Forum Widgets
Latest Discussions
DVM Certificate Inventory Shows No Data Despite Healthy Endpoints in Defender for Endpoint
Hi Team, I'm testing Microsoft Defender Vulnerability Management. Current status: - Defender Vulnerability Management Add-on enabled - Certificates inventory tab is visible - Software Inventory populated - Security Recommendations populated - Windows and Linux devices onboarded - Linux mdatp health = healthy:true, licensed:true, cloud_enabled:true - Devices have local certificates installed - Certificate Inventory page shows "No data" The DVM Add-on was enabled more than 36 hours ago. Has anyone experienced a delay in Certificate Inventory population or are there additional prerequisites beyond DVM licensing and device onboarding? Thanks.vijaysethiyaJul 07, 2026Copper Contributor29Views0likes1CommentMicrosoft Defender false positive and WDSI submission details page bug
Hello, I am the developer and publisher of Pulse Launcher, a legitimate signed Windows application / Minecraft mod launcher. I already submitted this through Microsoft Security Intelligence and also opened a Microsoft Q&A thread, but I am posting here because the WDSI submission portal itself appears to be broken for these submissions. Related Microsoft Q&A thread: https://learn.microsoft.com/en-us/answers/questions/5929545/microsoft-defender-false-positive-and-wdsi-submiss There are two related issues: 1. Microsoft Defender cloud ML false positives keep appearing on public multi-engine scan results for the same signed application/product family. The Microsoft detection name changes across rescans and equivalent builds, including: - PUA:Win32/Puwaders.C!ml - Program:Win32/Wacapew.C!ml - Trojan:Win32/Wacatac.B!ml - Trojan:Win32/Wacatac.C!ml - Trojan:Win32/Sabsik.EN.A!ml 2. Microsoft Security Intelligence submissions are visible in Submission history and show status "In progress", but opening the submission details page returns: "The details for the submission were not found or the submission has expired." Affected submission IDs: - dd476efa-fc04-4f13-82cf-631bbfd145a6 - efc6514c-d700-4d6a-a7e2-67a9a83334a2 - ff8d04b7-c5fc-4a05-bd53-ee7ac5981284 File details: - File name: pulse_launcher.exe - SHA-256: def6059c07c3e1f4a8c5649a1bbf190d4f355ee8e8b88c55c5b404edee99ecc8 - Signer: FOP Haponiuk Mykola Viktorovych - Certificate: GlobalSign EV Code Signing certificate The executable is not VMProtect-packed or obfuscated. It is EV-signed. A previous Microsoft analyst response stated that the file did not meet Microsoft criteria for malware or PUA, but Microsoft cloud detections continue to appear. Could someone route this to Microsoft Defender Security Intelligence / malware analysis, or advise how to escalate WDSI submissions that exist in history but whose details endpoint returns "not found or expired"? Thank you.MykolaHaponiukJun 24, 2026Copper Contributor50Views0likes1CommentMicrosoft Defender for Endpoint and WDAC audit logs not include kernel audit/blocks
While testing WDAC on a fully patched Win11 pro machine - I noticed that kernel audit/block events do not get collected by MDE in the advanced hunting portal, only user mode audit/blocks are collected. Can anyone confirm they see this too and is this by design? My test case is to use a Strict Kernel Mode WDAC policy (as per: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) which is active, using the global secure access client as my test, when the machine boots, the below event is generated locally on the machine: This event is never shown on the MDE advanced hunting portal, though user events do show. Examples of events that are coming through: Not receiving these events centrally for auditing would make deploying a kernel mode wdac control impossible. Would be amazing if Microsoft product team could look into this and resolve as these alerts should be captured as well please to facilitate deployment of more secure controls.Warren212Jun 12, 2026Tin Contributor108Views0likes2CommentsWays to fetch quarantine files
We are working with quarantine files and have a few questions: 1. Is there a public API available to retrieve quarantined files from Microsoft Defender for Endpoint? 2. Is there a documented method to map an alert or a file SHA-1/SHA-256 hash to the corresponding object in the Defender quarantine store? 3. Is there a way to retrieve quarantined files other than using a PowerShell script through the Live Response API?Dhwani_ShahJun 08, 2026Copper Contributor152Views0likes4CommentsUnderstanding AI workloads on Linux
Hi everyone, I’m a PM working on security for Linux environments and trying to better understand how AI workloads are actually showing up in production today. Would appreciate hearing from folks here: Are you running any AI workloads on Linux today? Or actively exploring? What does your deployment/setup look like — e.g., model training/inference, agents, MCP servers, data pipelines, etc.? How are you thinking about securing this stack, if at all? If you’re open to a quick 30-min chat, I’d love to learn more from your experience as well. Thanks in advance — this will directly help shape where we invest next.tejaskashyapJun 02, 2026Microsoft74Views0likes1CommentLarac2shell: Turning MDE Live Response into a near real-time shell We are the EDR!
