Recent Discussions
Bad quality of Defender / Intune docu, annoying
Whenever I need learning.microsoft.com, I find their descriptions: A) very often menu links which do not exist (guess it's been rearranged); B) very often mistakes happen: in this article https://learn.microsoft.com/en-us/defender-endpoint/android-configure-mam several parameters are described with an integer value, and the same parameter a second time at the same place as boolean. And so many more mistakes I found. Well: some companies maybe wanna earn money doing training with their customers, which is necessary only as the docu is unreadable or written so boringly that you fall asleep and understand nothing. Please do more quality.

Cannot delete a tag added through an Asset rule
Hello, we had created in the past an asset rule to assign a tag to a few machines. Now we are trying to remove the tag but we can't find the right way. We have deleted the asset rule (it was turned off more than 2 months ago). When I go to the machine details and click on 'Manage tags', I can see a section called 'Manual tags' (there I can add/remove tags from the console) and a section called 'Rule-based tags' with the description 'Rule-based tags are automatically added to devices based on rules that you create. You can add, edit or delete a rule in Manage rules.' Going through PowerShell and the API, it doesn't work either. Even getting the details of a machine only shows the manual tags. How do we remove such a tag, then? Thanks in advance for your help. Marc

Differentiate actual DfC/DfE license usage on Windows systems
Trying to understand how the Windows endpoint (server/laptop) licenses are being used in my environment, and for that, trying to figure out how to check the number of on-prem/Azure cloud systems deployed with a Microsoft Defender for Endpoint or Defender for Servers P2 license. Like, where and how can I see which assets are getting configured with a DfS license and which systems have been configured with MS DfE?

Alert Rule Fails on Dynamic Field Parsing in DeviceTvmInfoGathering
Hi, need help: alert rule fails but hunting query works (dynamic fields issue). Alert rule query fails when using parse_json on AdditionalFields; any workarounds? Need to get an alert when AvMode is disabled. KQL:

    DeviceTvmInfoGathering
    | where isnotempty(AdditionalFields)
    | where Timestamp > ago(1h)
    | extend AF = parse_json(AdditionalFields)
    | where AF has "AvMode"
    | extend AvMode = tostring(AF.AvMode)
    | where AvMode == "2"
    | extend ReportId = tolong(abs(hash(DeviceId)))
    | project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, AvMode

Issue with Missing Endpoint menu in Settings
I know this is a frequent topic, but nothing seems to be working for me. I am a security admin and licensed for Microsoft 365 Business Standard, and I have a Defender for Endpoint P2 license assigned to my user ID. The license has been assigned for over 24 hours, I've clicked on menu choices waiting for provisioning, but the Endpoint menu and settings link do not appear. Any other ideas? Thanks for your assistance.

Defender API - Get software by ID with a " ' " inside the defender_id
In the list of software I retrieved with the API ("/api/Software"), some of the software have an Id with a "'" (apostrophe) in the name, i.e.: microsoft-_-portail_d'entreprise. When calling, for example, Get Software by Id ("/api/Software/{Id}"), so in this case it would be /api/Software/microsoft-_-portail_d'entreprise, or if I replace the ' by %27, so /api/Software/microsoft-_-portail_d%27entreprise, I always get a status code 400 (malformed). How can I make it work? Thx

Core Isolation False Positives
Why is there currently no way to whitelist or even submit Memory Integrity / Core Isolation false positives to Microsoft? I have a service that is constantly detected (even though it has now been digitally signed by the vendor). When it is detected it stops the product from working correctly. There is no way to whitelist this service, and the only way to currently work around it is to turn off Core Isolation. But our security teams want to turn Core Isolation back on for users. How do we get this service looked at? I have tried submitting the file to Microsoft, who say it isn't malicious, but it's still getting detected. I don't have access to the MDE console so can't submit anything directly from there either.

