Blog Post

Core Infrastructure and Security Blog
5 MIN READ

Solving Network Connectivity for MDE and MDI

WillS1485's avatar
WillS1485
Icon for Microsoft rankMicrosoft
Oct 10, 2025

Automated solution to simplify the connectivity requirements for cloud connectivity in restricted environments.

Hi, I’m Will Sykes, a Senior Security Researcher in Microsoft IR. My colleagues and I specialize in helping customers with incident response and compromise recovery. In our work with customers who’ve...
Updated Oct 30, 2025
Version 3.0
MDE
MDI
Proxy
SQUID
WILLSYKES
PJR_CDF's avatar
PJR_CDF
Iron Contributor
Oct 10, 2025

Is it not the case that the MDE defender specific proxy is used for MDE telemetry only and not signature updates? 

Therefore you must also consider an offline method for sig updates too, as if you are reliant on Microsoft Update/MMPC for access to sig updates, the update engine still utilises the system proxy/default gateway.

  • jospaid's avatar
    jospaid
    Icon for Microsoft rankMicrosoft
    Oct 10, 2025

    You are correct, but you can configure the squid proxy as your system proxy or use advanced options outlined below.

    Microsoft Defender Antivirus doesn't use the static proxy to connect to Windows Update or Microsoft Update for downloading updates. Instead, it uses a system-wide proxy if configured to use Windows Update, or the configured internal update source according to the configured fallback order. If necessary, you can use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy auto-config (.pac) for connecting to the network. If you need to set up advanced configurations with multiple proxies, use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define addresses to bypass proxy server and prevent Microsoft Defender Antivirus from using a proxy server for those destinations.

    You can use PowerShell with the Set-MpPreference cmdlet to configure these options:

    • ProxyBypass
    • ProxyPacUrl
    • ProxyServer

    For more, see this documentation: Configure your devices to connect to the Defender for Endpoint service using a proxy - Microsoft Defender for Endpoint | Microsoft Learn

    • PJR_CDF's avatar
      PJR_CDF
      Iron Contributor
      Oct 13, 2025

      Thanks for confirming. 

      In that case I suggest the title of this article is amended (as the solution outlined is not a complete solution for what I would class as a functioning install of MDE), or additional notes are added to point out that:

      1) MDAV also requires a static proxy configured in order for custom indicators to work
      2) If using Windows or Microsoft Updates for security intelligence updates, then you must also consider either enabling either the Squid proxy outlined in the article as the system proxy, or another proxy solution.

      I appreciate the intention behind this article as network connectivity for MDE is a minefield and clarity is definitely required. I see many clients struggling with it, but Microsoft articles such as this one in its current form, can lead to clients following the instructions and assuming everything is working and configured as required, when in reality additional configuration is required (but not mentioned).