rss.livelink.threads-in-node

Assess Secure Boot status with Microsoft Defender

amitcohen — Mon, 27 Apr 2026 16:38:22 GMT

Understanding the Secure Boot certificate challenge

Secure Boot is a foundational security feature that validates the integrity of your device's boot process, ensuring only trusted software can run during system startup. This protection has been quietly defending enterprise devices since 2012, but the original 2011 certificates that enable this trust are approaching their expiration date.

When certificates expire in June 2026, devices that haven't transitioned to the new Windows UEFI CA 2023 certificates will no longer be able to receive new security protections for the early boot process. While these devices will continue to boot, they may no longer be able to receive or enforce new protections at the earliest stages of system startup. Over time, this can weaken the device’s root of trust and expose it to classes of attacks that operate before the operating system and security controls are fully loaded:

Malicious or tampered boot components may no longer be reliably blocked if they are not signed with trusted certificates
Devices may be unable to adopt future Secure Boot policy updates designed to mitigate newly discovered boot-level threats
Attackers may attempt to leverage boot-level persistence techniques that operate below the visibility of traditional security controls

As new vulnerabilities and protections are introduced, devices that are not updated will gradually fall behind in their ability to enforce trust at boot, but the challenge isn’t just knowing that this transition needs to happen, it’s understanding which devices in your fleet have successfully completed the update and which still require attention.

Introducing Secure Boot 2023 certificate assessment

A new recommendation in Defender allows you to ensure that devices are updated to Secure Boot 2023 certificates and boot manager, providing a centralized, at-scale view of Secure Boot certificate readiness across your environment.

This assessment automatically categorizes your devices into:

Exposed devices: Still trusting older Secure Boot certificates without trust for newer Secure Boot certificates
Compliant devices: Successfully relying on the 2023 certificates and signed boot manager
Not applicable devices: Systems where Secure Boot is disabled or not supported

From the recommendation view, you can:

Drill down into exposed devices and identify exactly which systems require attention
Filter by OS platform and device context to prioritize remediation efforts
Export device data to share with infrastructure and platform teams
Track rollout progress across your organization
Integrate findings into existing security posture workflows

[Secure Boot 2023 recommendation in MDE portal showing deployment status across the fleet]

Take action on your Secure Boot readiness

To access this tool in the Defender portal, navigate to Exposure Management → Recommendations → Devices → Misconfigurations. Once Defender identifies exposed devices, it provides remediation guidance.

For detailed deployment guidance, including enterprise rollout strategies and validation practices, see: https://aka.ms/GetSecureBoot

Your action plan

Assess your exposure
Navigate to the tool to understand how many devices in your environment require updates.
Engage the right teams
Secure Boot certificate deployment is typically owned by infrastructure and platform teams, so coordinate across your organization.
Prioritize high-value assets
Focus remediation efforts on critical devices and sensitive environments first.
Track progress over time
Monitor rollout progress and ensure coverage improves ahead of the June 2026 deadline.

Learn more

Visit the comprehensive Secure Boot guidance at https://aka.ms/GetSecureBoot
Learn more about Microsoft Secure Score for Devices in Microsoft Defender for Endpoint
To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing effective settings: See security configurations enforced on your device

ArielMichaeli1 — Mon, 09 Mar 2026 16:00:00 GMT

See exactly which security configurations are enforced on your device

Security teams spend significant time defining policies for Microsoft Defender security settings. But when it comes to investigations or troubleshooting, the real question is often simple: what is currently being enforced on this device? Today, we’re excited to share that the settings experience is now generally available in Defender to provide this critical visibility.

Figure #1: Effective settings tab on the device page

From intended policy to real-world enforcement

Understanding device security posture sometimes means correlating policy intent across multiple management sources, including Intune, Group Policy Object (GPO), and local admin configurations. With effective settings, administrators can see the effective value of each security setting on a specific device—along with the configuration source—and quickly identify configuration attempts that didn’t take effect. This helps eliminate silent gaps where intended protections are not actually enforced, reducing the risk of unnoticed exposure during incidents or active attacks. And this shift from intent to reality helps teams move faster when validating posture, investigating incidents, or resolving conflicts between management tools.

A new view on the device page

The effective settings tab is available as a new tab under the configuration management tab on the device page. From this single location, you can:

View the actual value enforced for each security setting
Identify the configuring source responsible for that value
See additional configuration attempts from other sources that were evaluated but not applied

For complex or layered scenarios such as Microsoft Defender Antivirus exclusions and Attack Surface Reduction (ASR) rules, all configured rules are shown together with their effective value, configuring source, and additional configuration attempts.

