MC272169: Download quarantined files now available for Microsoft Defender Antivirus in active mode

This message only applies to users who have Microsoft Defender Antivirus in active mode. This new feature release (public preview), the ability to download quarantined files, expands the scope of sample submission to include files that are quarantined on your endpoints. We are excited to offer this capability as a simpler, faster, and safer way to download quarantined files.

Download quarantined files button

Affected Workloads

  • Microsoft Defender for Endpoint

Key points

  • Timing:
    • Public preview: This will roll out in late July.
    • Standard: This will roll out in late August.
  • Roll-out: tenant level
  • Control type: user control
  • Action: review and assess

How this will affect your organization

All quarantined files will be collected and stored in a secure location according to your sample submission configuration. For example, if your sample submission is off, quarantined files will not be collected; if your sample submission is set to prompt users, the quarantined files will require the same prompt; and if samples are automatically collected, so too will all quarantined files.

This new feature will benefit Security Admins and SecOps teams during threat investigations, by permitting them to download the file directly from the file’s detail page via the “Download file” button without end user involvement. While the “Download quarantine files” setting is turned on in Microsoft 365 Defender, quarantined files will be saved in Microsoft’s malware submission storage location.

What you need to do to prepare

This is rolling out on by default.

  • Your organization uses Microsoft Defender Antivirus
  • Microsoft Defender Antivirus is in active mode
  • Devices are running Windows 10, version 1703 or later, or Windows Server 2016 or later.
  • Devices have Microsoft Defender Antivirus enabled in active mode with cloud-delivered protection turned on.
  • Sample submission is turned on
  • Antivirus engine version is 1.1.17300.4 or later.
  • Devices have Windows 10 version 1703 or later, or Windows Server 2016 or 2019
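
One way to check a single device against the requirements listed above and to see which sample submission behaviour applies to it. This is an added example, not part of the original message or Microsoft's own tooling. It uses the built-in Get-MpComputerStatus and Get-MpPreference cmdlets; the OS build floors (15063 for Windows 10 version 1703, 14393 for Windows Server 2016) are assumptions derived from the versions named above.

```powershell
# Added example: checks one device against the prerequisites listed above.
# Run in PowerShell on the endpoint; uses the built-in Defender module.
$minEngine = [version]'1.1.17300.4'      # engine floor stated in this message

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$build  = [int]$os.BuildNumber

# Build floors (assumption): Windows 10 1703 = 15063, Windows Server 2016 = 14393.
# ProductType 1 = workstation; 2 and 3 = domain controller / server.
$minBuild = if ($os.ProductType -eq 1) { 15063 } else { 14393 }

# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples automatically,
# 2 = never send, 3 = send all samples automatically.
$collection = switch ([int]$pref.SubmitSamplesConsent) {
    0 { 'prompt: the user is prompted before collection' }
    1 { 'automatic (safe samples)' }
    2 { 'off: quarantined files are not collected' }
    3 { 'automatic (all samples)' }
    default { 'unknown value' }
}

$checks = [ordered]@{
    'OS build at or above floor'        = $build -ge $minBuild
    'Defender Antivirus in active mode' = $status.AntivirusEnabled -and $status.AMRunningMode -eq 'Normal'
    'Cloud-delivered protection on'     = [int]$pref.MAPSReporting -ne 0   # 0 = disabled
    'Sample submission on'              = [int]$pref.SubmitSamplesConsent -ne 2
    "Engine version >= $minEngine"      = [version]$status.AMEngineVersion -ge $minEngine
}

# One row per requirement, then an overall verdict for the device.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize

"Sample submission setting: $collection"
"Meets listed requirements: $(@($checks.Values) -notcontains $false)"
```

A device reporting an AMRunningMode other than Normal (for example, passive mode alongside another antivirus product) fails the active mode check and is outside the scope of this message.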

You might want to notify your users about this new capability and update your training and documentation as appropriate.

Message ID: MC272169
Published: 22 July 2021
Updated: 22 July 2021