EDR in Block Mode
EDR stands for Endpoint Detection and Response. Microsoft Defender for Endpoint (MDE) can work in parallel with a 3rd party A/V running on the device. While this will not cover 100% of the tasks done by an A/V, which include real-time protection, it will help to report malicious activities.
Because a different A/V is running on your computer, you can depend on it for real-time protection.
- Switching ON EDR in Block Mode is a security recommendation.
- When a malicious item is found, it will be reported in the Action Center and will be remediated. The status of the item will be marked as Blocked or Prevented.
- RBAC roles to enable EDR in Block mode: Global Admin or Security Admin
- Operating Systems
  - Windows 10 (all releases)
  - Windows Server, version 1803 or newer
  - Windows Server 2019
  - Windows Server 2022
  - Windows Server 2016 (only when Microsoft Defender Antivirus is in active mode)
- Devices must be Onboarded in Defender for Endpoint portal
Full set of requirements can be found here
Enable EDR in Block Mode
- Go to https://security.microsoft.com
- Go to Settings
- Go to Advanced Features
- Navigate to EDR in Block Mode option and switch it ON
- Hit Save Preference
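After the setting is saved, the result can be checked on an endpoint itself. The following is an added example, not part of the original page or Microsoft's own tooling: a PowerShell function (the name Get-EdrBlockModeStatus is hypothetical) that reads the onboarding state, the Sense sensor service and the AMRunningMode value reported by Get-MpComputerStatus. It assumes an elevated PowerShell session on a Windows device with the Defender module available.

```powershell
# Added example: local check that a device is onboarded and reports EDR in block mode.
function Get-EdrBlockModeStatus {
    [CmdletBinding()]
    param()

    # Onboarding state written by the Defender for Endpoint sensor (1 = onboarded).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    $reg = Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue
    if ($reg) { $onboarded = ($reg.OnboardingState -eq 1) }

    # The EDR sensor runs as the "Sense" service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseRunning = [bool]($sense -and $sense.Status -eq 'Running')

    # AMRunningMode reports how Microsoft Defender Antivirus is operating.
    $mode = $null
    try {
        $mode = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode
    } catch {
        Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    if (-not $mode) {
        $verdict = 'Defender Antivirus state unavailable on this device'
    } elseif ($mode -eq 'EDR Block Mode') {
        $verdict = 'EDR in block mode is active on this device'
    } elseif ($mode -eq 'Normal') {
        $verdict = 'Microsoft Defender Antivirus is the active A/V'
    } else {
        $verdict = "Defender Antivirus mode is '$mode'; EDR in block mode is not reported"
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        Onboarded     = $onboarded
        SenseRunning  = $senseRunning
        AMRunningMode = $mode
        Verdict       = $verdict
    }
}

Get-EdrBlockModeStatus | Format-List
```

A device that shows Onboarded as False or SenseRunning as False does not meet the onboarding requirement listed above, whatever the portal setting says.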