Microsoft Defender for Endpoint | Microsoft Community Hub

Recent Discussions

How to remove SSL Certificate on CLI
How can an SSL certificate get removed on the backend through the CLI? When I delete the cert in the GUI, it doesn't seem to actually get removed from the backend. The cert doesn't show in the GUI, but the cert is still recognized in the browser so it appears apache is still seeing it serving it up. There's a cert folder at: /var/cyberx/keys/certificates There's a properties folder at: /var/cyberx/properties Do I just remove the folder and restart apache? Are there any .properties files that need modified?
Solved
ry__panov__
Brass Contributor
Dec 12, 2025 Place Microsoft Defender for Endpoint
microsoft defender for iot
1KViews
0likes
1Comment
DNP3 Serial Protocol Support
Is DNP3 Serial a supported protocol?
Solved
ry__panov__
Brass Contributor
Dec 12, 2025 Place Microsoft Defender for Endpoint
microsoft defender for iot
SCADA Security
3KViews
0likes
2Comments
Is Raspberry PI Bullseye also supported by Defender for IoT agent installation?
Hello, As Azure IoT Edge is https://azure.microsoft.com/en-us/updates/azure-iot-edge-supports-debian-bullseye-arm32v7/ on a Raspberry PI, I was hoping to install the Defender for IoT agent on this device. But when I follow the Debian installation steps, I get an exception: sudo apt-get install defender-iot-micro-agent Reading package lists... Done Building dependency tree... Done Reading state information... Done Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation: The following packages have unmet dependencies: defender-iot-micro-agent : Depends: libcurl3 but it is not installable E: Unable to correct problems, you have held broken packages. Unfortunately, I'm not able to install libcurl3: sudo apt install libcurl3 Reading package lists... Done Building dependency tree... Done Reading state information... Done Package libcurl3 is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source However the following packages replace it: libcurl4 E: Package 'libcurl3' has no installation candidate Because libcurl3 is mandatory instead of optional, I'm not able to let the installer ignore it. Is there some solution? Thanks, Sander
Solved
Sander van de Velde
Copper Contributor
Dec 12, 2025 Place Microsoft Defender for Endpoint
IoT security
microsoft defender for iot
4.8KViews
0likes
4Comments
Defender for Endpoint - macOS scan takes 1 second
Hello, We use Defender for Endpoint on macOS deployed by Mosyle MDM. However, we noticed when user run quick or full scan that action takes 1 second and that is it - 0 files scanned. This used to work before; I happen to have a screenshot: Now, if I run scan from command line, again the same: We use config profiles from here: https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles mdatp health output: Did anyone have this issue? Thanks!
Solved
djolenole
Iron Contributor
Nov 04, 2025 Place Microsoft Defender for Endpoint
191Views
0likes
2Comments
High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs
Hello, I’m running into a recurring issue on Windows Server 2019 Datacenter VMs running in Azure where MsMpEng.exe (Antimalware Service Executable) consistently spikes CPU usage every day. Here’s what I’ve observed so far: Microsoft Defender pulls threat intelligence from the cloud continuously in real-time, in addition to multiple scheduled updates per day. Despite this continuous checking, I’ve noticed a consistent CPU spike only between 4:40 PM and 4:55 PM daily. During this time, Defender consumes 100% CPU. I’ve checked Task Scheduler and Defender scan settings — there are no scans or tasks scheduled during this period. Limiting CPU usage using Set-MpPreference -ScanAvgCPULoadFactor 30 has had no effect on these background maintenance routines. Automatic provisioning via Defender for Cloud is enabled on these Azure VMs, so the MDE agent installs and updates automatically. Logs from Microsoft-Windows-Windows Defender/Operational during the high CPU window: 10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence... 10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence... 10/2/2025 4:49:41 PM 1150 Endpoint Protection client is up and running in a healthy state... These logs confirm that Defender’s cloud intelligence updates and endpoint checks run exactly during the CPU spike window. Even though Defender continuously checks for cloud protection updates throughout the day, the CPU spike occurs only during this particular window. The pattern is consistent across multiple Azure VMs, suggesting this is part of Defender’s automated behavior. Questions for the community: Is this behavior expected for Azure VMs, or could it indicate a bug in Defender on Windows Server 2019? Is there a supported way to throttle, defer, or better manage CPU usage during these maintenance and cloud intelligence routines? Are there recommended best practices for always-on production environments in Azure to avoid performance degradation caused by Defender? Any guidance or advice would be really appreciated. Thanks, Nikunj
Solved
nsojitra
Copper Contributor
Oct 15, 2025 Place Microsoft Defender for Endpoint
767Views
1like
4Comments
ASR rules enabled after onboarding Windows server