This makes it far simpler to understand why a device behaves the way it does, without jumping between consoles or guessing which policy “won.”

Figure #2: Simple settings side panelFigure #3: Complex settings side panel

Practical use cases

Security admins and analysts can use effective settings for use cases like:

Validating enforcement – Confirm that intended security configurations are truly applied on devices
Troubleshooting conflicts – Quickly spot competing policies or management sources that prevented a configuration from being enforced
Improving operational confidence – Reduce uncertainty by relying on an authoritative, device-level view of security settings

Platform support and what’s next

The current release focuses on Windows platform antivirus security settings, including ASR rules and exclusions. This is just the beginning. Our roadmap includes expanding coverage across additional platforms, and a broader set of security settings configured through the Microsoft 365 Defender and Intune portals.

Getting started

If you’re using Microsoft Defender for Endpoint, head to a device page and open the configuration management → effective settings tab to explore the experience firsthand.

Supported versions:

Microsoft Defender for Endpoint Sense client: 10.8735.26018.1000 or later
Microsoft Defender Antivirus platform: 4.18.25010.11 (January 2025 release) or later

Learn more

Learn more about investigating devices in Defender. To get started, navigate to a device page and open the configuration management → effective settings tab.
To learn more about Microsoft Defender endpoint protection, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Transparent and customizable onboarding for modern and legacy Windows devices

Sinclaire_Hamilton — Tue, 03 Mar 2026 03:25:40 GMT

Onboarding all devices in your estate is paramount for strong security posture. In fact, Microsoft Threat Intelligence research shows that in the majority of ransomware attacks, the spreader machine was a device that was not yet onboarded. But customers often struggle to follow complex steps that differ by OS, accidentally duplicate devices because they can’t tell whether onboarding is in progress or failed, or have incorrect initial configuration settings causing system incompatibility. That’s why we’re introducing an updated onboarding experience via the Defender deployment tool for Windows that improves progress visibility and adds controls—like package naming and configurable expiry—to help administrators manage onboarding securely at scale.

What’s new

The Defender deployment tool streamlines the onboarding process by dynamically adapting to the operating system, delivering healthy endpoint security to a diverse estate of Windows devices. It is the preferred automated solution that works on modern and legacy devices and removes the need for a separate onboarding file by embedding the onboarding package and all related information within a downloadable .exe that can be run to onboard devices. This updated experience makes onboarding more predictable and transparent, while adding administrative controls that help reduce exposure if onboarding packages are accidentally shared beyond your organization:

A single, runnable .exe for onboarding with the onboarding information embedded (no separate onboarding file required)

Silent and non-interactive onboarding options to support large-scale deployments with tools like Group Policy or Configuration Manager

Custom package identifiers to help track and manage onboarding packages across your organization

Configurable onboarding package expiry (up to one year)

Customizable name identifiers and keys for increased control and visibility

New portal entry points and guidance to make it easier to find the right onboarding and offboarding method for Windows, including directly from the device inventory page

The new, streamlined onboarding tab in the Defender portal

Customize your deployment package

This experience moves away from using scripts and loose blobs, making it more difficult for onboarding to take place at the hands of unauthorized users and significantly decreasing security issues related to blobs in the wild that don't expire. And for the first time, you can set custom expiry dates on onboarding packages for 1 day, 7 days, or a custom amount up to a year. Expiry for onboarding packages protects customers from unwanted onboarding and compliance issues, limiting packages from getting misused if they’re found in a public place. Expiry reduces the likelihood of unauthorized package usage, together with the new portal-provided key that you must input to complete the onboarding process.

Customize your deployment package with a name and expiry date

See your onboarding telemetry in detail

Deployment tool events are available in the device timeline and advanced hunting tabs for increased transparency into onboarding progress and errors, so you can quickly address any issues.

On the new deployment packages page, you can see your organization's onboarding packages at a glance and click to see more package properties, increasing visibility and traceability within the onboarding process. This is a great foundation for adding even more onboarding-related telemetry to view per device in the future. You can even filter by active or expired packages and hide packages you no longer wish to see.

The new deployment packages page in the Defender portal

To experience this next iteration of the Defender deployment tool for Windows, navigate to Settings > Endpoints > Onboarding > Windows, or jump there directly from the device inventory page. There you'll see the newly designed onboarding page in the Defender portal, complete with on/offboarding guides. Select the Defender deployment tool from the options shown.

New onboarding and offboarding buttons on the device inventory page

The Defender deployment tool is also available for Linux. We look forward continuing to share ways we're making it easier to onboard devices to Defender.

