You’ve got a problem on a PC and you need to investigate, but Defender is getting in the way. Your first step should be to isolate the machine from the network; after that, if Defender’s own settings are what is blocking you, enter Troubleshooting Mode to temporarily change them.
Isolation is an official step in the Defender for Endpoint investigation process: clicking that button stops the device from infecting other machines and blocks lateral movement. But after that, you of course need to work on the device, and many times Defender’s actions and settings will prevent you from taking certain actions. This is where Troubleshooting Mode comes in.
Isolate the device
When a device is isolated, it is disconnected from the rest of the network and the Internet, except for specific connections to Microsoft services. You are still able to remotely connect to the device through Defender. Network access is locked down on the device itself, which prevents data exfiltration and lateral movement of the infection.
The details
- Network disconnection: The isolated device is cut off from all network connections, both internal and external.
- Defender connectivity: The device remains connected to the Microsoft Defender for Endpoint service, allowing for continued monitoring and investigation.
- User impact: The user on the isolated device will be unable to access the internet, local network resources, or perform network-related tasks like printing or sending emails.
- Selective isolation option: For Windows 10 version 1709 or later, administrators can choose to allow Outlook, Microsoft Teams, and Skype for Business connectivity while the device is isolated.
- Remote investigation: Security administrators can still use Live Response sessions to investigate and remediate issues on the isolated device.
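The same isolate action can be driven through the Defender for Endpoint API instead of the portal button, which is what you want from a script or a SOAR playbook. The following is an added example for this post, not Microsoft’s own tooling: it submits the isolation request, records the action ID, and polls the machine action until Defender reports a final status. The bearer token (it needs the Machine.Isolate permission) and the Defender machine ID are placeholders you supply.

```powershell
# Added example: isolate a device via the Microsoft Defender for Endpoint API.
# Assumptions: $Token is a valid bearer token for api.securitycenter.microsoft.com
# with the Machine.Isolate permission, and $MachineId is the device's Defender
# machine ID. Both are supplied by the caller and are placeholders here.
param(
    [Parameter(Mandatory)][string]$Token,
    [Parameter(Mandatory)][string]$MachineId,
    # 'Full' cuts all traffic; 'Selective' keeps Outlook/Teams/Skype for Business working.
    [ValidateSet('Full', 'Selective')][string]$IsolationType = 'Full',
    # The comment is stored with the action and shows up in the device's action history.
    [string]$Comment = 'Isolated for incident investigation'
)

$base    = 'https://api.securitycenter.microsoft.com/api'
$headers = @{
    Authorization  = "Bearer $Token"
    'Content-Type' = 'application/json'
}

# Submit the isolation request. The API answers with a machine action object
# (id, type, status, requestor, computerDnsName, ...), not with the device itself.
$body   = @{ Comment = $Comment; IsolationType = $IsolationType } | ConvertTo-Json
$action = Invoke-RestMethod -Method Post -Uri "$base/machines/$MachineId/isolate" `
                            -Headers $headers -Body $body
Write-Host "Submitted isolation action $($action.id) for $($action.computerDnsName); status: $($action.status)"

# Isolation is asynchronous: poll the machine action until it leaves
# Pending/InProgress, with a deadline so an offline device does not hang the script.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $action = Invoke-RestMethod -Method Get -Uri "$base/machineactions/$($action.id)" -Headers $headers
} while ((@('Pending', 'InProgress') -contains $action.status) -and ((Get-Date) -lt $deadline))

switch ($action.status) {
    'Succeeded' { Write-Host "Device $MachineId is isolated ($IsolationType)." }
    default     { Write-Warning "Isolation action $($action.id) ended with status '$($action.status)'. Check the device page before continuing." }
}

# Keep the action ID with the ticket; unisolating later uses the matching
# /machines/{id}/unisolate endpoint with a comment, and the history ties them together.
$action
```

Use 'Selective' only when you know the user must keep mail and Teams during the investigation; an infection that phones home through a browser or a scheduled task is still cut off, but anything that rides on the allowed apps is not.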
If you are not investigating an infection but rather a configuration problem, then you can use Troubleshooting Mode.
Troubleshooting mode
Troubleshooting mode is a temporary mode that allows the admin to troubleshoot possible performance or application block scenarios.
In this article, Microsoft runs down some of the scenarios in which Troubleshooting mode might be helpful.
- Scenario 1: Unable to install application
- Scenario 2: High CPU usage due to Windows Defender (MsMpEng.exe)
- Scenario 3: Application taking longer to perform an action
- Scenario 4: Microsoft Office plugin blocked by Attack Surface Reduction
- Scenario 5: Domain blocked by Network Protection
- Microsoft Defender for Endpoint collects logs and investigation data throughout the troubleshooting process.
- A snapshot of MpPreference is taken before troubleshooting mode begins.
- A second snapshot is taken just before troubleshooting mode expires.
- Operational logs from during troubleshooting mode are also collected.
- The logs and snapshots stay on the device and are available for an admin to retrieve using the Collect investigation package feature on the device page. Microsoft doesn’t remove this data from the device until an admin has collected it.
During troubleshooting mode, you are able to turn off tamper protection and make settings and configuration changes to Defender. However, this mode only lasts for up to 4 hours, at which time it is turned off and the configuration and settings roll back to the way they were before you initiated troubleshooting mode. The entire process is logged and put into the collection package, so if you need to open a ticket with Microsoft or otherwise provide documentation, it is collected for you by default.
The real purpose of Troubleshooting Mode, then, is for you to find and document the changes that need to be made to the organizational Defender policy for the affected machines; the local changes themselves do not survive the 4-hour window.
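Because the local changes roll back after 4 hours, the thing worth keeping is the delta between Defender’s settings before and after your fix. The script below is an added example for this post (it is not Microsoft’s tooling and does not replace the MpPreference snapshots Defender takes itself). Run it elevated on the device after you have started troubleshooting mode from the portal and turned tamper protection off: it takes its own Get-MpPreference snapshot, applies one of the scenario changes from the list above, and writes the before/after differences to a CSV you can hand to whoever owns the policy. The work folder, the exclusion path and the default ASR rule GUID (the “Block all Office applications from creating child processes” rule) are illustrative values chosen here.

```powershell
# Added example: apply a troubleshooting-mode change and record the settings delta.
# Assumptions: troubleshooting mode is already on (started from the Defender portal)
# and tamper protection has been turned off on the device; otherwise Set-MpPreference
# is rejected. $WorkDir, $ExclusionPath and the default $AsrRuleId are placeholders.
param(
    [ValidateSet('Exclusion', 'RealTime', 'AsrAudit', 'NetworkAudit')]
    [string]$Scenario = 'AsrAudit',
    # Scenario 1: folder the blocked installer runs from (placeholder path).
    [string]$ExclusionPath = 'C:\Temp\Installer',
    # Scenario 4: ASR rule to switch to audit. Default is the GUID of
    # "Block all Office applications from creating child processes".
    [string]$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',
    [string]$WorkDir = "$env:ProgramData\DefenderTroubleshooting"
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$beforePath = Join-Path $WorkDir 'MpPreference-before.xml'

# Guard: if tamper protection still reports as on, nothing below will apply.
if ((Get-MpComputerStatus).IsTamperProtected) {
    throw 'Tamper protection is still active. Start troubleshooting mode from the portal and turn tamper protection off on the device first.'
}

# Our own "before" snapshot, serialized so it survives the session.
Get-MpPreference | Export-Clixml -Path $beforePath

# Apply the smallest change that tests the hypothesis for the scenario.
switch ($Scenario) {
    'Exclusion'    { Add-MpPreference -ExclusionPath $ExclusionPath }                     # Scenario 1
    'RealTime'     { Set-MpPreference -DisableRealtimeMonitoring $true }                  # Scenarios 2 and 3
    'AsrAudit'     { Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                                      -AttackSurfaceReductionRules_Actions AuditMode }    # Scenario 4
    'NetworkAudit' { Set-MpPreference -EnableNetworkProtection AuditMode }               # Scenario 5
}

function Compare-MpPreferenceSnapshot {
    # Diff a saved Get-MpPreference snapshot against the live settings.
    # Array-valued settings (exclusions, ASR rule lists) are joined so they compare as text.
    param([Parameter(Mandatory)][string]$BeforePath)
    $before = Import-Clixml -Path $BeforePath
    $after  = Get-MpPreference
    foreach ($prop in $after.PSObject.Properties) {
        # Skip CIM plumbing and PowerShell bookkeeping; only real settings matter.
        if ($prop.Name -like 'Cim*' -or $prop.Name -like 'PS*') { continue }
        $oldText = @($before.$($prop.Name) | ForEach-Object { "$_" }) -join ';'
        $newText = @($prop.Value          | ForEach-Object { "$_" }) -join ';'
        if ($oldText -ne $newText) {
            [pscustomobject]@{ Setting = $prop.Name; Before = $oldText; After = $newText }
        }
    }
}

$delta     = Compare-MpPreferenceSnapshot -BeforePath $beforePath
$deltaPath = Join-Path $WorkDir ("delta-{0}-{1}.csv" -f $Scenario, (Get-Date -Format 'yyyyMMdd-HHmm'))
$delta | Export-Csv -Path $deltaPath -NoTypeInformation

# This table is what goes into the policy change request; the device itself reverts.
$delta | Format-Table -AutoSize
Write-Host "Settings delta written to $deltaPath"
```

Re-test the failing application right after the switch block runs. If it now works, the CSV rows are the policy change to request (an exclusion, an ASR rule in audit, or network protection in audit for that domain); if it still fails, the setting was not the cause and the delta tells you what to put back, although troubleshooting mode will do that for you when the window expires.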
All we do is support IT professionals. Help for IT Pros, M365 admin News, Security community, Mentor-led Mastermind groups, MSP training and more. https://www.thirdtier.net