Troubleshooting mode for Microsoft Defender for Endpoint now Generally Available

mode for Microsoft Defender for Endpoint now Generally Available!

Microsoft Defender for Endpoint offers the best possible protection when all capabilities—including tamper protection—are enabled and configured. Tamper protection offers great prevention against inadvertent changes of critical settings. Because of this, configuration can require some adjustment to get it just right for your organization's specific environment. Introducing mode, a unique, innovative, and secure way to investigate and adjust configurations on your devices.  This mode will enable the local admin on the device to override Microsoft Defender security policy configurations on the device, including tamper protection. 

mode is initiated by a single-use command that is created for a single device and is time bound (the window of time for troubleshooting mode is 3 hours). Once troubleshooting mode has expired, the security settings that were configured on the device prior to troubleshooting mode will be restored, and any new policies that were created by your security or IT admin during troubleshooting mode will be applied. (Such new policies are blocked during troubleshooting mode.)  

Additional diagnostic files will be available for collection after troubleshooting mode. Your security admin can collect the diagnostic files by using the Collect Investigation Package feature. The files include a before and after snapshot of the MpPreferences and the MpLogs during the troubleshooting window. 

Prerequisites 

  • A device running Windows 10 (version 19044.1618 and above), Windows 11, 2019, or 2022. 
  • For troubleshooting mode to be applied, Microsoft Defender for Endpoint must be tenant-enrolled and active on the device. 
  • The device must be actively running Microsoft Defender , version 4.18.2203 and above. 
Semester/Redstone  OsVersion  Release 
21H2/SV1  >= 22000.593   (KB5011563) Microsoft Update Catalog 
20H1/20H2/21H1  >= 19042.1620, 
>= 19041.1620 
>=19043.1620 
(KB5011543)Microsoft Update Catalog 
  >=20348.617  KB5011558 Microsoft Update Catalog 
Server 2019(RS5)  >=17763.2746  KB5011551 Microsoft Update Catalog 

turn on Troubleshooting mode (TS mode) on an endpoint:  

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in. 
  2. Navigate to the Device page/Machine page for the device you would like to enable troubleshooting mode on and select the Turn on troubleshooting mode. Note that this requires Manage security settings in permissions for Microsoft Defender for Endpoint. 

JuliHooper_1-1652132600446.png

 3. Confirm you want to turn on troubleshooting mode for the device:  

JuliHooper_2-1652132600448.png

 4. Now the device page shows the device is in troubleshooting mode (note that the menu item will remain greyed out for as long as the device is in troubleshooting mode):  

JuliHooper_3-1652132600451.png

Advanced hunting queries 

Here are some pre-built advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can also use these queries to create detection rules that will alert you when the devices are in troubleshooting mode. 

Get troubleshooting events for a particular device

<CODE class="lang-kusto" style="box-sizing: inherit; outline-color: inherit; font-family: SFMono-Regular, Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 1em; direction: ltr; line-height: 1.3571; border: 0px; display: block; padding: 0px; position: relative;" data-author-content="let deviceName = "”;   // update with device name
let deviceId = “”; // update with device id
search in (DeviceEvents)
(DeviceName == deviceName
) and ActionType == ”AntivirusTroubleshootModeEvent”
| extend _tsmodeproperties = parse_json(AdditionalFields) 
| project $table, Timestamp,DeviceId, DeviceName, _tsmodeproperties,
 _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,
 _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,
 _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource
“>let deviceName = “”; // update with device name
let deviceId = “”; // update with device id
search in (DeviceEvents)
(DeviceName == deviceName
) and ActionType == “AntivirusTroubleshootModeEvent”
| extend _tsmodeproperties = parse_json(AdditionalFields) 
| project $table, Timestamp,DeviceId, DeviceName, _tsmodeproperties,
 _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,
 _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,
 _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource

Devices currently in troubleshooting mode 

 ago(3h)
| where _tsmodeproperties.TroubleshootingStateChangeReason == ”Troubleshooting mode started”
|summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
“>search in (DeviceEvents)
ActionType == “AntivirusTroubleshootModeEvent”
| extend _tsmodeproperties = parse_json(AdditionalFields) 
| where Timestamp > ago(3h)
| where _tsmodeproperties.TroubleshootingStateChangeReason == “Troubleshooting mode started”
|summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId

Count of troubleshooting mode instances by device

 ago(30d)  // choose the date range you want
| where _tsmodeproperties.TroubleshootingStateChangeReason == ”Troubleshooting mode started”
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| sort by count_
“>search in (DeviceEvents)
ActionType == “AntivirusTroubleshootModeEvent”
| extend _tsmodeproperties = parse_json(AdditionalFields) 
| where Timestamp > ago(30d)  // choose the date range you want
| where _tsmodeproperties.TroubleshootingStateChangeReason == “Troubleshooting mode started”
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| sort by count_

Total count

 ago(2d) //beginning of time range
| where Timestamp  5          // choose your max # of TS mode instances for your time range
“>search in (DeviceEvents)
ActionType == “AntivirusTroubleshootModeEvent”
| extend _tsmodeproperties = parse_json(AdditionalFields) 
| where Timestamp > ago(2d) //beginning of time range
| where Timestamp < ago(1d) //end of time range
| where _tsmodeproperties.TroubleshootingStateChangeReason == “Troubleshooting mode started”
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() 
| where count_ > 5          // choose your max # of TS mode instances for your time range

Known issues 

There is a known issue for troubleshooting mode in Microsoft Defender Antivirus platforms prior to the March platform version (4.18.2203.*) that can prevent the device from re-enabling the troubleshooting mode after a previous instance has expired. To solve this issue, update affected devices to the March platform version (4.18.2203.*) or higher. 

Learn more 

Want to learn more about troubleshooting mode? See the articles on troubleshooting mode for details: 

Get started with troubleshooting mode in Microsoft Defender for Endpoint | Microsoft Docs

Troubleshooting mode scenarios in Microsoft Defender for Endpoint | Microsoft Docs

 
 

Let us know what you think!  

We are excited to bring troubleshooting mode to you and your Security teams. Try out troubleshooting mode today and let us know what you think! We would also like to hear your feedback on improvements we can make to this feature in future versions. 

 

This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.