@Tim A, Terry, Thanks for posting in Q&A.
Q1. How to access the location of quarantined files through Microsoft Defender or any other related Azure/Intune tools.
A1. Method 1:
Open Windows Security
Select Virus & threat protection and then click Protection history
In the list of all recent items, filter on Quarantined Items
Select an item you want to keep, and take an action, such as restore
Method 2:
By default, the Windows Defender virus storage is located under the following path: C:\ProgramData\Microsoft\Windows Defender\Quarantine
Method 3:
Using Microsoft Defender for Endpoint
Q2. The steps to navigate through the Defender console or Intune to review the details of the quarantined files, specifically the file path/source of malware.
A2. Sign in to Microsoft Defender Security Center:
Navigate to the Action Center:
In the left-hand navigation pane, select Action center.
Filter Quarantined Files:
Use the filters to select "Quarantined Items".
View Details of Quarantined Files:
Click on a specific quarantined file to view its details. This will include information such as the file path, the source of the malware, and other relevant details. From the file's detail page, you can choose to restore, delete, or download the file for further analysis.
Q3. What reports or logs in Intune or Defender will provide this information so that I can effectively identify where the malware is stored on the device(s).
A3. Sign in to Microsoft Intune Admin Center:
Navigate to Reports:
In the left-hand navigation pane, select Reports.
Select Endpoint Security:
Under Endpoint security, select Microsoft Defender Antivirus.
Generate Detected Malware Report:
In the Reports tab, select Detected malware.
Use the dropdown lists to filter by severity level, execution state, and managed by options.
Click on Generate report.
Review Report Details.
PowerShell:
Open PowerShell as Administrator:
Run the Following Command:
Get-MpThreatDetection
The output will include details about the detected threats, including file paths and sources.
Hope the above information can help you.
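Added example (not part of the original answer): a PowerShell sketch that expands the Get-MpThreatDetection output mentioned above into one row per affected resource, with the threat name joined in from Get-MpThreat, and then lists what is currently in quarantine. It assumes an elevated session on the device, that Resources entries use the "scheme:_path" form (for example file:_C:\...), and the default MpCmdRun.exe install path; the CSV file name is a placeholder.

```powershell
# Added example: run in an elevated PowerShell session on the affected device.

# Build a ThreatID -> ThreatName lookup so each detection can be labelled.
$threatNames = @{}
Get-MpThreat | ForEach-Object {
    $threatNames[[string]$_.ThreatID] = $_.ThreatName
}

# One output row per resource (file, container, etc.) named in each detection.
$report = foreach ($d in Get-MpThreatDetection) {
    foreach ($res in $d.Resources) {
        # Assumption: entries look like "file:_C:\path\item"; split scheme from path.
        $kind, $path = $res -split ':_', 2
        if (-not $path) {
            # No "scheme:_" prefix found; keep the raw value as the path.
            $path = $kind
            $kind = 'unknown'
        }
        [pscustomobject]@{
            DetectedAt      = $d.InitialDetectionTime
            ThreatName      = $threatNames[[string]$d.ThreatID]
            ResourceType    = $kind
            Path            = $path
            Process         = $d.ProcessName
            User            = $d.DomainUser
            ActionSucceeded = $d.ActionSuccess
        }
    }
}

# Newest detections first; original location of each item is in the Path column.
$report | Sort-Object DetectedAt -Descending | Format-Table -AutoSize -Wrap

# Optional: keep a copy for the incident record (placeholder file name).
$report | Export-Csv -Path .\defender-detections.csv -NoTypeInformation

# List items currently held in quarantine (default install path assumed).
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (Test-Path $mpCmdRun) {
    & $mpCmdRun -Restore -ListAll
} else {
    Write-Warning "MpCmdRun.exe not found at $mpCmdRun"
}
```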