Hello, I tested onboarding Windows Server 2019 to Defender using local script and noticed that after onboarding some ASR rules are already enabled in Block mode by default: Block Office applications from creating executable content 3b576869-a4ec-4529-8536-b80a7769e899 Block execution of potentially obfuscated scripts 5beb7efe-fd9a-4556-801d-275e5ffc04cc Block Office applications from injecting code into other processes 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Block Win32 API calls from Office macros 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Block credential stealing from the Windows local security authority subsystem (lsass.exe) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block executable content from email client and webmail be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 Block JavaScript or VBScript from launching downloaded executable content d3e037e1-3eb8-44c8-a917-57927947596d Block all Office applications from creating child processes d4f940ab-401b-4efc-aadc-ad5f3c50688a I haven't applied any group policies yet to it. The server is domain joined. Could it happen that it pulls the configuration from another place? Thanks
Solved
djolenole
Iron Contributor
Oct 08, 2025 Place Microsoft Defender for Endpoint
124Views
0likes
2Comments
Can't update Defender app on macOS
Hello, We started getting this situation where Defender for macOS can't be updated: Microsoft Defender 101.25072 Current Version: 101.25062 Installed: 2025-08-05 Update error: The update could not be installed at this time. Please try again later. Microsoft AutoUpdate is up to date. Operating System Version: 15.6.1 Device managed by Mosyle MDM. All of our active users have been updated to 15.6.1 (and this problem was observed on OS versions from 15.1 to 15.6.1) What could be causing this? And what can we do about it?
Solved
djolenole
Iron Contributor
Sep 10, 2025 Place Microsoft Defender for Endpoint
4.2KViews
5likes
7Comments
KQL query
I wanted to best KQL query to check registry modifications, run key value , startup items in defender
Solved
Yogeesh143
Copper Contributor
Sep 09, 2025 Place Microsoft Defender for Endpoint
157Views
0likes
3Comments
Endpoint settings missing in Microsoft Defender for Endpoint
Hi, I am currently using the Microsoft 365 Developer program and is trying to setup an Intune and Microsoft defender for endpoint tenant however when i am trying to integrate Defender with Intune, the endpoint setting is not showing in the settings despite that i have the Security administrator role. Is this expected when using the developer program or am i missing something? Would appreciate your kind advise.
Solved
777LDV777
Copper Contributor
Sep 08, 2025 Place Microsoft Defender for Endpoint
142Views
0likes
1Comment
MS Defender - Installation Error version 101.25072 on macOS
Dear experts, The latest version of MS Defender can't be installed. I'm getting an error message since release date (5th Aug). I have tested to restart the computer, tested with different networks, same issue 🙁
Solved
Yassin Koleilat
Brass Contributor
Aug 29, 2025 Place Microsoft Defender for Endpoint
7.2KViews
6likes
22Comments
What does "deprecated" mean in the Defender Antivirus for Linux settings?
When you create a Microsoft Defender Antivirus policy for Linux in the Endpoint Security Policies blade of the Defender admin center, there are two settings in the Antivirus Engine section that have "(deprecated)" after them: "Enable real-time protection (deprecated)" and "Enable passive mode (deprecated)": What exactly does "deprecated" mean in this context? I can't imagine that the features themselves are deprecated; are we supposed to be configuring them elsewhere?
Solved
RyanSteele-CoV
Iron Contributor
Aug 20, 2025 Place Microsoft Defender for Endpoint
198Views
0likes
2Comments
Get-MpPerformanceReport empty processpath
Hi, anyone knows why we sometimes get empty processpath when using Get-MpPerformanceReport to get top processes? Some say it could be Defender for Endpoint, but I would like to be sure what it is. Any ideas on how to get more info? Thank you in advance and don't hesitate if you have any questions
Solved
lalanc01
Iron Contributor
Aug 13, 2025 Place Microsoft Defender for Endpoint
142Views
0likes
1Comment
Defender detection caused by monitoring script
Dear Community We use PRGT, which monitors various things for our customers. One of our customers uses Microsoft Defender, which issued an alert for “SmokeLoader.” After some research, we found that this is caused by two of our scripts, which establish a connection to our servers and query various things. This raised the question of how we can best whitelist this, since the detection comes from “WinRM” and not directly from the script itself. However, the script itself establishes a connection to the servers and requests some information. Are there any sensible measures that can be taken here, because only whitelisting the script (folder or hash) makes limited sense here, since the detection in this case was for the WinRM process. So the behavior analysis would kick in again. Thank you for your time! Best regards, SleeperHead
Solved
SleeperHead
Copper Contributor
Aug 07, 2025 Place Microsoft Defender for Endpoint
112Views
0likes
1Comment
When is a device considered deleted or inactive in the DeviceInfo table?
Hi, I’m trying to better understand how device lifecycle is handled within Microsoft Defender for Endpoint, specifically in the context of Advanced Hunting via the DeviceInfo table. When can we consider a device as deleted or removed from the DeviceInfo table? How long do offboarded or inactive devices remain in the DeviceInfo table before they are automatically purged? Are there specific values (e.g., onboardingStatus, lastSeen, isActive, etc.) or time-based thresholds that should be used to determine if a device is no longer active? Any guidance or documentation references would be greatly appreciated!
