Latest Discussions
Can't update Defender app on macOS
Hello, we started getting this situation where Defender for macOS can't be updated:

Microsoft Defender 101.25072
Current Version: 101.25062
Installed: 2025-08-05
Update error: The update could not be installed at this time. Please try again later.
Microsoft AutoUpdate is up to date.
Operating System Version: 15.6.1

Device managed by Mosyle MDM. All of our active users have been updated to 15.6.1 (and this problem was observed on OS versions from 15.1 to 15.6.1). What could be causing this? And what can we do about it?
Solved · djolenole · Sep 10, 2025

KQL query
I wanted the best KQL query to check registry modifications, Run key values, and startup items in Defender.
Solved · Yogeesh143 · Sep 09, 2025

Endpoint settings missing in Microsoft Defender for Endpoint
Hi, I am currently using the Microsoft 365 Developer program and am trying to set up an Intune and Microsoft Defender for Endpoint tenant; however, when I try to integrate Defender with Intune, the endpoint setting is not showing in the settings despite the fact that I have the Security Administrator role. Is this expected when using the developer program, or am I missing something? Would appreciate your kind advice.
Solved · 777LDV777 · Sep 08, 2025

MS Defender - Installation Error version 101.25072 on macOS
Dear experts, the latest version of MS Defender can't be installed. I'm getting an error message since the release date (5th Aug). I have tried restarting the computer and tested with different networks; same issue 🙁
Solved · Yassin Koleilat · Aug 29, 2025

What does "deprecated" mean in the Defender Antivirus for Linux settings?
When you create a Microsoft Defender Antivirus policy for Linux in the Endpoint Security Policies blade of the Defender admin center, there are two settings in the Antivirus Engine section that have "(deprecated)" after them: "Enable real-time protection (deprecated)" and "Enable passive mode (deprecated)". What exactly does "deprecated" mean in this context? I can't imagine that the features themselves are deprecated; are we supposed to be configuring them elsewhere?
Solved · RyanSteele-CoV · Aug 20, 2025

Get-MpPerformanceReport empty processpath
Hi, does anyone know why we sometimes get an empty processpath when using Get-MpPerformanceReport to get top processes? Some say it could be Defender for Endpoint, but I would like to be sure what it is. Any ideas on how to get more info? Thank you in advance, and don't hesitate if you have any questions.
Solved · lalanc01 · Aug 13, 2025

Defender detection caused by monitoring script
Dear Community, we use PRTG, which monitors various things for our customers. One of our customers uses Microsoft Defender, which issued an alert for "SmokeLoader." After some research, we found that this is caused by two of our scripts, which establish a connection to our servers and query various things. This raised the question of how we can best whitelist this, since the detection comes from "WinRM" and not directly from the script itself. However, the script itself establishes a connection to the servers and requests some information. Are there any sensible measures that can be taken here? Only whitelisting the script (folder or hash) makes limited sense, since the detection in this case was for the WinRM process, so the behavior analysis would kick in again. Thank you for your time! Best regards, SleeperHead
Solved · SleeperHead · Aug 07, 2025

When is a device considered deleted or inactive in the DeviceInfo table?
Hi, I'm trying to better understand how the device lifecycle is handled within Microsoft Defender for Endpoint, specifically in the context of Advanced Hunting via the DeviceInfo table. When can we consider a device as deleted or removed from the DeviceInfo table? How long do offboarded or inactive devices remain in the DeviceInfo table before they are automatically purged? Are there specific values (e.g., onboardingStatus, lastSeen, isActive, etc.) or time-based thresholds that should be used to determine if a device is no longer active? Any guidance or documentation references would be greatly appreciated!
Solved · vinaygowlla · Aug 07, 2025

How to Automatically Export Microsoft Defender Security Recommendations with Historical Tracking
Hi everyone, I'm currently using Microsoft Defender for Endpoint, and I'm looking for a way to automate the export of security recommendations. Right now, the only available option is to manually export these recommendations as a CSV using the "Export" button in the portal. However, I'd like to:
- Automatically pull these recommendations regularly
- Store them in an Azure SQL database/Azure Storage
- Use Power BI to create dashboards and track trends over time (since Defender does not provide historical views)
Is there a way to fetch this data programmatically? My goal:
- Automatically query this API daily (via Azure Function or Azure Automation or any other way)
- Store each day's results in an Azure SQL table/Storage account with timestamps
- Build Power BI reports for: most frequent vulnerabilities, exposure trends over time, recommendation coverage and progress
Solved · TammyJha · Jul 25, 2025

ASR rule blocking execution of OneDriveSetup.exe
A member of our Service Desk team was working with a user to troubleshoot an issue with the OneDrive sync client on their Windows workstation. As part of their troubleshooting, they uninstalled the client with the intent to re-install it, but when they attempted to run OneDriveSetup.exe, they received an error. It turned out that execution was being blocked by the "Block use of copied or impersonated system tools" Attack Surface Reduction rule. I was able to work around the issue by creating an exception in our Attack Surface Reduction Rules policy, but this situation consumed most of my morning and seriously impacted the productivity of one of our users, so I would like to ensure that it does not happen again. Should I report this as a false positive (per https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-asr#report-a-false-positive-or-false-negative ), or is this policy somehow working as designed? If it is the latter, what is the correct approach for reinstalling the OneDrive sync client on a machine with this ASR rule applied to it?
Solved · RyanSteele-CoV · Jul 18, 2025