Learn more

Deploy Microsoft Defender endpoint security to Windows devices using the Defender deployment tool (preview) - Microsoft Defender for Endpoint | Microsoft Learn

Deploy Microsoft Defender endpoint security to Linux devices using the Defender deployment tool (preview) - Microsoft Defender for Endpoint | Microsoft Learn

To learn more about Microsoft Defender's endpoint protection, check out our website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the https://www.microsoft.com/security/blog/ to keep up with our expert coverage on security matters. Follow us on LinkedIn (https://www.linkedin.com/showcase/microsoft-security/) and X (https://twitter.com/@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing library management in Microsoft Defender

amibarayev — Tue, 17 Feb 2026 17:52:18 GMT

In dynamic investigation environments, preparation and agility are key. Security analysts working with live response in Microsoft Defender often rely on scripts and tools to triage, investigate, and remediate threats. Until now, these assets had to be uploaded during active sessions, limiting manageability and increasing time to action.

Recognizing the need for better readiness and control, Defender now introduces a more proactive and efficient way to manage these assets: library management.

The new library management experience in Defender brings powerful enhancements to how security teams manage scripts and files used in live response. With this centralized and streamlined interface, analysts no longer need to wait for an active session to organize their investigation tools everything can now be managed proactively, directly from the portal. This enhancement in Defender’s live response tooling improves operational readiness, enhances visibility and control, and helps streamline response workflows across SOC teams.

What’s new in library management?

Centralized script and file management – Security teams can now upload, manage, and clean up their entire collection of Live Response scripts and files outside of an active investigation. This proactive approach allows better preparation and alignment across analysts.

Upload in advance – Easily upload PowerShell scripts, batch files, or other response tools ahead of time, so they're immediately accessible when needed during an investigation.

View script contents in the portal – No need to switch tools, analysts can review script contents directly within the Defender UI to validate logic and confirm functionality before execution.

Clean and organize – Outdated or redundant scripts can be deleted with a click, keeping your library lean, relevant, and audit-friendly.

Boost analyst understanding with Copilot – Understanding unfamiliar scripts can slow down investigations. That’s where Microsoft Security Copilot comes in.

Copilot automatically analyzes scripts in the library and provides:

Summarized behavior descriptions
Security-relevant insights
Execution risk context

This makes it easier for analysts—especially those new to a team or handling inherited tools—to assess what a script does before running it, reducing errors and increasing confidence.

Get started today

You can access the Library Management experience from the live response page in the Microsoft Defender portal. Start uploading your investigation tools, explore script previews, and let Copilot assist in surfacing the intent and behavior of your scripts.

Defender for Business - No alert after process lock out ?

karnalta — Tue, 27 Jan 2026 11:43:15 GMT

Hello all,

A few days ago, I have setup Defender for business server on a Windows Server 2019.

I can see that server in the Microsoft security portail devices list.

I have also tested the "suspicious" powershell command provided by Microsoft and it went all good. Powershell blocked, alert escaladed as incident in the security portal, email received, ...

But the next day, I tried to install a service on that server that got blocked by Virus & Thread Protection because it was attempting to modify a lot of files. That was a good point for Defender (it was not a real thread and was later added as exception).

My worry is that it was never escaladed to the security portal, I didn't received a alert email, .. The system blocked that "thread" multiple times during my attempt to deploy it and no incident were throw.

What could be wrong ?

Thank you.

Save the date - January 26, 2026 - AMA: Secure your endpoints with policy and Microsoft Defender

Pearl-Angeles — Tue, 20 Jan 2026 22:13:25 GMT

Save the date for January 26 at 8:00 AM PT! Have questions about using Microsoft Intune to enforce device compliance? Curious how to configure devices to help prevent security breaches and limit the impact of threats? Ask Microsoft Anything (AMA) about integrating Microsoft Defender for Endpoint with Microsoft Intune at Tech Community Live!

Product teams will be answering your questions live and in chat. Get tips using policy to onboard devices, define risk level, block non-compliant devices from accessing corporate resources, and more.

Go to aka.ms/AMA/SecureEndpoints to save the date and add this event to your calendar!

