Onboard devices without Internet access to Microsoft Defender for Endpoint
For devices with no direct internet connection, a proxy solution is the recommended approach. For older Windows devices onboarded with the previous, MMA-based solution, the OMS Gateway provides an alternative. For more information about onboarding methods, see the following articles:
Important
- Windows or Windows Server in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
- For more information about updating CTLs offline, see Configure a file or web server to download the CTL files.
Devices running Windows 10 or later, Windows Server 2012 R2 or later, Linux and macOS
Depending on the operating system, the proxy used by Microsoft Defender for Endpoint can be configured either automatically (typically through proxy autodiscovery or an autoconfig file) or statically, specifically for the Defender for Endpoint services running on the device.
- For Windows devices, see Configure device proxy and Internet connectivity settings
- For Linux devices, see Configure Microsoft Defender for Endpoint on Linux for static proxy discovery
- For macOS devices, see Microsoft Defender for Endpoint on Mac
Windows devices running the previous MMA-based solution
Note
- An OMS gateway server cannot be used as a proxy for disconnected Windows or Windows Server devices when the proxy is configured via the 'TelemetryProxyServer' registry value or GPO.
- For Windows or Windows Server, you may use TelemetryProxyServer, but it must point to a standard proxy device or appliance.
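The static-proxy configuration described above for Windows devices, and the restriction in this note that TelemetryProxyServer must name a standard proxy, as an added PowerShell example (not code from the original page or from Microsoft). It writes the documented registry value, disables authenticated-proxy use for the telemetry service, and checks that the proxy port answers. The proxy host and port, and the function names, are assumptions for the illustration.

```powershell
# Added example: configure a static proxy for the Defender for Endpoint
# cloud-communication (telemetry) service on Windows and verify it.
# Registry path and value names are the documented ones for the Windows
# device proxy settings; proxy host/port below are constructed placeholders.
#Requires -RunAsAdministrator

$MdeProxyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Set-MdeStaticProxy {
    param(
        [Parameter(Mandatory)] [string] $ProxyHost,   # standard forward proxy, e.g. proxy.contoso.com (assumed)
        [Parameter(Mandatory)] [int]    $ProxyPort
    )
    if (-not (Test-Path $MdeProxyKey)) {
        New-Item -Path $MdeProxyKey -Force | Out-Null
    }

    # TelemetryProxyServer must be a standard proxy device or appliance
    # (host:port); an OMS/Log Analytics gateway is not accepted here.
    Set-ItemProperty -Path $MdeProxyKey -Name 'TelemetryProxyServer' `
        -Value "$ProxyHost`:$ProxyPort" -Type String

    # Disable authenticated-proxy use for the Connected User Experience and
    # Telemetry service so the static proxy is used without user credentials.
    Set-ItemProperty -Path $MdeProxyKey -Name 'DisableEnterpriseAuthProxy' `
        -Value 1 -Type DWord
}

function Test-MdeStaticProxy {
    param(
        [Parameter(Mandatory)] [string] $ProxyHost,
        [Parameter(Mandatory)] [int]    $ProxyPort
    )
    $props = Get-ItemProperty -Path $MdeProxyKey -ErrorAction Stop

    # This only proves the proxy listener is reachable from the device; it does
    # not prove the Defender for Endpoint service URLs are allowed through it.
    $reachable = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        TelemetryProxyServer       = $props.TelemetryProxyServer
        DisableEnterpriseAuthProxy = $props.DisableEnterpriseAuthProxy
        ProxyReachable             = $reachable
    }
}

# Usage (placeholder proxy):
Set-MdeStaticProxy  -ProxyHost 'proxy.contoso.com' -ProxyPort 8080
Test-MdeStaticProxy -ProxyHost 'proxy.contoso.com' -ProxyPort 8080
```

Run it elevated on the device; the returned object shows the configured value alongside the reachability result, so a mismatch between what was written and what the proxy actually accepts is visible in one place.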
- Set up Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as a proxy or hub:
- Azure Log Analytics Agent
- Install and configure the Microsoft Monitoring Agent (MMA) to point to the Defender for Endpoint workspace key and ID
Onboard previous versions of Windows
Azure virtual machines
For devices running the previous, MMA-based solution, set up Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as a proxy or hub:
- Azure Log Analytics Gateway
- Install and configure the Microsoft Monitoring Agent (MMA) to point to the Defender for Endpoint workspace key and ID
Offline Azure VMs in the same network as the OMS Gateway
- Configure the Azure Log Analytics Gateway IP address as the proxy
- Configure the Azure Log Analytics workspace key and ID
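The MMA configuration step above (agent reporting to the Defender for Endpoint workspace through a Log Analytics gateway), as an added PowerShell example that is not code from the original page or from Microsoft. It uses the agent's AgentConfigManager.MgmtSvcCfg COM object; the gateway address, its port (8080 is assumed as the gateway's default listener) and the workspace ID and key are placeholders, and the exact proxy-address form accepted by SetProxyInfo is an assumption to confirm against the agent documentation.

```powershell
# Added example: point the Microsoft Monitoring Agent (MMA) on a legacy
# Windows device at the Defender for Endpoint workspace via a Log Analytics
# (OMS) gateway, then report the agent's connection status.
# Gateway host/port and workspace ID/key are constructed placeholders.
#Requires -RunAsAdministrator

function Set-MmaWorkspaceViaGateway {
    param(
        [Parameter(Mandatory)] [string] $GatewayHost,        # Log Analytics gateway (assumed name)
        [int]                           $GatewayPort = 8080, # assumed default gateway listener port
        [Parameter(Mandatory)] [string] $WorkspaceId,        # '<WORKSPACE-ID-PLACEHOLDER>'
        [Parameter(Mandatory)] [string] $WorkspaceKey        # '<WORKSPACE-KEY-PLACEHOLDER>'
    )
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

    # The gateway is registered as the agent's proxy; the gateway, not the
    # device, talks to the Log Analytics endpoints. No proxy credentials used.
    # Argument form (host:port vs. URL) is an assumption; see the agent docs.
    $mma.SetProxyInfo("$GatewayHost`:$GatewayPort", '', '')

    # Add the workspace only if the agent does not already report to it.
    $existing = @($mma.GetCloudWorkspaces() |
        Where-Object { $_.workspaceId -eq $WorkspaceId })
    if ($existing.Count -eq 0) {
        $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    }
    $mma.ReloadConfiguration()
}

function Get-MmaWorkspaceStatus {
    param([Parameter(Mandatory)] [string] $WorkspaceId)
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $ws  = $mma.GetCloudWorkspace($WorkspaceId)
    # ConnectionStatusText is the agent's own human-readable state; a device
    # that cannot reach the gateway shows up here rather than in the portal.
    [pscustomobject]@{
        WorkspaceId          = $ws.workspaceId
        ConnectionStatus     = $ws.ConnectionStatus
        ConnectionStatusText = $ws.ConnectionStatusText
    }
}

# Usage with placeholders:
Set-MmaWorkspaceViaGateway -GatewayHost 'omsgw.contoso.local' `
    -WorkspaceId '<WORKSPACE-ID-PLACEHOLDER>' -WorkspaceKey '<WORKSPACE-KEY-PLACEHOLDER>'
Get-MmaWorkspaceStatus -WorkspaceId '<WORKSPACE-ID-PLACEHOLDER>'
```

Because the gateway must itself be allowed to reach the Log Analytics endpoints, a non-connected status on the device after this step usually points at the gateway's own outbound access rather than at the device.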
Microsoft Defender for Cloud
- Security Policy > Log Analytics Workspace
- Threat Detection > Allow Defender for Endpoint to access my data
For more information, see Working with security policies.
Note
Any client that has no access to the internet cannot be onboarded to Microsoft Defender for Endpoint. A client must either have access to the required URLs directly, or it must have access via a proxy.