Microsoft Defender for Endpoint gets a new troubleshooting mode

Microsoft says Defender for Endpoint now comes with a new “troubleshooting mode” that will help Windows administrators test Defender Antivirus performance and run compatibility scenarios without being blocked by tamper protection.

The new mode is available in public preview and allows administrators to disable or change the tamper protection setting while diagnosing false positive application blocks or performing performance troubleshooting.

This enterprise-only feature is disabled by default and, according to Microsoft, requires access to Microsoft 365 Defender.

“Introducing Troubleshoot Mode, a unique, innovative, and secure way to investigate and adjust configurations on your devices,” explained Juli Hooper of Microsoft.

“This mode will allow the local device administrator to override Microsoft Defender Antivirus security policy configurations on the device, including tamper protection.”

To try this new feature in preview, you need:

  • A device running Windows 10 (version 19044.1618 or later), Windows 11, Windows Server 2019, or Windows Server 2022.
  • Microsoft Defender for Endpoint must be registered and active on the device.
  • Microsoft Defender Antivirus, version 4.18.2203 or later, running on the device.

How to enable Defender for Endpoint troubleshooting

You can enable troubleshooting mode by following these steps:

  1. Go to the Microsoft 365 Defender Portal ( and sign in.
  2. Go to the Device/Machine page of the device on which you want to enable troubleshooting mode and select Activate troubleshooting mode. Note that this requires Manage security settings in Security Center permissions for Microsoft Defender for Endpoint.
  3. Confirm that you want to enable troubleshooting mode for the device.
  4. Now the device page shows that the device is in troubleshooting mode (note that the menu item will remain grayed out while the device is in troubleshooting mode).

Administrators have 3 hours to adjust and test the system configuration to match their organization’s environment after enabling troubleshooting on a specific endpoint.

Troubleshooting mode scenarios available for Microsoft Defender for Endpoint include:

  • Diagnose app installation issues
  • high CPU usage due to Windows Defender (MsMpEng.exe),
  • applications taking longer to perform an action,
  • Microsoft Office plugins being blocked by Attack Surface Reduction,
  • and specific domains blocked by Network Protection.

Once the test window is closed, all security settings configured before activating the troubleshooting mode will be restored.

Additionally, any new security policies created by the organization’s security or IT administrators will be applied automatically (they will be blocked during the troubleshooting process).

“Additional diagnostic files will be available for collection after troubleshooting mode. Your security administrator can collect diagnostic files using the Collect Investigation Package feature,” Hooper added.

“Files include a before and after snapshot of MpPreferences and MpLogs during the troubleshooting window.”

Microsoft also provides additional information about what you need to know before enabling this new mode here and available scenarios here.

Previous BT releases 2022 progress update on UK 10MB broadband USO
Next North Korean Developers Impersonate American Freelancers and Help DRPK Government Hackers