Defender for Identity health issues

zlate81 — Mon, 19 Jan 2026 11:31:19 GMT

When will the issues/alerts from defender for identity sensors be available to view via advanced hunting instead of the Graph API and "/security/identities/healthIssues"

Using MDE (Passive Mode) with Palo Alto Cortex XDR to enable Defender for IoT (Enterprise IoT)

gabpereira — Wed, 14 Jan 2026 13:56:04 GMT

Hi everyone!
I’m working with a customer that uses Palo Alto Cortex XDR as their primary EDR. We want to leverage Microsoft Defender for IoT specifically for Enterprise IoT (not OT/ICS). I have a few questions:

MDE in Passive Mode as a sensor:
Can Microsoft Defender for Endpoint (MDE) running in Passive mode act as a sensor to enable Enterprise IoT discovery/monitoring for Defender for IoT? Are there any feature limitations when MDE is not the primary EDR?
Appliance sensor in Enterprise IT:
If we cannot use the MDE agent, is it supported to deploy the Defender for IoT appliance sensor in an enterprise IT network (e.g., offices/campuses) to cover Enterprise IoT use cases?
Coexistence / Complementary sensors:
Is it possible (and recommended) to run the appliance sensor alongside MDE (sensor) to complement coverage/features? Any guidance on architecture, data overlap/deduplication, or licensing implications?

Alert tuning for Custom detection rules

mikhailf — Tue, 13 Jan 2026 18:40:36 GMT

undefined

MS Defender setting

sangbin — Mon, 12 Jan 2026 01:19:46 GMT

Hello, I have a question.

I'm not an English-speaking country, so please understand any shortcomings.

I'm trying to block or alert on specific URLs in Microsoft Defender > Settings > Endpoint > Rules > Indicators. I've completed the setup, but I'd like to customize the screen that appears on the webpage when an alert is triggered.

Is there a way to do this?

Thank you in advance for your help.

Grounds up

ozanwilliams — Wed, 07 Jan 2026 10:30:30 GMT

A business that respects others to help kis be business owners

Latest Threat Intelligence (December 2025)

Theo_Cohen — Mon, 29 Dec 2025 07:00:11 GMT

Microsoft Defender for IoT has released the December 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file), for more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 5c642a16bf56cb6d98ef8b12fdc89939

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

Microsoft Defender for Endpoint for Vulnerability Management and Reporting

dilanmic — Sat, 13 Dec 2025 21:05:29 GMT

Hi All,

We’re currently using Rapid7 for vulnerability management and reporting, but we’re actively evaluating the possibility of moving to Microsoft Defender for Endpoint going forward. We’d like to better understand how to properly leverage Defender for Endpoint for vulnerability management and reporting.

If this means using custom reports—such as building dashboards in Power BI—we’re definitely open to that approach. At a high level, we’re looking for guidance on best practices and the right direction to meet the following requirements:

Ongoing vulnerability tracking and remediation
Clearer reporting on vulnerability trends and areas needing improvement
Breakdown of vulnerabilities by severity (Critical, High, Medium, Low), grouped by aging buckets (e.g., 30, 60, 90 days)
Defender Secure Score reporting over time (30, 60, and 90-day views)
Visibility into non-compliant devices in Intune, including devices in grace period and PCs that have checked in within the last 14 days

Any recommendations, examples, or pointers to documentation or reporting approaches would be greatly appreciated.

Thanks in advance,

Dilan

Correct firewall log names to be included in a Defender investigation package?

BenDodson1 — Fri, 12 Dec 2025 14:57:54 GMT

Hi - first time poster,

I work in a SecOps team using Defender for Endpoint. I noticed that when we collect an investigation package from a device in Defender that the firewall logs aren't being found. The advice on Microsoft Learn articles seems to be contradictory as to what firewalls should be named as:

Take response actions on a device in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn

FirewallExecutionLog.txt and pfirewall.log

The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log, so it's included in the investigation package. For more information on creating the firewall log file, see Configure the Windows Firewall with Advanced Security Log.

This section implies for the firewall log to be collected it has to be called "pfirewall.log" but on the linked page it is recommended to change the log file names:

For each profile (Domain, Private, and Public) change the default log file name from %windir%\system32\logfiles\firewall\pfirewall.log to:

%windir%\system32\logfiles\firewall\pfirewall_Domain.log
%windir%\system32\logfiles\firewall\pfirewall_Private.log
%windir%\system32\logfiles\firewall\pfirewall_Public.log

We have tested the changed names and they are not found by the investigation package. Which one is recommended and is the logic used in the Defender investigation package correct?

Investigating Excel-Initiated Email Activity Without Sent Items Trace

8932LDG — Thu, 11 Dec 2025 11:10:24 GMT

Two days ago, three emails were sent from a user’s inbox without leaving any copies in the Sent Items folder. The user did not send these emails manually—this is confirmed by the presence of the SimpleMAPI flag in Outlook.
What I know:

Email Characteristics:

All three emails contained a Word attachment.
No body text was present.
The subject line matched the attachment file name.
Two of the emails were identical.

