From 140a699e7b6044f0e80301ffbf5b2e19cbbba867 Mon Sep 17 00:00:00 2001 From: Andre <85677225+gh-andrem@users.noreply.github.com> Date: Tue, 27 Aug 2024 12:41:02 +0200 Subject: [PATCH 1/5] Update enable-troubleshooting-mode.md Update section for events that are being generated when changing settings in troubleshooting mode --- defender-endpoint/enable-troubleshooting-mode.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/defender-endpoint/enable-troubleshooting-mode.md b/defender-endpoint/enable-troubleshooting-mode.md index 69badcb5d7..af97500030 100644 --- a/defender-endpoint/enable-troubleshooting-mode.md +++ b/defender-endpoint/enable-troubleshooting-mode.md 
@@ -62,7 +62,9 @@ During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc - Logs and snapshots are collected and are available for an admin to collect using the [Collect investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) feature on the device page. Microsoft doesn't remove this data from the device until an admin has collected it. -- Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device page. +- Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device itself. + - `Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational` + - Potential events may be event ID 5000, 5001, 5004, 5007 and others. See more details at [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-5000). - Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 4 hours). After expiration, all policy-managed configurations become read-only again and revert back to how the device was configured before enabling troubleshooting mode. From 850a4f17602d177f291a640b5bc464baa86baa0d Mon Sep 17 00:00:00 2001 From: Andre <85677225+gh-andrem@users.noreply.github.com> Date: Tue, 27 Aug 2024 12:47:14 +0200 Subject: [PATCH 2/5] Update enable-troubleshooting-mode.md Remove hard-coded link --- defender-endpoint/enable-troubleshooting-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/enable-troubleshooting-mode.md b/defender-endpoint/enable-troubleshooting-mode.md index af97500030..d7ef79d6cc 100644 --- a/defender-endpoint/enable-troubleshooting-mode.md +++ b/defender-endpoint/enable-troubleshooting-mode.md 
@@ -64,7 +64,7 @@ During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc - Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device itself. - `Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational` - - Potential events may be event ID 5000, 5001, 5004, 5007 and others. See more details at [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-5000). + - Potential events may be event IDs 5000, 5001, 5004, 5007 and others. See more details at [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus#event-id-5000). - Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 4 hours). After expiration, all policy-managed configurations become read-only again and revert back to how the device was configured before enabling troubleshooting mode. From 41ffa6eb4484580e661f38d4e5f25cca1c5fae57 Mon Sep 17 00:00:00 2001 From: Andre <85677225+gh-andrem@users.noreply.github.com> Date: Tue, 27 Aug 2024 13:04:00 +0200 Subject: [PATCH 3/5] Update enable-troubleshooting-mode.md Update link to yml --- defender-endpoint/enable-troubleshooting-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/enable-troubleshooting-mode.md b/defender-endpoint/enable-troubleshooting-mode.md index d7ef79d6cc..f5b0358d3e 100644 --- a/defender-endpoint/enable-troubleshooting-mode.md +++ b/defender-endpoint/enable-troubleshooting-mode.md 
@@ -64,7 +64,7 @@ During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc - Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device itself. - `Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational` - - Potential events may be event IDs 5000, 5001, 5004, 5007 and others. See more details at [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus#event-id-5000). + - Potential events may be event IDs 5000, 5001, 5004, 5007 and others. See more details at [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.yml#event-id-5000). - Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 4 hours). After expiration, all policy-managed configurations become read-only again and revert back to how the device was configured before enabling troubleshooting mode. From 0559898adc7d80d2a961ddee5dad3c4dfdb95bd6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 27 Aug 2024 11:37:14 -0700 Subject: [PATCH 4/5] Update enable-troubleshooting-mode.md --- defender-endpoint/enable-troubleshooting-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/enable-troubleshooting-mode.md b/defender-endpoint/enable-troubleshooting-mode.md index f5b0358d3e..2d3464ed0e 100644 --- a/defender-endpoint/enable-troubleshooting-mode.md +++ b/defender-endpoint/enable-troubleshooting-mode.md @@ -15,7 +15,7 @@ ms.collection: - mde-ngp ms.topic: conceptual ms.subservice: ngp -ms.date: 09/25/2023 +ms.date: 08/27/2024 --- # Get started with troubleshooting mode in Microsoft Defender for Endpoint From c75ffa4842107bad11f7013fb21702cda51632e2 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 27 Aug 2024 11:44:30 -0700 Subject: [PATCH 5/5] Update enable-troubleshooting-mode.md --- .../enable-troubleshooting-mode.md | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/defender-endpoint/enable-troubleshooting-mode.md b/defender-endpoint/enable-troubleshooting-mode.md index 2d3464ed0e..133dc6f040 100644 --- a/defender-endpoint/enable-troubleshooting-mode.md +++ b/defender-endpoint/enable-troubleshooting-mode.md 
@@ -62,9 +62,9 @@ During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc - Logs and snapshots are collected and are available for an admin to collect using the [Collect investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) feature on the device page. Microsoft doesn't remove this data from the device until an admin has collected it. -- Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device itself. - - `Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational` - - Potential events may be event IDs 5000, 5001, 5004, 5007 and others. See more details at [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.yml#event-id-5000). +- Admins can also review the changes in settings that take place during troubleshooting mode in **Event Viewer** on the device itself. + - Open Event Viewer, and then expand **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**, and then select **Operational**. + - Potential events can include be events with IDs 5000, 5001, 5004, 5007 and others. See more details at [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.yml#event-id-5000). - Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 4 hours). After expiration, all policy-managed configurations become read-only again and revert back to how the device was configured before enabling troubleshooting mode. 
@@ -83,19 +83,17 @@ During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc - A device running Windows 10 (version 19044.1618 or later), Windows 11, Windows Server 2019, or Windows Server 2022. - Semester/Redstone|OS version|Release - :---|:---|:--- - 21H2/SV1|>=22000.593|[KB5011563: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019275) - 20H1/20H2/21H1|>=19042.1620
>=19041.1620
>=19043.1620|[KB5011543: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5011543) - Windows Server 2022|>=20348.617|[KB5011558: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5011558) - Windows Server 2019 (RS5)|>=17763.2746|[KB5011551: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5011551) + |Semester/Redstone|OS version|Release| + |:---|:---|:---| + | 21H2/SV1|>=22000.593|[KB5011563: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019275) | + | 20H1/20H2/21H1|>=19042.1620
>=19041.1620
>=19043.1620|[KB5011543: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5011543) | + | Windows Server 2022|>=20348.617|[KB5011558: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5011558) | + | Windows Server 2019 (RS5)|>=17763.2746|[KB5011551: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5011551) | - Troubleshooting mode is also available for machines running the modern, unified solution for Windows Server 2012 R2 and Windows Server 2016. Before you use troubleshooting mode, make sure all of the following components are up to date: - Sense version `10.8049.22439.1084` or later ([KB5005292: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005292)) - - Microsoft Defender Antivirus - Platform: `4.18.2207.7` or later ([KB4052623: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623)) - - Microsoft Defender Antivirus - Engine: `1.1.19500.2` or later ([KB2267602: Microsoft Update Catalog](https://www.microsoft.com/en-us/wdsi/defenderupdates)) - For troubleshooting mode to be applied, Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.
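Review bot: In PATCH 1/5 (hunk `@@ -62,7 +62,9 @@`) the new third sub-bullet links to the event-log article with an absolute `https://learn.microsoft.com/en-us/defender-endpoint/...` URL, while the context line in the same hunk cross-references with a repo-relative path (`respond-machine-alerts.md#collect-investigation-package-from-devices`); use the relative form here as well. In the same line, `event ID 5000, 5001, 5004, 5007` should be the plural `event IDs`. Both points are corrected later in the series (PATCH 2/5), so the fix belongs in this commit rather than as a follow-up.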
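Review bot: In PATCH 2/5 (hunk `@@ -64,7 +64,7 @@`) the replacement link `troubleshoot-microsoft-defender-antivirus#event-id-5000` has no file extension, so the relative reference cannot resolve; the other relative link visible in this file (`respond-machine-alerts.md#...`) carries its extension, and PATCH 3/5 adds `.yml` to this one. Suggest squashing PATCH 1/5 through 3/5 into a single commit so the file never carries the intermediate broken link, and keep the commit message ("Remove hard-coded link") on the squashed commit.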
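Review bot: In PATCH 5/5's first hunk (`@@ -62,9 +62,9 @@`) the rewritten third sub-bullet reads `Potential events can include be events with IDs 5000, 5001, 5004, 5007 and others.`; the stray `be` is a leftover from the earlier `may be` wording. Suggest `Potential events can include events with IDs 5000, 5001, 5004, 5007, and others.` The expanded Event Viewer path in the second sub-bullet is fine and matches the bold UI-element style already used for **Event Viewer** in that line.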
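Review bot: In PATCH 5/5's second hunk (`@@ -83,19 +83,17 @@`) three things need attention. First, the `21H2/SV1` row, in both the removed and the added form, has link text `KB5011563` but a URL query of `q=KB5019275`; every other row uses the same KB number in the text and the query, so confirm which KB is intended and make the two agree while this row is being rewritten. Second, the hunk deletes the `Microsoft Defender Antivirus - Platform: 4.18.2207.7 or later` and `Microsoft Defender Antivirus - Engine: 1.1.19500.2 or later` bullets but keeps the lead-in "make sure all of the following components are up to date:" and the `Sense version` bullet, so the list now says "all of the following" with a single item and readers lose two minimum-version prerequisites; the commit message ("Update enable-troubleshooting-mode.md") gives no reason, so either state in the text or commit message why the platform and engine minimums no longer apply, or restore the two bullets. Third, the `20H1/20H2/21H1` row's OS version cell appears here as three lines (`>=19042.1620`, `>=19041.1620`, `>=19043.1620`); a Markdown table row must be a single physical line, so if the source does not already join these with `<br>`, join them or split them into one row per version.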