diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index 0534d30935..1208f1a24d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -30,7 +30,10 @@ To onboard machines without Internet access, you'll need to take the following g
 Windows Server 2016 and earlier or Windows 8.1 and earlier.
 
 > [!NOTE]
-> An OMS gateway server can still be used as proxy for disconnected Windows 10 machines when configured via 'TelemetryProxyServer' registry or GPO.
+> An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO.
+For Windows 10 or Windows Server 2019 - you can use TelemetryProxyServer, but it must point to a standard proxy device or appliance.
+In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server. 
+For more information refer to: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files
 
 For more information, see the following articles:
 - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)