https://github.com/akefallonitis/larac2shell Turning MDE live response into a near real time interactive shell beta version out Features: - Internal (Thanks to https://www.linkedin.com/in/fabianbader/ - https://www.linkedin.com/in/nathanmcnulty/ and xdrinternals research ) vs External api authentication - Arbitrary command execution via pre-uploaded base64 wrapper script - Cross-OS support PS Two MSRC bugs reported for direct command execution bypass waiting for Microsoft Response in order to publish them Coming SOON TM Full LaraC2 Post Exploitation OST framework over MDE as C2/C3 Channel - We are the EDR / No external Infra / Onboarding to your controlled tenant silencing MDE Happy testing 🥳 🎉alkefallonitisMay 08, 2026Copper Contributor102Views0likes2CommentsrunHuntingQuery API and 'evaluate pivot'
Seem to have a problem where any request to the runHuntingQuery API with 'evaluate pivot' fails with error": { "code": "UnknownError", "message": "", Is this just a 'feature' ? The query happily runs trough the website/XDR portal. :-( Is there a way to simulate a pivot (easily) in powerapps ?Tim4May 01, 2026Copper Contributor73Views0likes1CommentDefender for Business - No alert after process lock out ?
Hello all, A few days ago, I have setup Defender for business server on a Windows Server 2019. I can see that server in the Microsoft security portail devices list. I have also tested the "suspicious" powershell command provided by Microsoft and it went all good. Powershell blocked, alert escaladed as incident in the security portal, email received, ... But the next day, I tried to install a service on that server that got blocked by Virus & Thread Protection because it was attempting to modify a lot of files. That was a good point for Defender (it was not a real thread and was later added as exception). My worry is that it was never escaladed to the security portal, I didn't received a alert email, .. The system blocked that "thread" multiple times during my attempt to deploy it and no incident were throw. What could be wrong ? Thank you.karnaltaJan 27, 2026Copper Contributor160Views0likes3CommentsSave the date - January 26, 2026 - AMA: Secure your endpoints with policy and Microsoft Defender
Save the date for January 26 at 8:00 AM PT! Have questions about using Microsoft Intune to enforce device compliance? Curious how to configure devices to help prevent security breaches and limit the impact of threats? Ask Microsoft Anything (AMA) about integrating Microsoft Defender for Endpoint with Microsoft Intune at Tech Community Live! Product teams will be answering your questions live and in chat. Get tips using policy to onboard devices, define risk level, block non-compliant devices from accessing corporate resources, and more. Go to aka.ms/AMA/SecureEndpoints to save the date and add this event to your calendar!Pearl-AngelesJan 20, 2026Community Manager358Views0likes0Comments
Tags
- microsoft defender for iot80 Topics
- threat intelligence35 Topics
- IoT security17 Topics
- threat protection15 Topics
- defender14 Topics
- MDATP13 Topics
- Defender for Endpoint13 Topics
- security13 Topics
- ATP10 Topics
- defender atp10 Topics