Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Download quarantined files now Generally Available
Published Jul 26 2021 09:00 AM 17K Views

During a threat investigation, time is of the essence. Being able to move quickly and get the information needed to assess the situation can dramatically help to reduce the time to remediation and limit the scope of an attack.  


Today, we are excited to offer a new feature that gives security teams the ability to download quarantined files and expands the scope of sample submission to include files that are quarantined on your endpoints. This feature will help Security Admins and SecOps more efficiently investigate threats as they’ll be able to download a quarantined file directly without needing to get end users involved – helping to save critical minutes, if not hours during an investigation.  


The download quarantine files feature will be turned on by default in Microsoft 365 Defender. 

Files that have been quarantined by Microsoft Defender Antivirus or your security team will be saved in a compliant way according to your sample submission configurations. Your security team can then download the files directly from the file’s detail page via the Download file button.  




1 Screenshot of Microsoft 365 Defender showing a file page with the ”Download file” option available. 


The file will be saved in your Downloads folder: 



2 Screenshot of file explorer showing a password protected zip file that has been downloaded from quarantine. 


If you want to find a specific quarantined file, there are a few places in Microsoft 365 Defender you can look: 

  • Alerts - select the corresponding links from the “Description” or “Details” in the Artifact timeline 
  • Search box - select File from the drop–down menu, and then enter the file name 

Collecting quarantined files 

Users might be prompted to provide consent before the quarantined file is collected, depending on your sample submission configuration. If sample submission is turned off or the end user declines to share the file, the file will not be collected. A quarantined file will only be collected once per organization. 


  • Sample submission is turned on 
  • Devices have Windows 10 version 1703 or later, or Windows server 2016 or 2019 


This feature is available to customers in public preview. If you have not yet opted in, we encourage you to turn on preview features so that you can try this out today. 


Turning off the download quarantined file setting 

Having this setting turned on can help security teams examine potentially bad files and investigate incidents quickly and in a less risky way. However, if you need to turn this setting off, go to Settings Endpoints > Advanced features and toggle “Download quarantined files” Off. See Configure advanced features in Microsoft Defender for Endpoint | Microsoft Docs. 




 3 Screenshot of Microsoft 365 Defender showing the Advanced features page and the Download quarantined files button on the right 


We’re excited to offer you this new feature and look forward to your feedback, let us know what you think in the comments or through the portal! 


Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.  


The Microsoft Defender for Endpoint team 

Version history
Last update:
‎Oct 19 2021 12:58 PM
Updated by: