I wanted to create a single point, which I aim to maintain over time, that serves as a repository of troubleshooting tips, links and information on Microsoft Defender for Business.
Microsoft Defender for Business is a subset of the capabilities of Microsoft Defender for Endpoint, and it uses the same endpoint sensor, so most Defender for Endpoint troubleshooting guidance applies to it.
– Most of the required files are in the directory C:\Program Files\Windows Defender Advanced Threat Protection, which is already present on Windows Pro and Enterprise devices.
– Look for events from the WDATPOnboarding provider in the Application log in Event Viewer. These event IDs are written by the onboarding script only; they do not come from the sensor itself.
– If the device was onboarded via Intune/MDM, view the MDM event logs to troubleshoot issues that arise during onboarding:
Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider (Event Viewer path: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin)
– The sensor's own log is under Applications and Services Logs > Microsoft > Windows > SENSE > Operational.
– The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
– Services that should be running on a Windows 10/11 device:
Service name = Microsoft Defender Antivirus Service
Service = WinDefend
Service name = Microsoft Defender Antivirus Network Inspection Service
Service = WdNisSvc
Service name = Windows Defender Advanced Threat Protection Service
Service = Sense
Path = "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
Note – SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.
When the SENSE service starts for the first time, it writes onboarding status to the registry key HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status (the OnboardingState value is 1 once the device is onboarded).
Service name = Windows Defender Firewall
Service = mpssvc
Path = C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
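The checks in the notes above (services running, MsSense.exe present, onboarding status in the registry, onboarding and SENSE events) can be run in one go from an elevated PowerShell prompt. This is an added example, not code from the original page or from Microsoft; the service names, binary path, registry key and log names are the ones listed above, while the 24-hour lookback and the output format are my own choices.

```powershell
# Added example: onboarding health check for the Defender for Business / Defender for
# Endpoint sensor on Windows 10/11. Run elevated. Names come from the notes above;
# the lookback window and output layout are assumptions of this script.

# 1. Required services
$services = 'WinDefend', 'WdNisSvc', 'Sense', 'mpssvc'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service $name not found"
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "Service $name is $($svc.Status) (expected Running)"
    } else {
        Write-Output "OK  $name ($($svc.DisplayName)) is running"
    }
}

# 2. Sensor binary
$sensePath = 'C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe'
if (Test-Path -Path $sensePath) {
    Write-Output "OK  $sensePath present"
} else {
    Write-Warning "MsSense.exe not found at $sensePath"
}

# 3. Onboarding status written by SENSE on first start (OnboardingState = 1 when onboarded)
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
if ($status -and $status.OnboardingState -eq 1) {
    Write-Output 'OK  OnboardingState = 1 (onboarded)'
} else {
    Write-Warning "OnboardingState is '$($status.OnboardingState)' (expected 1); check the onboarding script events below"
}

# 4. Onboarding script events (Application log, provider WDATPOnboarding)
Write-Output '--- WDATPOnboarding events (latest 10) ---'
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap

# 5. SENSE operational log: errors (level 2) and warnings (level 3) from the last 24 hours
$since = (Get-Date).AddDays(-1)
Write-Output '--- SENSE errors/warnings, last 24h ---'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2, 3; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap

# 6. MDM onboarding diagnostics (only populated on Intune/MDM-enrolled devices)
Write-Output '--- MDM diagnostics errors/warnings, last 24h ---'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Level = 2, 3; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap
```

Get-WinEvent returns nothing (rather than failing) when a log is empty or absent, so an empty section simply means no matching events; a missing OnboardingState together with no WDATPOnboarding events usually means the onboarding script never ran on this device.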
– It may take up to one (1) hour for a newly onboarded device to appear in the Device Inventory.
– The status of a device changes to 'Inactive' after seven (7) days without contact from the sensor.
– If a device was offboarded, it will still appear in the devices list. After seven (7) days, its device health state should change to 'Inactive'.
– Offboarded devices' data (such as Timeline, Alerts, Vulnerabilities, etc.) remains in the portal until the configured retention period expires.
– The device's profile (without data) remains in the Devices List for no longer than 180 days.
– Any device that has not reported for more than seven (7) days keeps the 'Inactive' status in the portal.
– A new device entity is generated in Microsoft 365 Defender for reinstalled or renamed devices. The previous device entity remains, with an 'Inactive' status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.
– Offboarding a device causes the device to stop sending data to Defender for Business (preview). However, data received prior to offboarding is retained for up to six (6) months.
– Defender for Endpoint Client Analyzer (includes the cloud connectivity checks) – https://aka.ms/mdeanalyzer
– The Client Analyzer's cloud connectivity checks are not compatible with the Attack Surface Reduction rule "Block process creations originating from PSExec and WMI commands". Temporarily disable this rule while running the analyzer, or add a temporary ASR exclusion for it; re-enable the rule (or remove the exclusion) once the checks are complete.
– When TelemetryProxyServer is set (in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection, or via Group Policy), the Defender for Endpoint sensor uses that static proxy first and falls back to a direct connection if it cannot reach the defined proxy. Keep this in mind when troubleshooting: a device may still report through direct egress even though its configured proxy is down.
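A quick way to see which static proxy the sensor will try first, and whether it is reachable from the device, is to read the policy value and test the TCP connection. This is an added example, not code from the original page or from Microsoft; the registry path and value name are the documented ones, the parsing and reporting are my own.

```powershell
# Added example: show the sensor's static proxy (TelemetryProxyServer) and test
# whether it is reachable. Registry path and value name are documented; the
# host:port parsing and the messages are assumptions of this script.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$proxy = (Get-ItemProperty -Path $policyKey -Name TelemetryProxyServer -ErrorAction SilentlyContinue).TelemetryProxyServer

if ([string]::IsNullOrWhiteSpace($proxy)) {
    Write-Output 'TelemetryProxyServer is not set: the sensor will use the WinHTTP/system proxy configuration or a direct connection.'
    return
}

# The value is host:port with no scheme. Split on the last colon so an IPv6 literal
# such as [fd00::1]:8080 is handled as well.
$idx = $proxy.LastIndexOf(':')
if ($idx -lt 1) {
    Write-Warning "TelemetryProxyServer '$proxy' is not in host:port form"
    return
}
$proxyHost = $proxy.Substring(0, $idx).Trim('[', ']')
$proxyPort = [int]$proxy.Substring($idx + 1)

$reachable = Test-NetConnection -ComputerName $proxyHost -Port $proxyPort `
    -InformationLevel Quiet -WarningAction SilentlyContinue

if ($reachable) {
    Write-Output "OK  static proxy $proxy is reachable; sensor traffic should go through it"
} else {
    Write-Warning "Static proxy $proxy is unreachable. The sensor will fall back to a direct connection, so verify that the firewall allows direct egress to the Defender for Endpoint service URLs, or fix the proxy."
}
```

If the proxy is reachable but the device still shows as not reporting, the next step is the Client Analyzer linked above, which tests the actual service URLs rather than just the proxy socket.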