Solved
vinaygowlla
Copper Contributor
Aug 07, 2025 Place Microsoft Defender for Endpoint
147Views
0likes
1Comment
How to Automatically Export Microsoft Defender Security Recommendations with Historical Tracking
Hi everyone, I'm currently using Microsoft Defender for Endpoint, and I'm looking for a way to automate the export of security recommendations. Right now, the only available option is to manually export these recommendations as a CSV using the "Export" button in the portal. However, I’d like to: Automatically pull these recommendations regularly Store them in an Azure SQL database/Azure Storage Use Power BI to create dashboards and track trends over time (since Defender does not provide historical views) Is there a way to fetch this data programmatically? My Goal: Automatically query this API daily (via Azure Function or Azure Automation or any other way) Store each day's results in an Azure SQL table/Storage account with timestamps Build Power BI reports for: Most frequent vulnerabilities Exposure trends over time Recommendation coverage and progress
Solved
TammyJha
Copper Contributor
Jul 24, 2025 Place Microsoft Defender for Endpoint
257Views
0likes
2Comments
ASR rule blocking execution of OneDriveSetup.exe
A member of our Service Desk team was working with a user to troubleshoot an issue with the OneDrive sync client on their Windows workstation. As part of their troubleshooting, they uninstalled the client with the intent to re-install it, but when they attempted to run OneDriveSetup.exe, they received an error. It turned out that execution was being blocked by the "Block use of copied or impersonated system tools" Attack Surface Reduction rule. I was able to work around the issue by creating an exception in our Attack Surface Reduction Rules policy, but this situation consumed most of my morning and seriously impacted the productivity of one of our users, so I would like to ensure that it does not happen again. Should I report this as a false positive (per https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-asr#report-a-false-positive-or-false-negative ), or is this policy somehow working as designed? If it is the latter, what is the correct approach for reinstalling the OneDrive sync client on a machine with this ASR rule applied to it?
Solved
RyanSteele-CoV
Iron Contributor
Jul 18, 2025 Place Microsoft Defender for Endpoint
428Views
0likes
2Comments
DLP
Hello Team, please does Microsoft Business Premium support Endpoint Data Lost Protection
Solved
Michael_Obeng
Copper Contributor
Jun 24, 2025 Place Microsoft Defender for Endpoint
255Views
0likes
6Comments
Indicators added for URL with setting 'Audit'. But where can I review those?
Was asked to put a few domains on a watchlist to see how often they're actually requested from endpoints in our organization. Went to Defender, Settings, Endpoints, Indicators, and added the domains there with the action set to 'audit'. I figured I should be able to review something in the Audit logs of Defender itself, but all I see there are the actions I did when adding the URLs to the indicator list. Anyone have any idea where I can review the usage of those websites I've set to audit, so we can determine if it's feasable to shut them down or not?
Solved
JurriaanvD
Copper Contributor
Jun 03, 2025 Place Microsoft Defender for Endpoint
116Views
0likes
2Comments
Can I use Microsoft Defender for Endpoint for CIS benchmark assessment
Hi Team, I have a customer who wants to do CIS benchmark assessment (CIS Microsoft Windows Server Benchmarks) for On-prem Windows 2022 servers. Can we use Microsoft defender for endpoint to do it? What's the prerequisite? E5 and Arc onboarding? Thank you. Regards, Huaye
Solved
Huaye
Microsoft
Apr 09, 2025 Place Microsoft Defender for Endpoint
1.7KViews
0likes
6Comments
Defender for endpoint expiration - Linux and macOS
Since the application expires on Linux after 9 months and on MacOS after 6 months, is there a report or portal indicating that the application has expired? What does that look like?
Solved
djolenole
Iron Contributor
Apr 01, 2025 Place Microsoft Defender for Endpoint
195Views
0likes
2Comments

Recent Discussions

How to remove SSL Certificate on CLI

DNP3 Serial Protocol Support

Is Raspberry PI Bullseye also supported by Defender for IoT agent installation?

Defender for Endpoint - macOS scan takes 1 second

High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs

ASR rules enabled after onboarding Windows server

Can't update Defender app on macOS

KQL query

Endpoint settings missing in Microsoft Defender for Endpoint

MS Defender - Installation Error version 101.25072 on macOS

What does "deprecated" mean in the Defender Antivirus for Linux settings?

Get-MpPerformanceReport empty processpath

Defender detection caused by monitoring script

When is a device considered deleted or inactive in the DeviceInfo table?

How to Automatically Export Microsoft Defender Security Recommendations with Historical Tracking

ASR rule blocking execution of OneDriveSetup.exe

DLP

Indicators added for URL with setting 'Audit'. But where can I review those?

Can I use Microsoft Defender for Endpoint for CIS benchmark assessment

Defender for endpoint expiration - Linux and macOS

Events

Recent Blogs

Ignite 2025: Microsoft Defender now prevents threats on endpoints during an attack

Native root detection support for Microsoft Defender on Android

Resources

Tags