Defender for Endpoint - Blocking Unsanctioned VPN Connections


Good day community,


Is there a way to prevent users from connecting to unsanctioned VPN services using Defender?


We have a Palo Alto solution that needs to be used, but we are seeing a heck of a lot of Impossible Travel activities in Cloud App Security suggesting that VPN services are used.


Would adding these connections to a custom indicator/detection list do the trick? Or is there a better/more preferred way to achieve this?



3 Replies

An indicator or custom detection would be able to block these programs, yes.

IMO, taking away local admin from these users would be a lot easier and a better solution in the long run.


Interesting question, would be great to know how you get on mitigating that risk. Thanks.

@Thijs Lecomte 

Thanks. I agree, the long-term solution would be to actually limit the installation of these programs to begin with.


I think we will end up creating the indicator to do the initial detection of these connections, and then transition the devices across to be managed through policy.


It's definitely a pain in the backside!