- Used by Windows Defender Antivirus to provide cloud-delivered protection
-</td>
-<td>
-*.wdcp.microsoft.com<br />
-*.wdcpalt.microsoft.com<br />
-*.wd.microsoft.com
-</td>
-</tr>
-<tr style="vertical-align:top">
-<td>
-Microsoft Update Service (MU)
-</td>
-<td>
-Security intelligence and product updates
-</td>
-<td>
-*.update.microsoft.com
-</td>
-</tr>
-<tr style="vertical-align:top">
-<td>
- Security intelligence updates alternate download location (ADL)
-</td>
-<td>
- Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence falls out of date (7 or more days behind)
-</td>
-<td>
-*.download.microsoft.com
-</td>
-</tr>
-<tr style="vertical-align:top">
-<td>
- Malware submission storage 
-</td>
-<td>
- Upload location for files submitted to Microsoft via the <a href="https://www.microsoft.com/en-us/security/portal/submission/submit.aspx">Submission form</a> or automatic sample submission
-</td>
-<td>
-ussus1eastprod.blob.core.windows.net<br />
-ussus1westprod.blob.core.windows.net<br />
-usseu1northprod.blob.core.windows.net<br />
-usseu1westprod.blob.core.windows.net<br />
-ussuk1southprod.blob.core.windows.net<br />
-ussuk1westprod.blob.core.windows.net<br />
-ussas1eastprod.blob.core.windows.net<br />
-ussas1southeastprod.blob.core.windows.net<br />
-ussau1eastprod.blob.core.windows.net<br />
-ussau1southeastprod.blob.core.windows.net<br />
-</td>
-</tr>
-<tr style="vertical-align:top">
-<td>
-Certificate Revocation List (CRL)
-</td>
-<td>
-Used by Windows when creating the SSL connection to MAPS for updating the CRL
-</td>
-<td>
-http://www.microsoft.com/pkiops/crl/<br />
-http://www.microsoft.com/pkiops/certs<br />
-http://crl.microsoft.com/pki/crl/products<br />
-http://www.microsoft.com/pki/certs
-</ul>
-</td>
-</tr>
-<tr style="vertical-align:top">
-<td>
-Symbol Store 
-</td>
-<td>
-Used by Windows Defender Antivirus to restore certain critical files during remediation flows
-</td>
-<td>
-https://msdl.microsoft.com/download/symbols
-</td>
-</tr>
-<tr style="vertical-align:top">
-<td>
-Universal Telemetry Client
-</td>
-<td>
-Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes
-</td>
-<td>
-This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:  <ul><li>vortex-win.data.microsoft.com</li><li>settings-win.data.microsoft.com</li></ul></td>
-</tr>
-</table>

-<a id="validate"></a>
+| **Service**| **Description** |**URL** |
+| :--: | :-- | :-- |
+| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com  *.wdcpalt.microsoft.com  *.wd.microsoft.com|
+| *Microsoft Update Service (MU)*|	Security intelligence and product updates	|*.update.microsoft.com|
+| *Security intelligence updates Alternate Download Location (ADL)*|	Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)|	*.download.microsoft.com|
+| *Malware submission storage	*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission	|*.blob.core.windows.net|
+| *Certificate Revocation List (CRL)*	|Used by Windows when creating the SSL connection to MAPS for updating the CRL	| http://www.microsoft.com/pkiops/crl/   http://www.microsoft.com/pkiops/certs  http://crl.microsoft.com/pki/crl/products   http://www.microsoft.com/pki/certs |
+| *Symbol Store	*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows	| https://msdl.microsoft.com/download/symbols |
+| *Universal Telemetry Client*	| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes	| This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:   * vortex-win.data.microsoft.com  * settings-win.data.microsoft.com|

 ## Validate connections between your network and the cloud