Forum Discussion

drivesafely
Brass Contributor
Apr 22, 2024

MDE onboarding issues with proxy configuration

Hello Everyone,

We're currently in the process of onboarding MDE via scripts on several Windows 10 and 11 PCs. These PCs have proxies configured in Settings > Network & internet > Proxy > Manual proxy setup. Additionally, they have a 3rd party EDR solution active.

While the onboarding scripts run without errors, the devices aren't appearing online in the defender portal under Assets. Upon running the Analyzer tool, we identified communication errors. Unfortunately, we couldn't utilize PSExec due to restrictions imposed by the 3rd party EDR.

Here are the areas where we need guidance:

1. Is the proxy configuration method correct? Does it ensure that all traffic initiated from the PC passes through the proxy, including Defender for Endpoint traffic?

2. What's the ideal proxy configuration method for Windows?

3. Since we can't use PowerShell or PSExec, is there an alternative method to check the Defender version and service status?

4. Should we exempt the path "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" and allow PowerShell scripts from this location?

5. Will allowing all the URLs provided by Microsoft in the Excel file ensure full functionality of MDE? Can we allow based on IP with Proxy setup instead of URLs?

6. Is it necessary to exempt the processes used by MDE in Windows 10 and 11 from the 3rd party EDR?

Awaiting your valuable insights and assistance on these queries.

Thanks in advance.

16 Replies

  • jbmartin6
    Iron Contributor
    The MDE Client Analyzer is your friend here, run it and review the results.
    • drivesafely
      Brass Contributor

      jbmartin6, rahuljindal

      Thanks for your responses.

      We have onboarded devices in a workgroup through the script. The device status displays info like version 0.0.0.0 and the status is unknown. I have a doubt about applying security policy to the added device. I have created ASR, AV and Device policies. At the option to assign the policy, there is only the option to assign it to a group. I created a group through Intune, then added one of the devices to it, then applied this group to the ASR and Device policy. The issue is that when I click on the Applied devices tab, I don't see any devices applied, even though the policy is assigned to the group the device was added to.

      How do we assign policies to such devices that are in a workgroup?

      Please guide. Thanks,

      • rahuljindal
        Bronze Contributor
        Are you using security settings management to onboard the devices to MDE and manage the devices using Intune? If yes, then have the devices created a synthetic object in Entra ID? As for the unknown status, can you check if Defender antimalware service is enabled and running or not?
    • drivesafely
      Brass Contributor
      tanishab40

      Hello, with the limited info you shared, I would advise going through the links below, which will be helpful for troubleshooting the issue:

      Troubleshoot Microsoft Defender for Endpoint onboarding issues:
      https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide

      Run client analyzer on Windows:
      https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-analyzer-windows?view=o365-worldwide

      Regards,
  • rahuljindal
    Bronze Contributor
    If you have a web proxy configured, then you will need to bypass the relevant Defender URLs using the WinHTTP proxy as well. Refer to Microsoft's official link for MDE connectivity requirements to configure the URLs for WinHTTP. Also, make sure that you don't have SSL inspection enabled in the proxy, or else CRL checks will fail.
    • drivesafely
      Brass Contributor

      rahuljindal

      Thank you for the response.

      If I understand correctly, apart from configuring the proxy through Windows Settings, I will have to configure the proxy through one of the following as well:

      • Registry-based configuration

      • WinHTTP configured using netsh command: Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)

      Reference link: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide

      Please confirm, or correct me if I am not right.

      Thanks,

      • rahuljindal
        Bronze Contributor
        Spot on. I recently had similar requirements and chose to use the winhttp method as the devices were co-managed so it was easier to push the command using ConfigMgr. However, you should be able to achieve the same using GPO.
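The WinHTTP route the last two posts settle on, written out as a batch script so it can be pushed via ConfigMgr or a GPO startup script without PowerShell (an added example, not from the thread or Microsoft's documentation; proxy.corp.example:8080 is a placeholder for your proxy, and the bypass list is an assumption you must adapt):

```batch
@echo off
REM Added example. Assumption: proxy.corp.example:8080 stands in for the real proxy.

REM 1. The per-user value under Settings > Network & internet > Proxy only
REM    steers WinINET (browsers). The Defender for Endpoint agent runs as a
REM    service and uses WinHTTP, which has its own machine-wide setting.
REM    "<local>" keeps intranet hosts off the proxy; separate extra hosts with ';'.
netsh winhttp set proxy proxy-server="proxy.corp.example:8080" bypass-list="<local>"

REM    Alternative: copy the current user's WinINET proxy into WinHTTP instead.
REM    netsh winhttp import proxy source=ie

REM 2. Verify what WinHTTP will actually use. A machine still reading
REM    "Direct access (no proxy server)" here is the classic cause of a
REM    device that onboarded "successfully" but never shows up in the portal.
netsh winhttp show proxy

REM 3. Service state without PowerShell or PsExec (question 3 in the thread):
REM    Sense is the MDE agent service, WinDefend the antimalware engine.
REM    Expect "STATE : 4 RUNNING" for both on a healthy onboarded device.
sc query Sense
sc query WinDefend

REM 4. To back the change out, clear the WinHTTP proxy again.
REM    netsh winhttp reset proxy
```

Keep the proxy itself doing plain TCP forwarding for the Defender endpoints, as noted above: if it performs SSL inspection, certificate revocation checks from the agent fail even though the WinHTTP setting is correct.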
