Overview

A potential issue has been identified through correlation of recent incidents involving Microsoft Defender App Restriction and Windows TPM behaviour.

In the observed scenario, a device entered App Restrict following an automated Defender scan. If the device is powered off or shut down while still in App Restrict, the device may subsequently present a TPM-related failure, preventing the user from logging in.

This behaviour can appear similar to a device dropping off the domain.

The issue has been raised with the MCS SOAR team to escalate to Microsoft, as this appears to be unexpected behaviour during a Defender security event.


What Happens In App Restrict

A device triggers an automated Defender scan

Defender places the device into App Restrict

App Restrict can take up to 45 minutes to complete, depending on scan duration

Once the scan completes, the device is normally released automatically


Observed issue

If the device is powered down while App Restrict is still active, Windows can:


Break TPM state within Windows Security

Prevent the primary user from logging in

Present extended loading screens followed by login failure


Identifying the Issue

1. Confirm App Restrict status

Search for the user’s incident in Freshservice (FS).

If the device is in App Restrict, you will see a ticket similar to:


“MCS SOAR Security Alert: Host pc‑<device>.maddocks.com.au is under Restricted Mode in Response to an Incident. ID:<number>”


2. User‑side symptoms

When the user attempts to sign in:


Device sits on a loading screen for ~5 minutes

Login then fails without a clear authentication error

If the user does manage to log in, only Microsoft applications will open; Adobe and Expert will not work.


This occurs even though:

Network connectivity is present

Credentials are correct
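An added triage helper (not part of the original KB) that can be run from an elevated PowerShell session on the affected device to tell this TPM-state failure apart from a device that has genuinely dropped off the domain. It uses only the built-in Get-Tpm, Test-ComputerSecureChannel, Get-CimInstance and Get-MpComputerStatus cmdlets; the verdict rules are an assumption based on the symptoms in this KB, not a Microsoft diagnostic.

```powershell
# Added triage helper, not part of the original KB. Run in an elevated PowerShell
# session on the affected device (for example the alternate-account session used
# in the workaround). The verdict rules are an assumption derived from the
# symptoms described in this KB.
function Get-AppRestrictTpmTriage {
    $tpm = Get-Tpm                                        # requires admin
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    try {
        $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $secureChannel = $false                           # not joined, or DC unreachable
    }
    $mp = Get-MpComputerStatus

    $tpmHealthy = $tpm.TpmPresent -and $tpm.TpmReady -and $tpm.TpmEnabled

    # A healthy secure channel with a degraded TPM matches this KB's issue;
    # a broken secure channel points at a domain trust problem instead.
    if (-not $cs.PartOfDomain) {
        $verdict = 'Not domain joined'
    } elseif (-not $secureChannel) {
        $verdict = 'Domain trust / secure channel broken (not the App Restrict issue)'
    } elseif (-not $tpmHealthy) {
        $verdict = 'TPM state degraded, secure channel OK (matches App Restrict shutdown issue)'
    } else {
        $verdict = 'TPM and domain trust look healthy'
    }

    [pscustomobject]@{
        Domain              = $cs.Domain
        PartOfDomain        = $cs.PartOfDomain
        SecureChannelOK     = $secureChannel
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmEnabled          = $tpm.TpmEnabled
        DefenderRunningMode = $mp.AMRunningMode           # blank on older Defender builds
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
        Verdict             = $verdict
    }
}

Get-AppRestrictTpmTriage | Format-List
```

Paste the output into the Freshservice ticket so the MCS SOAR escalation has the TPM and domain-trust state captured at the time of the fault.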


Quick Fix (Confirmed Workaround)

This workaround has been successfully used to restore access.

Log in to the affected device using a different account

A password login is required (Windows Hello may fail)


Allow the session to fully load

Sign out of the account just used to log in

Ask the user to sign back in; this should now succeed.


In observed cases, once the admin login has completed successfully, the TPM state recovers and the user can log in normally.

This has so far only been performed on‑site in the office; it is not yet confirmed whether it works remotely.


Important Notes for Support Staff

Do not power off a device while it is actively in App Restrict unless absolutely required

If App Restrict duration has not exceeded ~35 minutes, allow Defender to complete automatically


To release a device from App Restrict, review this KB