Hey everyone! We've noticed a surge in alerts over the past six hours from various customer systems indicating that the Microsoft Defender Core Service (MDCoreSvc) is missing. This isn't isolated to just one client; several tenants are affected. We haven't made any recent changes that could explain this behavior. Has anyone else experienced similar alerts today? Could this be tied to a new Defender update or is it just a false positive from our monitoring tools? Any thoughts or insights would be super helpful. Thanks!
4 Answers
I saw this too! I found a relevant note here: [https://mc.merill.net/message/MC1142620](https://mc.merill.net/message/MC1142620). It seems like others are reporting similar issues.
I just checked one of the impacted servers and found an interesting log event indicating that Windows installed a new security intelligence update for Microsoft Defender (KB2267602). The event ID is 19 and it looks like the service might not restart after the update.
Yeah, we're dealing with that too. Do you have any other antivirus or EDR solutions like SentinelOne running alongside Defender? If there's interference, that might be causing the alerts.
Glad to see we're not the only ones! As far as I know, we don’t have any other AV or EDR installed. Defender is the sole antivirus on the affected systems.
I experienced the same issue, and it seems like it may only be happening on our 2016 Server systems. Just a heads up that the Core Service for those servers had a mid-September release date.
Sounds like you're on to something. I confirmed the same event in a few other servers. There’s a clear pattern where the Defender service shuts down during the update process and then just doesn’t restart or even show up in services.msc afterward.
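A local check for the pattern described in this thread, added here as an example and not posted by any participant: it reports whether MDCoreSvc is gone or merely stopped, and whether a KB2267602 install event falls in the same window. Reading event ID 19 from the System log under the Microsoft-Windows-WindowsUpdateClient provider and the 24-hour look-back are assumptions; the thread does not say which log the event was found in.

```powershell
# Added example. MDCoreSvc, KB2267602 and event ID 19 come from the thread.
# Assumptions: event 19 is read from the System log under the
# Microsoft-Windows-WindowsUpdateClient provider; 24-hour look-back.
$ServiceName = 'MDCoreSvc'
$KbPattern   = 'KB2267602'
$Since       = (Get-Date).AddHours(-24)

# A missing service yields $null here instead of a terminating error.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

# Is the service still registered at all, or only stopped?
$regPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$registered = Test-Path -Path $regPath

# Newest event 19 in the window whose message names the intelligence update.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 19
    StartTime    = $Since
}
$update = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $KbPattern } |
    Select-Object -First 1

$verdict = if (-not $svc -and $update) {
    'Service missing after security intelligence update'
} elseif (-not $svc) {
    'Service missing, no matching update event in window'
} elseif ($svc.Status -ne 'Running') {
    'Service present but not running'
} else {
    'Service running'
}

# One object per host, suitable for Export-Csv when collected across servers.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    ServicePresent = [bool]$svc
    ServiceStatus  = if ($svc) { [string]$svc.Status } else { $null }
    RegistryKey    = $registered
    LastKbInstall  = if ($update) { $update.TimeCreated } else { $null }
    Verdict        = $verdict
}
```

Comparing `ServicePresent` with `RegistryKey` separates a monitoring false positive (service registered but not enumerated by the agent) from a service that is no longer registered on the host.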