Troubleshooting mode scenarios in Microsoft Defender for Endpoint

Article
10/26/2023

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint troubleshooting mode allows you to troubleshoot various Microsoft Defender Antivirus features by enabling them from the device and testing different scenarios, even if they're controlled by the organization policy. The troubleshooting mode is disabled by default and requires you to turn it on for a device (and/or group of devices) for a limited time. This is exclusively an enterprise-only feature, and requires Microsoft Defender XDR access.

For troubleshooting performance-specific issues related to Microsoft Defender Antivirus, see: Performance analyzer for Microsoft Defender Antivirus.

Tip

During troubleshooting mode, you can use the PowerShell command Set-MPPreference -DisableTamperProtection $true on Windows devices.
To check the state of tamper protection, you can use the Get-MpComputerStatus PowerShell cmdlet. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

Scenario 1: Unable to install application

If you want to install an application but receive an error message that Microsoft Defender Antivirus and tamper protection is on, use the following procedure to troubleshoot the issue.

Request the security admin to turn on troubleshooting mode. You get a Windows Security notification once the troubleshooting mode starts.
Connect to the device (using Terminal Services for example) with local admin permissions.
Start Process Monitor (ProcMon). See the steps described in Troubleshoot performance issues related to real-time protection.
Go to Windows security > Threat & virus protection > Manage settings > Tamper protection > Off.

Alternately, during troubleshooting mode, you can use the PowerShell command Set-MPPreference -DisableTamperProtection $true on Windows devices.

To check the state of tamper protection, you can use the Get-MpComputerStatus PowerShell cmdlet. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)
Launch an elevated PowerShell command prompt, and toggle off real-time protection.
- Run Get-MpComputerStatus to check the status of real-time protection.
- Run Set-MpPreference -DisableRealtimeMonitoring $true to turn off real-time protection.
- Run Get-MpComputerStatus again to verify status.
Try installing the application.

Scenario 2: High CPU usage due to Windows Defender (MsMpEng.exe)

Sometimes during a scheduled scan, MsMpEng.exe can consume high CPU.

Go to Task Manager > Details tab to confirm that MsMpEng.exe is the reason behind the high CPU usage. Also check to see if a scheduled scan is currently underway.
Run Process Monitor (ProcMon) during the CPU spike for around five minutes, and then review the ProcMon log for clues.
When the root cause is determined, turn on troubleshooting mode.
Sign into the device, and launch an elevated PowerShell command prompt.
Add process/file/folder/extension exclusions based on ProcMon findings using one of the following commands (the path, extension, and process exclusions mentioned in this article are examples only):

Set-mppreference -ExclusionPath (for example, C:\DB\DataFiles) Set-mppreference –ExclusionExtension (for example, .dbx) Set-mppreference –ExclusionProcess (for example, C:\DB\Bin\Convertdb.exe)
After adding the exclusion, check to see if the CPU usage has dropped.

For more information on Set-MpPreference cmdlet configuration preferences for Microsoft Defender Antivirus scans and updates, see Set-MpPreference.

Scenario 3: Application taking longer to perform an action

When Microsoft Defender Antivirus real-time protection is turned on, applications can take longer to perform basic tasks. To turn off real-time protection and troubleshoot the issue, use the following procedure.

Request security admin to turn on troubleshooting mode on the device.
To disable real-time protection for this scenario, first turn off tamper protection. You can use the PowerShell command Set-MPPreference -DisableTamperProtection $true on Windows devices.

To check the state of tamper protection, you can use the Get-MpComputerStatus PowerShell cmdlet. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

For more information, see Protect security settings with tamper protection.
Once tamper protection is disabled, sign into the device.
Launch an elevated PowerShell command prompt, and run the following command:

Set-mppreference -DisableRealtimeMonitoring $true
After disabling real-time protection, check to see if the application is slow.

Scenario 4: Microsoft Office plugin blocked by Attack Surface Reduction

Attack surface reduction isn't allowing Microsoft Office plugin to work properly because Block all Office applications from creating child processes is set to block mode.

Turn on troubleshooting mode, and sign into the device.
Launch an elevated PowerShell command prompt, and run the following command:

Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled
After disabling the ASR Rule, confirm that the Microsoft Office plugin now works.

For more information, see Overview of attack surface reduction.

Scenario 5: Domain blocked by Network Protection

Network Protection is blocking Microsoft domain, preventing users from accessing it.

Turn on troubleshooting mode, and sign into the device.
Launch an elevated PowerShell command prompt, and run the following command:

Set-MpPreference -EnableNetworkProtection Disabled
After disabling Network Protection, check to see if the domain is now allowed.

For more information, see Use network protection to help prevent connections to bad sites.