Recent Discussions
MS Defender - Installation Error version 101.25072 on macOS
Dear experts, the latest version of MS Defender can't be installed. I have been getting an error message since the release date (5th Aug). I have tried restarting the computer and tried different networks; same issue 🙁

Endpoint menu missing in settings in security center
Hello, I'm trying to understand why the Endpoint menu is missing in the security center (security.microsoft.com). I currently have a Microsoft 365 E5 Security license but I can't access the Endpoint menu. I'm currently logging in with a global admin account with the "Microsoft 365 E5 Security" license assigned, but I can't access the Endpoint menu at all. Am I doing something wrong? My current license is a trial license; could that be the issue (I don't think so)? Thanks

MDE onboarding issue
Hello Community, while I am trying to onboard a Windows 10 machine into MDE where there is already another AV running (Kaspersky), I am facing the issue that Microsoft AV is not able to revert its status from disabled into the running state (passive mode). Even if I try to start the service manually, it reverts itself back to the disabled status. Did anyone experience that issue before between Defender AV and Kaspersky?

Ransomware query
For ransomware detection I need the following queries for advanced hunting in Defender:
1. Look for rapid file modification, creation or deletion
2. Rapid file encryption
3. Look for a ransom note
4. Look for encryption algorithms
5. Look for double extensions
6. Also a query for the birth time of the file

Registry modifications
If a file was downloaded, executed, and created a registry entry for persistence, is it enough to just delete the file from its original location? Or does the registry entry also need to be removed? What happens if it is not removed? If a malicious file created an entry under HKLM Run, HKCU Run, or RunOnce, and the file is later deleted but the registry entry is left behind, will the system still try to execute it at startup?

Can't update Defender app on macOS
Hello, we started getting this situation where Defender for macOS can't be updated:
Microsoft Defender 101.25072
Current Version: 101.25062
Installed: 2025-08-05
Update error: The update could not be installed at this time. Please try again later.
Microsoft AutoUpdate is up to date.
Operating System Version: 15.6.1
Device managed by Mosyle MDM. All of our active users have been updated to 15.6.1 (and this problem was observed on OS versions from 15.1 to 15.6.1). What could be causing this? And what can we do about it?

Endpoint settings missing in Microsoft Defender for Endpoint
Hi, I am currently using the Microsoft 365 Developer program and am trying to set up an Intune and Microsoft Defender for Endpoint tenant. However, when I try to integrate Defender with Intune, the Endpoint setting is not showing in the settings despite my having the Security administrator role. Is this expected when using the developer program, or am I missing something? Would appreciate your kind advice.

Defender detection caused by monitoring script
Dear Community, we use PRTG, which monitors various things for our customers. One of our customers uses Microsoft Defender, which issued an alert for "SmokeLoader." After some research, we found that this is caused by two of our scripts, which establish a connection to our servers and query various things. This raised the question of how we can best whitelist this, since the detection comes from "WinRM" and not directly from the script itself. However, the script itself establishes a connection to the servers and requests some information. Are there any sensible measures that can be taken here? Only whitelisting the script (folder or hash) makes limited sense here, since the detection in this case was for the WinRM process, so the behavior analysis would kick in again. Thank you for your time! Best regards, SleeperHead

Bad quality of Defender / Intune docu, annoying
Whenever I need learning.microsoft.com, I find their descriptions have A) very often menu links which do not exist (guess it's been rearranged) and B) very often mistakes: in this article https://learn.microsoft.com/en-us/defender-endpoint/android-configure-mam several parameters are described with an integer value, and the same parameter a second time at the same place as a boolean. And so many more mistakes I found. Well: some companies want to earn money, maybe by doing training with their customers, which is only necessary because the docu is unreadable or written so boringly that you fall asleep and understand nothing. Please do more quality.

