Zscaler and Windows Defender on VDI

Hi

We are deploying Defender on VDI but it can’t fetch definition updates. We run a .pac file in IE for user traffic, which works fine. But Defender fetches updates under LocalSystem context, which isn’t working.

We have tried the following:
1/ Whitelist all URLs required by Defender: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus

2/ Tried configuring the ‘Manual static proxy configuration’ options listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/production-deployment - setting Zscaler as the WinHTTP proxy doesn’t work, and enabling ‘Disable Authentication’ against the GPO-based option doesn’t work either.

3/ Looking at Wireshark and Netmon - the only packets being sent by the MpCmdRun.exe service (Defender) are going to e11290.dsph.akamaedge and are SYN retransmit packets, presumably because they’re being dropped…

Has anyone else encountered the same problem here?

Hello David,

What tunnel settings are you using?

We were struggling for a long time with Defender definition updates. The final, and still working, solution was putting “au.download.windowsupdate.com” in the VPN Gateway bypass list in the ZCC App Profile. Sounds a little bit strange, but at least it solved our Defender update issues. We never managed to get it working by putting these URLs in PAC-file bypasses.

BR
Manuel

@manuel I’m informed that setting will not be applicable to our environment because we don’t have direct access to MS servers and we’re using a PAC file, not the Zapp client.

Ah ok, I see. I mistakenly assumed you are also using ZCC on the VDI.

Turns out Zscaler was not to blame. The Windows Update service needed to be running on the desktop, and the traffic was going via Zscaler fine. Leaving this here for posterity!
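The thread's root cause was the Windows Update service being stopped, not the proxy path. As an added example (not posted by anyone in this thread), the PowerShell below checks the two things a LocalSystem-context Defender update depends on: the wuauserv service and the machine-wide WinHTTP proxy (which, unlike the IE/PAC setting, is what LocalSystem processes use), then triggers a signature update and shows where Defender logs the attempt. It assumes it is run in an elevated session on the VDI desktop.

```powershell
# Added diagnostic script for the Defender-on-VDI scenario above.
# Assumption: run from an elevated PowerShell session on the VDI desktop.

# 1. Windows Update service (wuauserv): the fix the thread ended up with.
$wu = Get-Service -Name wuauserv
"wuauserv status: $($wu.Status) (start type: $($wu.StartType))"
if ($wu.Status -ne 'Running') {
    Start-Service -Name wuauserv
    "wuauserv was stopped; started it."
}

# 2. Machine-wide WinHTTP proxy. Services running as LocalSystem do not see
#    the per-user IE/PAC configuration, so this is the setting that matters.
#    'Direct access (no proxy server)' here means the VDI needs a direct route.
netsh winhttp show proxy

# 3. Signature state before the update attempt.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge

# 4. Trigger a signature update (same operation MpCmdRun.exe performs for the
#    scheduled task) and show the result.
Update-MpSignature -ErrorAction Continue
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# 5. Defender's own log of the update attempt, useful when the packet capture
#    only shows SYN retransmits and gives no application-level reason.
$log = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support\MpCmdRun.log'
if (Test-Path $log) {
    Get-Content $log -Tail 40
}

# 6. Recent Defender operational events (signature update success/failure land here).
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

If step 2 reports no proxy and the VDI has no direct internet route, the WinHTTP proxy is the setting to point at Zscaler rather than the user PAC file.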