The remote shell you already own and never switched on

MAI_f92fd6ff5e6c3e0b


A client rings. A machine’s behaving strangely — fake-looking PowerShell, a scheduled task nobody created, something. What do most of us do?

We RDP in. Or worse, we send someone onsite.

Here’s the thing. If that device is onboarded to Defender for Endpoint, you already have a remote command line sitting right there in the portal. You can be on the box, reading its running processes, in about thirty seconds. From your desk.

Most MSPs I talk to have never turned it on. For some it’s a checkbox they walked straight past during onboarding. For others — and this is the part that trips people up — it’s a licence they didn’t realise they’re missing. Either way, it’s a gap worth closing.

What is Live Response, really?

Live Response is a secure remote shell into any onboarded device, run entirely from the Defender portal. No RDP. No VPN. No jump box. No asking a panicked user to “click the thing I just emailed you”.

You open a session and you’re talking to the machine in real time. List processes, pull a suspicious file back to the portal for analysis, kill something, drop a registry change, or run a PowerShell script you’ve pre-loaded.

Think of it as the SSH session you always wished you had for your Windows fleet — except the audit trail writes itself and you never went near the network.

Here’s the real win. The thirty minutes you used to burn coordinating remote access to a maybe-compromised box just disappears. You’re simply there.

Step-by-step: getting on the box

This lives in Live Response in Defender for Endpoint, and it needs Defender for Endpoint Plan 2.

Now read this next bit carefully, because it’s where the assumption bites. Business Premium does not give you Plan 2. Business Premium includes Defender for Business — same great EDR detections, and the basic response actions you’d expect (isolate the device, run an antivirus scan, quarantine a file). But Live Response, the remote shell, is not in Defender for Business. It’s a Plan 2-only feature.

So before you promise a client “I’ll just hop on the box,” check what they’re actually licensed for. To get Live Response onto a Business Premium tenant you need either the Defender Suite for Business Premium add-on (around $10/user/month — which also lands you Defender for Office 365 P2, Entra ID P2 and more) or a standalone Defender for Endpoint Plan 2 licence.

And one last gotcha that catches people out: even after you assign the licences, the tenant defaults to the Defender for Business experience. You have to contact Microsoft Support and ask them to switch the tenant to the Plan 2 experience before the remote shell appears. It’s a one-time thing, but it’s a ticket, not a toggle.

None of this is a reason not to do it. It’s a reason to do it deliberately — a line item on the proposal and a switch request, not a feature your client already paid for and forgot about. Honestly, for a managed-security MSP that’s the easy version of this conversation: “for ten dollars a user I can be on any sick machine in thirty seconds” sells itself.

Turn it on first

This is the step everyone misses. Even once you’re licensed, Live Response is off by default.

Go to the Microsoft Defender portal, then Settings > Endpoints > Advanced features. Flip Live Response on. If you want to push scripts to servers too, enable Live Response for Servers. Save. (Configure advanced features walks through every toggle on that page.)

There’s a second switch just below: Live Response unsigned script execution. Leave that off. I’ll come back to why.

Check who’s allowed

Live Response is gated by role. Read-only permissions can look but not touch. To actually run commands and push files, your technician group needs the right Defender permission assigned. Sort this before an incident, not during one.

Open a session

Find the device in the inventory, open its page, and click Initiate live response session. Give it a few seconds to connect, and you’ve got a prompt.

Build your library once

This is where it goes from handy to a service. From the session console — or the Library management page — you can upload PowerShell scripts and run them on demand with a single command (upload to the live response library). Write the scripts once, run them across every client tenant.

A triage runbook might look like this:

run Get-RunningProcesses.ps1
run Get-PersistenceItems.ps1
run Collect-EventLogs.ps1
getfile "C:\Users\Public\suspicious.exe"

Notice what’s missing? No RDP credentials. No copying scripts onto the box and hoping nobody double-clicks them. No “can you read me the error message”. You point at the device, run a vetted script, pull the evidence back. Same four commands, every tenant, every time.

Why this actually changes behaviour

“We don’t touch the machine until we know what we’re dealing with.”

That used to mean waiting. Now it means a thirty-second session and a script you wrote last month.

Here’s what shifts. Triage stops being a scheduling problem and becomes a muscle. Your L1 can open a session and run the runbook before escalating, which means your L3 gets a tidy evidence pack instead of a vague ticket. The work moves down a tier and your senior people stay doing senior work.

And that unsigned-scripts toggle I told you to leave off? That’s the discipline. If every script in your library is signed, a compromised technician account can’t quietly run arbitrary code across your clients’ fleets through your own tooling. Convenience that becomes an attack path isn’t convenience. Leave it off.

If you’re selling managed Defender and you’re still RDP-ing in to triage, you’re billing time for a problem Microsoft already solved for you — assuming you’ve licensed the fix.

Live Response isn’t there to make remote access faster. It’s there to make “let me get on the machine” a non-event.

Check which tenants are licensed, turn it on this week, and the next incident will thank you.