0
(0)

The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service. The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Defender for Endpoint cloud service.

 Tip

For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate connection events that occur behind forward proxies.

The WinHTTP configuration setting is independent of the Windows Internet (WinINet) browsing proxy settings (see, WinINet vs. WinHTTP) and can only discover a proxy server by using the following discovery methods:

  • Auto-discovery methods:
  • Manual static proxy configuration:
    • Registry-based configuration
    • WinHTTP configured using netsh command: Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)

 Note

Defender antivirus and EDR proxies can be set independently. In the sections that follow, be aware of those distinctions.

Configure the proxy server manually using a registry-based static proxy

Configure a registry-based static proxy for Defender for Endpoint detection and response (EDR) sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not permitted to connect to the Internet.

 Note

When using this option on Windows 10, or Windows 11, or Windows Server 2019, or Windows Server 2022, it is recommended to have the following (or later) build and cumulative update rollup:

These updates improve the connectivity and reliability of the CnC (Command and Control) channel.

The static proxy is also configurable through Group Policy (GP), both the settings under group policy values need to be set to configure the proxy server to be used for EDR. The group policy can be found under:

  • Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service.

    Set it to Enabled and select Disable Authenticated Proxy usage.

    Image of Group Policy setting1.

  • Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry:

    Configure the proxy

    Image of Group Policy setting2.

CONFIGURE THE PROXY SERVER MANUALLY USING A REGISTRY-BASED STATIC PROXY
Group Policy Registry key Registry entry Value
Configure authenticated proxy usage for the connected user experience and the telemetry service HKLM\Software\Policies\Microsoft\Windows\DataCollection DisableEnterpriseAuthProxy 1 (REG_DWORD)
Configure connected user experiences and telemetry HKLM\Software\Policies\Microsoft\Windows\DataCollection TelemetryProxyServer servername:port or ip:port

For example: 10.0.0.6:8080 (REG_SZ)

Configure a static proxy for Microsoft Defender Antivirus

Microsoft Defender Antivirus cloud-delivered protection provides near-instant, automated protection against new and emerging threats. Note that connectivity is required for custom indicators when Defender Antivirus is your active antimalware solution; and for EDR in block mode even when using a non-Microsoft solution as the primary antimalware solution.

Configure the static proxy using the Group Policy found here:

  1. Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy server for connecting to the network.
  2. Set it to Enabled and define the proxy server. Note that the URL must have either http:// or https://. For supported versions for https://, see Manage Microsoft Defender Antivirus updates.

    Proxy server for Microsoft Defender Antivirus.

  3. Under the registry key HKLM\Software\Policies\Microsoft\Windows Defender, the policy sets the registry value ProxyServer as REG_SZ.

    The registry value ProxyServer takes the following string format:

    text

    <server name or ip>:<port>
    
    For example: http://10.0.0.6:8080
    

 Note

For resiliency purposes and the real-time nature of cloud-delivered protection, Microsoft Defender Antivirus will cache the last known working proxy. Ensure your proxy solution does not perform SSL inspection as this will break the secure cloud connection.

Microsoft Defender Antivirus will not use the static proxy to connect to Windows Update or Microsoft Update for downloading updates. Instead, it will use a system-wide proxy if configured to use Windows Update, or the configured internal update source according to the configured fallback order.

If required, you can use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy auto-config (.pac) for connecting to the network if you need to set up advanced configurations with multiple proxies, Use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define addresses to bypass proxy server to prevent Microsoft Defender Antivirus from using a proxy server for those destinations.

You can also use PowerShell with the Set-MpPreference cmdlet to configure these options:

  • ProxyBypass
  • ProxyPacUrl
  • ProxyServer

 Note

To use proxy correctly, configure these three different proxy settings:

  • Microsoft Defender for Endpoint (MDE)
  • AV (Antivirus)
  • Endpoint Detection and Response (EDR)

Configure the proxy server manually using netsh command

Use netsh to configure a system-wide static proxy.

 Note

  • This will affect all applications including Windows services which use WinHTTP with default proxy.
  • Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
  1. Open an elevated command line:
    1. Go to Start and type cmd.
    2. Right-click Command prompt and select Run as administrator.
  2. Enter the following command and press Enter:
    PowerShell

    netsh winhttp set proxy <proxy>:<port>
    

    For example: netsh winhttp set proxy 10.0.0.6:8080

To reset the winhttp proxy, enter the following command and press Enter:

PowerShell

netsh winhttp reset proxy

See Netsh Command Syntax, Contexts, and Formatting to learn more.