Cannot delete a tag added through an Asset rule
Hello, we had created in the past an asset rule to assign a tag to a few machines. Now we are trying to remove the tag but we can't find the right way. We have deleted the asset rule (it was turned off more than 2 months ago). When I go to the machine details and click on 'Manage tags', I can see a section called 'Manual tags' (there I can add and remove tags from the console) and a section called 'Rule-based tags' with the description 'Rule-based tags are automatically added to devices based on rules that you create. You can add, edit or delete a rule in Manage rules.' Going through PowerShell and the API, it doesn't work either. Even getting the details of a machine only shows the manual tags. How do we remove such a tag then? Thanks in advance for your help. Marc

Azure Site Recovery cache storage identified with malware
Hello, I have enabled Azure Site Recovery on multiple servers. I am using a premium storage account for the cache data required for the replication. Defender keeps being triggered, telling me that it is detecting different malware in temporary files that are generated on the cache storage account by the replication. The servers that get replicated do not detect any malware on them. What is the reason and what is the solution? Is this normal behaviour? Thank you

How to disable Defender on Windows Server with tamper protection enabled
As a third-party security vendor, when our users enabled tamper protection on Windows Server 2022, we were unable to disable Defender through group policy as before, which resulted in conflicts between third-party anti-malware and Defender. Of course, Defender for Endpoint is not onboarded on the system because users do not want to pay for two sets of antivirus software. So in this situation, can users only manually turn off tamper protection? That is clearly unfriendly for large-scale systems. In addition, installing third-party antivirus software on Windows Server systems that have onboarded Defender for Endpoint seems to have no way to put Defender into passive mode if tamper protection is enabled. We urgently hope that someone can provide some suggestions on this issue!

How to fetch dynamic tags in Defender for Endpoint (Machines API or KQL)?
Hi, I'm trying to retrieve all unique tags (both manual and dynamic) in Microsoft Defender for Endpoint and then identify the currently active devices associated with each tag. I have tried the following:
- Machines API (/api/machines): this only returns manual tags (machine.tags) and does not include dynamic tags.
- Advanced Hunting, DeviceInfo table: this seems to contain both manual and dynamic tags, but there are duplicate entries for the same device, and it's not clear how to filter for active devices only or how to get a clean mapping of tag → devices.
I need guidance on how to:
- Retrieve all unique tags (manual + dynamic)?
- Map these tags to the list of currently active devices (without duplicates)?
Is there any API or KQL query that can provide this cleanly? Any advice, best practices, or sample queries would be greatly appreciated!

Defender on Windows Server only detects - not prevents
Hello, we noticed that on the Windows server Defender only detects things but doesn't block anything. Shouldn't it at least block something? Should we apply ASR rules to the server (all rules or some of them)? It is Windows Server 2019, onboarded using the local script (no MDM and no Group Policy). Defender is the primary (and only) antivirus installed on the server. Example here:

What does "deprecated" mean in the Defender Antivirus for Linux settings?
When you create a Microsoft Defender Antivirus policy for Linux in the Endpoint Security Policies blade of the Defender admin center, there are two settings in the Antivirus Engine section that have "(deprecated)" after them: "Enable real-time protection (deprecated)" and "Enable passive mode (deprecated)". What exactly does "deprecated" mean in this context? I can't imagine that the features themselves are deprecated; are we supposed to be configuring them elsewhere?

Linux (Ubuntu 22.04) Discovered Vulnerabilities/Missing Security Updates
Hello, we have Defender for Endpoint P2 and the server is reported as correctly enrolled:
- Everything MDE is updated
- Full and quick scans are completed
- Software inventory is complete
- No weaknesses / no vulnerable components reported
- No discovered vulnerabilities
- No missing security updates
Licence issue/installation issue... any hints where I could look? Thanks

Differentiate actual DfC/DfE license usage on Windows systems
I am trying to understand how the Windows endpoint (server/laptop) licenses are being used in my environment and, for that, trying to figure out how to check the number of on-prem/Azure cloud systems deployed with a Microsoft Defender for Endpoint or Defender for Servers P2 license. Where and how can I see which assets are being configured with the DfS license and which systems have been configured with MS DfE?
Recent Blogs
- We're excited to announce a key milestone in Defender's multi-tenant management journey: Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defen... (Aug 07, 2025)
- Network isolation refers to how Microsoft Defender for Endpoint restricts a compromised device's communication within the network in order to contain threats and prevent lateral movement. But oftenti... (Jun 25, 2025)