Onboard devices without Internet access to Microsoft Defender for Endpoint


For devices with no direct internet connection, a proxy solution is the recommended approach. For older Windows devices onboarded using the previous, MMA-based solution, the OMS gateway solution provides an alternative approach. For more information about onboarding methods, see the following articles:


Devices running Windows 10 or later, Windows Server 2012 R2 or later, Linux and macOS

Depending on the operating system, the proxy used for Microsoft Defender for Endpoint can be configured automatically, typically through autodiscovery or an autoconfig file, or statically, with a setting specific to the Defender for Endpoint services running on the device.

Windows devices running the previous MMA-based solution


  • An OMS gateway server cannot be used as a proxy for disconnected Windows or Windows Server devices when the proxy is configured via the 'TelemetryProxyServer' registry setting or GPO.
  • On Windows or Windows Server, you may use TelemetryProxyServer, but it must point to a standard proxy device or appliance.

Onboard previous versions of Windows

Azure virtual machines


Any client that has no access to the internet cannot be onboarded to Microsoft Defender for Endpoint. A client must have access to the required URLs either directly or via a proxy.