Configure device proxy and Internet connection settings
Microsoft Defender for Endpoint
Microsoft 365 Defender
The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service.
The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Defender for Endpoint cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) browsing proxy settings and can only discover a proxy server by using the following discovery methods:
Web Proxy Auto-discovery Protocol (WPAD)
If you’re using Transparent proxy or WPAD in your network topology, you don’t need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see Enable access to Defender for Endpoint service URLs in the proxy server.
Manual static proxy configuration:
WinHTTP configured using netsh command: Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy for Defender for Endpoint detection and response (EDR) sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not permitted to connect to the Internet.
The static proxy is also configurable through Group Policy (GP). The group policy can be found under:
Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service.
Set it to Enabled and select Disable Authenticated Proxy usage.
Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry:
Configure the proxy
Configure authenticated proxy usage for the connected user experience and the telemetry service
Configure connected user experiences and telemetry
servername or ip:port For example: (REG_SZ)
Configure a static proxy for Microsoft Defender Antivirus
Microsoft Defender Antivirus cloud-delivered protection provides near-instant, automated protection against new and emerging threats. Note that connectivity is required for custom indicators when Defender Antivirus is your active antimalware solution, and for EDR in block mode even when using a non-Microsoft solution as the primary antimalware solution.
Configure the static proxy using the Group Policy found here:
Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy server for connecting to the network.
Set it to Enabled and define the proxy server. Note that the URL must have either or. For supported versions for, see Manage Microsoft Defender Antivirus updates.
Under the registry key HKLM\Software\Policies\Microsoft\Windows Defender, the policy sets the registry value ProxyServer as REG_SZ.
The registry value ProxyServer takes the following string format:
For resiliency purposes and the real-time nature of cloud-delivered protection, Microsoft Defender Antivirus will cache the last known working proxy. Ensure your proxy solution does not perform SSL inspection as this will break the secure cloud connection.
Microsoft Defender Antivirus will not use the static proxy to connect to Windows Update or Microsoft Update for downloading updates. Instead, it will use a system-wide proxy if configured to use Windows Update, or the configured internal update source according to the configured fallback order.
If required, you can use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define proxy auto-config () for connecting to the network if you need to set up advanced configurations with multiple proxies. Use Administrative Templates > Windows Components > Microsoft Defender Antivirus > Define addresses to bypass proxy server to prevent Microsoft Defender Antivirus from using a proxy server for those destinations.
You can also use PowerShell with the Set-MpPreference cmdlet to configure these options:
Configure the proxy server manually using netsh command
Use netsh to configure a system-wide static proxy.
This will affect all applications including Windows services which use WinHTTP with default proxy.
Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
Open an elevated command line:
Go to Start and type cmd.
Right-click Command prompt and select Run as administrator.
Enter the following command and press Enter:
netsh winhttp set proxy <proxy>:<port>
To reset the winhttp proxy, enter the following command and press Enter:
netsh winhttp reset proxy
See Netsh Command Syntax, Contexts, and Formatting to learn more.
Enable access to Microsoft Defender for Endpoint service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.
Spreadsheet of domains list
Spreadsheet of specific DNS records for service locations, geographic locations, and OS. Download the spreadsheet here.
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
In your firewall, open all the URLs where the geography column is WW. For rows where the geography column is not WW, open the URLs to your specific data location. To verify your data location setting, see Verify data storage location and update data retention settings for Microsoft Defender for Endpoint.
is only needed if you have Windows devices running version 1803 or earlier.
URLs that include v20 in them are only needed if you have Windows devices running version 1803 or later. For example, is needed for a Windows device running version 1803 or later and onboarded to US Data Storage region.
If you are using Microsoft Defender Antivirus in your environment, see Configure network connections to the Microsoft Defender Antivirus cloud service.
If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
Microsoft Monitoring Agent (MMA) – proxy and firewall requirements for older versions of Windows client or Windows Server
The information below lists the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
Bypass HTTPS inspection
Because this is a cloud-based solution, the IP range can change. It’s recommended that you move to a DNS resolving setting.
Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements
See the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows.
Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see Onboard previous versions of Windows on Defender for Endpoint and Onboard Windows servers).
Ensure the machine is successfully reporting into the Microsoft 365 Defender portal.
Run the tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace.
Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (refer to the Service URLs Spreadsheet).
The wildcards (*) used in *, *, and * URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft 365 Defender portal.
The * URL endpoint can be replaced with the URLs shown in the “Firewall Rule: *” section of the test results.
In the case of onboarding via Azure Defender, multiple workspaces may be used. You will need to perform the procedure above on an onboarded machine from each workspace (to determine if there are any changes to the * URLs between the workspaces).
Verify client connectivity to Microsoft Defender for Endpoint service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs.
Download the Microsoft Defender for Endpoint Client Analyzer tool to the PC where the Defender for Endpoint sensor is running.
Extract the contents of on the device.
Open an elevated command-line:
Replace HardDrivePath with the path where the MDEClientAnalyzer tool was downloaded to, for example:
Extract the file created by tool in the folder used in the HardDrivePath.
Open and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
Testing URL: 1 – Default proxy: Succeeded (200)
2 – Proxy auto discovery (WPAD): Succeeded (200)
3 – Proxy disabled: Succeeded (200)
4 – Named proxy: Doesn’t exist
5 – Command line proxy: Doesn’t exist
If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in Enable access to Defender for Endpoint service URLs in the proxy server. The URLs you’ll use will depend on the region selected during the onboarding procedure.
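As an added example (not part of the original article or of the analyzer tool), the following Python applies the rule above to saved result text: a URL is reachable if any method returns 200, and URLs that succeed only with the proxy disabled are flagged separately, because the device then reaches the service directly rather than through the configured proxy. The sample text, its placeholder hosts and the "Failed (NNN)" wording for errors are constructed assumptions.

```python
import re

# Constructed sample in the layout shown above. Hosts are placeholders and the
# "Failed (NNN)" wording for errors is an assumption about the tool's output.
SAMPLE = """\
Testing URL: https://service-a.example.invalid/ping
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
Testing URL: https://service-b.example.invalid/ping
1 - Default proxy: Failed (407)
2 - Proxy auto discovery (WPAD): Failed (407)
3 - Proxy disabled: Succeeded (200)
Testing URL: https://service-c.example.invalid/ping
1 - Default proxy: Failed (403)
2 - Proxy auto discovery (WPAD): Failed (403)
3 - Proxy disabled: Failed (403)
"""

URL_RE = re.compile(r"^\s*Testing URL\s*:\s*(\S+)")
# "<n> - <method>: <result>", accepting a hyphen or an en dash after the number.
METHOD_RE = re.compile(r"^\s*\d+\s*[-\u2013]\s*(.+?):\s*(.+?)\s*$")
STATUS_RE = re.compile(r"\((\d{3})\)")


def parse_results(text):
    """Return {url: {method: http_status or None}} from analyzer result text."""
    results, current = {}, None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            current = results.setdefault(m.group(1), {})
            continue
        m = METHOD_RE.match(line)
        if m and current is not None:
            status = STATUS_RE.search(m.group(2))
            current[m.group(1)] = int(status.group(1)) if status else None
    return results


def classify(methods):
    """Apply the rule above: one method returning 200 is enough to reach the URL."""
    working = [name for name, code in methods.items() if code == 200]
    if not working:
        return "unreachable"
    if working == ["Proxy disabled"]:
        return "direct-only"  # succeeds only when the proxy is bypassed
    return "ok"


def summarize(text):
    """Return {url: "ok" | "direct-only" | "unreachable"} for every tested URL."""
    return {url: classify(m) for url, m in parse_results(text).items()}


if __name__ == "__main__":
    for url, verdict in summarize(SAMPLE).items():
        print(f"{verdict:12} {url}")
```

A "direct-only" verdict is worth following up even though the sensor can connect, since it shows the proxy path itself is being refused.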
The Connectivity Analyzer tool cloud connectivity checks are not compatible with Attack Surface Reduction rule Block process creations originating from PSExec and WMI commands. You will need to temporarily disable this rule to run the connectivity tool. Alternatively, you can temporarily add ASR exclusions when running the analyzer.
When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can’t access the defined proxy.
Configure system wide proxy setting – Stack Overflow
I am going to provide a somewhat unusual answer, because I’ve noticed that this particular ‘way’ of solving this problem has (for some reason) not crossed people’s minds so far.
If you want to really make all apps without exception send internet traffic through your proxy, you are going to have to use a special technology known as TUN/TAP devices.
In short, these are special drivers, which when installed appear to a system as a network adapter (just like your local Ethernet or Wireless card), but they are in fact built in such a way so as to be easy to control from a software level.
Basically, when you install such a driver on the system, the system now regards that device as a fully functional Network Adapter. Therefore, if you now set this network adapter as the default gateway, all apps (without knowing it or being able to prevent it) will automatically pass through it, the same way as all apps pass through a generic Wireless Adapter / Ethernet.
Now that you have a basic idea of what redirecting system traffic through a TAP/TUN device means, there are a couple of ways of doing this.
Before I start, I really recommend that even if you stray from the suggested resources here, you stick to using OpenVPN’s open source TAP device, since it has been extensively tested and confirmed to work on many systems, and is very widely used now (Some basics are available at, and I trust you should find it embedded in any latest version of OpenVPN, the only files you need are the compiled drivers (), you don’t need to have the entirety of OpenVPN installed to use them).
The project that instantly comes to mind when thinking of using SOCKS proxies as the endpoint of a TAP device is badvpn/tun2socks. The project basically does exactly what is outlined here, so I definitely recommend you read the source code, or use it as a standalone utility (If you need some help with usage, I suggest you check out this wiki page).
First of all, speaking of compatibility, performance and bugs, there are no drawbacks of using this approach at all, it is if anything more reliable and easier to use than even the ways of doing this provided by the system.
The only two drawbacks I can see at this point would be:
You have to be careful to make sure whatever proxy/intermediate host you are using, it is capable of handling at least the majority of system traffic, because if an app sends incompatible internet traffic, it will still be redirected through the TAP device (that is its purpose).
The code base may be larger than in other cases
If you are interested in only setting this proxy for Firefox, there are a couple of unclean ways of doing this: For instance, via the command line. It is, however (in my opinion), a very cheap and dirty way of achieving this, as this does not provide any compatibility whatsoever (basically a hack).
While implementing this may take a while, and the code base may be large:
It is not really possible, through any other means to achieve the same effect as VPNs achieve when they tunnel the entirety of your machine’s traffic through the OpenVPN server.
If you want to achieve this kind of behavior, it is recommended that you use the approach outlined above, as it is a lot cleaner than ‘alternative’ methods of doing so (e.g. Socksifying traffic by intercepting it at a software level).
How to Configure a Proxy Server on Windows – HowToGeek
Configure a proxy server on Windows, and Windows applications will send your network traffic through the proxy server. For example, you may need to use a proxy server provided by your employer.
Generally, you’ll use a proxy if your school or work provides it to you. You could also use a proxy to hide your IP address or access geoblocked websites that aren’t available in your country, but we recommend a VPN for that instead. If you need to set up a proxy for school or work, get the necessary credentials from them and read on.
The settings you choose will be used for Microsoft Edge, Google Chrome, Internet Explorer, and other applications that use your system proxy settings. Some applications, including Mozilla Firefox, allow you to set custom proxy settings that override your system settings. Here’s how to set up a system-wide proxy in Windows 10, 8, and 7.
Windows 8 and 10
On Windows 10, you’ll find these options under Settings > Network & Internet > Proxy. On Windows 8, the same screen is available at PC Settings > Network Proxy.
The settings here apply when you’re connected to Ethernet and Wi-Fi network connections, but won’t be used when you’re connected to a VPN.
By default, Windows attempts to automatically detect your proxy settings with the “Automatically detect settings” option. Specifically, Windows uses the Web Proxy Auto-Discovery Protocol, or WPAD. Business and school networks may use this feature to automatically provide proxy settings to all PCs on their networks. If the network you’re connected to requires a proxy and it provides that proxy via WPAD, Windows will automatically configure and use the proxy. If the network doesn’t provide a proxy, it won’t use a proxy at all.
If you don’t want Windows to automatically detect proxy settings, set the “Automatically detect settings” option here to “Off”. Windows will then only use a proxy if you configure one under Manual proxy setup.
In some cases, you may need to manually enter the address of a setup script for your proxy configuration. To do so, enable the “Use setup script” option here. Plug the network address of the script into the “Script address” box, and click “Save”. This script may also be referred to as a file.
Your organization or proxy provider will provide you with the address of the setup script, if you need one.
To enter manual proxy settings, enable “Use a proxy server” under Manual proxy setup. Enter the address of the proxy server and the port it uses in the “Address” and “Port” box.
Your organization or proxy service provider will provide you with the network address and port number the proxy requires.
When you connect to any address, Windows will send the traffic through the proxy server. However, you can configure a list of addresses that Windows won’t use the proxy server for. By default, the list includes only *. The asterisk is a wildcard and means “anything”. So, if you attempt to connect to,, or anything else that ends with, Windows will bypass the proxy and connect directly.
You can add more entries to this list. Just separate each with a semicolon (;) and a space. For example, let’s say you wanted to bypass the proxy when connecting to You’d enter:
You can also check the “Don’t use the proxy server for local (intranet) addresses”. Windows will bypass the proxy server when you connect to resources on your local network, or intranet. When you connect to addresses on the Internet, Windows will use the proxy server.
Click “Save” when you’re done to change your proxy settings.
On Windows 7, you can change your proxy through the Internet Settings dialog. You can also use this dialog on Windows 8 and 10, if you like. Both interfaces change the same system-wide setting.
First, open the Internet Options window. You’ll find it at Control Panel > Network and Internet > Internet Options. You can also click the Tools menu in Internet Explorer and select “Internet Options” to open it.
Click the “Connections” tab at the top of the Internet Options window. Click the “LAN Settings” button at the bottom of the window.
The “Automatically detect settings” option is enabled by default. When this option is enabled, Windows will attempt to automatically discover a proxy with the Web Proxy Auto-Discovery Protocol, or WPAD. If no proxy is provided by your network, none will be used. Disable this option to prevent Windows from using WPAD to automatically configure your proxy settings.
The “Use automatic configuration script” option allows you to enter the address of an automatic proxy configuration script. This address will be provided by your organization or proxy provider, if you need it.
The “Use a proxy server for your LAN” checkbox will allow you to manually enable and configure a proxy. Check it and enter the network address and port of the proxy below. The organization providing your proxy server will provide you with these details.
By default, Windows will automatically send all traffic through the proxy, including traffic to addresses on your local network, or intranet. To always bypass the proxy server when connecting to these local addresses, enable the “Bypass proxy server for local addresses” checkbox. Applications will bypass the proxy and connect directly to resources on your local network, but not Internet addresses.
Click the “Advanced” button under Proxy Server if you want to change advanced settings when enabling a manual proxy server.
The Servers section here allows you to set a different proxy server for HTTP, Secure (HTTPS), FTP, and SOCKS protocols. By default, the “Use the same proxy server for all protocols” box is checked. If you know you need to use a different proxy server for different types of connections, uncheck this box and enter the details you require here. This isn’t common.
The Exceptions section allows you to provide a list of addresses Windows will bypass the proxy for. By default, it only includes *. The asterisk here is known as a “wildcard” and matches everything. This means that any address ending with “”, including and, will be accessed directly.
If you like, you can enter additional addresses. Use a semicolon (;) and a space to separate each entry in the list. For example, if you also wanted to access directly without going through the proxy, you’d enter:
When you attempt to connect to, Windows would then make a direct connection to without going through the proxy server.
Click “OK” to save your changes.
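The exceptions list described above (and in the Windows 8 and 10 section) decides which hosts skip the proxy, so it is worth reviewing before saving. The Python below is an added example, not code from the original article: it uses a simplified model of the wildcard rule as the article states it (an asterisk matches anything), not Windows' own matcher, and every hostname and list entry in it is constructed.

```python
import re

# Constructed exceptions string in the "entry; entry" form described above.
RAW = "*.corp.example; intranet.example; *partner.example; *.test"


def parse_bypass_list(raw):
    """Split the semicolon-separated string into lowercase patterns."""
    return [p.strip().lower() for p in raw.split(";") if p.strip()]


def _regex(pattern):
    # Only "*" is special ("anything"); every other character is literal.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def matching_entry(host, patterns):
    """Return the first entry that would send `host` direct, or None if proxied."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if re.fullmatch(_regex(pattern), host):
            return pattern
    return None


def audit(patterns):
    """Map each over-broad leading-wildcard entry to the reason it is flagged."""
    findings = {}
    for pattern in patterns:
        if not pattern.startswith("*"):
            continue
        literal = pattern.lstrip("*")
        if not literal.strip("."):
            findings[pattern] = "matches every host"
        elif not literal.startswith("."):
            findings[pattern] = "wildcard is not anchored at a dot"
        elif literal.count(".") < 2:
            findings[pattern] = "exempts an entire top-level suffix"
    return findings


if __name__ == "__main__":
    entries = parse_bypass_list(RAW)
    for host in ("wiki.corp.example", "corp.example",
                 "notpartner.example", "www.example.org"):
        print(f"{host:22} -> {matching_entry(host, entries) or 'via proxy'}")
    for entry, reason in audit(entries).items():
        print(f"review {entry!r}: {reason}")
```

Entries reported by audit() bypass the proxy, and any filtering or logging done there, for more hosts than the name suggests.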
If there’s a problem with the proxy server—for example, if the proxy server goes down or if you enter the proxy server details incorrectly—you’ll see a proxy server-related network error message in the applications you use. You’ll need to return to your proxy server settings and fix any problems.