Recent Discussions
Cannot delete a tag added through an Asset rule
Hello, We had created in the past an asset rule to assign a tag to a few machines. Now we are trying to remove the tag but we can't find the right way. We have deleted the Asset rule (it was turned off more than 2 months ago). When I go to the machine details and click on 'Manage tags', I can see a section called 'Manual tags' (there I can add or remove tags from the console) and a section called 'Rule-based tags' with the description 'Rule-based tags are automatically added to devices based on rules that you create. You can add, edit or delete a rule in Manage rules.' Going through PowerShell and the API doesn't work either. Even getting the details of a machine only shows the manual tags. How do we remove such a tag then? Thanks in advance for your help. Marc

Azure site recovery cache storage identified with malware
Hello, I have enabled Azure Site Recovery on multiple servers. I am using a premium storage account for the cache data required for the replication. Defender keeps being triggered, reporting that it is detecting different malware in temporary files that are generated on the cache storage account by the replication. The servers that get replicated do not detect any malware on them. What is the reason and what is the solution? Is this normal behaviour? Thank you

How to disable Defender on Windows Server with tamper protection enabled
As a third-party security vendor, when our users enabled tamper protection on Windows Server 2022, we were unable to disable Defender through group policy as before, which resulted in conflicts between third-party anti-malware and Defender. Of course, Defender for Endpoint is not onboarded in the system because users do not want to pay for two sets of antivirus software. So in this situation, can users only turn off tamper protection manually? But this is clearly unfriendly for large-scale systems. In addition, installing third-party antivirus software on Windows Server systems that have onboarded Defender for Endpoint seems to have no way to put Defender into passive mode if tamper protection is enabled. We urgently hope that someone can provide some suggestions on this issue!

How to fetch dynamic tags in Defender for Endpoint (Machines API or KQL)?
Hi, I'm trying to retrieve all unique tags (both manual and dynamic) in Microsoft Defender for Endpoint and then identify the currently active devices associated with each tag. I have tried the below:
Machines API (/api/machines): this only returns manual tags (machine.tags) and does not include dynamic tags.
Advanced Hunting – DeviceInfo table: this seems to contain both manual and dynamic tags, but there are duplicate entries for the same device, and it's not clear how to filter for active devices only or how to get a clean mapping of tag → devices.
I need guidance on how to:
Retrieve all unique tags (manual + dynamic)?
Map these tags to the list of currently active devices (without duplicates)?
Is there any API or KQL query that can provide this cleanly? Any advice, best practices, or sample queries would be greatly appreciated!

Defender on Windows server only detects - not prevents
Hello, we noticed that on the Windows server Defender only detects things but doesn't block anything. Shouldn't it at least block something? Should we apply ASR rules to the server (all rules or some of them)? It is Windows Server 2019, onboarded using the local script (no MDM and no Group Policies). Defender is the primary (and only) antivirus installed on the server. Example here:

What does "deprecated" mean in the Defender Antivirus for Linux settings?
When you create a Microsoft Defender Antivirus policy for Linux in the Endpoint Security Policies blade of the Defender admin center, there are two settings in the Antivirus Engine section that have "(deprecated)" after them: "Enable real-time protection (deprecated)" and "Enable passive mode (deprecated)": What exactly does "deprecated" mean in this context? I can't imagine that the features themselves are deprecated; are we supposed to be configuring them elsewhere?

Linux (Ubuntu 22.04) Discovered Vulnerabilities/Missing Security Updates
Hello, we have Defender for Endpoint P2. The server is reporting as correctly enrolled. Everything MDE is updated. Full and quick scans are completed. Software inventory is complete. No weaknesses / no vulnerable components reported. No discovered vulnerabilities. No missing security updates. Licence issue/installation issue... any hints where I could look? Thanks

Endpoint menu missing in settings in security center
Hello, I'm trying to understand why the endpoint menu is missing in security center (security.microsoft.com). I currently have a Microsoft 365 E5 Security license but I can't access the endpoint menu. I'm currently logging in with a global admin account with the "Microsoft 365 E5 Security" license assigned but I can't access the endpoint menu at all. Am I doing something wrong? My current license is a trial license; could that be the issue (I don't think so)? Thanks

Differentiate actual DfC/DfE license usage on Windows systems
Trying to understand how the Windows endpoint (server/laptop) licenses are being used in my environment and, for that, trying to figure out how to check the number of on-prem/Azure cloud systems deployed with a Microsoft Defender for Endpoint or Defender for Servers P2 license. Where and how can I see which assets are getting configured with a DfS license and which systems have been configured with MS DfE?

MDE not detecting regsecrets.py from impacket-toolkit
In a recent red-team engagement we got exposed to the regsecrets.py toolkit, which made it possible to extract the SAM hive without any detection from MDE. I have tried to use advanced hunting to see if there are any events that would make up a good custom detection rule, but no success yet; please share if you have any queries that work for you. Some information regarding this script: This script is a modification of secretsdump.py that uses a different technique to extract registry secrets (the logic regarding DCSync operations has been removed). It does not write files on the disk and does not perform reg save-like operations. This allows recovering the SAM database and the LSA secrets while being less prone to detection by security products. All required keys are accessed using registry queries. To access keys within the SAM and SECURITY hives, the dwOption of https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/8cb48f55-19e1-4ea2-8d76-dd0f6934f0d9 allows passing the REG_OPTION_BACKUP_RESTORE value to disable any ACL checks performed, thus allowing access to these registry keys normally restricted to the SYSTEM user. Thanks in advance for sharing some experience of detecting this.

