Ever wondered what happens when #MicrosoftDefender quarantines a PUP, but then you go into the notification and select "Allow" for the application in the future? Well, a Registry value with the name of ThreatId (detected threat) is set in the Registry with a Data of 6 for Ignore.
It seems that this Regkey is regularly cleaned, however, since the application gets flagged every few days and I need to restart the process.
I don't know if it works in a similar fashion for actual threats (non-PUA/PUP), but if I ever get in that situation (oops... downloading malicious samples in P R O D), I'll be sure to test it out and update this tweet.
This is also documented in @fabian_bader's AWESOME Guide to Microsoft Defender for Endpoint exclusion that he posted back in May 2022. You should definitely check it out!
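An audit of the per-threat overrides described above, as an added example that is not part of the original post. It assumes the built-in Defender PowerShell module (`Get-MpPreference`, `Get-MpThreatCatalog`) and takes the action code 6 from the post.

```powershell
# Added example: list Defender per-threat default-action overrides and flag
# the ones set to the "allow/ignore" code the post describes.
# Assumes the built-in Defender module is available on the host.
$AllowCode = 6   # value the post reports for an allowed (ignored) threat

$pref    = Get-MpPreference
# A missing property comes back as $null; filter it so the count is truly 0.
$ids     = @($pref.ThreatIDDefaultAction_Ids     | Where-Object { $null -ne $_ })
$actions = @($pref.ThreatIDDefaultAction_Actions | Where-Object { $null -ne $_ })

if ($ids.Count -eq 0) {
    Write-Output 'No per-threat default-action overrides are set.'
    return
}
if ($ids.Count -ne $actions.Count) {
    throw "Mismatched override lists: $($ids.Count) ids, $($actions.Count) actions."
}

$overrides = for ($i = 0; $i -lt $ids.Count; $i++) {
    # Resolve the numeric ThreatId to a readable name where the catalog has it.
    $entry = Get-MpThreatCatalog -ThreatID $ids[$i] -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Checked    = Get-Date -Format s
        ThreatId   = $ids[$i]
        ThreatName = if ($entry) { $entry.ThreatName } else { '<not in catalog>' }
        Action     = [int]$actions[$i]
        Allowed    = ([int]$actions[$i] -eq $AllowCode)
    }
}

# Emit objects so the result can be piped to Export-Csv or compared over time.
$overrides | Sort-Object ThreatId
$allowed = @($overrides | Where-Object Allowed)
Write-Warning "$($allowed.Count) threat(s) currently set to action $AllowCode (allowed)."
```

Running this on a schedule and comparing the output between runs shows when an allow entry disappears, which is the cleanup behaviour the post describes.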