Skip to main content
🦉
Message CenterMicrosoft 365 Updates
HomePermissionsTenant FinderPortfolio
🦉
M365 Message Centerby Cengiz YILMAZ

Track the latest updates, features, and announcements for Microsoft 365 services. Comprehensive archive of service updates and important changes.

Quick Links

HomePermissionsTenant FinderPortfolio

Connect

© 2026 M365 Message Center. Created with ❤️ by Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft

  1. Home
  2. /
  3. MC906487

Microsoft Defender XDR: InitiatingProcessFolderPath changes to include file names

Plan for Change

Message ID

MC906487
View in Admin Center

Services

Microsoft Defender XDR

Summary

Microsoft Defender for Endpoint will update the InitiatingProcessFolderPath to include file names, affecting all Advanced Hunting tables. Rollout begins November 18, 2024. Organizations should adjust custom detection rules and queries accordingly. The change applies only to Windows activity.

Details

Updated November 5, 2024: We have updated the rollout timeline below. Thank you for your patience.

Coming soon: Microsoft Defender for Endpoint will modify the InitiatingProcessFolderPath column across all relevant Advanced Hunting tables to include the initiating process file name. This message applies to Windows activity only.

When this will happen:

General Availability (Worldwide): We will roll out to all Microsoft Defender for Endpoint customers on November 18, 2024 (previously November 4).

How this will affect your organization:

Before this rollout, the InitiatingProcessFolderPath column is inconsistent across action types. Some columns include the file name, and other columns do not include the file name.

After the rollout, all Microsoft Defender for Endpoint action types across all tables will report the full path including the file name of the initiating process in the InitiatingProcessFolderPath column.

Consider the following example to be the new normal, InitiatingProcessFolderPath == c:\temp\file.exe

An example of a possible current implementation that will be retired with this change: InitiatingProcessFolderPath == c:\temp\

Custom detection rules and queries considering the InitiatingProcessFolderPath may be affected.

If you know your custom detection rules or Advanced Hunting queries include this column, please modify them to consider the new convention:

  • To modify your custom detection rules, go to the Defender portal > Investigation & response > Hunting > Custom detection rules
  • To modify other Advanced Hunting queries, go to the Defender portal > Investigation & response > Hunting > Advanced hunting

To learn more, go to the Shema reference button in the top right of the Advanced hunting page.

This change is on by default.

What you need to do to prepare:

Before November 4, 2024, map your affected custom detection rules and KQL functions and prepare a fix. Where possible, we recommend updating your queries before the release.

This rollout will happen automatically by the specified date. You may want to notify your admins about this change and update any relevant documentation.

Timeline

📅
Published
Oct 7, 2024
Message published to Message Center
⚠️
Action Required By
Nov 3, 2024
Action deadline
✏️
Updated
Nov 5, 2024
Message content updated
🏁
End Date
Jan 31, 2025
Message timeline ends

Tags

#Updated message#Feature update#Admin impact

Category

📋Plan for Change

Related Messages

Similar updates

MC912708●

Microsoft Defender for Identity: "Alert notifications" feature will retire starting in November 2024

Oct 17, 2024
MC883197

Microsoft Defender for Endpoint: Removing a recommendation to update Microsoft Secure Score

Sep 4, 2024
MC1192257●

Microsoft Defender Threat Intelligence: Convergence with Microsoft Defender and Microsoft Sentinel

Dec 5, 2025
MC1073068

Microsoft Defender for Identity: We will disable collection of local administrators' group members (using SAM-R)

May 13, 2025
MC1057719

MDE Mobile: Open Wi-Fi and Certificate Detections will be logged as Events

Apr 18, 2025