Forum Discussion
Ways to fetch quarantine files
The API conclusion holds. There's no public MDE endpoint that lists quarantine or returns the file content. StopAndQuarantineFile only acts on a file, and GET /api/files/{sha} is reputation data with no per-device quarantine state, which lines up with both your 404 and the metadata you got back.
What usually gets skipped here is that you can still get the content out without Live Response PowerShell. The file's profile page in the portal has a "Download file" action that returns a password-protected .zip of the sample. For quarantined files that depends on Settings > Endpoints > Advanced features > "Download quarantined files", which is on by default. Whether the button is actually live comes down to a few preconditions: MDAV in active mode, AV engine 1.1.17300.4 or newer, cloud protection and sample submission both on, and the file-collection RBAC permission. If MDE never stored the file you'll see "Collect file" instead. The sample is collected once per org and stays in your tenant geo. That covers your retrieval question and the alternative-to-PowerShell one.
For mapping a hash to where it landed: nothing in the quarantine store is directly queryable, but the detection event is reliable enough to lean on. Pivot from the SHA through DeviceEvents:
DeviceEvents
| where ActionType == "AntivirusDetection"
| where SHA1 == "your-sha1" // SHA256 is often empty in this table, SHA1 is the safer key
| extend AF = parse_json(AdditionalFields)
| project Timestamp, DeviceId, DeviceName, FolderPath, FileName, SHA1,
    ThreatName = tostring(AF.ThreatName),
    WasRemediated = tostring(AF.WasRemediated),
    WasExecutingWhileDetected = tostring(AF.WasExecutingWhileDetected)
| order by Timestamp desc
WasRemediated is what confirms the quarantine actually completed on a given device rather than just firing. If you'd rather see the device spread than read rows, Action center > History lists the "Quarantine file" action with "Apply to X more instances of this file".
When you need the bytes locally, or the same thing across a fleet, MpCmdRun is the tool and the flag people overlook is -Path. MpCmdRun.exe -Restore -Path <dir> writes a copy into a directory and leaves the original in quarantine, so you walk away with the sample but the endpoint stays as it was. Run -Restore -ListAll first to see what's sitting there. Wrap it in Live Response (the run command) once it's more than a single box.
The one real gap is the programmatic side. There's nothing to enumerate or bulk-pull quarantine over an API, so anything automated still ends up going through MpCmdRun under Live Response.
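As an added illustration of the MpCmdRun route described above (this is example code, not something from the original post or from Microsoft), the following PowerShell lists the local quarantine, restores copies of every entry into a collection directory with -Path so the quarantine entries themselves are untouched, and hashes the copies so they can be matched back to the SHA1 in DeviceEvents. The collection directory name, the platform-directory lookup and the exit-code handling are assumptions; the -Restore, -ListAll, -All and -Path switches are the ones MpCmdRun documents.

```powershell
# Added example: collect copies of quarantined files locally with MpCmdRun.exe.
# Assumed: C:\QuarantineCollection as the drop directory; adjust to a restricted,
# dedicated location on the host you run this on.
param(
    [string]$CollectDir = "C:\QuarantineCollection"
)

# Current builds ship MpCmdRun.exe under the versioned Platform directory;
# fall back to the legacy Program Files location if that lookup finds nothing.
$platform = Get-ChildItem "$env:ProgramData\Microsoft\Windows Defender\Platform" -Directory -ErrorAction SilentlyContinue |
    Sort-Object Name -Descending | Select-Object -First 1
$mpCmdRun = if ($platform) {
    Join-Path $platform.FullName "MpCmdRun.exe"
} else {
    Join-Path $env:ProgramFiles "Windows Defender\MpCmdRun.exe"
}
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

# Step 1: see what is sitting in quarantine before restoring anything.
& $mpCmdRun -Restore -ListAll
if ($LASTEXITCODE -ne 0) { throw "MpCmdRun -Restore -ListAll returned $LASTEXITCODE" }

# Step 2: write a copy of every entry into the collection directory.
# -Path is the key switch: the original stays in quarantine, so the endpoint's
# state does not change; only the copy lands on disk.
New-Item -ItemType Directory -Path $CollectDir -Force | Out-Null
& $mpCmdRun -Restore -All -Path $CollectDir
if ($LASTEXITCODE -ne 0) { throw "MpCmdRun -Restore -All returned $LASTEXITCODE" }

# Step 3: hash the collected copies so each one can be tied back to the
# SHA1 column in the DeviceEvents AntivirusDetection row that produced it.
Get-ChildItem -Path $CollectDir -File -Recurse |
    Get-FileHash -Algorithm SHA1 |
    Select-Object Hash, Path
```

Under Live Response the same script is pushed with putfile and executed with run; per device you then getfile the collected copies out. One caveat worth planning for: the restored copies are the detected content, so real-time protection may re-detect them in the collection directory unless that directory is handled accordingly, which is another reason to keep it dedicated and tightly permissioned rather than somewhere general.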