Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender
The Defender for Endpoint sensor requires Microsoft Windows HTTP Services (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service. The built-in Defender for Endpoint sensor runs in the system context using the LocalSystem account, so it never sees a signed-in user's browser proxy settings.
Tip
For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate connection events that occur behind forward proxies.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) browsing proxy settings (see WinINet vs. WinHTTP). The sensor can only discover a proxy server by using the following discovery methods:
Autodiscovery methods:
- Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD)
Note
If you're using a transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see Enable access to Defender for Endpoint service URLs in the proxy server.
Manual static proxy configuration:
- Registry-based configuration
- WinHTTP configured using netsh commands: suitable only for desktops in a stable topology (for example, a desktop in a corporate network behind the same proxy)
Note
Defender Antivirus and EDR proxies can be configured independently. Be aware of this distinction in the following sections.
Manually configure the proxy server using a registry-based static proxy
Configure a registry-based static proxy for the Defender for Endpoint detection and response (EDR) sensor to report diagnostic data and communicate with Defender for Endpoint services if a device isn't permitted to connect to the internet.
Note
When using this option on Windows 10, Windows 11, Windows Server 2019, or Windows Server 2022, it's recommended to have the following (or later) build and cumulative update rollup:
- Windows 11
- Windows 10, version 1809, Windows Server 2019, or Windows Server 2022 - https://support.microsoft.com/kb/5001384
- Windows 10, version 1909 - https://support.microsoft.com/kb/4601380
- Windows 10, version 2004 - https://support.microsoft.com/kb/4601382
- Windows 10, version 20H2 - https://support.microsoft.com/kb/4601382
These updates improve the connectivity and reliability of the CnC (command and control) channel, that is, the sensor's channel to the Defender for Endpoint cloud service.
A static proxy can be configured through Group Policy (GP); both of the following Group Policy settings must be configured for the EDR sensor to use the proxy server. The settings are available under Administrative Templates:
- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service. Set it to Enabled and select Disable Authenticated Proxy usage.
- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry. Set it to Enabled and configure the proxy.
Group Policy | Registry key | Registry entry | Value |
---|---|---|---|
Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service | HKLM\Software\Policies\Microsoft\Windows\DataCollection | DisableEnterpriseAuthProxy | 1 (REG_DWORD) |
Configure connected user experiences and telemetry | HKLM\Software\Policies\Microsoft\Windows\DataCollection | TelemetryProxyServer | servername:port or ip:port (REG_SZ) |
Note
If you use the TelemetryProxyServer setting on devices that are otherwise completely offline, meaning the operating system can't reach the online certificate revocation list or Windows Update, it's recommended to also add the registry setting PreferStaticProxyForHttpRequest with a value of 1.
The parent registry path for PreferStaticProxyForHttpRequest is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
The following command can be used to insert the registry value in the correct location:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v PreferStaticProxyForHttpRequest /t REG_DWORD /d 1 /f
The above registry value applies only to MsSense.exe version 10.8210.* and later, or version 10.8049.* and later.
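The following PowerShell is an added example, not code from the original article or from Microsoft: it applies the two Group Policy-backed registry values from the table above plus PreferStaticProxyForHttpRequest in one idempotent step, validates the host:port format before writing, and reads the result back together with the MsSense.exe version (so you can see whether the PreferStaticProxyForHttpRequest build requirement is met). The proxy address 10.0.0.6:8080 and the MsSense.exe install path are assumptions; replace them for your environment.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$DataCollectionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$AtpKey            = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
# Assumed default install location of the EDR sensor binary
$MsSensePath       = "$env:ProgramFiles\Windows Defender Advanced Threat Protection\MsSense.exe"

function Set-MdeEdrStaticProxy {
    param(
        # servername:port or ip:port. Unlike the Defender Antivirus ProxyServer value,
        # this registry value takes no http:// or https:// scheme.
        [Parameter(Mandatory)] [string] $ProxyAddress,
        # Use when the device is otherwise fully offline (no CRL or Windows Update access)
        [switch] $PreferStaticProxyForHttpRequest
    )

    if ($ProxyAddress -notmatch '^[A-Za-z0-9.\-]+:\d{1,5}$') {
        throw "ProxyAddress must be host:port or ip:port without a URL scheme, got '$ProxyAddress'"
    }

    foreach ($key in $DataCollectionKey, $AtpKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # Same two values the Group Policy settings in the table above write
    Set-ItemProperty -Path $DataCollectionKey -Name 'DisableEnterpriseAuthProxy' -Type DWord  -Value 1
    Set-ItemProperty -Path $DataCollectionKey -Name 'TelemetryProxyServer'       -Type String -Value $ProxyAddress

    if ($PreferStaticProxyForHttpRequest) {
        # Equivalent to the reg add command shown above
        Set-ItemProperty -Path $AtpKey -Name 'PreferStaticProxyForHttpRequest' -Type DWord -Value 1
    }
}

function Get-MdeEdrStaticProxy {
    # Read back what the sensor will actually see
    $dc    = Get-ItemProperty -Path $DataCollectionKey -ErrorAction SilentlyContinue
    $atp   = Get-ItemProperty -Path $AtpKey            -ErrorAction SilentlyContinue
    $sense = Get-Item -Path $MsSensePath               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TelemetryProxyServer            = $dc.TelemetryProxyServer
        DisableEnterpriseAuthProxy      = $dc.DisableEnterpriseAuthProxy
        PreferStaticProxyForHttpRequest = $atp.PreferStaticProxyForHttpRequest
        # PreferStaticProxyForHttpRequest only takes effect on 10.8049.* / 10.8210.* and later
        MsSenseVersion                  = if ($sense) { $sense.VersionInfo.ProductVersion } else { 'MsSense.exe not found' }
    }
}

# Assumed placeholder proxy; replace with your own
Set-MdeEdrStaticProxy -ProxyAddress '10.0.0.6:8080' -PreferStaticProxyForHttpRequest
Get-MdeEdrStaticProxy | Format-List
```

Writing the values directly is useful for lab devices or for a device that has dropped out of Group Policy scope; on managed devices, prefer the Group Policy settings above so that the values are re-applied and not silently overwritten.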
Configure a static proxy for Microsoft Defender Antivirus
Microsoft Defender Antivirus cloud-delivered protection provides near-instant, automated protection against new and emerging threats. Connectivity is required for custom indicators when Defender Antivirus is your active antimalware solution, and for EDR in block mode when a non-Microsoft solution is the primary antimalware product.
Configure the static proxy using the Group Policy setting available in Administrative Templates:
Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy server for connecting to the network.
Set it to Enabled and define the proxy server. The URL must include either http:// or https://. For versions that support https://, see Manage Microsoft Defender Antivirus updates.
Under the registry key HKLM\Software\Policies\Microsoft\Windows Defender, the policy sets the registry value ProxyServer as REG_SZ. The registry value ProxyServer takes the following string format: <server name or IP>:<port>. For example: http://10.0.0.6:8080
Note
For resiliency purposes and the real-time nature of cloud-delivered protection, Microsoft Defender Antivirus caches the last known working proxy. Ensure your proxy solution doesn't perform SSL inspection; this breaks the secure cloud connection.
Microsoft Defender Antivirus doesn't use the static proxy to connect to Windows Update or Microsoft Update to download updates. Instead, it uses a system-wide proxy if configured to use Windows Update, or the configured internal update source according to the configured fallback order.
If required, you can use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy auto-config (.pac) for connecting to the network. If you need to set up advanced configurations with multiple proxies, use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define addresses to bypass proxy server to prevent Microsoft Defender Antivirus from using a proxy server for those destinations.
You can use PowerShell with the Set-MpPreference cmdlet to configure these options:
- ProxyBypass
- ProxyPacUrl
- ProxyServer
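As an added example (not code from the original article or from Microsoft), the following PowerShell sets the Defender Antivirus proxy through Set-MpPreference, enforcing the http:// or https:// prefix the policy requires, optionally sets a bypass list, and then reads the effective values back with Get-MpPreference to confirm they match. The proxy URL and the bypass hostname are assumed placeholders.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

function Set-MdeAvProxy {
    param(
        # Unlike the EDR TelemetryProxyServer value, the antivirus proxy must carry a scheme
        [Parameter(Mandatory)] [string] $ProxyUrl,
        # Destinations the antivirus should reach directly, e.g. an internal update source
        [string[]] $Bypass = @()
    )
    if ($ProxyUrl -notmatch '^https?://[A-Za-z0-9.\-]+:\d{1,5}$') {
        throw "ProxyUrl must look like http://host:port or https://host:port, got '$ProxyUrl'"
    }
    # Writes HKLM\Software\Policies\Microsoft\Windows Defender\ProxyServer (REG_SZ)
    Set-MpPreference -ProxyServer $ProxyUrl
    if ($Bypass.Count -gt 0) {
        # Corresponds to "Define addresses to bypass proxy server"
        Set-MpPreference -ProxyBypass $Bypass
    }
}

function Test-MdeAvProxy {
    # Compares what Defender Antivirus reports with what was intended
    param([Parameter(Mandatory)] [string] $ExpectedProxyUrl)
    $pref = Get-MpPreference
    [pscustomobject]@{
        ProxyServer = $pref.ProxyServer
        ProxyPacUrl = $pref.ProxyPacUrl      # set via -ProxyPacUrl if you use a PAC file instead
        ProxyBypass = ($pref.ProxyBypass -join ', ')
        Matches     = ($pref.ProxyServer -eq $ExpectedProxyUrl)
    }
}

# Assumed placeholders; replace with your own proxy and internal update source
Set-MdeAvProxy -ProxyUrl 'http://10.0.0.6:8080' -Bypass @('wsus.corp.example')
Test-MdeAvProxy -ExpectedProxyUrl 'http://10.0.0.6:8080' | Format-List
```

If a PAC file is used instead of a fixed proxy, call Set-MpPreference -ProxyPacUrl with the PAC URL rather than -ProxyServer; the read-back function above shows either value.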
Note
To use the proxy correctly, configure these three different proxy settings:
- Microsoft Defender for Endpoint (MDE)
- AV (Antivirus)
- Endpoint Detection and Response (EDR)
Set the proxy server manually using the netsh command
Use netsh to configure a system-wide static proxy.
Note
- This affects all applications, including Windows services that use WinHTTP with the default proxy.
Open an elevated command prompt:
- Go to Start and type cmd.
- Right-click Command prompt and select Run as administrator.
Enter the following command and press Enter:
netsh winhttp set proxy <proxy>:<port>
For example:
netsh winhttp set proxy 10.0.0.6:8080
To reset the WinHTTP proxy, enter the following command and press Enter:
netsh winhttp reset proxy
See Netsh command syntax, contexts, and formatting to learn more.
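Because the EDR sensor, Defender Antivirus, and WinHTTP each read their proxy from a different place, it is easy to end up with the three disagreeing. The following read-only PowerShell is an added example (not from the original article or from Microsoft) that collects all three on the local device into one table: the EDR registry values, the antivirus values from Get-MpPreference, and the system-wide WinHTTP proxy parsed from netsh winhttp show proxy. The netsh output wording it matches on ("Proxy Server(s) :") is the current English format and is an assumption for other locales.

```powershell
# Added example (not from the original article). Read-only; elevation is only
# needed if policy keys are ACL-restricted on your build.

function Get-MdeProxyAudit {
    $dc  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -ErrorAction SilentlyContinue
    $atp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -ErrorAction SilentlyContinue
    $av  = Get-MpPreference -ErrorAction SilentlyContinue

    # netsh prints either "Direct access (no proxy server)." or "Proxy Server(s) :  host:port"
    $winhttpText  = (netsh winhttp show proxy) -join "`n"
    $winhttpProxy = if ($winhttpText -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { $null }
    $winhttpBypass = if ($winhttpText -match 'Bypass List\s*:\s*(.+)') { $Matches[1].Trim() } else { $null }

    @(
        [pscustomobject]@{
            Channel = 'EDR sensor (TelemetryProxyServer)'
            Proxy   = $dc.TelemetryProxyServer
            Detail  = "DisableEnterpriseAuthProxy=$($dc.DisableEnterpriseAuthProxy); PreferStaticProxyForHttpRequest=$($atp.PreferStaticProxyForHttpRequest)"
        }
        [pscustomobject]@{
            Channel = 'Defender Antivirus (Set-MpPreference)'
            Proxy   = $av.ProxyServer
            Detail  = "PAC=$($av.ProxyPacUrl); Bypass=$($av.ProxyBypass -join ',')"
        }
        [pscustomobject]@{
            Channel = 'System-wide WinHTTP (netsh)'
            Proxy   = $winhttpProxy
            Detail  = if ($winhttpProxy) { "Bypass=$winhttpBypass (applies to every WinHTTP client)" } else { 'direct access, transparent proxy or WPAD' }
        }
    )
}

$audit = Get-MdeProxyAudit
$audit | Format-Table -AutoSize

# A channel with no static proxy is only a problem if the device really sits behind a
# forward proxy without WPAD or a transparent proxy; flag it for review rather than fail.
$audit | Where-Object { -not $_.Proxy } | ForEach-Object {
    Write-Warning "No static proxy configured for: $($_.Channel)"
}
```

Run this before and after changing any one of the three settings; a common mistake it surfaces is an antivirus ProxyServer written without the http:// prefix, or a TelemetryProxyServer written with one.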
Enable access to Microsoft Defender for Endpoint service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Verify that there are no firewall or network filtering rules that would deny access to these URLs. Optionally, you may need to create an allow rule specifically for them.
Domain list spreadsheet | Description |
---|---|
Microsoft Defender for Endpoint URL list for commercial customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. Download the spreadsheet here. Note that Microsoft Defender for Endpoint Plan 1 and Plan 2 share the same proxy service URLs. |
Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. Download the spreadsheet here. |
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. In your firewall, open all the URLs where the geography column is WW. For rows where the geography column isn't WW, open the URLs for your specific data location. To verify your data location setting, see Verify data storage location and update data retention settings for Microsoft Defender for Endpoint. Don't exclude the URL *.blob.core.windows.net from any kind of network inspection.
Note
Windows devices running version 1803 or earlier require setup-win.data.microsoft.com.
URLs that include v20 in them are needed only if you have Windows devices running version 1803 or later. For example, us-v20.events.data.microsoft.com is needed for a Windows device running version 1803 or later and onboarded to the US data storage region.
If a proxy or firewall is blocking anonymous traffic, make sure anonymous traffic is permitted to the previously listed URLs, because the Defender for Endpoint sensor connects from the system context and can't present a user's proxy credentials.
Note
Microsoft doesn't provide a proxy server. These URLs are accessible via the proxy server that you configure.
Microsoft Monitoring Agent (MMA): proxy and firewall requirements for older versions of Windows client or Windows Server
The information in the following list of proxy and firewall configuration settings is required to communicate with the Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, and Windows Server 2008 R2*.
Agent resource | Ports | Direction | Bypass HTTPS inspection |
---|---|---|---|
*.ods.opinsights.azure.com | Port 443 | Outbound | Yes |
*.oms.opinsights.azure.com | Port 443 | Outbound | Yes |
*.blob.core.windows.net | Port 443 | Outbound | Yes |
*.azure-automation.net | Port 443 | Outbound | Yes |
Note
*These connectivity requirements apply to the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. For instructions to onboard these operating systems with the new unified solution, see Onboard Windows servers, or to migrate to the new unified solution, see Server migration scenarios in Microsoft Defender for Endpoint.
Note
As a cloud-based solution, the IP range can change. It's recommended you move to a DNS-resolving setting rather than allowlisting IP addresses.
Confirm Microsoft Monitoring Agent (MMA) service URL requirements
See the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows.
- Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see Onboard previous versions of Windows on Defender for Endpoint and Onboard Windows servers).
- Ensure the machine is successfully reporting into the Microsoft 365 Defender portal.
- Run the TestCloudConnection.exe tool from C:\Program Files\Microsoft Monitoring Agent\Agent to validate the connectivity and to see the required URLs for your specific workspace.
- Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (refer to the Service URLs spreadsheet).
The wildcards (*) used in the *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your workspace-specific ID. The workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft 365 Defender portal.
The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the "Firewall Rule: *.blob.core.windows.net" section of the test results.
Note
In the case of onboarding via Microsoft Defender for Cloud, multiple workspaces can be used. You'll need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are changes to the *.blob.core.windows.net URLs between the workspaces).
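The following PowerShell is an added example (not from the original article or from Microsoft) that turns the three wildcard MMA entries above into the explicit, workspace-specific hostnames you would put in an allowlist, and then checks each one through the configured proxy on TCP 443. The hostname pattern <workspaceId>.<service suffix> is an assumption derived from the wildcard entries listed above; confirm it against the TestCloudConnection.exe output for your workspace. The workspace ID and proxy URL are placeholders. Any HTTP answer (including 403 or 404) counts as reachable, because it proves the TLS session terminated at the service; no answer at all, including a certificate error caused by HTTPS inspection, is reported as blocked.

```powershell
# Added example (not from the original article).

function Get-MmaWorkspaceUrls {
    # Builds explicit hostnames so the allowlist no longer needs wildcards
    param([Parameter(Mandatory)] [string] $WorkspaceId)
    if ($WorkspaceId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
        throw "WorkspaceId should be a GUID, got '$WorkspaceId'"
    }
    # Assumed pattern: <workspaceId>.<suffix>, derived from the *.suffix entries above
    foreach ($suffix in 'ods.opinsights.azure.com', 'oms.opinsights.azure.com', 'agentsvc.azure-automation.net') {
        "$WorkspaceId.$suffix"
    }
}

function Test-MmaUrlReachability {
    param(
        [Parameter(Mandatory)] [string[]] $Hosts,
        [string] $Proxy    # e.g. http://10.0.0.6:8080; omit to test the direct / WPAD path
    )
    foreach ($h in $Hosts) {
        $req = @{ Uri = "https://$h/"; UseBasicParsing = $true; TimeoutSec = 15; ErrorAction = 'Stop' }
        if ($Proxy) { $req.Proxy = $Proxy }
        $status = $null
        try {
            $status = [int](Invoke-WebRequest @req).StatusCode
        } catch {
            # 4xx/5xx still carries a response object (Windows PowerShell and PowerShell 7 alike);
            # proxy refusal, DNS failure or a TLS-inspection certificate error carries none.
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        }
        [pscustomobject]@{
            Host       = $h
            HttpStatus = $status
            Reachable  = ($null -ne $status)
        }
    }
}

# Assumed placeholders; replace with the workspace ID from the portal and your proxy
$hosts = Get-MmaWorkspaceUrls -WorkspaceId '00000000-0000-0000-0000-000000000000'
Test-MmaUrlReachability -Hosts $hosts -Proxy 'http://10.0.0.6:8080' | Format-Table -AutoSize
```

The *.blob.core.windows.net entries are deliberately left out of the generated list: as the text above says, those must be taken from the "Firewall Rule" section of the TestCloudConnection.exe results for each workspace, and you can append them to $hosts before running the check.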
Verify client connectivity to Microsoft Defender for Endpoint service URLs
Verify that the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs.
- Download the Microsoft Defender for Endpoint Client Analyzer tool to the PC where the Defender for Endpoint sensor is running. For downlevel servers, use the latest preview edition available for download, Microsoft Defender for Endpoint Client Analyzer tool Beta.
- Extract the contents of MDEClientAnalyzer.zip on the device.
- Open an elevated command prompt:
- Go to Start and type cmd.
- Right-click Command prompt and select Run as administrator.
- Enter the following command and press Enter:
HardDrivePath\MDEClientAnalyzer.cmd
Replace HardDrivePath with the path where the MDEClientAnalyzer tool was downloaded to. For example:
C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
- The tool creates and extracts the MDEClientAnalyzerResult.zip file in the folder used in the HardDrivePath.
- Open MDEClientAnalyzerResult.txt and verify that you've performed the proxy configuration steps to enable server discovery and access to the service URLs.
The tool checks the connectivity of Defender for Endpoint service URLs that the Defender for Endpoint client is configured to interact with. It then prints the results into the MDEClientAnalyzerResult.txt file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in Enable access to Defender for Endpoint service URLs in the proxy server. The URLs you'll use depend on the region selected during the onboarding procedure.
Note
Cloud connectivity checks within the Connectivity Analyzer tool aren't compatible with the attack surface reduction rule Block process creations originating from PSExec and WMI commands. You'll need to temporarily disable this rule to run the connectivity tool. Alternatively, you can temporarily add ASR exclusions when running the analyzer.
When TelemetryProxyServer is set in the registry or via Group Policy, Defender for Endpoint falls back to direct if it can't access the defined proxy.
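On a fleet of devices, reading MDEClientAnalyzerResult.txt by hand does not scale. The following PowerShell is an added example (not from the original article or from Microsoft) that parses the per-URL blocks in the layout shown above and reports, for each tested URL, which connectivity method returned 200 and which URLs no method could reach. The sample text embedded in the block is constructed to match that layout; the exact wording the tool uses for failed attempts is an assumption, so the parser keys only on the "Testing URL" marker and the three-digit status code in parentheses.

```powershell
# Added example (not from the original article).

function ConvertFrom-MdeAnalyzerResult {
    # Parses the connectivity section of MDEClientAnalyzerResult.txt into one object per URL
    param([Parameter(Mandatory)] [string] $Text)
    $results = @()
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*Testing URL\s*:\s*(\S+)') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{ Url = $Matches[1]; Methods = @{}; Reachable = $false }
            continue
        }
        # "<n> - <method>: <result> (<http status>)"  or  "<n> - <method>: Doesn't exist"
        if ($current -and $line -match '^\s*\d+\s*-\s*(?<method>[^:]+):\s*(?<result>.+?)(?:\s*\((?<code>\d{3})\))?\s*$') {
            $code = if ($Matches['code']) { [int]$Matches['code'] } else { $null }
            $current.Methods[$Matches['method'].Trim()] = $code
            if ($code -eq 200) { $current.Reachable = $true }
        }
    }
    if ($current) { $results += $current }
    $results
}

function Format-MdeAnalyzerSummary {
    param([Parameter(Mandatory)] [object[]] $Parsed)
    foreach ($r in $Parsed) {
        if ($r.Reachable) {
            $ok = ($r.Methods.GetEnumerator() | Where-Object { $_.Value -eq 200 } | ForEach-Object { $_.Key }) -join ', '
            "OK       $($r.Url)  via: $ok"
        } else {
            $tried = ($r.Methods.GetEnumerator() | ForEach-Object { "$($_.Key)=$(if ($null -ne $_.Value) { $_.Value } else { 'n/a' })" }) -join '; '
            "BLOCKED  $($r.Url)  $tried"
        }
    }
}

# Constructed sample in the layout shown above; the second URL is made to fail
$sample = @'
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
Testing URL : https://yyy.microsoft.com/yyy
1 - Default proxy: Failed (407)
2 - Proxy auto discovery (WPAD): Failed (407)
3 - Proxy disabled: Failed (503)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
'@

$parsed = ConvertFrom-MdeAnalyzerResult -Text $sample
Format-MdeAnalyzerSummary -Parsed $parsed

# Against a real run, read the file produced by MDEClientAnalyzer.cmd instead:
# $parsed = ConvertFrom-MdeAnalyzerResult -Text (Get-Content .\MDEClientAnalyzerResult.txt -Raw)
```

In the constructed sample the second URL fails with 407 through the proxy, which points at an authenticated proxy rejecting the sensor's anonymous LocalSystem connection (see the earlier note on allowing anonymous traffic), while 503 on the direct path just confirms there is no direct route.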
Related articles
- Disconnected environments, proxies, and Microsoft Defender for Endpoint
- Use Group Policy settings to configure and manage Microsoft Defender Antivirus
- Onboard Windows devices
- Troubleshoot Microsoft Defender for Endpoint onboarding issues