How To Set Defender For Endpoint To Work In Parallel When Defender Is Not The Primary A/V In The Workstation/ Server

EDR in Block Mode

EDR stands for Endpoint Detection and Response. MDE has the capability to work in parallel to the 3rd party A/V running in the device. While this will not provide 100% of the tasks done by an A/V which includes real-time protection, it will help to report malicious activities.
Because there is a different A/V running in your computer, you can depend on it for the real-time protection.

  • Switching ON the EDR in Block Mode is a security recommendation.
  • When a malicious item is found, it will be reported in the Action Center and will be remediated. The status of the item will be marked as Blocked or Prevented
  • RBAC roles to enable EDR in Block mode: Global Admin or Security Admin
  • Operation Systems
    • Windows 10 (all releases)
    • Windows Server, version 1803 or newer
    • Windows Server 2019
    • Windows Server 2022
    • Windows Server 2016 (only when Microsoft Defender Antivirus is in active mode)
  • Devices must be Onboarded in Defender for Endpoint portal

Full set of requirements can be found here

Enable EDR in Block Mode


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.