Defender troubleshooting mode

Troubleshooting mode makes it possible for local admins on the endpoint to override Antivirus policy on the device, including tamper protection. When enabled, it gives the admin a 3-hour window to do what was intended. After the 3-hour window, the settings are re-applied again.

Enabling Troubleshooting mode

Go to the Device page in Microsoft 365 Defender, click the three-dots menu item and select "Turn on troubleshooting mode".

In the Device action center we can then see the corresponding entry for the device.

Prerequisites

  • Windows 10 (version 19044.1618 and above)
  • Windows 11
  • Windows Server 2019
  • Windows Server 2022
  • Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.
  • The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 and above.
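A quick way to verify these prerequisites on the endpoint before relying on troubleshooting mode is the following PowerShell check. It is an added example, not code from the original post or from Microsoft; it uses the built-in Get-MpComputerStatus cmdlet and Win32_OperatingSystem. Assumptions on top of the post: the Windows 11 (22000+), Server 2019 (17763) and Server 2022 (20348) build numbers, and the "Sense" service plus the OnboardingState registry value as the indicator that the device is onboarded to Microsoft Defender for Endpoint.

```powershell
# Added example (not from the original post): check the troubleshooting mode
# prerequisites on the local device and report each one as pass/fail.
function Test-TroubleshootingModePrereqs {
    [CmdletBinding()]
    param()

    # OS build and update build revision (UBR), e.g. 19044.1618
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $ubr      = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server

    # Supported platforms from the post. The build numbers for Windows 11,
    # Server 2019 and Server 2022 are assumptions added here, not from the post.
    $osOk = $false
    if ($isServer) {
        $osOk = $build -in @(17763, 20348)          # Server 2019 / Server 2022
    } elseif ($build -ge 22000) {
        $osOk = $true                               # Windows 11
    } elseif ($build -eq 19044) {
        $osOk = $ubr -ge 1618                       # Windows 10 21H2 at 19044.1618 or later
    }

    # Defender Antivirus platform version and running state
    $mp          = Get-MpComputerStatus
    $avVersionOk = [version]$mp.AMProductVersion -ge [version]'4.18.2203'
    $avActive    = $mp.AMServiceEnabled -and $mp.AntivirusEnabled

    # Assumption: MDE onboarding is indicated by the Sense service running and
    # OnboardingState = 1 under the Windows Advanced Threat Protection status key.
    $sense      = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onboarding = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                      -ErrorAction SilentlyContinue
    $mdeOk = ($null -ne $sense -and $sense.Status -eq 'Running') -and ($onboarding.OnboardingState -eq 1)

    [pscustomobject]@{
        OSVersion        = "$build.$ubr"
        OSSupported      = $osOk
        AVVersion        = $mp.AMProductVersion
        AVVersionOk      = $avVersionOk
        AVRunningMode    = $mp.AMRunningMode      # shown for context; passive mode is not "active"
        AVActive         = $avActive
        MDEOnboarded     = $mdeOk
        TamperProtection = $mp.IsTamperProtected  # the setting troubleshooting mode will override
        AllPrereqsMet    = $osOk -and $avVersionOk -and $avActive -and $mdeOk
    }
}

Test-TroubleshootingModePrereqs
```

Run it in an elevated PowerShell session; AVRunningMode and TamperProtection are reported for context so that an admin knows what state the device is in before the 3-hour override begins.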

Hunting for events

// Troubleshooting mode activity is recorded in the DeviceEvents table under this ActionType
DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
| project Timestamp, DeviceName, ActionType, AdditionalFields
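Once the query results are exported, the useful follow-up question is which devices still have an open override window. The PowerShell below is an added example, not code from the original post: it reads an exported result set as JSON, keeps only the troubleshooting mode events and computes the expected end of each 3-hour window. The three sample rows are constructed, and the contents of AdditionalFields are an assumption to be checked against real tenant data.

```powershell
# Added example (not from the original post): post-process exported advanced hunting
# results and compute the 3-hour override window for each troubleshooting mode event.
# The rows below are constructed sample data, not real tenant output.
$sampleExport = @'
[
  { "Timestamp": "2024-05-01T08:15:00Z", "DeviceName": "ws-lab-01.contoso.local",
    "ActionType": "AntivirusTroubleshootModeEvent",
    "AdditionalFields": "{\"TroubleshootingState\":\"Started\"}" },
  { "Timestamp": "2024-05-01T08:16:00Z", "DeviceName": "ws-lab-01.contoso.local",
    "ActionType": "AntivirusDefinitionsUpdated", "AdditionalFields": "{}" },
  { "Timestamp": "2024-05-01T09:40:00Z", "DeviceName": "ws-lab-02.contoso.local",
    "ActionType": "AntivirusTroubleshootModeEvent",
    "AdditionalFields": "{\"TroubleshootingState\":\"Started\"}" }
]
'@

function Get-TroubleshootingModeWindows {
    param(
        [Parameter(Mandatory)] [string] $ExportJson,
        [datetime] $Now = [datetime]::UtcNow,   # evaluation time, overridable for testing
        [int] $WindowHours = 3                  # override window length stated in the post
    )

    $rows = $ExportJson | ConvertFrom-Json
    foreach ($row in ($rows | Where-Object ActionType -eq 'AntivirusTroubleshootModeEvent')) {
        $start = [datetimeoffset]::Parse($row.Timestamp).UtcDateTime
        $end   = $start.AddHours($WindowHours)
        [pscustomobject]@{
            DeviceName       = $row.DeviceName
            EventUtc         = $start
            WindowEndsUtc    = $end
            WindowStillOpen  = ($Now -ge $start -and $Now -lt $end)
            AdditionalFields = $row.AdditionalFields   # raw JSON; schema is an assumption
        }
    }
}

# Evaluate against a fixed time so the constructed sample gives a deterministic answer:
# ws-lab-01's window (08:15-11:15) is closed, ws-lab-02's (09:40-12:40) is still open.
Get-TroubleshootingModeWindows -ExportJson $sampleExport -Now ([datetime]'2024-05-01T11:30:00Z').ToUniversalTime() |
    Format-Table -AutoSize
```

Drop the -Now argument to evaluate against the current time; devices with WindowStillOpen set to True are the ones where a local admin can currently change Antivirus settings, including tamper protection.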

Happy Hunting!