Zscaler connector winhttp and defender


We are facing an implementation issue and we are seeking for some advices.
We are currently deploying some security software (Defender, intune / win10) and we like that theirs respectives services will be able to talk to the defender server and Intune server regardless of user logged in or not.

We have Zscaler Connector, and the services will use winhttp proxy in system context to communicate with microsoft server.

We are thinking about setting winhttp proxy to localhost:9000. but we fear that it will be unreachable when no user is logged in. so defender services and intunes services will be unavailable without reaching the MS endpoints.

We faced another, issue where ideally we would like to have winhttp proxy set to while on trusted site, and winhttp proxy set to while off site.

Do you faced this kind of issues ? If so what’s the best practices did you implement ?

All opinions would be welcome…
(I have a support ticket open but for the moment no real answer)


@sperson did you get any fix for this? We have the same issue - deploying defender on VDI with a zscaler connector.

We have a .pac file on the desktop machines for user traffic, but because Defender uses SYSTEM/LocalSystem traffic , it doesn’t appear to work. I have exhausted the MS documentation that involves configuring a winhttp proxy on the system (doesn’t work) and setting the ‘Connected User Experience and Telemetry’ and ‘Disable Authenticated Proxy’ usage - these are the two options for Registry based proxy configuration covered under ‘Network requirements’ for Defender. We have not had any response from zscaler on how their appliances handle local system traffic (which is unauthenticated, I assume).

we are using registry settings as mentioned here : Configure device proxy and Internet connection settings - Windows security | Microsoft Docs

this settings :
The policy sets two registry values TelemetryProxyServer as REG_SZ and DisableEnterpriseAuthProxy as REG_DWORD under the registry key HKLM\Software\Policies\Microsoft\Windows\DataCollection .

because : “When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can’t access the defined proxy.”

so we assume that if a proxy is reachable it will be used otherwise we go direct.
regarding Zscaler, as we didn’t managed to handle user authentification from system context we go direct.
we digged the dedicated port path, or authentication bypass but our tenant settings won’t fit requirements for this scenarios