Disconnected Environments Revisited


Back in 2023, I wrote about deploying Microsoft Defender for Endpoint (MDE) in disconnected environments, covering why proxies were necessary and how to make them work. Fast forward to 2025, and the core message hasn't changed: Defender for Endpoint is a cloud-powered security solution, and you need to give it a way to reach the cloud if you want the best protection. The good news? Microsoft has made connectivity easier with Streamlined Connectivity, but proxies are still a key tool in getting Defender working in restricted networks. Let’s break it down.
What’s Changed?
Since 2023, Microsoft has dramatically reduced the number of URLs needed for allow-listing, consolidating Defender for Endpoint’s cloud endpoints into a much smaller set. Instead of dealing with a long list of domains, most organizations now only need to allow *.endpoint.security.microsoft.com and a few others. Microsoft also introduced static IP ranges and Azure service tags, making firewall configurations much more manageable.
For organizations with disconnected networks, these changes mean fewer headaches when setting up proxy rules. But even with these improvements, you still need a path to the cloud—and that’s where proxies remain essential.
Why Proxies Still Matter
Many organizations don’t allow direct internet access from endpoints, especially in high-security environments. A proxy allows MDE to connect to Microsoft’s cloud while maintaining network control. This isn’t a security compromise; it’s a smart way to ensure MDE can leverage AI-driven protection and real-time threat intelligence without opening the floodgates.
To make it work, you need to:
Use a system-wide proxy configuration (WinHTTP) so Defender can always communicate, even when no user is logged in.
Allow required Microsoft endpoints without SSL inspection; Defender uses certificate pinning, and inspecting traffic will break its connection.
Ensure outbound connections don’t require user authentication, since Defender’s telemetry is sent by the system, not a logged-in user.
With a properly configured proxy, you get full cloud protection without sacrificing security.
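As an added example (not code from the original post), here is how the three requirements above translate into a PowerShell configuration and connectivity check on a Windows endpoint. The proxy address, bypass names and probe hostname are placeholders; the DataCollection policy key is the registry-based static proxy that the Defender for Endpoint sensor reads.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Placeholders (replace for your
# environment): the proxy host 'proxy.corp.example:8080', the internal bypass
# names, and the probe hostname under *.endpoint.security.microsoft.com.

$ProxyServer = 'proxy.corp.example:8080'      # placeholder proxy host:port
$BypassList  = '<local>;*.corp.example'       # placeholder names that skip the proxy
$ProbeUrl    = 'https://PLACEHOLDER.endpoint.security.microsoft.com/'  # placeholder host

# 1. Machine-wide WinHTTP proxy. System services, including the Defender sensor,
#    use this setting even when nobody is logged on; per-user browser proxy
#    settings (WinINET) are not enough.
& netsh winhttp set proxy "proxy-server=$ProxyServer" "bypass-list=$BypassList"

# 2. Static proxy read by the Defender for Endpoint sensor, plus the policy that
#    tells the telemetry service not to depend on an authenticated user proxy.
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
New-Item -Path $dc -Force | Out-Null
Set-ItemProperty -Path $dc -Name 'TelemetryProxyServer' -Value $ProxyServer -Type String
Set-ItemProperty -Path $dc -Name 'DisableEnterpriseAuthProxy' -Value 1 -Type DWord

# 3. Verify the path. Any HTTP status back from the endpoint (even 4xx) shows the
#    proxy forwarded the TLS connection end to end; a certificate-trust error
#    usually means the proxy is inspecting TLS, which breaks Defender's pinning.
function Test-MdeProxyPath {
    param([string]$Url, [string]$Proxy)
    try {
        $r = Invoke-WebRequest -Uri $Url -Proxy "http://$Proxy" -UseBasicParsing `
                               -Method Head -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Reachable = $true; Status = [int]$r.StatusCode; Error = $null }
    } catch {
        $resp   = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { $null }
        [pscustomobject]@{ Url = $Url; Reachable = ($null -ne $status); Status = $status
                           Error = $_.Exception.Message }
    }
}

netsh winhttp show proxy
Test-MdeProxyPath -Url $ProbeUrl -Proxy $ProxyServer | Format-List
```

Run it from an elevated session on a test device first; a Reachable value of $false with a trust or handshake error in Error is the usual sign that the proxy is still inspecting or authenticating Defender traffic.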
Airgapped Environments Need a Different Approach
If your environment is fully airgapped (no internet at all), then cloud-based protection just isn’t an option. Defender for Endpoint isn’t designed for fully offline use, and while you can keep Defender Antivirus running with offline signature updates, you lose out on AI-driven threat detection, EDR, and cloud analytics.
For true airgap scenarios, your focus should be on offline update mechanisms (WSUS, Configuration Manager) and strict network segmentation to prevent lateral movement. But if there’s even a tiny opportunity to establish controlled, intermittent connectivity (say, syncing telemetry weekly), it’s worth doing.
Let’s Talk About Trust
One of the biggest pushbacks I still hear is trust. Some organizations hesitate to open a proxy for Defender’s cloud security, despite already trusting Microsoft with their emails (Exchange Online), files (SharePoint and OneDrive), and collaboration (Teams). If your business-critical data already lives in Microsoft’s cloud, why would you suddenly draw the line at security telemetry?
Defender for Endpoint sends security signals, not sensitive business data. It’s about identifying threats, improving detection, and keeping your environment safe. If your security model is still based on “we don’t trust cloud security,” it might be time to rethink that stance.
Best Practices for 2025
If you’re operating in a disconnected or hybrid network, here’s what you should be doing:
Use the new streamlined allow-list instead of managing dozens of URLs.
Disable SSL inspection for Defender traffic; it’ll break functionality.
Use a dedicated proxy configuration so Defender always has cloud access.
Regularly check connectivity using the client analyzer tool.
Educate security teams: this isn’t about opening everything; it’s about controlled access to a trusted security cloud.
References:
Announcing a streamlined device connectivity experience for Microsoft Defender for Endpoint
Disconnected environments, proxies and Microsoft Defender for Endpoint
Defender for Endpoint and disconnected environments. Cloud-centric networking decisions
Written by
Brian Baldock
I’m Brian Baldock, a Senior Program Manager at Microsoft with over a decade of experience in cybersecurity, cloud technology, and Microsoft 365 deployments. My career has been shaped by a passion for solving complex technical challenges, driving digital transformation, and exploring the frontiers of AI and large language models (LLMs). Beyond my work at Microsoft, I spend my time experimenting in my home lab, writing about the latest in cybersecurity, and sharing blueprints to help others navigate the evolving digital landscape.