Recipients:

Emails were sent to colleagues who originally created the attached documents.

Attachment Details:

One attachment appeared to be a temporary file (e.g., a3e6....).

System Behavior:

No suspicious logins detected before or after the event.
Emails were sent via the Outlook.exe process on the user’s machine.
Excel.exe was identified as the parent initiating process according to Microsoft Defender endpoint logs.

In Defender's Endpoint logs I found this under Typed Details (related to the firing of the 3 emails):

1. -Downloaded file: 2057_5_0_word_httpsshredder-eu.osi.office.net_main.html

Path: C:\Users\s***s\AppData\Local\Microsoft\Office\16.0\TapCache\2057_5_0_word_httpsshredder-eu.osi.office.net_main.html

2. Downloaded file: ~$rmalEmail.dotm

Path: C:\Users\s***s\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm

I am seeking assistance to replicate this issue and accurately determine how these three emails were triggered.

KQL query to report on Audit/Block status of Network Protection

Warren212 — Tue, 09 Dec 2025 21:32:37 GMT

Anyone know how to run a query using KQL in the defender portal to return the status of Network Protection - Audit or Block mode? The following query returns the results but "IsCompliant" = 1 when Network Protection is on in either Audit or Block mode. I thought the context might help but for this SCID it is always empty.

DeviceTvmSecureConfigurationAssessment

| where ConfigurationId == "scid-96"

The information is available within the portal when you drill into the device - configuration management - effective settings - but this is not scalable when needing to check across a large estate. How could you query this via KQL or another way to generate on a report on overall estate health and configuration? Long term would be great to report on this in a powerBi dashboard.

Thanks

MS Defender 101.25102 update error

Utz78 — Tue, 09 Dec 2025 08:15:31 GMT

I have been trying to update MS Defender for several days now and without luck. I am on a iMac M3 with macOS 26.1.

I tried removing and reinstalling the app, but it seems that the uninstall script does not remove the app at all. Yes, I did restart the machine.

Does anyone have a solution?

Defender for Endpoint on Linux

RyanLindsay — Tue, 09 Dec 2025 03:43:27 GMT

I'm using the Linux version of the defender agent on RHEL 8.

The intended setup is, The agents are registered to the Defender cloud. And we have enabled the InTune to Defender connector. So when you register your endpoint, it should also create a skeleton registration in Intune so it can manage the Linux policy.

I've got that setup. However, If you need to make quick, perhaps unscheduled changes to your Linux MDATP profile. How do you do it? As it seems to be based on when the endpoint checks in with Intune. Which Intune does between 4-6 hours.

Some of the docs I read, said just make the change to the .json config on the client. Then Intune will reapply the update policy when it checks the agent in.

Ok, but if you have enabled the anti tamper feature on the agents. How do you then update the .json file? It's just going to block you from doing that

‎Bitdefender active mode , configure MDE passive mode

Saad_Farooq — Thu, 04 Dec 2025 08:02:57 GMT

We have scenario where client currently has Bitdefender in Active Mode and uses it to manage their endpoints and now plans to use Defender for Endpoint in Passive Mode for Endpoints (Windows 11/Server)

How to configure MDE in passive mode step by step

I have 500 devices how to onboard that on MDE step by step in co-management

While MDE in Passive mode any performance issue along with 3rd party antivirus solution

MDE use of Certificate based IoC not working

Warren212 — Mon, 01 Dec 2025 14:12:03 GMT

I have been trying to use MDE IoC with certificates as per the following link: https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates#create-an-indicator-for-certificates-from-the-settings-page

This is on a demo tenant with full M365 E5 licenses and vulnerability trial enabled just in case. Test devices are:

windows 11 with latest updates - domain joined and managed by Intune
MDE onboarded and active with AV
Network protection in block mode
Cloud delivered protection enabled
File hash enabled
In defender portal - settings - endpoints advanced settings - all options enabled

I am testing with Firefox - the installer and the application .exe after installation.

I have extracted the leaf certificate from both these .exe's using the helpful information in the following link: https://www.linkedin.com/pulse/microsoft-defender-missing-manual-how-actually-create-adair-collins-paiye/

Then uploaded the certs into defender portal - settings - endpoints - IoC - certificates - set to Block and remediate

Issue:

Its been 24h and nothing happens on the client devices. In the defender portal - assets - devices - device timeline - I can see the firefox processes but at no point is the installer or application blocked.

Have I miss understood how the feature works?

Has anyone else managed to get this to work?

Advice appreciated.

Thanks

Warren