Local Group Enumeration in MDE?

Wondering if it is possible to enumerate local group membership (Administrators, Remote Desktop Admins, etc.) via Defender for Endpoint. If not directly, perhaps there is a way via Advanced Hunting?

I did a quick look but did not find anything obvious.


Thanks in advance,



Hi Kevin, unfortunately MDE does not currently have the capacity to do this. One option could be to write a custom PowerShell script that works with Live Response.
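
One way such a script could look, as an added example that is not part of the original reply: it reports the members of three privileged local groups as CSV on standard output, so the result appears in the Live Response session when the script is run from the library. The choice of groups (by well-known SID), the output columns and the ADSI fallback are assumptions of this example.

```powershell
# Added example: report members of privileged local groups as CSV on stdout.
# Groups are selected by well-known SID, so localized group names do not matter.
$groupSids = @(
    'S-1-5-32-544',   # Administrators
    'S-1-5-32-555',   # Remote Desktop Users
    'S-1-5-32-580'    # Remote Management Users
)

$report = foreach ($sid in $groupSids) {
    $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }    # group does not exist on this host

    try {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
        foreach ($m in $members) {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Group     = $group.Name
                Member    = $m.Name
                MemberSid = $m.SID.Value
                Class     = $m.ObjectClass
                Source    = [string]$m.PrincipalSource
            }
        }
    }
    catch {
        # Get-LocalGroupMember can throw when a group holds an entry it cannot
        # resolve (for example a SID left behind by a deleted account).
        # Fall back to the ADSI WinNT provider, which still lists such entries.
        $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($group.Name),group"
        foreach ($raw in @($adsi.Invoke('Members'))) {
            $t = $raw.GetType()
            $sidBytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $raw, $null)
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Group     = $group.Name
                Member    = $t.InvokeMember('ADsPath', 'GetProperty', $null, $raw, $null)
                MemberSid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
                Class     = $t.InvokeMember('Class', 'GetProperty', $null, $raw, $null)
                Source    = 'ADSI fallback'
            }
        }
    }
}

# Emit nothing rather than an error if every group was empty or missing.
if ($report) { $report | ConvertTo-Csv -NoTypeInformation }
```

Rows whose `Member` is a bare SID, or whose `Source` is `ADSI fallback`, point at orphaned entries worth cleaning up.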