Microsoft Defender for Endpoint 'Troubleshooting Mode' Previewed
Microsoft on Tuesday announced a public preview of "troubleshooting mode" for Microsoft Defender for Endpoint, which is used to protect devices.
Troubleshooting mode gives IT pros three hours to conduct tests while overriding Microsoft Defender Antivirus security configurations on a device. It even overrides the tamper protection capability for testing purposes, the announcement explained.
IT pros can make policy changes while in troubleshooting mode, but those changes will only take effect after the three-hour period ends, according to this Microsoft "Get Started" document.
IT pros might want to use troubleshooting mode to investigate things such as:
- An inability to install an application
- The application takes longer than usual to perform an action
- A Microsoft Office plugin gets blocked by Attack Surface Reduction
- A domain gets blocked by Network Protection
- High CPU use happens when Windows Defender antivirus is active
Microsoft described those troubleshooting mode scenarios in this document. Some possible advanced hunting queries to use are listed in this document.
Troubleshooting mode produces diagnostic files for analysis that can be accessed via the "Collect Investigation Package" feature.
IT pros with "Manage Security settings permissions" can initiate troubleshooting mode from the Microsoft 365 Defender portal for a device or devices. It's turned off by default, though. Local administrators have the permissions to configure Microsoft Defender Antivirus settings in troubleshooting mode, but they can't disable or uninstall Microsoft Defender Antivirus.
Using troubleshooting mode requires specific versions of the Windows 10 or Windows 11 client operating systems, or of Windows Server 2019 or Windows Server 2022.
Troubleshooting mode is described as "exclusively an Enterprise-only feature, and requires Microsoft 365 Defender access."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.