Troubleshooting mode for Microsoft Defender for Endpoint now Generally Available!
Microsoft Defender for Endpoint offers the best possible protection when all capabilities, including tamper protection, are enabled and configured. Tamper protection is a strong safeguard against inadvertent changes to critical settings, but it also means that adjusting the configuration to fit your organization's specific environment can take some effort. Introducing troubleshooting mode: a unique, innovative, and secure way to investigate and adjust configurations on your devices. This mode lets the local admin on the device override Microsoft Defender Antivirus security policy configurations, including tamper protection.
Troubleshooting mode is initiated by a single-use command that is created for a single device and is time bound (the window of time for troubleshooting mode is 3 hours). Once troubleshooting mode has expired, the security settings that were configured on the device prior to troubleshooting mode will be restored, and any new policies that were created by your security or IT admin during troubleshooting mode will be applied. (Such new policies are blocked during troubleshooting mode.)
Additional diagnostic files are available for collection after troubleshooting mode ends. Your security admin can collect them by using the Collect Investigation Package feature. The files include before and after snapshots of the MpPreferences and the MpLogs from the troubleshooting window.
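The before and after MpPreferences snapshots are most useful when you compare them, because the difference is exactly what the local admin changed while tamper protection was overridden. The following is an added example (not code from this post or from Microsoft) that assumes each snapshot has been exported to a flat mapping of setting name to value, for instance by converting Get-MpPreference output to JSON; the two snapshots and the list of high-impact settings are constructed for illustration.

```python
"""Compare the before/after MpPreferences snapshots from a troubleshooting window.

Added example, not code from the blog post or from Microsoft. It assumes each
MpPreferences snapshot collected with the investigation package has been
exported to a flat mapping of setting name to value (for instance by
converting Get-MpPreference output to JSON). The two snapshots below are
constructed sample data, not real collection output.
"""

# Settings whose change weakens protection and deserves a closer look when
# reviewing what a local admin did during troubleshooting mode. The names are
# real Get-MpPreference properties; the selection itself is an assumption.
HIGH_IMPACT_SETTINGS = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "MAPSReporting",
    "SubmitSamplesConsent",
    "ExclusionPath",
    "ExclusionProcess",
    "ExclusionExtension",
}

# Constructed "before" snapshot (taken when troubleshooting mode was started).
BEFORE = {
    "DisableRealtimeMonitoring": False,
    "DisableBehaviorMonitoring": False,
    "MAPSReporting": 2,
    "SubmitSamplesConsent": 1,
    "ExclusionPath": [],
    "ScanScheduleDay": 0,
}

# Constructed "after" snapshot (taken when the 3-hour window ended).
AFTER = {
    "DisableRealtimeMonitoring": True,
    "DisableBehaviorMonitoring": False,
    "MAPSReporting": 2,
    "SubmitSamplesConsent": 1,
    "ExclusionPath": ["C:\\BuildAgent\\work"],
    "ScanScheduleDay": 1,
    "ScanParameters": 2,
}


def diff_snapshots(before, after):
    """Return {setting: (old, new)} for every setting that differs.

    A setting present in only one snapshot is reported with None on the
    other side, so settings added during the window are not missed.
    """
    changes = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def high_impact_changes(before, after):
    """Names of changed settings that are in HIGH_IMPACT_SETTINGS, sorted."""
    return sorted(k for k in diff_snapshots(before, after) if k in HIGH_IMPACT_SETTINGS)


def report(before, after):
    """Human-readable review lines, high-impact changes listed first."""
    changes = diff_snapshots(before, after)
    high = set(high_impact_changes(before, after))
    lines = []
    for key in sorted(changes, key=lambda k: (k not in high, k)):
        old, new = changes[key]
        tag = "HIGH" if key in high else "info"
        lines.append(f"[{tag}] {key}: {old!r} -> {new!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

Settings that appear only in the after snapshot are reported with None as the old value, so a setting the admin introduced during the window is not silently skipped.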
Prerequisites
Semester/Redstone | OsVersion | Release
21H2/SV1 | >= 22000.593 |
20H1/20H2/21H1 | >= 19042.1620 |
Server 2022 | >= 20348.617 |
Server 2019 (RS5) | >= 17763.2746 |
How to turn on Troubleshooting mode (TS mode) on an endpoint:
3. Confirm you want to turn on troubleshooting mode for the device:
4. Now the device page shows the device is in troubleshooting mode (note that the menu item will remain greyed out for as long as the device is in troubleshooting mode):
Advanced hunting queries
Here are some pre-built advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can also use these queries to create detection rules that will alert you when the devices are in troubleshooting mode.
Troubleshooting mode events for a specific device (update the device name or device ID before running):

let deviceName = "<device name>"; // update with device name
let deviceId = "<device id>"; // update with device id
search in (DeviceEvents)
(DeviceName == deviceName or DeviceId == deviceId) and ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| project $table, Timestamp, DeviceId, DeviceName, _tsmodeproperties,
    _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,
    _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,
    _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource

Devices that started troubleshooting mode within the last 3 hours (the length of the troubleshooting window, so these devices are likely still in the mode):

search in (DeviceEvents)
ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(3h)
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId

Number of troubleshooting mode starts per device over a chosen period, busiest devices first:

search in (DeviceEvents)
ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(30d) // choose the date range you want
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| sort by count_

Alert when the total number of troubleshooting mode starts across all devices in a time range exceeds a threshold:

search in (DeviceEvents)
ActionType == "AntivirusTroubleshootModeEvent"
| extend _tsmodeproperties = parse_json(AdditionalFields)
| where Timestamp > ago(2d) // beginning of time range
| where Timestamp < ago(1d) // end of time range
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count()
| where count_ > 5 // choose your max # of TS mode instances for your time range
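The same checks the hunting queries express in KQL can be applied offline to an exported DeviceEvents result set, which is handy when building or testing a detection rule before deploying it. The following is an added example (not part of this post or of Microsoft's tooling) that reimplements the per-device latest state (arg_max), the start count per device, the count threshold, and an extra consistency check that each start's expiry is exactly 3 hours after its start time. The AdditionalFields property names are the ones the queries reference; the rows, the state values "Enabled"/"Disabled", the change source "Portal" and the reason string "Troubleshooting mode expired" are constructed sample data (only "Troubleshooting mode started" appears in the post).

```python
"""Run the troubleshooting-mode hunting logic over an exported event set.

Added example, not part of the blog post or of Microsoft's tooling. The rows
below are constructed; property names follow the hunting queries, while the
state values, change source and the "expired" reason string are assumptions.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

ACTION_TYPE = "AntivirusTroubleshootModeEvent"
STARTED = "Troubleshooting mode started"
EXPIRED = "Troubleshooting mode expired"          # constructed reason string
TS_MODE_WINDOW = timedelta(hours=3)               # the mode is bounded to 3 hours
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample


def make_row(device, when, reason, state, prev_state, start, window=TS_MODE_WINDOW):
    """Build one constructed DeviceEvents row in the shape the queries expect."""
    expiry = start + window
    fields = {
        "TroubleshootingState": state,
        "TroubleshootingPreviousState": prev_state,
        "TroubleshootingStartTime": start.isoformat(),
        "TroubleshootingStateExpiry": expiry.isoformat(),
        "TroubleshootingStateRemainingMinutes": max(0, int((expiry - when).total_seconds() // 60)),
        "TroubleshootingStateChangeReason": reason,
        "TroubleshootingStateChangeSource": "Portal",  # constructed value
    }
    return {"Timestamp": when.isoformat(), "DeviceId": device,
            "ActionType": ACTION_TYPE, "AdditionalFields": json.dumps(fields)}


def _h(n):
    """Timestamp n hours before NOW."""
    return NOW - timedelta(hours=n)


SAMPLE_ROWS = [
    # dev-a: one session started an hour ago, still running
    make_row("dev-a", _h(1), STARTED, "Enabled", "Disabled", _h(1)),
    # dev-b: two sessions today, both already expired
    make_row("dev-b", _h(8), STARTED, "Enabled", "Disabled", _h(8)),
    make_row("dev-b", _h(5), EXPIRED, "Disabled", "Enabled", _h(8)),
    make_row("dev-b", _h(4), STARTED, "Enabled", "Disabled", _h(4)),
    make_row("dev-b", _h(1), EXPIRED, "Disabled", "Enabled", _h(4)),
    # an unrelated event type that every filter must ignore
    {"Timestamp": _h(2).isoformat(), "DeviceId": "dev-a",
     "ActionType": "ProcessCreated", "AdditionalFields": "{}"},
]
# dev-c: six starts in the last day; the oldest carries a 5-hour expiry that
# does not match the 3-hour window and should stand out in the review
for i in range(6):
    SAMPLE_ROWS.append(make_row("dev-c", _h(2 + 3 * i), STARTED, "Enabled", "Disabled",
                                _h(2 + 3 * i), window=timedelta(hours=5) if i == 5 else TS_MODE_WINDOW))


def ts_mode_events(rows):
    """Yield (timestamp, device id, parsed AdditionalFields) for TS-mode rows only."""
    for row in rows:
        if row["ActionType"] != ACTION_TYPE:
            continue
        ts = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00"))
        yield ts, row["DeviceId"], json.loads(row["AdditionalFields"])


def latest_state_per_device(rows):
    """arg_max(Timestamp) by DeviceId: the current troubleshooting state per device."""
    latest = {}
    for ts, dev, props in ts_mode_events(rows):
        if dev not in latest or ts > latest[dev][0]:
            latest[dev] = (ts, props["TroubleshootingState"])
    return {dev: state for dev, (_, state) in latest.items()}


def starts_per_device(rows, now=NOW, window=timedelta(days=1)):
    """count() of 'started' events by DeviceId inside the look-back window."""
    counts = Counter()
    for ts, dev, props in ts_mode_events(rows):
        if now - window <= ts <= now and props["TroubleshootingStateChangeReason"] == STARTED:
            counts[dev] += 1
    return counts


def noisy_devices(rows, max_starts=5, now=NOW, window=timedelta(days=1)):
    """Devices whose start count exceeds max_starts, like the count_ > 5 filter."""
    return sorted(dev for dev, n in starts_per_device(rows, now, window).items() if n > max_starts)


def bad_expiry(rows):
    """Start events whose expiry is not exactly start + 3h; worth a second look."""
    flagged = []
    for _, dev, props in ts_mode_events(rows):
        if props["TroubleshootingStateChangeReason"] != STARTED:
            continue
        start = datetime.fromisoformat(props["TroubleshootingStartTime"])
        expiry = datetime.fromisoformat(props["TroubleshootingStateExpiry"])
        if expiry - start != TS_MODE_WINDOW:
            flagged.append((dev, props["TroubleshootingStartTime"]))
    return sorted(flagged)


if __name__ == "__main__":
    print("state:", latest_state_per_device(SAMPLE_ROWS))
    print("starts (24h):", dict(starts_per_device(SAMPLE_ROWS)))
    print("over threshold:", noisy_devices(SAMPLE_ROWS))
    print("odd expiry:", bad_expiry(SAMPLE_ROWS))
```

The threshold and look-back window are parameters so the same functions cover both the per-device and the aggregate query; the expiry check is not in the post's queries but follows directly from the 3-hour bound described above.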
Known issues
There is a known issue for troubleshooting mode in Microsoft Defender Antivirus platforms prior to the March platform version (4.18.2203.*) that can prevent the device from re-enabling the troubleshooting mode after a previous instance has expired. To solve this issue, update affected devices to the March platform version (4.18.2203.*) or higher.
Learn more
Want to learn more about troubleshooting mode? See the articles on troubleshooting mode for details:
Get started with troubleshooting mode in Microsoft Defender for Endpoint | Microsoft Docs
Troubleshooting mode scenarios in Microsoft Defender for Endpoint | Microsoft Docs
Let us know what you think!
We are excited to bring troubleshooting mode to you and your Security teams. Try out troubleshooting mode today and let us know what you think! We would also like to hear your feedback on improvements we can make to this feature in future versions.