Recent Discussions
Using MDE (Passive Mode) with Palo Alto Cortex XDR to enable Defender for IoT (Enterprise IoT)
Hi everyone! I'm working with a customer that uses Palo Alto Cortex XDR as their primary EDR. We want to leverage Microsoft Defender for IoT specifically for Enterprise IoT (not OT/ICS). I have a few questions:

- MDE in Passive Mode as a sensor: Can Microsoft Defender for Endpoint (MDE) running in Passive mode act as a sensor to enable Enterprise IoT discovery/monitoring for Defender for IoT? Are there any feature limitations when MDE is not the primary EDR?
- Appliance sensor in Enterprise IT: If we cannot use the MDE agent, is it supported to deploy the Defender for IoT appliance sensor in an enterprise IT network (e.g., offices/campuses) to cover Enterprise IoT use cases?
- Coexistence / Complementary sensors: Is it possible (and recommended) to run the appliance sensor alongside MDE (sensor) to complement coverage/features?

Any guidance on architecture, data overlap/deduplication, or licensing implications?
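Before relying on MDE as a "passive" sensor next to another EDR, it is worth confirming on the endpoint itself that the Sense sensor is onboarded and running and that Defender Antivirus really is in passive mode, since those are two separate states. The script below is an added example, not code from this thread or from Microsoft; it reads the documented onboarding and passive-mode registry values and the platform's own status output. The function names are mine, and the host list for the estate-wide variant is something you supply. The same check applies to the later thread about running MDE in passive mode beside Bitdefender.

```powershell
# Added example, not part of the original thread. Reports whether a Windows endpoint
# is onboarded to Defender for Endpoint and which mode Defender Antivirus is running in,
# so "passive AV + active EDR sensor" can be told apart from "not onboarded at all".
# Registry paths/values are the documented ones; function names are my own.

function Get-MdeSensorState {
    [CmdletBinding()]
    param()

    # Written during onboarding (script, GPO, Intune, MCM): 1 means the Sense sensor is onboarded.
    $statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # Policy that forces Defender Antivirus into passive mode when a third-party AV
    # (Cortex XDR, Bitdefender, ...) is the primary engine. DWORD 1 = passive; absent/0 = not forced.
    $policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forcePassive = (Get-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    # Effective state as the platform reports it. AMRunningMode is one of
    # 'Normal', 'Passive Mode', 'EDR Block Mode' or 'SxS Passive Mode'.
    $av    = Get-MpComputerStatus
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    $senseState    = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    $policyState   = if ($null -eq $forcePassive) { 'NotSet' } else { $forcePassive }
    $sensorHealthy = ($onboarding -eq 1) -and ($null -ne $sense) -and ($sense.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Onboarded          = ($onboarding -eq 1)
        SenseService       = $senseState
        ForcePassivePolicy = $policyState
        AMRunningMode      = $av.AMRunningMode
        RealTimeProtection = $av.RealTimeProtectionEnabled
        # The EDR sensor is only useful if it is both onboarded and running; AV mode is separate.
        SensorHealthy      = $sensorHealthy
    }
}

# Fan out over a list of hosts (WinRM required). The host list is an assumption you supply.
function Get-MdeSensorStateReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-MdeSensorState} -ErrorAction Continue |
        Select-Object PSComputerName, Onboarded, SenseService, ForcePassivePolicy,
                      AMRunningMode, RealTimeProtection, SensorHealthy
}

# Local check:
Get-MdeSensorState | Format-List

# Estate check from an inventory export, e.g.:
# Get-MdeSensorStateReport -ComputerName (Get-Content .\hosts.txt) |
#     Export-Csv .\mde-sensor-state.csv -NoTypeInformation
```

A device that shows AMRunningMode as 'Passive Mode' but Onboarded as False has Defender AV stepped aside without any EDR telemetry flowing, which is the failure mode to look for in a third-party-EDR estate. Whether a passive-mode MDE device is then accepted as an Enterprise IoT discovery source is the licensing and feature question the thread asks; this script only establishes the sensor state.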
MS Defender setting
Hello, I have a question. I'm not from an English-speaking country, so please understand any shortcomings. I'm trying to block or alert on specific URLs in Microsoft Defender > Settings > Endpoint > Rules > Indicators. I've completed the setup, but I'd like to customize the screen that appears on the webpage when an alert is triggered. Is there a way to do this? Thank you in advance for your help.
Latest Threat Intelligence (December 2025)
Microsoft Defender for IoT has released the December 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance
Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package
The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file); for more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 5c642a16bf56cb6d98ef8b12fdc89939

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release; click here for more information.
Microsoft Defender for Endpoint for Vulnerability Management and Reporting
Hi All, We're currently using Rapid7 for vulnerability management and reporting, but we're actively evaluating the possibility of moving to Microsoft Defender for Endpoint going forward. We'd like to better understand how to properly leverage Defender for Endpoint for vulnerability management and reporting. If this means using custom reports, such as building dashboards in Power BI, we're definitely open to that approach.

At a high level, we're looking for guidance on best practices and the right direction to meet the following requirements:
- Ongoing vulnerability tracking and remediation
- Clearer reporting on vulnerability trends and areas needing improvement
- Breakdown of vulnerabilities by severity (Critical, High, Medium, Low), grouped by aging buckets (e.g., 30, 60, 90 days)
- Defender Secure Score reporting over time (30, 60, and 90-day views)
- Visibility into non-compliant devices in Intune, including devices in grace period and PCs that have checked in within the last 14 days

Any recommendations, examples, or pointers to documentation or reporting approaches would be greatly appreciated. Thanks in advance, Dilan
Correct firewall log names to be included in a Defender investigation package?
Hi - first time poster, I work in a SecOps team using Defender for Endpoint. I noticed that when we collect an investigation package from a device in Defender, the firewall logs aren't being found. The advice on Microsoft Learn articles seems to be contradictory as to what the firewall logs should be named:

https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts
"FirewallExecutionLog.txt and pfirewall.log. The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log, so it's included in the investigation package. For more information on creating the firewall log file, see https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune."

This section implies that for the firewall log to be collected it has to be called "pfirewall.log", but on the linked page it is recommended to change the log file names:
"For each profile (Domain, Private, and Public) change the default log file name from %windir%\system32\logfiles\firewall\pfirewall.log to:
%windir%\system32\logfiles\firewall\pfirewall_Domain.log
%windir%\system32\logfiles\firewall\pfirewall_Private.log
%windir%\system32\logfiles\firewall\pfirewall_Public.log"

We have tested the changed names and they are not found by the investigation package. Which one is recommended, and is the logic used in the Defender investigation package correct?
Investigating Excel-Initiated Email Activity Without Sent Items Trace
Two days ago, three emails were sent from a user's inbox without leaving any copies in the Sent Items folder. The user did not send these emails manually—this is confirmed by the presence of the SimpleMAPI flag in Outlook.

What I know:

Email Characteristics:
- All three emails contained a Word attachment.
- No body text was present.
- The subject line matched the attachment file name.
- Two of the emails were identical.

Recipients:
- Emails were sent to colleagues who originally created the attached documents.

Attachment Details:
- One attachment appeared to be a temporary file (e.g., a3e6....).

System Behavior:
- No suspicious logins detected before or after the event.
- Emails were sent via the Outlook.exe process on the user's machine.
- Excel.exe was identified as the parent initiating process according to Microsoft Defender endpoint logs.

In Defender's Endpoint logs I found this under Typed Details (related to the firing of the 3 emails):

1. Downloaded file: 2057_5_0_word_httpsshredder-eu.osi.office.net_main.html
   Path: C:\Users\s***s\AppData\Local\Microsoft\Office\16.0\TapCache\2057_5_0_word_httpsshredder-eu.osi.office.net_main.html
2. Downloaded file: ~$rmalEmail.dotm
   Path: C:\Users\s***s\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm

I am seeking assistance to replicate this issue and accurately determine how these three emails were triggered.
KQL query to report on Audit/Block status of Network Protection
Anyone know how to run a query using KQL in the Defender portal to return the status of Network Protection (Audit or Block mode)? The following query returns results, but "IsCompliant" = 1 when Network Protection is on in either Audit or Block mode. I thought the Context column might help, but for this SCID it is always empty.

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-96"

The information is available within the portal when you drill into the device (configuration management > effective settings), but this is not scalable when needing to check across a large estate. How could you query this via KQL, or another way, to generate a report on overall estate health and configuration? Long term it would be great to report on this in a Power BI dashboard. Thanks
MS Defender 101.25102 update error
I have been trying to update MS Defender for several days now, without luck. I am on an iMac M3 with macOS 26.1. I tried removing and reinstalling the app, but it seems that the uninstall script does not remove the app at all. Yes, I did restart the machine. Does anyone have a solution?
Defender for Endpoint on Linux
I'm using the Linux version of the Defender agent on RHEL 8. The intended setup is: the agents are registered to the Defender cloud, and we have enabled the Intune to Defender connector. So when you register your endpoint, it should also create a skeleton registration in Intune so it can manage the Linux policy. I've got that set up. However, if you need to make quick, perhaps unscheduled, changes to your Linux MDATP profile, how do you do it? It seems to be based on when the endpoint checks in with Intune, which Intune does every 4-6 hours. Some of the docs I read said to just make the change to the .json config on the client, and then Intune will reapply the updated policy when the agent checks in. OK, but if you have enabled the anti-tamper feature on the agents, how do you then update the .json file? It's just going to block you from doing that.
Bitdefender active mode, configure MDE passive mode
Hi, We have a scenario where a client currently has Bitdefender in Active Mode and uses it to manage their endpoints, and now plans to use Defender for Endpoint in Passive Mode for endpoints (Windows 11/Server).
- How to configure MDE in passive mode, step by step?
- I have 500 devices; how to onboard them on MDE step by step in co-management?
- While MDE is in Passive mode, is there any performance issue alongside a 3rd party antivirus solution?
MDE use of Certificate based IoC not working
I have been trying to use MDE IoC with certificates as per the following link: https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates#create-an-indicator-for-certificates-from-the-settings-page

This is on a demo tenant with full M365 E5 licenses and the vulnerability trial enabled just in case. Test devices are:
- Windows 11 with latest updates, domain joined and managed by Intune
- MDE onboarded and active with AV
- Network protection in block mode
- Cloud-delivered protection enabled
- File hash enabled
- In Defender portal > Settings > Endpoints > Advanced settings, all options enabled

I am testing with Firefox: the installer and the application .exe after installation. I have extracted the leaf certificate from both these .exe's using the helpful information in the following link: https://www.linkedin.com/pulse/microsoft-defender-missing-manual-how-actually-create-adair-collins-paiye/

Then I uploaded the certs into Defender portal > Settings > Endpoints > IoC > Certificates, set to Block and remediate.

Issue: It's been 24h and nothing happens on the client devices. In the Defender portal > Assets > Devices > device timeline, I can see the Firefox processes, but at no point is the installer or application blocked. Have I misunderstood how the feature works? Has anyone else managed to get this to work? Advice appreciated. Thanks, Warren
Defender exclusion model seems to Violate CIS Benchmarks
Basically I wanted to exclude shadow copies from the virus scans, as this already takes forever and I could see high system usage while this was done on our server. The logic being that this data was already scanned multiple times again and again, and even if a virus managed to infect the shadow volume it would be caught as soon as the file was restored.

Unfortunately it seems to be impossible to only exclude the HarddiskVolumeShadowCopy, so to achieve this I would have to exclude the whole "System Volume Information" folder.... and this obviously violates the CIS benchmark for security, and it is generally just weak design that this is not possible (unless I am misunderstanding something and it is possible in some way).

So here is the long and short after my debate with Copilot:

Microsoft Defender Antivirus currently lacks support for exclusions using NT device paths such as:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*

This limitation forces administrators to exclude the entire System Volume Information folder to prevent scanning of VSS shadow copies. However, this folder contains multiple critical system components beyond shadow copies, including:
- NTFS Change Journal (USN)
- DFS Replication Database
- Indexing Service Data
- Other system metadata

Excluding this entire folder violates CIS Benchmarks and Microsoft's own hardening guidance, which recommend minimizing antivirus exclusions to the smallest scope possible (Principle of Least Privilege). The current design introduces unnecessary risk and creates compliance gaps for organizations following CIS or similar frameworks.

Impact:
- Security risk: Broader exclusions than necessary reduce visibility into system metadata.
- Compliance risk: Organizations cannot meet CIS Benchmark requirements for AV configuration.
- Operational inefficiency: Defender scans shadow copies using kernel paths but does not allow precise exclusions for those same paths.

Recommendation: Microsoft should:
- Support exclusions for NT device paths (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*).
- Alternatively, provide a specific policy setting to exclude VSS snapshots without excluding other system components.

This change would align Defender with CIS Benchmark principles, reduce unnecessary exclusions, and improve performance without compromising security.

References:
- CIS Microsoft Windows Server Benchmark v3.0
- Microsoft Defender Antivirus Configuration Guidelines
- Principle of Least Privilege in AV Exclusions
Latest Threat Intelligence (November 2025)
Microsoft Defender for IoT has released the November 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance
Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package
The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file); for more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 0ed5b864101c471d987b332fc8619551

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release; click here for more information.
Does Windows Defender create a batch file?
Hi there, I am on Windows 11 and Defender did detect some malware during an installation. The files have been blocked and quarantined; a deep scan did not find any more issues. But I had weird Explorer behaviour after restarting: explorer.exe did stop and restart. I realized there is a batch file called securitycenter.bat in the autostart folder. The batch stops and restarts Explorer. It was created right at the time Defender did notice the malware. I checked explorer.exe. There is only one on the system and it seems to be the correct one (signed by Microsoft). Any ideas?
Web Protection not blocking click throughs, but blocks direct access
I'm currently working to block all AI LLMs that aren't Copilot. I'm using the Defender for Cloud integration, which so far in testing is working well. However, I have one example with Grok where I have needed to add a custom URL so that I can block it being accessed from the sidebar on the main X website. I've added the URL as a custom URL indicator, but if I follow the link on the X website it's not blocked. If I refresh the page once I'm on it, it will then return the expected block page. Similarly, if I manually browse to that URL it's also blocked on the first attempt. What's preventing Endpoint from blocking the click-through to the page? I'm using Edge.
Defender for Endpoint - macOS scan takes 1 second
Hello, We use Defender for Endpoint on macOS deployed by Mosyle MDM. However, we noticed that when a user runs a quick or full scan, that action takes 1 second and that is it: 0 files scanned. This used to work before; I happen to have a screenshot:

Now, if I run a scan from the command line, again the same:

We use config profiles from here: https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles

mdatp health output:

Did anyone have this issue? Thanks!
Recent Blogs
- This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attack... (Nov 18, 2025)
- Root detection is a critical security control that identifies whether an Android device has been compromised to gain elevated privileges or unrestricted access to the operating system. When a device ... (Nov 17, 2025)