Defender troubleshooting mode
Troubleshooting mode makes it possible for local admins on the endpoint to override Antivirus policy on the device, including tamper protection. When enabled, it gives the admin a 3-hour window to do what was intended. After the 3-hour window, the settings are re-applied.
Enabling Troubleshooting mode
Go to the Device page in Microsoft 365 Defender, click on the 3 dots menu item and select troubleshooting mode.
In the Device action center we can see the following entry
- Windows 10 (version 19044.1618 and above)
- Windows Server 2019
- Windows Server 2022
- Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.
- The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 and above.
Hunting for events
// Use the following ActionType and the DeviceEvents table
DeviceEvents
| where ActionType == "AntivirusTroubleshootModeEvent"
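A fuller version of that hunt, added here as an example and not taken from the original post: it reads the state details out of AdditionalFields and summarises per device, so repeated use of the 3-hour override window stands out for review. The keys read from AdditionalFields (TroubleshootingState, TroubleshootingStateChangeReason, TroubleshootingStateChangeSource, TroubleshootingStartTime, TroubleshootingEndTime) and the event-count threshold are assumptions to verify against a live event in your tenant.

```kql
// Added example, not part of the original post. Timestamp, DeviceId, DeviceName,
// ActionType and AdditionalFields are standard DeviceEvents columns; the keys
// extracted from AdditionalFields below are assumed from the event payload and
// should be checked against a real AntivirusTroubleshootModeEvent first.
let lookback = 30d;
let ts_events = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusTroubleshootModeEvent"
    | extend Props = parse_json(AdditionalFields)
    | extend
        TsState      = tostring(Props.TroubleshootingState),
        ChangeReason = tostring(Props.TroubleshootingStateChangeReason),
        ChangeSource = tostring(Props.TroubleshootingStateChangeSource),
        StartTime    = todatetime(Props.TroubleshootingStartTime),
        EndTime      = todatetime(Props.TroubleshootingEndTime);
// One row per device: how often the mode was toggled, from where and why,
// and the longest window seen. Each activation suspends tamper protection for
// up to 3 hours, so every row should map to a known support case.
ts_events
| summarize
    Events        = count(),
    States        = make_set(TsState),
    Sources       = make_set(ChangeSource),
    Reasons       = make_set(ChangeReason),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp),
    LongestWindow = max(EndTime - StartTime)
    by DeviceId, DeviceName
// Threshold is an assumption: tune it to how often your helpdesk legitimately
// uses troubleshooting mode on a single device within the lookback period.
| extend RepeatedUse = Events > 2
| order by Events desc, LastSeen desc
```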