So recently since using Intune and Defender for Endpoint we have noticed that when we create a wrapped MSI file with an exe inside it that it appears that something is scanning and running the file to see what it is? I appears to be ran by a low spec windows 10 VM so I'm thinking this is some sort of cloud sandbox that would do this?
I cant seem to find any logs on either local machines or 365 to say that this is happening. It is very strange.
Has anyone else had this issue or know which setting in windows 10 baseline etc that i would need to change to stop this from happening.