Application Resilience policies for Microsoft Defender for Endpoint
You can activate an Application Resilience policy for Microsoft Defender for Endpoint to collect information about the functional status of Microsoft Defender for Endpoint installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair the application.
Microsoft Defender for Endpoint was formerly known as Windows Defender ATP.
Application Resilience policies for Microsoft Defender for Endpoint are supported on devices running:
- a supported version of the Windows operating system
- PowerShell version 5.1 or higher

  Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.
- any version of Microsoft Defender for Endpoint
The following table describes the health checks performed:
If you select Report higher versions as Compliant, higher versions report Compliant if all health checks, other than the version check, pass.
Component | Test | |
---|---|---|
Services | Running | Signed by |
Windows Defender Advanced Threat Protection Service (MsSense.exe) | P | One of the signers entered in the policy configuration. By default, Signers contains "Microsoft Corporation" and "Microsoft Windows Publisher". |
Registry keys | Exists | Key value |
HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection | P | OnboardingInfo |
You can configure an Application Resilience policy for Microsoft Defender for Endpoint to enable the Application Resilience (RAR) component to attempt to repair Microsoft Defender for Endpoint if it's not functioning.

The RAR component is a lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated.
The Report, repair, and reinstall option isn't supported. Depending on the Absolute product licenses associated with your account, the Report and repair option may not be available.
The RAR component of the Secure Endpoint Agent can respond to the following issues:
Issue | Resolution |
---|---|
Repair | |
The Windows Defender Advanced Threat Protection Service (MsSense.exe) isn't running | The RAR component restarts the service. |
Before you activate an Application Resilience policy, you need to configure it. In addition to the settings in Configuring Application Resilience policies, you need to configure the application version.
To configure the Microsoft Defender for Endpoint version and specific settings:
Under Microsoft Defender for Endpoint version, enter the version of Microsoft Defender for Endpoint you expect to be running on your devices.
- The target version must be a sequence of digits separated by a period.
- You can use wild card "*" characters after the major version, for example, 10.*, 10.8672.*, or 10.8672.25926.*.
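To see on a single device what the health checks and the version setting described above evaluate, the following read-only PowerShell function re-creates them. It is an added example, not the Secure Endpoint Agent's own code. It assumes the service short name is `Sense` and that the version compared is the file version of MsSense.exe; the function name and the default target version are hypothetical.

```powershell
# Added example: read-only re-creation of the documented health checks.
# Assumptions (not from the page): service short name 'Sense'; the version
# checked is the file version of MsSense.exe.
function Test-MdeHealth {
    param(
        [string[]]$Signers = @('Microsoft Corporation', 'Microsoft Windows Publisher'),
        [string]$TargetVersion = '10.*'   # constructed sample value
    )
    # Target version: digits separated by periods, wildcard only after the major version.
    if ($TargetVersion -notmatch '^\d+(\.\d+)*(\.\*)?$') {
        throw "Invalid target version '$TargetVersion' (expected for example 10.* or 10.8672.*)."
    }
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Sense'"

    $signer = $null
    $version = $null
    # PathName may be quoted and may carry arguments; keep only the .exe path.
    if ($svc -and $svc.PathName -match '^"?(.+?\.exe)') {
        $exe = $Matches[1]
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -eq 'Valid') {
            # Only trust the signer name when the signature itself verifies.
            $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
            $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
        }
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        $version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                        $vi.FileBuildPart, $vi.FilePrivatePart
    }
    # Registry check: the key exists and holds an OnboardingInfo value.
    $onboarding = Get-ItemProperty -Path $regPath -Name OnboardingInfo -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        ServiceRunning   = [bool]($svc -and $svc.State -eq 'Running')
        SignerAllowed    = [bool]($signer -and ($Signers -contains $signer))
        OnboardingExists = [bool]($onboarding -and $onboarding.OnboardingInfo)
        VersionMatches   = [bool]($version -and ($version -like $TargetVersion))
    }
    [pscustomobject]@{
        Signer    = $signer
        Version   = $version
        Checks    = [pscustomobject]$checks
        Compliant = -not ($checks.Values -contains $false)
    }
}

Test-MdeHealth -TargetVersion '10.*' | Format-List
```

A device where `ServiceRunning` is false corresponds to the one issue the RAR component repairs; the other failed checks are reported only.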