I wanted to create a single point, that I will aim to maintain over time, that provides a repository of troubleshooting tips, links and information on Microsoft Defender for Business.
[Updated 1 February 2022]
– Microsoft Defender for Business documentation
Microsoft Defender is subset of the capabilities of Microsoft Defender for Endpoint.
– Microsoft Defender for Endpoint
– Microsoft Defender for Endpoint documentation
– What’s new in Microsoft Defender for Endpoint
– Minimum requirements for Microsoft Defender for Endpoint
Onboarding to the Microsoft Defender for Endpoint service
Onboarding using a local script
Onboarding using Intune device configuration policy
Onboarding using an Endpoint Security policy
– Most of the required files are in a directory:
C:\Program Files\Windows Defender Advanced Threat Protection
which is already present on Windows Pro and Enterprise devices.
– Look for events from WDATPonboarding in the Application logs in the Event viewer.
These event IDs are specific to the onboarding script only.
– Troubleshooting onboarding issues using Microsoft Intune
View the MDM event logs to troubleshoot issues that might arise during onboarding:
Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
– View agent onboarding errors in the device event log
Applications and Services Logs > Microsoft > Windows > SENSE
– Make sure that the diagnostic data service is enabled on all devices in your organization
– The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
– Services that should be running for Windows 10/11 device:
Service name = Microsoft Defender Antivirus Service
Service = WinDefend
Service name = Microsoft Defender Antivirus Network Inspection Service
Service = WdNisSvc
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe”
Service name = Windows Defender Advanced Threat Protection Service
Service = Sense
Note – SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.
When the SENSE service starts for the first time, it writes onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall –p
Service name = Windows Defender Firewall
Service = mpssvc
– It may take up to one (1) hour for the onboarded device to appear in Device Inventory
– The status of the device will be switched to inactive after 7 days of failed contact
– Troubleshoot Microsoft Defender for Endpoint onboarding issues
Offboarding from the Defender for Endpoint service
Offboarding using a local script
Offboarding using Intune device configuration profile
Offboarding using an API and PowerShell
Offboarding using Power Automate
– If the device was offboarded, it will still appear in devices list. After seven (7) days, the device health state should change to inactive.
– Offboarded devices’ data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain in the portal until the configured retention period expires.
– The device’s profile (without data) will remain in the Devices List for no longer than 180 days.
– Any device that is not in use for more than seven (7) days will retain ‘Inactive’ status in the portal.
– A new device entity is generated in Microsoft 365 Defender for reinstalled or renamed devices. The previous device entity remains, with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.
– Offboarding a device causes the devices to stop sending data to Defender for Business (preview). However, data received prior to offboarding is retained for up to six (6) months.
– Threat Vulnerability Management (TVM) will only collect and process information from active devices.
– Verify client connectivity to Microsoft Defender for Endpoint service URLs
– Defender for Endpoint Connectivity analyzer – https://aka.ms/mdeanalyzer
– The Connectivity Analyzer tool cloud connectivity checks are not compatible with Attack Surface Reduction rule Block process creations originating from PSExec and WMI commands. You will need to temporarily disable this rule to run the connectivity tool. Alternatively, you can temporarily add ASR exclusions when running the analyzer.
– When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can’t access the defined proxy.
Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus – Microsoft Defender Antivirus event IDs and error codes | Microsoft Docs
To generate the support information, type
After a while, several logs will be packaged into an archive (MpSupportFiles.cab) and made available in
Extract that archive and you will have many files available for troubleshooting purposes.
The most relevant files are:
- MPOperationalEvents.txt – This file contains same level of information found in Event Viewer for Windows Defender’s Operational log.
- MPRegistry.txt – In this file you will be able to analyze all the current Windows Defender configurations, from the moment the support logs were captured.
- MPLog-***.txt – This log contains more verbose information about all the actions/operations of the Windows Defender.