Enable access to Microsoft Defender for Endpoint service URLs in the proxy server

If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.

The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.


ENABLE ACCESS TO MICROSOFT DEFENDER FOR ENDPOINT SERVICE URLS IN THE PROXY SERVER
Spreadsheet of domains list Description
Thumb image for Microsoft Defender for Endpoint URLs spreadsheet. Spreadsheet of specific DNS records for service locations, geographic locations, and OS.Download the spreadsheet here.

If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. In your firewall, open all the URLs where the geography column is WW. For rows where the geography column is not WW, open the URLs to your specific data location. To verify your data location setting, see Verify data storage location and update data retention settings for Microsoft Defender for Endpoint.

 Note

settings-win.data.microsoft.com is only needed if you have Windows devices running version 1803 or earlier.

URLs that include v20 in them are only needed if you have Windows devices running version 1803 or later. For example, us-v20.events.data.microsoft.com is needed for a Windows device running version 1803 or later and onboarded to US Data Storage region.

The above spreadsheet relates to MDE EDR, if you are using Microsoft Defender Antivirus in your environment, see Configure network connections to the Microsoft Defender Antivirus cloud service.

If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.

 Note

Microsoft does not provide a proxy server. These URLs are accessible via the proxy server that you configure.

Microsoft Monitoring Agent (MMA) – proxy and firewall requirements for older versions of Windows client or Windows Server

The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, and Windows Server 2008 R2*


MICROSOFT MONITORING AGENT (MMA) – PROXY AND FIREWALL REQUIREMENTS FOR OLDER VERSIONS OF WINDOWS CLIENT OR WINDOWS SERVER
Agent Resource Ports Direction Bypass HTTPS inspection
*.ods.opinsights.azure.com Port 443 Outbound Yes
*.oms.opinsights.azure.com Port 443 Outbound Yes
*.blob.core.windows.net Port 443 Outbound Yes
*.azure-automation.net Port 443 Outbound Yes

 Note

*These connectivity requirements also apply to the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to onboard these operating systems with the new unified solution are at Onboard Windows servers, or to migrate to the new unified solution at Server migration scenarios in Microsoft Defender for Endpoint.

 Note

As a cloud-based solution, the IP range can change. It’s recommended you move to DNS resolving setting.

Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements

See the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows.

  1. Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see Onboard previous versions of Windows on Defender for Endpoint and Onboard Windows servers.
  2. Ensure the machine is successfully reporting into the Microsoft 365 Defender portal.
  3. Run the TestCloudConnection.exe tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace.
  4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (refer to the Service URLs Spreadsheet).

    Image of administrator in Windows PowerShell.

The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft 365 Defender portal.

The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the “Firewall Rule: *.blob.core.windows.net” section of the test results.

 Note

In the case of onboarding via Microsoft Defender for Cloud, multiple workspaces maybe used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces).

Verify client connectivity to Microsoft Defender for Endpoint service URLs

Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs.

  1. Download the Microsoft Defender for Endpoint Client Analyzer tool to the PC where Defender for Endpoint sensor is running on.
  2. Extract the contents of MDEClientAnalyzer.zip on the device.
  3. Open an elevated command-line:
    1. Go to Start and type cmd.
    2. Right-click Command prompt and select Run as administrator.
  4. Enter the following command and press Enter:
    PowerShell

    HardDrivePath\MDEClientAnalyzer.cmd
    

    Replace HardDrivePath with the path where the MDEClientAnalyzer tool was downloaded to, for example:

    PowerShell

    C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
    
  5. Extract the MDEClientAnalyzerResult.zip file created by tool in the folder used in the HardDrivePath.
  6. Open MDEClientAnalyzerResult.txt and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the MDEClientAnalyzerResult.txt file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:

    text

    Testing URL : https://xxx.microsoft.com/xxx
    1 - Default proxy: Succeeded (200)
    2 - Proxy auto discovery (WPAD): Succeeded (200)
    3 - Proxy disabled: Succeeded (200)
    4 - Named proxy: Doesn't exist
    5 - Command line proxy: Doesn't exist
    

If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.

However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in Enable access to Defender for Endpoint service URLs in the proxy server. The URLs you’ll use will depend on the region selected during the onboarding procedure.

 Note

The Connectivity Analyzer tool cloud connectivity checks are not compatible with Attack Surface Reduction rule Block process creations originating from PSExec and WMI commands. You will need to temporarily disable this rule to run the connectivity tool. Alternatively, you can temporarily add ASR exclusions when running the analyzer.

When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can’t access the defined proxy.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.