[MS Defender for Endpoint] Wanted guidance on Alerts API
Question: Which API is recommended for reliably sharing domain information, especially for integration with external tools?
https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id
https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info
How can I generate or simulate alerts so that the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info API returns actual domain-related data? What are the best practices for selecting the appropriate API for this use case, considering I cannot use both in my integration?

Things I have explored so far:
Currently using the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id API. Provides domain-related data in the evidence section. Example response includes entities with entityType as Url containing both domain names and URLs.

Alert Response:

    {
      "id": "da0c5a38e4-3ef4-4c75-a0ad-9af83e866cf1_1",
      "detectionSource": "WindowsDefenderAtp",
      "category": "CredentialAccess",
      "evidence": [
        {
          "entityType": "Url",
          "url": "pub-8eab0c35f1eb4dacafaaa2b16d81a149.r2.dev"   // DOMAIN TYPE
          // ... Other fields
        },
        {
          "entityType": "Url",
          "url": "https://example.com"   // URL TYPE
          // ... Other fields
        }
      ]
      // ... Other fields
    }

Noticed another API: https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info. Purpose-built for retrieving domains related to alerts. Returns an empty data object with no domains or hosts, even when generating alerts by accessing blocked domains. A custom IOC of type domain has been added to the endpoint indicators list, and then the same domain was accessed from a Windows machine. Ref: https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain#create-an-indicator-for-ips-urls-or-domains-from-the-settings-page

How to extract vulnerability details from Microsoft Defender?
With the KQL below, I'm able to retrieve only a few details about the vulnerability.

    DeviceInfo
    | summarize arg_max(Timestamp, DeviceName, OSPlatform, SensorHealthState, OnboardingStatus) by DeviceId
    | join kind=inner (
        DeviceLogonEvents
        | where ActionType == "LogonSuccess"
        | summarize arg_max(Timestamp, AccountName, AccountDomain) by DeviceId
        | extend Owner = strcat(AccountDomain, "\\", AccountName)
    ) on DeviceId
    | join kind=inner (
        DeviceTvmSoftwareVulnerabilities
        | project DeviceId, CveId, SoftwareName, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
    ) on DeviceId
    | project DeviceName, OSPlatform, SensorHealthState, Owner, OnboardingStatus, CveId, SoftwareName, VulnerabilitySeverityLevel, RecommendedSecurityUpdate

However, I need additional details as below: Environment, OS Version, Vulnerability Name, Apps/Infra, Owner, Risk, CVSS, CVE ID, Solution, Vulnerability links, IP, Port, DNS/NETBIOS NAME, Plugin Output, Synopsis, Description, Occurrence, Ageing, Region, Plugin ID, Purpose, Exception, Application. Is there a way or script (KQL or PowerShell) to retrieve these details from Microsoft Defender?

Defender for Endpoint/Identity not logging eventid 4625
During some on-prem pen-testing, password sprays were conducted and Defender did not alert in any way, and even digging in advanced hunting did not show enough indication of this attack. We were also ingesting the logs (Event IDs 4624 and 4625) from a domain controller, which made it possible to create a SIEM rule to detect the behavior, but the question is: what is missing for Defender to pick this up, or at least log the events to make a custom detection an option? The domain controller that generated the SIEM logs was onboarded with a type of "domain controller"; Defender for Identity is also enabled. Do any users have this experience with Defender missing pen-test activities?

Looking for Siloed solution
Hello, my organization is looking for a new cyber security solution for our siloed network. The network is kept internal and we have been using a Trellix solution for our needs, but we are looking to move away from it for various reasons. With MDE looking like the solution we want, we have been unable to find whether there is an option for an isolated network like ours, where we would still have access to the GUI and the features but wouldn't connect via the cloud to the greater networks outside. Is this possible for us to set up with MDE, or should we begin looking for a different solution?

