Troubleshooting mode for Microsoft Defender for Endpoint now Generally Available!
Microsoft Defender for Endpoint offers the best possible protection when all capabilities, including tamper protection, are enabled and configured. Tamper protection is a strong safeguard against inadvertent changes to critical settings, but because it blocks those changes, getting the configuration just right for your organization's environment can require some adjustment. Introducing troubleshooting mode, a unique, innovative, and secure way to investigate and adjust configurations on your devices. This mode lets the local admin on the device temporarily override Microsoft Defender Antivirus security policy configurations on that device, including tamper protection.
Troubleshooting mode is initiated by a single-use command that is created for a single device and is time bound (the troubleshooting window is 3 hours). Once troubleshooting mode has expired, the security settings that were configured on the device before troubleshooting mode are restored, and any new policies that your security or IT admin created during troubleshooting mode are then applied (such new policies are held back while troubleshooting mode is active).
Additional diagnostic files will be available for collection after troubleshooting mode. Your security admin can collect the diagnostic files by using the Collect Investigation Package feature. The files include a before and after snapshot of the MpPreferences and the MpLogs during the troubleshooting window.
Prerequisites
- A device running Windows 10 (version 19044.1618 and above), Windows 11, Windows Server 2019, or Windows Server 2022.
- For troubleshooting mode to be applied, Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.
- The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 and above.
| Semester/Redstone | OS version | Release |
|---|---|---|
| 21H2/SV1 | >= 22000.593 | KB5011563 (Microsoft Update Catalog) |
| 20H1/20H2/21H1 | >= 19041.1620, >= 19042.1620, >= 19043.1620 | KB5011543 (Microsoft Update Catalog) |
| Server 2022 | >= 20348.617 | KB5011558 (Microsoft Update Catalog) |
| Server 2019 (RS5) | >= 17763.2746 | KB5011551 (Microsoft Update Catalog) |
How to turn on troubleshooting mode (TS mode) on an endpoint:
1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
2. Navigate to the device page for the device you want to enable troubleshooting mode on and select Turn on troubleshooting mode. This requires the Manage security settings in Security Center permission for Microsoft Defender for Endpoint.
3. Confirm that you want to turn on troubleshooting mode for the device.
4. The device page now shows that the device is in troubleshooting mode (the menu item remains greyed out for as long as the device is in troubleshooting mode).
Advanced hunting queries
Here are some pre-built advanced hunting queries that give you visibility into the troubleshooting mode events occurring in your environment. You can also use these queries to create custom detection rules that alert you when devices enter troubleshooting mode.
Get troubleshooting events for a particular device

The original query declared deviceId but never used it; the filter below matches on either the device name or the device ID, so you can fill in whichever one you have.

```kusto
let deviceName = ""; // update with device name
let deviceId = "";   // update with device id
search in (DeviceEvents)
(DeviceName == deviceName or DeviceId == deviceId)
and ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| project $table, Timestamp, DeviceId, DeviceName, _tsmodeproperties,
    _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,
    _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,
    _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource
```
Devices currently in troubleshooting mode

```kusto
search in (DeviceEvents)
ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(3h) // troubleshooting mode lasts 3 hours
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId), count() by DeviceId
```
Count of troubleshooting mode instances by device

```kusto
search in (DeviceEvents)
ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(30d) // choose the date range you want
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId), count() by DeviceId
| sort by count_
```
Total count

```kusto
search in (DeviceEvents)
ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(2d) // beginning of time range
| where Timestamp < ago(1d) // end of time range
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId), count()
| where count_ > 5 // choose your max # of TS mode instances for your time range
```
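To make the logic of these four queries concrete outside the portal, here is an added Python example (not code from the post or from Microsoft). It re-implements the parse_json/filter/summarize steps over a handful of constructed DeviceEvents rows: the column names and the AdditionalFields property names are the ones the queries above use, while every value (device names, IDs, timestamps, the "Portal" change source) is made up for the example. It also derives the minutes left in each active window from TroubleshootingStateExpiry, which the queries project but do not otherwise use.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible; a live run would use
# datetime.now(timezone.utc).
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
TS_ACTION = "AntivirusTroubleshootModeEvent"
STARTED = "Troubleshooting mode started"

def make_event(report_id, device_id, device_name, minutes_ago, reason, action=TS_ACTION):
    """Constructed DeviceEvents row; names follow the post's queries, values are invented."""
    ts = NOW - timedelta(minutes=minutes_ago)
    props = {
        "TroubleshootingState": 1,
        "TroubleshootingPreviousState": 0,
        "TroubleshootingStartTime": ts.isoformat(),
        "TroubleshootingStateExpiry": (ts + timedelta(hours=3)).isoformat(),  # 3h window
        "TroubleshootingStateRemainingMinutes": 180,
        "TroubleshootingStateChangeReason": reason,
        "TroubleshootingStateChangeSource": "Portal",  # assumed value, not from the post
    }
    return {"Timestamp": ts.isoformat(), "ReportId": report_id, "DeviceId": device_id,
            "DeviceName": device_name, "ActionType": action, "AdditionalFields": json.dumps(props)}

# Constructed sample: ws01 entered TS mode 30 minutes ago and again 26 hours ago,
# ws02 five hours ago (window already closed), ws03 just over a day ago, plus an
# unrelated event type that every query must ignore.
SAMPLE_EVENTS = [
    make_event(1, "dev-ws01", "ws01", 30, STARTED),
    make_event(2, "dev-ws01", "ws01", 26 * 60, STARTED),
    make_event(3, "dev-ws02", "ws02", 5 * 60, STARTED),
    make_event(4, "dev-ws03", "ws03", 24 * 60 + 10, STARTED),
    make_event(5, "dev-ws04", "ws04", 10, STARTED, action="ProcessCreated"),
]

def parse_ts_events(events):
    """The ActionType filter plus `extend _tsmodeproperties = parse_json(AdditionalFields)`."""
    rows = []
    for e in events:
        if e["ActionType"] != TS_ACTION:
            continue
        props = json.loads(e["AdditionalFields"])
        rows.append({
            "Timestamp": datetime.fromisoformat(e["Timestamp"]),
            "ReportId": e["ReportId"],
            "DeviceId": e["DeviceId"],
            "DeviceName": e["DeviceName"],
            "Expiry": datetime.fromisoformat(props["TroubleshootingStateExpiry"]),
            "Reason": props["TroubleshootingStateChangeReason"],
        })
    return rows

def started_events(events, start, end=None):
    """'Troubleshooting mode started' events with start < Timestamp < end."""
    return [r for r in parse_ts_events(events)
            if r["Reason"] == STARTED and r["Timestamp"] > start
            and (end is None or r["Timestamp"] < end)]

def summarize_by_device(rows):
    """`summarize arg_max(Timestamp, ...), count() by DeviceId`: latest row and count per device."""
    summary = {}
    for r in rows:
        s = summary.get(r["DeviceId"])
        if s is None:
            summary[r["DeviceId"]] = {"latest": r, "count_": 1}
        else:
            s["count_"] += 1
            if r["Timestamp"] > s["latest"]["Timestamp"]:
                s["latest"] = r
    return summary

def devices_in_ts_mode(events, now=NOW):
    """'Devices currently in troubleshooting mode', with minutes left per device."""
    window = started_events(events, now - timedelta(hours=3))
    return {d: int((s["latest"]["Expiry"] - now).total_seconds() // 60)
            for d, s in summarize_by_device(window).items()}

def ts_mode_counts(events, lookback=timedelta(days=30), now=NOW):
    """'Count of troubleshooting mode instances by device', most frequent first."""
    summary = summarize_by_device(started_events(events, now - lookback))
    return sorted(((d, s["count_"]) for d, s in summary.items()), key=lambda x: (-x[1], x[0]))

def total_exceeds(events, max_instances, start=timedelta(days=2), end=timedelta(days=1), now=NOW):
    """'Total count': True when more than max_instances starts fall between now-start and now-end."""
    return len(started_events(events, now - start, now - end)) > max_instances

if __name__ == "__main__":
    print("currently in TS mode:", devices_in_ts_mode(SAMPLE_EVENTS))
    print("starts per device (30d):", ts_mode_counts(SAMPLE_EVENTS))
    print("more than 1 start between 2d and 1d ago:", total_exceeds(SAMPLE_EVENTS, 1))
```

The threshold in total_exceeds and the lookback in ts_mode_counts are the same knobs the queries expose as comments; tune them to what "normal" looks like in your tenant before turning the logic into a custom detection, since a device that repeatedly enters troubleshooting mode is worth a look even if each window expires on schedule.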
Known issues
There is a known issue with troubleshooting mode on Microsoft Defender Antivirus platform versions earlier than the March platform version (4.18.2203.*) that can prevent a device from entering troubleshooting mode again after a previous instance has expired. To resolve this, update affected devices to the March platform version (4.18.2203.*) or later.
Learn more
Want to learn more about troubleshooting mode? See the articles on troubleshooting mode for details:
Get started with troubleshooting mode in Microsoft Defender for Endpoint | Microsoft Docs
Troubleshooting mode scenarios in Microsoft Defender for Endpoint | Microsoft Docs
Let us know what you think!
We are excited to bring troubleshooting mode to you and your Security teams. Try out troubleshooting mode today and let us know what you think! We would also like to hear your feedback on improvements we can make to this feature in future versions.