Scott Woodgate, thank you for posting some information and getting a message out as soon as possible, but I don't think a single sentence explaining that this mess was due to an "incorrect detection pattern" even begins to handle the mess we're all in. A root cause analysis and details on how you're going to prevent this in the future go a long way in restoring faith. A few questions so that we can better prepare for the future:
- How can we know ahead of time if security intelligence updates will include this sort of disruptive update?
- Did this "incorrect detection pattern" also get pushed out through cloud-delivered protection service, a service that is also referred to as Microsoft Active Protection Service (MAPS)?
- Currently, there are not that many options regarding security intelligence updates in terms of phasing/staging/deployment in rings. What options do we have in the future? Other Microsoft products have rings available and we can configure the devices in each of those rings... did we forget to provide the same functionality for Defender updates?
- Other technology products, specifically EDR/XDR, include file recovery/rollback. Is that not a possibility for you to leverage and help organizations with the support operations we will all be dealing with during the next few days?
I would also suggest you publish a step-by-step guide on how to deploy the script mentioned above through Intune/MEM, MECM and GPO, as that would reduce the stress levels on the teams. Balancing the "what's going on?" coming in from the organization/business and "figuring out how to deploy this" is not a fun thing to do right now for a lot of teams.