Application Resilience policies for Microsoft Defender for Endpoint

System requirements

Application Resilience policies for Microsoft Defender for Endpoint are supported on devices running:

a supported version of the Windows operating system
PowerShell version 5.1 or higher

Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.
any version of Microsoft Defender for Endpoint

Health checks

The following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant if all health checks, other than the version check, pass.

Component	Test
Services	Running	Signed by
Windows Defender Advanced Threat Protection Service (MsSense.exe)	P	One of the signers entered in the policy configuration By default, Signers contains "Microsoft Corporation" and "Microsoft Windows Publisher".
Registry keys	Exists	Value name	Data
HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection	P	OnboardingInfo	<not parsed>
HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\Status	P	OnboardingState	1
Application name
The application uses the following name: Microsoft Defender for Endpoint

Repairing and reinstalling

You can configure an Application Resilience policy for Microsoft Defender for Endpoint to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Microsoft Defender for Endpoint if it's not functioning, or onboard the device, if it's not onboarded.

Depending on the Absolute product licenses associated with your account, the Report and repair and Report, repair, and reinstall options may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue	Resolution
Repair
The Windows Defender Advanced Threat Protection Service (MsSense.exe) isn't running	The RAR component restarts the service.
Reinstall
If the OnboardingState registry key is not set to 1, or the key does not exist	The RAR component downloads and runs the onboarding script.

Preparing the onboarding script

You can onboard a device using a local onboarding script. For information about generating a local script for Microsoft Defender for Endpoint, see Microsoft documentation.

The onboarding script must meet the following requirements:

The script's file name is WindowsDefenderATPOnboardingPackage.cmd
The script is contained in a ZIP file, with file name WindowsDefenderATPOnboardingPackage.zip

Before uploading the onboarding script, ensure that:

The script does not contain any commands, such as "pause" or "set /p", that require the user to interact with the script.

The script is signed by a Trusted Publisher.

Configuring Application Resilience policies

Before you activate an Application Resilience policy, you need to configure the policy. You need to configure the application version in addition to the settings in Configuring Application Resilience policies.

To configure the Microsoft Defender for Endpoint version and specific settings:

Under Microsoft Defender for Endpoint version, enter the version of Microsoft Defender for Endpoint you expect to be running on your devices.

The target version must be a sequence of digits separated by a period.
You can use wild card "*" characters after the major version, for example, 10.*, 10.8672.*, or 10.8672.25926.*.