Indicators and custom detections

Copper Contributor

When we create Indicators and Custom Detection block rules, how does MDATP enforces that setting to clients because in our environment we have only allowed one-way communication from clients to MDATP cloud service.

Does MDATP requires bi-directional communication between endpoints and MDATP cloud service URLs?

What else we miss if it is a uni-directional (endpoint to MDATP) communication?

4 Replies


The follow 95 seconds video provide a brief summary of the things that you may be missing:

Basically, there are capabilities of auto-remediation.  You can also use Device Health as part of the Zero Trust Strategy.  So besides checking for device compliance, you can check if the device is showing indications of compromise and if so, deny access until the system is remediated. (

So lots of functionality will not work:


@Gladys Rodriguez   - Thanks a lot for your response, i will checkout the links you have shared.

Also, are you implying that a bi-directional communication is a must?

"The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.

The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service."

Hope this helps,



@Gladys Rodriguez  - Thank you so much, it really helps.