MDE onboarding issues with proxy configuration

Copper Contributor

Hello Everyone,

We're currently in the process of onboarding MDE via scripts on several Windows 10 and 11 PCs. These PCs have proxies configured in Settings > Network & internet > Proxy > Manual proxy setup. Additionally, they have a 3rd party EDR solution active.

While the onboarding scripts run without errors, the devices aren't appearing online in the defender portal under Assets. Upon running the Analyzer tool, we identified communication errors. Unfortunately, we couldn't utilize PSExec due to restrictions imposed by the 3rd party EDR.

Here are the areas where we need guidance:

1. Is the proxy configuration method correct? Does it ensure that all traffic initiated from the PC passes through the proxy, including Defender for Endpoint traffic?

2. What's the ideal proxy configuration method for Windows?

3. Since we can't use Powershell or PSExec, is there an alternative method to check Defender version and service status?

4. Should we exempt the path "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" and allow Powershell scripts from this location?

5. Will allowing all the URLs provided by Microsoft in the Excel file ensure full functionality of MDE? Can we allow based on IP with Proxy setup instead of URLs?

6. Is it necessary to exempt the processes used by MDE in Windows 10 and 11 from the 3rd party EDR?

Awaiting your valuable insights and assistance on these queries.

Thanks in advance.

16 Replies
If you have web proxy configured, then you will need to bypass the relevant Defender urls using winhttp proxy as well. Refer to the Microsoft’s official link for MDE connectivity requirements to configure the urls for winhttp. Also, make sure that you don’t have SSL inspection enabled in the proxy or else CRL checks will fail.



Thank you for the response.


If i understand correctly, apart from configuring the proxy through Windows Settings, I will have to configure the proxy through either of the following as well,

  • Registry-based configuration

  • WinHTTP configured using netsh command: Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)

Reference link:


Please guide if i am not correct or confirm.



Spot on. I recently had similar requirements and chose to use the winhttp method as the devices were co-managed so it was easier to push the command using ConfigMgr. However, you should be able to achieve the same using GPO.
Thanks for your guidance.
Configuring the registry settings for the proxy helped to onboard the machines.
We noticed that the health status of the machines on the defender portal does not display the version info. Also the analyzer tool reported to update the defender/av plaform and version to a supported version.
While we are addressing the update part, can you guide whether configuration of WinHTTP proxy through netsh command is also a must alongwith registry? Or just registry configuration for the proxy is enough?
Please guide. Thanks,

Hello. I have been trying o onboard but having issues. Can you help me? Thank you @drivesafely 


Hello, With limit info shared by you, i would advise to go through below links that will be helpful to troubleshoot the issue,

Troubleshoot Microsoft Defender for Endpoint onboarding issues:

Run client analyzer on Windows:

I don’t think both are needed as long as the system proxy is configured correctly. Which all urls did you bypass?
We have bypassed all URLs (specific to EU and WW regions) as per the excel file for "Microsoft Defender for Endpoint URL list for commercial customers (Standard)" from the below link,

The MDE Client Analyzer is your friend here, run it and review the results.




Thanks for your responses. 

We have onboarded devices in workgroup through script. The device status displays the info like versions as and status is unknown. I have a doubt on applying security policy to the added device. Like i have created ASR, AV and Device policies. At the option to assign the policy, there is option to assign it to group only. I created a group through Intune, then added one of the device to it, then applied this group to the ASR and Device policy. The issue is that when i click on the Applied devices tab, i do see any devices applied although assigning the policy to the group to which the device is added.

How to we assign policies to such devices that are in workgroup ?

Please guide. Thanks,

Are you using security settings management to onboard the devices to MDE and manage the devices using Intune? If yes, then have the devices created a synthetic object in Entra ID? As for the unknown status, can you check if Defender antimalware service is enabled and running or not?
I have onboarded the device using a local script. I am trying to manage the devices through the portal "" and not through intune.
Due to other EDR running, i cannot run powershell or psexec tools. Can you guide other way to check whether the antimalware service is enable and running?
Thanks for your support,
You mentioned Intune here - “ I created a group through Intune, then added one of the device to it, ”, which is why I asked. Why and how is Intune being used here? Since you have another EDR solution running, which is the primary AV solution running on the devices? Can you check the manage security providers in Windows security and confirm?

Since there is no option to create group and add devices to it through "" portal page, i created the group through intune.
Further i followed the below guide and after many hours, i can see devices under the Applied devices tab in the policy.
The primary AV is not the Defender. The other EDR is the primary AV solution.
Since Defender is in passive mode, does any of the policies will take effect on devices?
Thanks for your time and guidance,

The blog post you shared is covering the security settings management feature that I asked you about in my previous posts. Also, the blog post is old and a lot has changed since then. Using the security settings management feature you are able to onboard domain, workgroup devices by creating synthetic objects in Entra ID. This way the devices are not enrolled in Intune, but can be managed for MDE policies. You can tag such devices in MDE and create a dynamic Entra ID group for the purpose of assignment of policies. Please look at the pre-reqs and licensing requirements before using this feature if not already done. Coming to your devices running in unknown state. If MDE is running in passive mode then it should report that in Defender and not as Unknown. This normally happens when the devices are not correctly onboarded and the mssense is not communicating with Defender correctly. Check if Defender antimalware service is running or not. You can check the local policy to see if it was set to disable Defender in favour of third party AV solution or not. Maybe this can help

@rahuljindal-MVP it has been hard trying to configure my computer. I have a Mac and not sure if I was supposed to get a PC. Also, I am being asked to create an email with EDA. There has been communication that I don't have access to. Can you help me? Thank you.