Issue
File blocking indicators do not work on an MDE endpoint running in passive mode, because enforcement of these indicators relies on Microsoft Defender Antivirus, which does not block in passive mode. The indicator itself can still be created in the MDE console or through the API; it simply is not enforced on that endpoint.
Environment
Microsoft Defender For Endpoint
Resolution
The response actions that MDE supports are listed below, together with whether each one is effective when the endpoint is in passive mode.
Manage tags - console action, not impacted
Initiate Automated Investigation - irrelevant (RC does this)
Initiate Live Response Session - proven works
Collect investigation package - proven works
Run antivirus scan - does not work
Restrict app execution - does not work
Isolate device / de-isolate - proven works
Contain device - probably works
Consult a threat expert - irrelevant (RC does this)
Action center - console action, not impacted
Quarantine files - does not work
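The first thing to establish when an indicator or response action appears not to take effect is whether the endpoint is actually in passive mode. The following PowerShell function is an added example, not part of this article or of Microsoft's own tooling: it reads the Defender Antivirus running mode from the real Get-MpComputerStatus cmdlet (its AMRunningMode property) and maps the table above onto that mode so an analyst can see at a glance which actions to expect to work on the device. The function name and the output shape are this example's own choices; the action statuses are taken verbatim from the list above.

```powershell
# Added example (not from the original article): report Defender AV running mode
# and which MDE response actions this article expects to work on the device.
# Assumes the Defender PowerShell module is available (Get-MpComputerStatus).
function Get-MdePassiveModeImpact {
    [CmdletBinding()]
    param()

    # AMRunningMode is reported by Defender AV itself; 'Passive Mode' and
    # 'SxS Passive Mode' mean another AV product is primary and Defender AV
    # will not enforce blocks. 'Normal' and 'EDR Block Mode' do enforce.
    $mode      = (Get-MpComputerStatus).AMRunningMode
    $isPassive = $mode -in @('Passive Mode', 'SxS Passive Mode')

    # Effectiveness in passive mode, taken from this article's resolution list.
    $passiveModeBehaviour = [ordered]@{
        'File blocking indicators'         = 'does not work (relies on Defender AV)'
        'Manage tags'                      = 'console action, not impacted'
        'Initiate Automated Investigation' = 'irrelevant (RC does this)'
        'Initiate Live Response Session'   = 'proven works'
        'Collect investigation package'    = 'proven works'
        'Run antivirus scan'               = 'does not work'
        'Restrict app execution'           = 'does not work'
        'Isolate device / de-isolate'      = 'proven works'
        'Contain device'                   = 'probably works'
        'Consult a threat expert'          = 'irrelevant (RC does this)'
        'Action center'                    = 'console action, not impacted'
        'Quarantine files'                 = 'does not work'
    }

    foreach ($action in $passiveModeBehaviour.Keys) {
        [PSCustomObject]@{
            ComputerName   = $env:COMPUTERNAME
            AMRunningMode  = $mode
            PassiveMode    = $isPassive
            Action         = $action
            # Outside passive mode every action is expected to work; in passive
            # mode report the status documented in this article.
            ExpectedResult = if ($isPassive) { $passiveModeBehaviour[$action] } else { 'works (AV active)' }
        }
    }
}

# Usage: run on the endpoint under investigation and review the table.
Get-MdePassiveModeImpact | Format-Table -AutoSize
```

Run this on the device before escalating a "block indicator not working" case: if PassiveMode is True, the expected-result column explains the behaviour and the fix is on the AV side (switch the device out of passive mode or rely on an action marked as working), not on the indicator configuration.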