Forum Discussion

Dec 04, 2025

Bitdefender in Active Mode and Need to Enable MDE in Passive Mode

Hi

We have Bitdefender in place in active mode, and now we plan to use Defender for Endpoint in Passive Mode. Does anyone have experience or steps for how to configure MDE in passive mode?

5 Replies

  • Hi Saad_Farooq, please check the steps below to configure MDE in Passive Mode.

    Confirm License

      • You need Microsoft Defender for Endpoint P1/P2
      • Not just Microsoft Defender Antivirus

    Enable Passive Mode via Intune (Recommended)

    Create a configuration profile:

      • Platform: Windows 10 and later
      • Type: Custom
      • Add OMA-URI:
          o OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/PassiveMode
          o Data type: Integer
          o Value: 1
      • Assign to devices

    Alternative: Set via Registry (GPO/Script)

    Key:   HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

    Value: ForceDefenderPassiveMode (DWORD)

    Data:  1

    Ensure Defender Antivirus is Disabled

    Since Bitdefender is active, Windows should auto-disable Defender AV.
    Confirm using PowerShell:

    Get-MpComputerStatus | select AMRunningMode

    You should see:

    Passive Mode

    • Saad_Farooq
      MCT

      Hi Surya_Narayana

      Thanks for sharing the steps. