
Windows Defender Antivirus network isolation protection rules blocking legitimate internal cloud application routing pipelines

Harry Young 20 Reputation points
2026-06-18T15:21:45.6633333+00:00

Hi security engineering, we enabled Network Protection configurations in block mode across our enterprise laptops collection. This has inadvertently severed communication pipelines to our internal cloud-hosted logistics portal, because the threat engine flags the application's connection string as an unverified endpoint.


Answer accepted by question author

HLBui 6,755 Reputation points Independent Advisor
2026-06-18T22:23:57.54+00:00

Hi Harry Young

Enabling Network Protection in block mode can definitely cause headaches when internal apps get flagged. What’s happening here is that the threat engine is treating your logistics portal’s connection string as if it were an unknown external endpoint, so it’s cutting off traffic even though it’s trusted inside your environment. The way around this is to define custom indicators or exclusions for that specific domain/IP so the protection engine knows it’s safe. You can do this in Microsoft Defender for Endpoint by adding the portal’s FQDN or IP range into the allowed list under Network Protection settings.

Another option is to configure a policy that sets the portal as a trusted resource, so the block mode won’t apply there. Just be careful to scope the exclusion narrowly; you don’t want to weaken protection for unrelated traffic. Once you’ve added the exclusion, push the updated policy to your laptops and test connectivity again. You should see the portal working normally while still keeping block mode active for everything else.

Give that a try and let me know how it goes.


1 person found this answer helpful.

1 additional answer

  1. AI answer

    2026-06-18T15:22:05.83+00:00

    Network protection in block mode is enforcing reputation-based blocking on outbound HTTP(S) connections, so the internal logistics portal (or its endpoints) is being treated as an untrusted or malicious destination. To restore access while keeping protection, use a combination of verification, audit, and targeted exclusions.

    1. Confirm prerequisites and mode
       Ensure the environment meets the supported conditions so behavior is expected and consistent:
       • Windows 10 Pro/Enterprise, version 1709 or higher.
       • Microsoft Defender Antivirus is the sole, active antivirus.
       • Real-time protection, Behavior Monitoring, and Cloud-delivered protection are enabled.
       • Cloud Protection network connectivity is functional.
       • Network protection is indeed in block mode (not audit).
       These prerequisites are described under “Confirm prerequisites” for network protection.

    2. Temporarily switch to audit mode to validate impact
       To understand exactly what network protection would block without actually breaking access, switch affected test devices to audit mode and reproduce the issue:

           Set-MpPreference -EnableNetworkProtection AuditMode

       Then:
       1. Use the logistics portal from a test device.
       2. Review network protection events in Event Viewer:
          • Log: Microsoft-Windows-Windows Defender/Operational
          • Event IDs:
            • 1125 – network connection audited
            • 1126 – network connection blocked
       3. Confirm which domains/hosts or IPs for the logistics portal are being flagged.
       If the portal works in audit mode and events show it would be blocked in block mode, network protection is the cause.

    3. Add targeted exclusions for the internal application
       Once the specific endpoints are identified, use the supported exclusion mechanisms to allow only the required traffic rather than disabling protection globally. Available options:
       • Custom allow indicator for the domain/hostname (recommended for Defender for Endpoint-managed environments).
       • IP exclusions for specific internal IPs:

             Add-MpPreference -ExclusionIpAddress 10.0.0.10

       • Process exclusion if a dedicated client process is used to connect to the logistics portal.
       These options are listed under “Add exclusions” for network protection. Use the narrowest possible scope (specific IPs or domains) to avoid weakening protection.

    4. Return to block mode after validation
       After confirming that the exclusions correctly allow the logistics portal while other malicious destinations remain blocked, re-enable block mode on the pilot devices, then roll out broadly:

           Set-MpPreference -EnableNetworkProtection Enabled

    5. If the portal is still flagged as malicious
       If the internal cloud-hosted portal uses public domains or infrastructure that Defender intelligence is classifying as malicious or suspicious, and the behavior persists even after exclusions are tuned, submit it as a potential false positive:
       • Use the Windows Defender Security Intelligence web-based submission form to report a false positive for network protection.
       • If licensed with E5, include a link to any associated alert from the Microsoft Defender portal.
       This workflow is described under “Report a false positive or false negative”.

    6. Operational monitoring and tuning
       • Continue to monitor Event IDs 1125 and 1126 to ensure only intended endpoints are being allowed.
       • Use audit mode on a small subset of devices when introducing new internal services to see how network protection would treat them before enforcing block mode globally.

    This approach preserves the security benefits of network protection while restoring and maintaining connectivity to the internal logistics portal through precise exclusions and, where appropriate, false-positive reporting.

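As an added example (not part of either answer above, and not Microsoft's documentation), here is a PowerShell snippet that implements the audit-and-inventory step of the procedure: it pulls the 1125/1126 events from the Defender Operational log, extracts the destination host from each message (assumption: the URL or IP appears in the message text, which is a best-effort extraction rather than a documented schema), and tabulates the results per destination alongside the current Network Protection state, so exclusions can be scoped to exactly the portal's endpoints.

```powershell
# Added example (not from the thread or Microsoft docs): triage network
# protection events on a device running in audit mode, so the exact hosts/IPs
# behind the logistics portal can be identified before any exclusion is written.
# Run in an elevated PowerShell session on a pilot device.
# Assumption: the destination URL/IP appears in the event message text; the
# regex extraction below is best-effort and is not a documented event schema.

$log   = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).AddDays(-1)

# 1125 = connection audited (audit mode), 1126 = connection blocked (block mode)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1125, 1126; StartTime = $since } `
          -ErrorAction SilentlyContinue

if (-not $events) {
    "No network protection events (1125/1126) since $since"
    return
}

$urlPattern = 'https?://[^\s"''<>]+'
$ipPattern  = '\b\d{1,3}(?:\.\d{1,3}){3}\b'

$rows = foreach ($e in $events) {
    $dest = '<not parsed>'
    $m = [regex]::Match($e.Message, $urlPattern)
    if ($m.Success) {
        # Keep only the host part so port/path noise does not split the grouping
        $dest = ([uri]$m.Value).Host
    } elseif (($m = [regex]::Match($e.Message, $ipPattern)).Success) {
        $dest = $m.Value
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Action      = if ($e.Id -eq 1125) { 'Audited' } else { 'Blocked' }
        Destination = $dest
    }
}

# One line per destination: reconcile this list against the portal's known
# hostnames/IP ranges before deciding what (if anything) to exclude.
$rows | Group-Object Destination, Action |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Destination'; e = { $_.Group[0].Destination } },
                  @{ n = 'Action';      e = { $_.Group[0].Action } } |
    Format-Table -AutoSize

# Current posture for comparison: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
$pref = Get-MpPreference
"EnableNetworkProtection : $($pref.EnableNetworkProtection)"
"ExclusionIpAddress      : $($pref.ExclusionIpAddress -join ', ')"
```

Only destinations that belong to the portal should become exclusions; anything else in the table is a candidate for the false-positive submission route rather than an allow rule.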
