Bonjour support (Mac only): HP recommends routers that support Bonjour, Apple's network discovery software. Connecting with. Step 5: Check the Internet proxy server settings. Admin, no user name required, or Comcast.
-->Applies to:
Want to experience Microsoft Defender ATP? Sign up for a free trial.
The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service.
Tip
For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see Investigate connection events that occur behind forward proxies.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- Auto-discovery methods:
- Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD)
Note
If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see Enable access to Microsoft Defender ATP service URLs in the proxy server.
- Manual static proxy configuration:
- Registry based configuration
- WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet.
The static proxy is configurable through Group Policy (GP). The group policy can be found under:
- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- Set it to Enabled and select Disable Authenticated Proxy usage:
- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry:
Configure the proxy:
The policy sets two registry values
TelemetryProxyServeras REG_SZ andDisableEnterpriseAuthProxyas REG_DWORD under the registry keyHKLMSoftwarePoliciesMicrosoftWindowsDataCollection.The registry value
TelemetryProxyServertakes the following string format:For example: 10.0.0.6:8080
The registry value
DisableEnterpriseAuthProxyshould be set to 1.
Configure the proxy server manually using netsh command
Use netsh to configure a system-wide static proxy.
Note
- This will affect all applications including Windows services which use WinHTTP with default proxy.
- Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
Open an elevated command-line:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
Enter the following command and press Enter:
For example: netsh winhttp set proxy 10.0.0.6:8080
To reset the winhttp proxy, enter the following command and press Enter
See Netsh Command Syntax, Contexts, and Formatting to learn more.
Enable access to Microsoft Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
Note
settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
URLs that include v20 in them are only needed if you have Windows 10 machines running version 1803 or later. For example, us-v20.events.data.microsoft.com is needed for a Windows 10 machine running version 1803 or later and onboarded to US Data Storage region.
| Service location | Microsoft.com DNS record |
|---|---|
| Common URLs for all locations | crl.microsoft.comctldl.windowsupdate.comevents.data.microsoft.comnotify.windows.comsettings-win.data.microsoft.com |
| European Union | eu.vortex-win.data.microsoft.comeu-v20.events.data.microsoft.comusseu1northprod.blob.core.windows.netusseu1westprod.blob.core.windows.netwinatp-gw-neu.microsoft.comwinatp-gw-weu.microsoft.comwseu1northprod.blob.core.windows.netwseu1westprod.blob.core.windows.netautomatedirstrprdweu.blob.core.windows.netautomatedirstrprdneu.blob.core.windows.net |
| United Kingdom | uk.vortex-win.data.microsoft.comuk-v20.events.data.microsoft.comussuk1southprod.blob.core.windows.netussuk1westprod.blob.core.windows.netwinatp-gw-uks.microsoft.comwinatp-gw-ukw.microsoft.comwsuk1southprod.blob.core.windows.netwsuk1westprod.blob.core.windows.netautomatedirstrprduks.blob.core.windows.netautomatedirstrprdukw.blob.core.windows.net |
| United States | us.vortex-win.data.microsoft.comussus1eastprod.blob.core.windows.netussus1westprod.blob.core.windows.netussus2eastprod.blob.core.windows.netussus2westprod.blob.core.windows.netussus3eastprod.blob.core.windows.netussus3westprod.blob.core.windows.netussus4eastprod.blob.core.windows.netussus4westprod.blob.core.windows.netus-v20.events.data.microsoft.comwinatp-gw-cus.microsoft.comwinatp-gw-eus.microsoft.comwsus1eastprod.blob.core.windows.netwsus1westprod.blob.core.windows.netwsus2eastprod.blob.core.windows.netwsus2westprod.blob.core.windows.netautomatedirstrprdcus.blob.core.windows.netautomatedirstrprdeus.blob.core.windows.net |
Note
If you are using Windows Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Windows Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
Microsoft Defender ATP service backend IP range
If your network devices don't support the URLs added to an 'allow' list in the prior section, you can use the following information.
