Troubleshooting mode scenarios in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint (2024)


Applies to:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Endpoint Plan 1
  • Microsoft Defender for Endpoint Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint troubleshooting mode allows you to troubleshoot various Microsoft Defender Antivirus features by enabling them from the device and testing different scenarios, even if they're controlled by the organization policy. Troubleshooting mode is disabled by default and must be turned on for a device (or group of devices) for a limited time. It is an enterprise-only feature and requires Microsoft Defender XDR access.

For troubleshooting performance-specific issues related to Microsoft Defender Antivirus, see: Performance analyzer for Microsoft Defender Antivirus.

Tip

  • During troubleshooting mode, you can use the PowerShell command Set-MPPreference -DisableTamperProtection $true on Windows devices.
  • To check the state of tamper protection, you can use the Get-MpComputerStatus PowerShell cmdlet. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

Scenario 1: Unable to install application

If you want to install an application but receive an error message that Microsoft Defender Antivirus and tamper protection are on, use the following procedure to troubleshoot the issue.

  1. Request the security admin to turn on troubleshooting mode. You get a Windows Security notification once the troubleshooting mode starts.

  2. Connect to the device (using Terminal Services for example) with local admin permissions.

  3. Start Process Monitor (ProcMon). See the steps described in Troubleshoot performance issues related to real-time protection.

  4. Go to Windows security > Threat & virus protection > Manage settings > Tamper protection > Off.

    Alternately, during troubleshooting mode, you can use the PowerShell command Set-MPPreference -DisableTamperProtection $true on Windows devices.

    To check the state of tamper protection, you can use the Get-MpComputerStatus PowerShell cmdlet. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

  5. Launch an elevated PowerShell command prompt, and toggle off real-time protection.

    • Run Get-MpComputerStatus to check the status of real-time protection.
    • Run Set-MpPreference -DisableRealtimeMonitoring $true to turn off real-time protection.
    • Run Get-MpComputerStatus again to verify status.
  6. Try installing the application.
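The procedure above, as an added example that is not part of the Microsoft article: it records the starting state, refuses to touch real-time protection while tamper protection is still on (step 4), confirms the change took effect, and restores the saved state afterwards. It assumes an elevated PowerShell session on a Windows device already placed in troubleshooting mode; the snapshot file path is a hypothetical choice.

```powershell
# Added example (not from the Microsoft article). Assumes an elevated session on a
# device already in troubleshooting mode; the snapshot path is hypothetical.
$snapshot = Join-Path $env:TEMP 'mde-troubleshoot-snapshot.json'

function Get-DefenderState {
    # The two Get-MpComputerStatus fields the article tells you to look at.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Timestamp                 = (Get-Date).ToString('o')
        IsTamperProtected         = [bool]$s.IsTamperProtected
        RealTimeProtectionEnabled = [bool]$s.RealTimeProtectionEnabled
    }
}

function Restore-DefenderState {
    # Put back only what was on before the test, using the saved snapshot.
    $saved = Get-Content -Path $snapshot -Raw | ConvertFrom-Json
    if ($saved.RealTimeProtectionEnabled) { Set-MpPreference -DisableRealtimeMonitoring $false }
    if ($saved.IsTamperProtected)         { Set-MpPreference -DisableTamperProtection $false }
    Get-DefenderState
}

# 1. Record the starting state before changing anything.
$before = Get-DefenderState
$before | ConvertTo-Json | Set-Content -Path $snapshot
Write-Host "Before: TamperProtected=$($before.IsTamperProtected) RealTime=$($before.RealTimeProtectionEnabled)"

# 2. Tamper protection must already be off (step 4 of the scenario); while it is
#    on, the real-time protection change below will not take effect.
if ($before.IsTamperProtected) {
    throw 'Tamper protection is still enabled; turn it off first, then rerun.'
}

# 3. Turn off real-time protection and confirm Defender reports the new state
#    instead of assuming the cmdlet call was honoured.
Set-MpPreference -DisableRealtimeMonitoring $true
$after = Get-DefenderState
if ($after.RealTimeProtectionEnabled) {
    throw 'Real-time protection is still reported as enabled; check that troubleshooting mode is active.'
}
Write-Host 'Real-time protection is off. Install the application, then run Restore-DefenderState.'
```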

Scenario 2: High CPU usage due to Windows Defender (MsMpEng.exe)

Sometimes during a scheduled scan, MsMpEng.exe can consume high CPU.

  1. Go to Task Manager > Details tab to confirm that MsMpEng.exe is the reason behind the high CPU usage. Also check to see if a scheduled scan is currently underway.

  2. Run Process Monitor (ProcMon) during the CPU spike for around five minutes, and then review the ProcMon log for clues.

  3. When the root cause is determined, turn on troubleshooting mode.

  4. Sign into the device, and launch an elevated PowerShell command prompt.

  5. Add process/file/folder/extension exclusions based on ProcMon findings using one of the following commands (the path, extension, and process exclusions mentioned in this article are examples only):

    Set-MpPreference -ExclusionPath (for example, C:\DB\DataFiles)
    Set-MpPreference -ExclusionExtension (for example, .dbx)
    Set-MpPreference -ExclusionProcess (for example, C:\DB\Bin\Convertdb.exe)

  6. After adding the exclusion, check to see if the CPU usage has dropped.
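The exclusion step above, as an added example that is not part of the Microsoft article: it uses Add-MpPreference, which appends to the existing exclusion lists, rather than Set-MpPreference, which replaces them, verifies the entries are present, and measures MsMpEng.exe CPU before and after. It assumes an elevated session in troubleshooting mode with tamper protection off; the exclusion values are the article's placeholders and the snapshot file name is hypothetical.

```powershell
# Added example (not from the Microsoft article). Assumes an elevated session on a
# device in troubleshooting mode with tamper protection off. The exclusion values
# are the article's placeholders; the snapshot file name is hypothetical.
$exclusions = @{
    Path      = 'C:\DB\DataFiles'          # example only
    Extension = '.dbx'                     # example only
    Process   = 'C:\DB\Bin\Convertdb.exe'  # example only
}
$snapshot = Join-Path $env:TEMP 'mde-exclusions-before.json'

function Measure-MsMpEngCpu {
    param([int]$Seconds = 60)
    # Get-Process .CPU is cumulative processor time in seconds; sample it twice
    # and express the delta as a percentage of one logical CPU over the window.
    $t0 = (Get-Process -Name MsMpEng | Select-Object -First 1).CPU
    Start-Sleep -Seconds $Seconds
    $t1 = (Get-Process -Name MsMpEng | Select-Object -First 1).CPU
    [math]::Round(($t1 - $t0) / $Seconds * 100, 1)
}

function Remove-TestExclusions {
    # Undo exactly the three entries added below; nothing else is touched.
    Remove-MpPreference -ExclusionPath      $exclusions.Path
    Remove-MpPreference -ExclusionExtension $exclusions.Extension
    Remove-MpPreference -ExclusionProcess   $exclusions.Process
}

$cpuBefore = Measure-MsMpEngCpu
Write-Host "MsMpEng.exe CPU before exclusions: $cpuBefore %"

# Keep a copy of the existing lists so the change can be reviewed later.
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess |
    ConvertTo-Json -Depth 3 | Set-Content -Path $snapshot

# Add-MpPreference appends; Set-MpPreference -ExclusionPath would replace the
# whole list and silently drop exclusions that were already configured.
Add-MpPreference -ExclusionPath      $exclusions.Path
Add-MpPreference -ExclusionExtension $exclusions.Extension
Add-MpPreference -ExclusionProcess   $exclusions.Process

# Confirm the entries are actually present rather than assuming the calls worked.
$now = Get-MpPreference
if (@($now.ExclusionPath) -notcontains $exclusions.Path) { throw 'Path exclusion was not applied.' }

$cpuAfter = Measure-MsMpEngCpu
Write-Host "MsMpEng.exe CPU after exclusions: $cpuAfter % (run Remove-TestExclusions when done)"
```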

For more information on Set-MpPreference cmdlet configuration preferences for Microsoft Defender Antivirus scans and updates, see Set-MpPreference.

Scenario 3: Application taking longer to perform an action

When Microsoft Defender Antivirus real-time protection is turned on, applications can take longer to perform basic tasks. To turn off real-time protection and troubleshoot the issue, use the following procedure.

  1. Request security admin to turn on troubleshooting mode on the device.

  2. To disable real-time protection for this scenario, first turn off tamper protection. You can use the PowerShell command Set-MPPreference -DisableTamperProtection $true on Windows devices.

    To check the state of tamper protection, you can use the Get-MpComputerStatus PowerShell cmdlet. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

    For more information, see Protect security settings with tamper protection.

  3. Once tamper protection is disabled, sign into the device.

  4. Launch an elevated PowerShell command prompt, and run the following command:

    Set-MpPreference -DisableRealtimeMonitoring $true

  5. After disabling real-time protection, check to see if the application is slow.

Scenario 4: Microsoft Office plugin blocked by Attack Surface Reduction

Attack surface reduction isn't allowing a Microsoft Office plugin to work properly because the rule Block all Office applications from creating child processes is set to block mode.

  1. Turn on troubleshooting mode, and sign into the device.

  2. Launch an elevated PowerShell command prompt, and run the following command:

    Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled

  3. After disabling the ASR Rule, confirm that the Microsoft Office plugin now works.
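The ASR step above, as an added example that is not part of the Microsoft article: Get-MpPreference reports configured rules as two parallel arrays (AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions), so the example looks up the rule's current action by index, records it, applies the article's change, confirms it took effect, and can put the rule back afterwards. It assumes an elevated session in troubleshooting mode; the rule GUID is the one from the article.

```powershell
# Added example (not from the Microsoft article). Assumes an elevated session on a
# device in troubleshooting mode. The rule GUID is the one from the article.
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Action codes as reported by Get-MpPreference, mapped to the names that
# Set-MpPreference -AttackSurfaceReductionRules_Actions accepts.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleAction {
    param([string]$Id)
    # The action for a rule sits at the same index as its GUID in the Ids array.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$actions[$i] }
    }
    return $null   # rule not configured locally
}

function Restore-AsrRule {
    # Put the rule back to the action recorded before the test.
    if ($null -eq $before) { return }
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                     -AttackSurfaceReductionRules_Actions $actionNames[$before]
    Get-AsrRuleAction -Id $ruleId
}

$before = Get-AsrRuleAction -Id $ruleId
if ($null -eq $before) {
    Write-Host "Rule $ruleId is not configured locally; the block may come from another source."
} else {
    Write-Host "Current action for $($ruleId): $($actionNames[$before]) ($before)"
}

# Apply the article's change, then confirm Defender reports the rule as disabled.
Set-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Disabled
$after = Get-AsrRuleAction -Id $ruleId
if ($after -ne 0) { throw "Rule $ruleId is still reported as action $after; check troubleshooting mode." }
Write-Host 'Rule disabled. Test the Office plugin, then run Restore-AsrRule to put it back.'
```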

For more information, see Overview of attack surface reduction.

Scenario 5: Domain blocked by Network Protection

Network Protection is blocking a Microsoft domain, preventing users from accessing it.

  1. Turn on troubleshooting mode, and sign into the device.

  2. Launch an elevated PowerShell command prompt, and run the following command:

    Set-MpPreference -EnableNetworkProtection Disabled

  3. After disabling Network Protection, check to see if the domain is now allowed.

For more information, see Use network protection to help prevent connections to bad sites.

See also

  • Enable troubleshooting mode
  • Protect security settings with tamper protection
  • Set-MpPreference
  • Get an overview of Microsoft Defender for Endpoint

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
