You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Onboarding to Microsoft Defender for Endpoint is easy. From the navigation menu, select any item under the Endpoints section, or any Microsoft Defender XDR feature such as Incidents, Hunting, Action center, or Threat analytics to initiate the onboarding process.
72
+
Initiating Microsoft Defender for Endpoint tenant is easy. From the navigation menu, select any item under the Endpoints section, or any Microsoft Defender XDR feature such as Incidents, Hunting, Action center, or Threat analytics to start the tenant creation process.
73
73
74
74
From a web browser, navigate to the <ahref="https://go.microsoft.com/fwlink/p/?linkid=2077139"target="_blank">Microsoft Defender portal</a>.
75
75
76
76
## Data center location
77
77
78
-
Microsoft Defender for Endpoint will store and process data in the [same location as used by Microsoft Defender XDR](/defender-xdr/m365d-enable). If Microsoft Defender XDR has not been turned on yet, onboarding to Microsoft Defender for Endpoint will also turn on Microsoft Defender XDR and a new data center location is automatically selected based on the location of active Microsoft 365 security services. The selected data center location is shown on the screen.
78
+
Microsoft Defender for Endpoint stores and process data in the [same location as used by Microsoft Defender XDR](/defender-xdr/m365d-enable). If Microsoft Defender XDR hasn't been turned on yet, onboarding to Defender for Endpoint also turns on Defender XDR, and a new data center location is automatically selected based on the location of active Microsoft 365 security services. The selected data center location is shown on the screen.
79
79
80
80
## Network configuration
81
81
82
-
If the organization doesn't require the endpoints to use a Proxy to access the Internet, skip this section.
82
+
Ensure devices can connect to the Defender for Endpoint cloud services. The use of a proxy is recommended.
83
83
84
-
The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. The embedded Microsoft Defender for Endpoint sensor runs in the system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender for Endpoint cloud service. The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
84
+
[STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).
85
+
[STEP 2: Configure your devices to connect to the Defender for Endpoint service using a proxy](configure-proxy-internet.md).
86
+
[STEP 3: Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md).
85
87
86
-
-**Autodiscovery methods**:
87
-
- Transparent proxy
88
-
- Web Proxy Autodiscovery Protocol (WPAD)
89
-
90
-
If a Transparent proxy or WPAD has been implemented in the network topology, there is no need for special configuration settings. For more information on Microsoft Defender for Endpoint URL exclusions in the proxy, see the [Proxy Service URLs](production-deployment.md#proxy-service-urls) section in this document for the URLs allow list or on [Configure device proxy and Internet connectivity settings](configure-environment.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
91
-
92
-
-**Manual static proxy configuration**:
93
-
- Registry-based configuration
94
-
- WinHTTP configured using netsh command
95
-
96
-
Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy).
97
-
98
-
### Configure the proxy server manually using a registry-based static proxy
99
-
100
-
Configure a registry-based static proxy to allow only Microsoft Defender for Endpoint sensor to report diagnostic data and communicate with Microsoft Defender for Endpoint services if a computer isn't permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under:
101
-
102
-
- Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
103
-
- Set it to **Enabled** and select **Disable Authenticated Proxy usage**
104
-
105
-
1. Open the Group Policy Management Console.
106
-
2. Create a policy or edit an existing policy based off the organizational practices.
107
-
3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
108
-
109
-
:::image type="content" source="media/atp-gpo-proxy1.png" alt-text="The options related to configuration of the usage policy" lightbox="media/atp-gpo-proxy1.png":::
110
-
111
-
4. Select **Enabled**.
112
-
5. Select **Disable Authenticated Proxy usage**.
113
-
6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
114
-
115
-
:::image type="content" source="media/atp-gpo-proxy2.png" alt-text="The options related to configuration of the connected user experience and telemetry" lightbox="media/atp-gpo-proxy2.png":::
116
-
117
-
7. Select **Enabled**.
118
-
8. Enter the **Proxy Server Name**.
119
-
120
-
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
121
-
122
-
The registry value `TelemetryProxyServer` takes the following string format:
123
-
124
-
`<server name or ip>:<port>`
125
-
126
-
For example: 10.0.0.6:8080
127
-
128
-
The registry value `DisableEnterpriseAuthProxy` should be set to 1.
129
-
130
-
### Configure the proxy server manually using netsh command
131
-
132
-
Use netsh to configure a system-wide static proxy.
133
-
134
-
> [!NOTE]
135
-
>
136
-
> - This will affect all applications including Windows services which use WinHTTP with default proxy.
137
-
> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
138
-
139
-
1. Open an elevated command line:
140
-
1. Go to **Start** and type **cmd**.
141
-
1. Right-click **Command prompt** and select **Run as administrator**.
142
-
143
-
2. Enter the following command and press **Enter**:
144
-
145
-
```cmd
146
-
netsh winhttp set proxy <proxy>:<port>
147
-
```
148
-
149
-
For example: netsh winhttp set proxy 10.0.0.6:8080
150
-
151
-
### Proxy Configuration for down-level devices
152
-
153
-
Down-Level devices include Windows 7 SP1 and Windows 8.1 workstations as well as Windows Server 2008 R2, and other server operating systems that have been onboarded previously using the Microsoft Monitoring Agent. These operating systems will have the proxy configured as part of the Microsoft Management Agent to handle communication from the endpoint to Azure. Refer to the Microsoft Management Agent Fast Deployment Guide for information on how a proxy is configured on these devices.
154
-
155
-
### Proxy Service URLs
156
-
157
-
URLs that include v20 in them are only needed if you have Windows 10, version 1803 or Windows 11 devices. For example, `us-v20.events.data.microsoft.com` is only needed if the device is on Windows 10, version 1803 or Windows 11.
158
-
159
-
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs.
160
-
161
-
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
162
-
163
-
164
-
| Spreadsheet of domains list | Description |
165
-
|---------|---------|
166
-
|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <br/><br/> [Download the spreadsheet here](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx). |
167
-
| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <br/><br/> [Download the spreadsheet here](https://download.microsoft.com/download/6/a/0/6a041da5-c43b-4f17-8167-79dfdc10507f/mde-urls-gov.xlsx). |
88
+
In certain scenarios, you might want to allow traffic to IP addresses. Not all services are accessible in this way and you need to evaluate how to address this potential issue in your environment - for example, by centrally downloading then distributing updates. For more information, see [Option 2: Configure connectivity using static IP ranges](configure-device-connectivity.md#option-2-configure-connectivity-using-static-ip-ranges).
0 commit comments