Microsoft Defender for Endpoint – Passive Mode

Passive mode and EDR in block mode. It’s fair to assume that if Defender is not the active or primary AV on the computer, it will be running in passive mode. In the Defender world, passive mode is one of the states in which you can leave Defender running. However, it might not be the state you want if you are planning to move from your current AV or EDR solution to Microsoft Defender for Endpoint. It’s important to understand the Defender for Endpoint capabilities if a rollout is coming up on your security roadmap.

This post covers passive mode, and passive mode combined with EDR in block mode. But first, what is EDR in block mode?

Passive mode

  • Passive mode is when Defender is not the primary AV on your computer.
  • When Defender is in passive mode, files are scanned and detected threats are reported, but threats are not remediated by Microsoft Defender Antivirus.
  • Devices should be onboarded to Defender for Endpoint

EDR in Block Mode

EDR stands for Endpoint Detection and Response, and EDR in block mode is the ideal state you can get the AV into. It can be enabled in both active and passive mode. It runs in the background and continues to report and remediate threats.

Endpoint detection and response (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. EDR in block mode allows Microsoft Defender Antivirus to take actions on post-breach, behavioral EDR detections.

Security Recommendations for Active non-Microsoft antivirus solution (with Microsoft Defender Antivirus in passive mode)

Enabling EDR in block mode is one of the security recommendations in the Defender portal, listed under Threat and Vulnerability Management; the recommendation tells you how many devices don’t have the feature enabled.

How to Check if the Defender on the Device is in Passive Mode?

  • Run Get-Process on the device; if Defender is in the active state, you will see the MsMpEng.exe process
  • Run Get-MpComputerStatus | select AMRunningMode on the Windows device; the result can be Normal, Passive, or EDR Block Mode

Passive Mode Important Notes

  • Operating system: Windows 10 or newer; Windows Server 2022, Windows Server 2019, or Windows Server, version 1803, or newer (Windows Server 2012 R2 and Windows Server 2016 if onboarded using the modern, unified solution)
  • Microsoft Defender Antivirus must be installed
  • Another non-Microsoft antivirus/antimalware product must be installed and used as the primary antivirus solution
  • Scans aren’t scheduled. If scans are scheduled in your configuration, the schedule is ignored
  • Catchup scans continue to occur unless they are disabled
  • Scan tasks that are set up in Windows Task Scheduler continue to run according to their schedule
  • This doesn’t remediate threats
  • Web content filtering only works with the Microsoft Edge browser
  • You can still manage updates for Microsoft Defender Antivirus
  • On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn’t enter passive mode automatically when you install a non-Microsoft antivirus product; set the following registry key:
    • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
    • Name: ForceDefenderPassiveMode
    • Type: REG_DWORD
    • Value: 1
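As an added example (not code from the original post), the following PowerShell ties the two checks above together with the ForceDefenderPassiveMode policy key: it reports the device’s AMRunningMode, whether the MsMpEng.exe process is running, and whether the key is set, and provides a -WhatIf-capable helper that writes the key with the REG_DWORD value 1 listed above. It assumes the Defender PowerShell module is available (Get-MpComputerStatus) and an elevated session for the registry write; the function names are my own.

```powershell
# Added example, not from the original post. Function names are my own.
# Assumes the Defender module (Get-MpComputerStatus) is present and, for the
# registry write, an elevated PowerShell session.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$ValueName  = 'ForceDefenderPassiveMode'

function Get-DefenderModeReport {
    [CmdletBinding()]
    param()

    # Get-MpComputerStatus is the cmdlet used in the post; AMRunningMode is the
    # property that reads Normal, Passive Mode or EDR Block Mode.
    $status = Get-MpComputerStatus -ErrorAction Stop

    # MsMpEng.exe is the Defender Antivirus engine process named in the post.
    $engine = Get-Process -Name 'MsMpEng' -ErrorAction SilentlyContinue

    # Read the ForceDefenderPassiveMode policy value if the key exists.
    $forced = $null
    if (Test-Path -Path $PolicyPath) {
        $forced = (Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        AMRunningMode            = $status.AMRunningMode
        AMServiceEnabled         = $status.AMServiceEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        EngineProcessRunning     = [bool]$engine
        ForceDefenderPassiveMode = $forced        # $null = value not set, 1 = forced passive
        SignatureVersion         = $status.AntivirusSignatureVersion
        SignatureLastUpdated     = $status.AntivirusSignatureLastUpdated
    }
}

function Enable-DefenderForcedPassiveMode {
    # Writes the registry value exactly as listed in the post (REG_DWORD = 1).
    # Supports -WhatIf / -Confirm so it can be dry-run before a fleet rollout.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path -Path $PolicyPath)) {
        if ($PSCmdlet.ShouldProcess($PolicyPath, 'Create policy key')) {
            New-Item -Path $PolicyPath -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Set REG_DWORD to 1')) {
        New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage:
#   Get-DefenderModeReport | Format-List
#   Enable-DefenderForcedPassiveMode -WhatIf   # show what would change, write nothing
#   Enable-DefenderForcedPassiveMode           # apply on a server that doesn't switch automatically
```

Run Get-DefenderModeReport before and after installing the non-Microsoft AV: on the client SKUs the AMRunningMode should flip to Passive Mode by itself, while on the server versions listed above it will stay Normal until the key is written, which is what the second function is for.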

Defender Protection Features and Passive Vs. Active Mode

How to Enable the EDR in Block Mode?

Using the Defender Portal – This will enable this feature on every Onboarded Windows device.

Go to Defender portal > Settings > Endpoints > Advanced Features > Switch on Enable EDR in block mode

Then click Save preferences.

The above option sets all the onboarded devices with the EDR in Block mode.

KQL can help you understand a bit more about the devices than the UI does. For the AV mode, the relevant table is DeviceTvmSecureConfigurationAssessment: its Context column tells you which state each device is in.

Defender AV modes.

  • “0” = Defender AV is active,
  • “1” = Defender AV is passive,
  • “4” = Defender AV is in “EDR Block Mode”

With this in mind, I found this KQL query that reports the status of your fleet.

let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata = parse_json(Context)
// Context[0][0] holds the AV mode code: 0 = Active, 1 = Passive, 4 = EDR Block Mode
| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active', iif(tostring(avdata[0][0]) == '1', 'Passive', iif(tostring(avdata[0][0]) == '4', 'EDR Blocked', 'Unknown')))
| project DeviceId, AVMode;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata = parse_json(Context)
// scid-2011 Context carries the signature, engine, last-update and product version fields
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| extend AVProductVersion = tostring(avdata[0][3])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, AVProductVersion, IsCompliant, IsApplicable
| join avmodetable on DeviceId
| project-away DeviceId1

Wrapping Up

Now you know what passive mode means and how passive mode + EDR in block mode can help you actively block threats even when Defender is not the primary AV. The good thing is that you can enable EDR in block mode without disrupting the current primary AV.
