Microsoft Defender for Endpoint (MDE) Live Response and Performance Script.
Importance of MDE Live Response and Scripts Live Response is crucial for incident response and forensic investigations. It enables analysts to: Collect evidence remotely. Run diagnostics without interrupting users. Remediate threats in real time. For more information on MDE Live Response visit the below documentation. Investigate entities on devices using live response in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn PowerShell scripts enhance this capability by automating tasks such as: Performance monitoring. Log collection. Configuration validation. This automation improves efficiency, consistency, and accuracy in security operations. For more details on running performance analyzer visit the below link. Performance analyzer for Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn While performance analyzer is run locally on the system to collect Microsoft Defender Anti-Virus performance details , in this document we are describing on running the performance analyzer from MDE Live Response console. This is a situation where Security administrators do not have access to the servers managed by Infra administrators. Prerequisites Required Roles and Permissions To use Live Response in Microsoft Defender for Endpoint (MDE), specific roles and permissions are necessary. The Security Administrator role, or an equivalent custom role, is typically required to enable Live Response within the portal. Users must possess the “Manage Portal Settings” permission to activate Live Response features. Permissions Needed for Live Response Actions Active Remediation Actions under Security Operations: Take response actions Approve or dismiss pending remediation actions Manage allowed/blocked lists for automation and indicators Unified Role-Based Access Control (URBAC): From 16/02/2025, new customers must use URBAC. Roles are assigned to Microsoft Entra groups. Access must be assigned to device groups for Live Response to function properly. Setup Requirements Enable Live Response: Navigate to Advanced Features in the Defender portal. Only users with the “Manage Portal Settings” permission can enable this feature. Supported Operating System Versions: Windows 10/11 (Version 1909 or later) Windows Server (2012 R2 with KB5005292, 2016 with KB5005292, 2019, 2022, 2025) macOS and Linux (specific minimum versions apply) Actual Script Details and Usage The following PowerShell script records Microsoft Defender performance for 60 seconds and saves the output to a temporary file: # Get the default temp folder for the current user $tempPath = [System.IO.Path]::GetTempPath() $outputFile = Join-Path -Path $tempPath -ChildPath "DefenderTrace.etl" $durationSeconds = 60 try { Write-Host "Starting Microsoft Defender performance recording for $durationSeconds seconds..." Write-Host "Recording will be saved to: $outputFile" # Start performance recording with duration New-MpPerformanceRecording -RecordTo $outputFile -Seconds $durationSeconds Write-Host "Recording completed. Output saved to $outputFile" } catch { Write-Host "Failed to start or complete performance recording: $_" } 🔧 Usage Notes: Run this script in an elevated PowerShell session. Ensure Defender is active, and the system supports performance recording. The output .etl file can be analyzed using performance tools like Windows Performance Analyzer. Steps to Initiate Live Response Session and Run the script. Below are the steps to initiate a Live Response session from Security.Microsoft.com portal. Below screenshot shows that console session is established. Then upload the script file to console library from your local system. Type “Library” to list the files. You can see that script got uploaded to Library. Now you execute the script by “run <file name>” command. Output of the script gets saved in the Library. Run “getfile <path of the file>” to get the file downloaded to your local system download folder. Then you can run Get-MpPerformanceReport command from your local system PowerShell as shown below to generate the report from the output file collected in above steps. Summary and Benefits This document outlines the use of MDE Live Response and PowerShell scripting for performance diagnostics. The provided script helps security teams monitor Defender performance efficiently. Similar scripts can be executed from Live Response console including signature updates , start/stop services etc. These scripts are required as a part of security investigation or MDE performance troubleshooting process. Benefits: Faster incident response through remote diagnostics. Improved visibility into endpoint behaviour. Automation of routine performance checks. Enhanced forensic capabilities with minimal user disruption.
Internet Traffic blocked in Edge Sandbox Mode (Windows Defender Application Guard)
I have successfully activated Windows Defender Application Guard but it seems surfing in Edge Sandbox Mode has been impossible. All required gpos and addition requirements as described on here: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard have been configured accordingly. I had a tip from microsoft support that my firewall could be blocking traffic (NAT)coming from the Host Computer so should allow all IP subnets in the range of 172.x.x.x or 192.x.x.x. I have tested that by allowing this traffic in the Trellix including Remote Ports 49700–65535, as described in Trellix documentation here https://kcm.trellix.com/corporate/index?page=content&id=KB88788 but to no avail. Could there be any other underlying root causes in a typical Enterprise environment where systems have been hardened using Security policies defined by CIS. What rules can be exempted here in order to allow this kind of traffic. Anybody has experience with this kind of environment or issue. Some tips will be welcomed.
Product still listed as enabled in Antivirusproduct class even though uninstalled 5 days ago
I uninstalled F-Secure 5 days ago and have restarted/powered down this device several times since. It seems that either the data returned by this query is outdated (and a refresh/reload may solve the issue, if at all possible) or that Windows truly believes the F-Secure product is still installed and enabled. Function ConvertTo-NPHex { Param([int]$Number)"0x{0:x}" -f $Number } $Products = @(); Get-CimInstance -Namespace root/SecurityCenter2 -ClassName Antivirusproduct -ErrorAction Stop | ForEach-Object{ $hex = ConvertTo-NPHex $_.ProductState; $mid = $hex.Substring(3,2); $end = $hex.Substring(5); $Products += [ordered]@{ DisplayName = $_.DisplayName; Enabled = $( If( $mid -match "00|01" ){ $False }Else{ $True } ); UpToDate = $( If($end -eq "00"){ $True }Else{ $False } ); Updated = $( (Get-Date -Date $_.Timestamp).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ") ) } }; Return $Products | ConvertTo-Json; Output from snippet above: [ { "DisplayName": "F-Secure SAFE", "ProductState": 270336, "Enabled": true, "UpToDate": true, "Updated": "2020-06-17T08:09:16Z" }, { "DisplayName": "Windows Defender", "ProductState": 393472, "Enabled": false, "UpToDate": true, "Updated": "2020-06-17T07:59:53Z" }, { "DisplayName": "ESET Security", "ProductState": 266240, "Enabled": true, "UpToDate": true, "Updated": "2020-06-22T12:28:56Z" } ] I am absolutely certain that F-Secure is not installed. Not only did I remove it manually, but it's also not visible in the Security Center UI, not under installed programs and not detected by a PowerShell script that looks through the registry for installed programs. This device is also not listed in my F-Secure web administration console, so I know it's uninstalled. Expected situation: F-Secure isn't listed at all (it's not installed) Windows Defender is listed and not enabled ESET is listed and enabled Questions: Is it possible to 'force' a refresh of this class? Is it known when this class is 'organically' updated? Any tacit knowledge as to why the product is still in the response?Defender Antivirus (AV) Passive Mode
Hi, While researching how to set Defender AV to passive mode I stumbled upon two registry keys: ForceDefenderPassiveMode https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide#set-microsoft-defender-antivirus-to-passive-mode-using-a-registry-key ForcePassiveMode https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard?view=o365-worldwide#set-microsoft-defender-antivirus-on-windows-server-to-passive-mode-manually https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup?view=o365-worldwide#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server Does either of you know which one is the correct one? Thanks, Andre