MemScanVfz-AMSI scan causing CPU performance issue
We have a few workstations (W11) and servers (Win Srv 2019) with slow performance because MsMpEng.exe is the highest CPU utilizer (80-90%). Based on the MP performance recording, I noticed only MemScanVfz-AMSI in the top 20 scans. Is there any way we can disable this service or add exclusions, or any suggestion to reduce the CPU utilization?

Intune Website Block Policy Not Working on Newly Enrolled Devices
We configured URL blocking for multiple cloud storage services via the Microsoft 365 Defender portal at https://security.microsoft.com > Settings > Endpoints > Indicators. The policy works on older devices, but we recently discovered that newly enrolled Windows devices can still access those URLs — even though they show as compliant in Microsoft Defender for Endpoint. Has anyone encountered this issue before? The PC was enrolled 2 days ago.

Password reuse limitations
I have been doing some testing of using Windows Defender to detect password re-use. I have found that if you have the username and password fields together, then password re-use detection works well. However, if you have a site like ChatGPT that has a form for your username and then the password box only appears after you have hit enter, then the password re-use detection does not work.
how do i contact comcast about email problems

🔒 Title: Enabling Microsoft Defender for Endpoint + PCI-DSS Email Protection (UPYUGO Use Case)
We’re deploying Microsoft Defender for Endpoint and aligning it with PCI-DSS v4.0 compliance for our UPI-first fintech brand UPYUGO Technologies. Our focus:
• Shield transactional emails (KYC, OTP, payment alerts)
• Lock down phishing/spam with custom quarantine logic
• Implement Defender strict policy + advanced anti-spam (MDO)
Would love feedback on:
• Best practices for Defender ATP in regulated environments
• DMARC, SPF, DKIM recommendations
• Log forwarding to Sentinel or Azure Monitor
Cheers, email address removed for privacy reasons

MPScanSkip error codes
From the MPScanSkip log file, does anyone know what these error codes are?
C:\ProgramData\Microsoft\Windows Defender\Support\MPScanSkip-xxxxxxxx-xxxxxx.log

    OnDemandScan skipped or partial scan for [filepath]. Reason [Scan Error]. Error Code [80500021]
    OnDemandScan skipped or partial scan for [pid:xx]. Reason [Scan Error]. Error Code [8050012b]
    OnDemandScan skipped or partial scan for [process]. Reason [Scan Error]. Error Code [8050007b]

Why is Defender displaying Azure internal DNS name instead of VM name?
Hello, I am currently learning and testing Microsoft Defender for Endpoint on an Azure Linux VM. I’ve installed Defender for Endpoint on a Linux VM in Azure. However, in the Defender portal, the device is showing up with an internal Azure DNS name instead of the actual VM name. After noticing this, I changed the hostname of the Linux VM to linux-defender using the command:

    sudo hostnamectl set-hostname linux-defender

Then, I reinstalled Defender and onboarded it again using the onboarding file. However, now I see two devices listed in Defender:
- The old device with the internal DNS name.
- The new device with the updated hostname.
I’m not sure if this is the expected behavior, but I believe it may cause some issues when it comes to managing devices overall, since Defender initially took the DNS name as the device name — even the domain was showing the same. After changing the hostname, the domain is now showing as WORKGROUP. Can anyone help me understand why this is happening and how to clean up or fix the duplicate entries in Defender? Thanks for your help!

API Filtering
Hello, I use the following command to retrieve all computers listed in MDE:

    $url = "https://api.security.microsoft.com/api/machines"
    $webResponse = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop

I've tried many options to try to filter by OS platform to include only *Windows* machines. Do you know how to add a filter to the URL? Thank you for your help
Recent Blogs
- As of today, October 14, 2025, Microsoft is officially ending support for Windows 10. This means that Windows 10 devices will no longer receive security or feature updates, nor technical support from... (Oct 14, 2025)
- We’re excited to announce a key milestone in Defender’s multi-tenant management journey—Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defen... (Aug 07, 2025)