Troubleshooting mode for Microsoft Defender for Endpoint now Generally Available
Published May 16 2022 01:39 PM 12.3K Views
Microsoft

Troubleshooting mode for Microsoft Defender for Endpoint now Generally Available!

 

Microsoft Defender for Endpoint offers the best possible protection when all capabilities—including tamper protection—are enabled and configured. Tamper protection offers great prevention against inadvertent changes of critical settings. Because of this, configuration can require some adjustment to get it just right for your organization's specific environment. Introducing troubleshooting mode, a unique, innovative, and secure way to investigate and adjust configurations on your devices.  This mode will enable the local admin on the device to override Microsoft Defender Antivirus security policy configurations on the device, including tamper protection. 

  

Troubleshooting mode is initiated by a single-use command that is created for a single device and is time bound (the window of time for troubleshooting mode is 3 hours). Once troubleshooting mode has expired, the security settings that were configured on the device prior to troubleshooting mode will be restored, and any new policies that were created by your security or IT admin during troubleshooting mode will be applied. (Such new policies are blocked during troubleshooting mode.)  

  

Additional diagnostic files will be available for collection after troubleshooting mode. Your security admin can collect the diagnostic files by using the Collect Investigation Package feature. The files include a before and after snapshot of the MpPreferences and the MpLogs during the troubleshooting window. 

 

Prerequisites 

  • A device running Windows 10 (version 19044.1618 and above), Windows 11, Windows Server 2019, or Windows Server 2022. 
  • For troubleshooting mode to be applied, Microsoft Defender for Endpoint must be tenant-enrolled and active on the device. 
  • The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 and above. 

 

Semester/Redstone 

OsVersion 

Release 

21H2/SV1 

>= 22000.593 

 (KB5011563) Microsoft Update Catalog 

20H1/20H2/21H1 

>= 19042.1620, 
>= 19041.1620 
>=19043.1620 

(KB5011543)Microsoft Update Catalog 

Server 2022 

>=20348.617 

KB5011558 Microsoft Update Catalog 

Server 2019(RS5) 

>=17763.2746 

KB5011551 Microsoft Update Catalog 

 

 

How to turn on Troubleshooting mode (TS mode) on an endpoint:  

  

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in. 
  2. Navigate to the Device page/Machine page for the device you would like to enable troubleshooting mode on and select the Turn on troubleshooting mode. Note that this requires Manage security settings in Security Center permissions for Microsoft Defender for Endpoint. 

 

JuliHooper_1-1652132600446.png

 

 3. Confirm you want to turn on troubleshooting mode for the device:  

 

JuliHooper_2-1652132600448.png

 

 4. Now the device page shows the device is in troubleshooting mode (note that the menu item will remain greyed out for as long as the device is in troubleshooting mode):  

 

JuliHooper_3-1652132600451.png


 

Advanced hunting queries 

Here are some pre-built advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can also use these queries to create detection rules that will alert you when the devices are in troubleshooting mode. 

 

Get troubleshooting events for a particular device

let deviceName = "<device name>";   // update with device name 
let deviceId = "<device id>";   // update with device id 
searchin (DeviceEvents)  
(DeviceName == deviceName  
) and ActionType == "AntivirusTroubleshootModeEvent"  
| extend _tsmodeproperties = parse_json(AdditionalFields)   
| project $table, Timestamp,DeviceId, DeviceName, _tsmodeproperties,  
 _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,  
 _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,  
 _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource 

Devices currently in troubleshooting mode 

searchin (DeviceEvents)  
ActionType == "AntivirusTroubleshootModeEvent"  
| extend _tsmodeproperties = parse_json(AdditionalFields)   
| where Timestamp > ago(3h)    
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"  
|summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId

Count of troubleshooting mode instances by device

searchin (DeviceEvents)  
ActionType == "AntivirusTroubleshootModeEvent"  
| extend _tsmodeproperties = parse_json(AdditionalFields)   
| where Timestamp > ago(30d)  // choose the date range you want  
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"  
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId  
| sortby count_  

Total count

searchin (DeviceEvents)  
ActionType == "AntivirusTroubleshootModeEvent"  
| extend _tsmodeproperties = parse_json(AdditionalFields)   
| where Timestamp > ago(2d) //beginning of time range  
| where Timestamp < ago(1d) //end of time range  
| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"  
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count()   
| where count_ > 5          // choose your max # of TS mode instances for your time range

   

Known issues 

There is a known issue for troubleshooting mode in Microsoft Defender Antivirus platforms prior to the March platform version (4.18.2203.*) that can prevent the device from re-enabling the troubleshooting mode after a previous instance has expired. To solve this issue, update affected devices to the March platform version (4.18.2203.*) or higher. 

 

Learn more 

Want to learn more about troubleshooting mode? See the articles on troubleshooting mode for details: 

Get started with troubleshooting mode in Microsoft Defender for Endpoint | Microsoft Docs

Troubleshooting mode scenarios in Microsoft Defender for Endpoint | Microsoft Docs

 
 

Let us know what you think!  

We are excited to bring troubleshooting mode to you and your Security teams. Try out troubleshooting mode today and let us know what you think! We would also like to hear your feedback on improvements we can make to this feature in future versions. 

10 Comments
Co-Authors
Version history
Last update:
‎Jun 16 2022 10:52 AM
Updated by: