Microsoft Defender cloud-delivered protection service FQDNs not working
Hello,
We have some hosts that are blocked from the internet. However, we want them to communicate with Microsoft Defender. I have followed https://community.fortinet.com/t5/FortiGate/Technical-Tip-Allow-Windows-Defender-in-firewall-policy/ta-p/284854 and added the FQDNs for cloud-delivered protection. When running the batch command provided by Microsoft (https://learn.microsoft.com/en-us/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) to check the connection, I'm getting a "failed" error. Below is the policy applied to those hosts.
# show firewall policy **
config firewall policy
    edit **
        set name "Allowed Policy"
        set uuid 8ac35f8c-eadf-51ef-****-694c164*****
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
        set srcaddr "HOST_ADDRS"
        set dstaddr "Microsoft Defender"
        set schedule "always"
        set service "HTTPS" "DNS" "PING"
        set logtraffic all
        set nat enable
    next
end

So, "Microsoft Defender" is the address group, and below is one of the members.

# show firewall address Microsoft\ Defender\ 1
config firewall address
    edit "Microsoft Defender 1"
        set uuid b8685e3a-eae2-51ef-****-5fdc4d8*****
        set type fqdn
        set fqdn "*.wdcp.microsoft.com"
    next
end
Recap: I'm looking for a way that only allows Defender traffic to pass through. I do NOT want all other Microsoft services to be available to the hosts.
Thank you
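One way to narrow down where the "failed" result comes from, as an added example that is not part of the post and not Fortinet's or Microsoft's code: compare the hostnames the endpoint actually contacts (taken from its DNS or Defender logs) against the wildcard FQDN patterns in the address group, then probe the uncovered and covered names separately for DNS resolution and a TCP 443 connect. The only pattern used is the `*.wdcp.microsoft.com` object from the post; `OBSERVED_HOSTS` is a constructed sample, and the matching rule (a leading `*.` covers one or more DNS labels, a pattern without `*` must match exactly) is an assumption about FortiGate wildcard FQDN semantics that should be checked against the FortiOS release in use.

```python
"""Compare observed hostnames with a FortiGate wildcard-FQDN address group
and probe DNS / TCP 443 reachability per host.

Added example, not from the post or from Fortinet/Microsoft. Wildcard
semantics below are an assumption: '*.' must cover at least one label,
and a pattern without '*' must match the hostname exactly.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Only the wildcard FQDN shown in the post; extend with the rest of the
# cloud-delivered protection list from the Microsoft documentation.
ADDRESS_GROUP: List[str] = ["*.wdcp.microsoft.com"]

# Constructed sample of names an endpoint was seen resolving (not real data).
OBSERVED_HOSTS: List[str] = [
    "x.cp.wd.microsoft.com",
    "foo.wdcp.microsoft.com",
    "wdcp.microsoft.com",
    "go.microsoft.com",
]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def fqdn_matches(hostname: str, pattern: str) -> bool:
    """True if hostname falls under the address object 'pattern'."""
    host = _labels(hostname)
    pat = _labels(pattern)
    if pat[0] != "*":
        return host == pat            # non-wildcard object: exact match only
    suffix = pat[1:]
    # '*.' must cover at least one label, then the suffix must match exactly
    return len(host) > len(suffix) and host[-len(suffix):] == suffix


def uncovered_hosts(observed: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Hostnames that no address-group member matches (sorted for stable output)."""
    pats = list(patterns)
    return sorted(h for h in observed if not any(fqdn_matches(h, p) for p in pats))


def probe(
    host: str,
    port: int = 443,
    resolver: Callable[[str], str] = socket.gethostbyname,
    connector: Optional[Callable[[str, int], None]] = None,
    timeout: float = 3.0,
) -> Dict[str, Optional[str]]:
    """Resolve host, then attempt a TCP connect; separates DNS from TCP failure.

    'resolver' and 'connector' are injectable so the logic can be exercised
    without network access; by default real DNS and a real TCP connect are used.
    """
    result: Dict[str, Optional[str]] = {"host": host, "ip": None, "dns": "fail", "tcp": "skipped"}
    try:
        ip = resolver(host)            # socket.gaierror is a subclass of OSError
    except OSError as exc:
        result["error"] = str(exc)
        return result
    result["ip"] = ip
    result["dns"] = "ok"
    try:
        if connector is None:
            with socket.create_connection((ip, port), timeout=timeout):
                pass
        else:
            connector(ip, port)
        result["tcp"] = "ok"
    except OSError as exc:
        result["tcp"] = "fail"
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print("not covered by address group:", uncovered_hosts(OBSERVED_HOSTS, ADDRESS_GROUP))
    for name in OBSERVED_HOSTS:
        print(probe(name))
```

Run it on the affected host so the probes go through the same policy. A name that is not covered by any pattern has no chance of matching the policy's `dstaddr`, which is what the first line of output flags. For a covered name, `dns: fail` means the resolver itself is unreachable from that host, while `dns: ok` with `tcp: fail` means the session is being dropped; with wildcard FQDN objects the FortiGate learns the member IPs from DNS replies that pass through it, so if the host's DNS traffic takes another path (or a different resolver answers with different addresses), the object may have no IP to match.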