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
- +<Region Name='uswestcentral'>
- +<Region Name='useast2'>
- +<Region Name='useast'>
- +<Region Name='europenorth'>
- +<Region Name='europewest'>
- +<Region Name='uksouth'>
- +<Region Name='ukwest'>
You can find the Azure IP range on Microsoft Azure Datacenter IP Ranges.
Note
As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
Verify client connectivity to Microsoft Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
Download the MDATP Client Analyzer tool to the PC where Microsoft Defender ATP sensor is running on.
Extract the contents of MDATPClientAnalyzer.zip on the machine.
Open an elevated command-line:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
Enter the following command and press Enter:
Replace HardDrivePath with the path where the MDATPClientAnalyzer tool was downloaded to, for example
Extract the MDATPClientAnalyzerResult.zip file created by tool in the folder used in the HardDrivePath.
Open MDATPClientAnalyzerResult.txt and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the MDATPClientAnalyzerResult.txt file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example:
If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in Enable access to Microsoft Defender ATP service URLs in the proxy server. The URLs you'll use will depend on the region selected during the onboarding procedure.
Note
The Connectivity Analyzer tool is not compatible with ASR rule Block process creations originating from PSExec and WMI commands. You will need to temporarily disable this rule to run the connectivity tool.When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
Related topics
If you feel your Internet connection is slower than what it should be or you notice that certain websites get blocked while browsing, it could be because all your Internet traffic is going through a proxy server.
A proxy server is basically just another computer that sits between you and your ISP. It’s usually configured in corporate environments to filter web traffic going to and from employee computers. In this article, I’ll show you how you can check your proxy settings to see if your computer is indeed using a proxy server or not.
In most cases, you won’t actually be able to turn off the proxy server, since it is controlled by an administrator. However, there are times when personal computers accidentally or maliciously get set to use a proxy server.
Check Proxy Settings in Windows
In Windows, most browsers will use the proxy settings that are set on the computer. Each browser has a settings page to adjust proxy settings, but they normally just link to the settings dialog in Windows itself.
In Windows 10, there are two ways to go about changing the settings: via the Settings app or via the traditional Control Panel. I’ll mention both methods here because the Control Panel method is what you’ll need to use for Windows 7, 8 or Windows Vista.
Windows 10 Settings App
Click on Start and then click on the gear icon (Settings) at the far left. In Settings, click on Network & Internet.
In the left-hand pane, click on Proxy at the very bottom.
Here you have all the settings that are related to setting up a proxy in Windows. It’s basically split into two configurations: either Automatic or Manual proxy setup. In 99% of the cases, everything should be set to Off. If anything is turned on, your web traffic could be going through a proxy.
Control Panel
If you’re using an older version of Windows or if you just like the old way, you can edit the same settings via the Control Panel. Note that whichever way you choose to edit the settings, there are only one set of proxy settings in Windows.
Once you open Control Panel, just click on Internet Options.
In the Internet Options dialog, go ahead and click on the Connections tab and then click on LAN settings at the bottom.
Here you will see all the same settings as in the Settings app shown above. Anything you configure here will show up there and vice versa.
Check Proxy Settings in Mac OS X
If you are using a Mac with OS X, then the procedure is similar. You have to change the proxy settings in System Preferences as this is where most browsers check automatically.
Open System Preferences and click on Network. On the left-hand side, make sure to select the connected or active network connection. You can have different proxy settings for each type of network connection.
At the bottom, click on the Advanced button. Click on the Proxies tab and you’ll see a bunch of different protocols you can configure.
For example, if you click on Web Proxy (HTTP), you’ll be able to enter the proxy server IP address, port number, username and password. Google earth for mac free.
Check Proxy Settings in Linux
In Linux, it really depends on what distribution you are running. Mostly, though, it’s going to be some version of KDE or GNOME. For example, in Linux Mint Cinnamon, which is based heavily on GNOME, you would click on the button and then click on System Settings.
Next, you would scroll down to Hardware and then click on Networking.
Finally, if you click on Network Proxy, you can choose from Automatic or Manual.
This is pretty much the same procedure for Ubuntu also, which uses Unity and GNOME. It’ll be different if you are using a different desktop environment. If you have any questions, feel free to comment. Enjoy!