Alert Rule Fails on Dynamic Field Parsing in DeviceTvmInfoGathering
Hi, Need Help: Alert Rule Fails but Hunting Query Works (Dynamic Fields Issue). Alert Rule Query Fails When Using parse_json on AdditionalFields — Any Workarounds? Need to get an alert when AvMode is disabled. KQL:
DeviceTvmInfoGathering
| where isnotempty(AdditionalFields)
| where Timestamp > ago(1h)
| extend AF = parse_json(AdditionalFields)
| where AF has "AvMode"
| extend AvMode = tostring(AF.AvMode)
| where AvMode == "2"
| extend ReportId = tolong(abs(hash(DeviceId)))
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, AvMode

Get-MpPerformanceReport empty processpath
Hi, does anyone know why we sometimes get an empty processpath when using Get-MpPerformanceReport to get top processes? Some say it could be Defender for Endpoint, but I would like to be sure what it is. Any ideas on how to get more info? Thank you in advance and don't hesitate if you have any questions.

Change tamper protected settings permanently
Hi there, I need to disable real-time monitoring permanently on a device. I can turn it off temporarily using troubleshooting mode, but once tamper protection is back on, so is real-time monitoring. How do we actually permanently change tamper protected settings?

API - Vulnerabilities.read.all and Score.Read.All
Trying to leverage Defender metrics for management reporting (things like ExposureScore, SecureScore, etc.; I'm interested in absolutely everything to get the right Power BI dashboard). When assigning (for example) Vulnerabilities.read.all and Score.Read.All and granting admin consent, these aren't actually getting pulled through to the JWT token, as seen when using Postman combined with jwt.ms to view the token. So what gives? Where did those permissions go? I thought it might be propagation, so I have now given it 5 days in total. Is it that these APIs just aren't accessible despite the Microsoft documentation like: https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities I am fully licensed (albeit trials). It seems that the Graph API (e.g. https://graph.microsoft.com/v1.0/security/secureScores) is very friendly to my needs, whereas https://api.security.microsoft.com/api/exposureScore does not allow my app registration access even when the permissions are there...

When is a device considered deleted or inactive in the DeviceInfo table?
Hi, I'm trying to better understand how the device lifecycle is handled within Microsoft Defender for Endpoint, specifically in the context of Advanced Hunting via the DeviceInfo table.
When can we consider a device as deleted or removed from the DeviceInfo table?
How long do offboarded or inactive devices remain in the DeviceInfo table before they are automatically purged?
Are there specific values (e.g., onboardingStatus, lastSeen, isActive, etc.) or time-based thresholds that should be used to determine if a device is no longer active?
Any guidance or documentation references would be greatly appreciated!

How to Automatically Export Microsoft Defender Security Recommendations with Historical Tracking
Hi everyone, I'm currently using Microsoft Defender for Endpoint, and I'm looking for a way to automate the export of security recommendations. Right now, the only available option is to manually export these recommendations as a CSV using the "Export" button in the portal. However, I'd like to:
Automatically pull these recommendations regularly
Store them in an Azure SQL database/Azure Storage
Use Power BI to create dashboards and track trends over time (since Defender does not provide historical views)
Is there a way to fetch this data programmatically? My Goal:
Automatically query this API daily (via Azure Function or Azure Automation or any other way)
Store each day's results in an Azure SQL table/Storage account with timestamps
Build Power BI reports for: most frequent vulnerabilities; exposure trends over time; recommendation coverage and progress

Defender detection caused by monitoring script
Dear Community, We use PRGT, which monitors various things for our customers. One of our customers uses Microsoft Defender, which issued an alert for "SmokeLoader." After some research, we found that this is caused by two of our scripts, which establish a connection to our servers and query various things. This raised the question of how we can best whitelist this, since the detection comes from "WinRM" and not directly from the script itself. However, the script itself establishes a connection to the servers and requests some information. Are there any sensible measures that can be taken here? Only whitelisting the script (folder or hash) makes limited sense here, since the detection in this case was for the WinRM process, so the behaviour analysis would kick in again. Thank you for your time! Best regards, SleeperHead

Issue with Missing Endpoint menu in Settings
I know this is a frequent topic, but nothing seems to be working for me. I am a security admin and licensed for Microsoft 365 Business Standard, and I have a Defender for Endpoint P2 license assigned to my user ID. The license has been assigned for over 24 hours, and I've clicked on menu choices waiting for provisioning, but the Endpoint menu and settings link do not appear. Any other ideas? Thanks for your assistance.
Recent Blogs
- We're excited to announce a key milestone in Defender's multi-tenant management journey: Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defen... (Aug 07, 2025)
- Network isolation refers to how Microsoft Defender for Endpoint restricts a compromised device's communication within the network in order to contain threats and prevent lateral movement. But oftenti... (Jun 25, 2025)