Troubleshooting mode makes it possible for local admins on the endpoint to override Antivirus policy on the device, including tamper protection. When enabled, it gives the admin a 3-hour window to do what was intended. After the 3-hour window, the settings are re-applied.
Enabling Troubleshooting mode
Go to the Device page in Microsoft 365 Defender, click the three-dots menu and select troubleshooting mode.
In the Device action center we can see the following entry
- Windows 10 (version 19044.1618 and above), Windows Server 2019, or Windows Server 2022
- Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.
- The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 and above.
Hunting for events
// Use the following ActionType and the DeviceEvents table
DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
| project Timestamp, DeviceName, ActionType, AdditionalFields
| order by Timestamp desc
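Once the hunting query above has been exported, the interesting question for a reviewer is which devices currently have an open override window and what happened on them while policy could be changed. The following Python script is an added example, not code from the original post or from Microsoft: it takes rows shaped like an exported DeviceEvents result (the column names Timestamp, DeviceName, ActionType and AdditionalFields are real DeviceEvents columns), treats each AntivirusTroubleshootModeEvent as the start of the 3-hour window, and lists the other events that fell inside that window. The hostnames, times and the JSON inside AdditionalFields are constructed sample values, and the window is computed from the event time alone, which is an assumption of this example rather than something the product reports.

```python
import json
from datetime import datetime, timedelta, timezone

# From the post: the ActionType to hunt for and the 3-hour override window.
TROUBLESHOOT_ACTION = "AntivirusTroubleshootModeEvent"
WINDOW = timedelta(hours=3)

# Constructed sample rows shaped like an exported DeviceEvents result set.
# Timestamp, DeviceName, ActionType and AdditionalFields are real DeviceEvents
# columns; the hostnames, times and AdditionalFields JSON are made up here.
SAMPLE_ROWS = [
    {"Timestamp": "2024-05-01T09:00:00Z", "DeviceName": "ws01.corp.example",
     "ActionType": "AntivirusTroubleshootModeEvent",
     "AdditionalFields": json.dumps({"sample": "constructed"})},
    {"Timestamp": "2024-05-01T09:05:00Z", "DeviceName": "ws01.corp.example",
     "ActionType": "AntivirusDetection", "AdditionalFields": "{}"},
    {"Timestamp": "2024-05-01T13:30:00Z", "DeviceName": "srv02.corp.example",
     "ActionType": "AntivirusTroubleshootModeEvent", "AdditionalFields": "{}"},
    {"Timestamp": "2024-05-01T17:00:00Z", "DeviceName": "srv02.corp.example",
     "ActionType": "AntivirusDetection", "AdditionalFields": "{}"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in exported hunting results."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def troubleshoot_windows(rows):
    """Map each device to the (start, expiry) override windows opened on it.

    Every AntivirusTroubleshootModeEvent row is treated as the start of a
    3-hour window, after which policy (including tamper protection) is re-applied.
    """
    windows = {}
    for row in rows:
        if row["ActionType"] != TROUBLESHOOT_ACTION:
            continue
        start = parse_ts(row["Timestamp"])
        windows.setdefault(row["DeviceName"], []).append((start, start + WINDOW))
    return windows


def open_windows(rows, now):
    """Return the set of devices whose override window is still open at `now`."""
    return {
        device for device, spans in troubleshoot_windows(rows).items()
        if any(start <= now < expiry for start, expiry in spans)
    }


def events_during_windows(rows):
    """Return (device, timestamp, action) for non-troubleshooting events that
    happened while that device's override window was open: the activity a
    reviewer should examine, since AV policy could have been changed then."""
    windows = troubleshoot_windows(rows)
    hits = []
    for row in rows:
        if row["ActionType"] == TROUBLESHOOT_ACTION:
            continue
        ts = parse_ts(row["Timestamp"])
        for start, expiry in windows.get(row["DeviceName"], []):
            if start <= ts < expiry:
                hits.append((row["DeviceName"], row["Timestamp"], row["ActionType"]))
                break
    return hits


if __name__ == "__main__":
    for device, spans in troubleshoot_windows(SAMPLE_ROWS).items():
        for start, expiry in spans:
            print(f"{device}: troubleshooting mode from {start:%H:%M} until {expiry:%H:%M} UTC")
    for device, ts, action in events_during_windows(SAMPLE_ROWS):
        print(f"review: {action} on {device} at {ts} (inside override window)")
```

With the sample rows, ws01 has an open window from 09:00 to 12:00 UTC and the AntivirusDetection at 09:05 is flagged for review, while the srv02 event at 17:00 falls after its 16:30 expiry and is not. The same functions can be pointed at a real export to check that every troubleshooting-mode activation matches an expected request in the Device action center.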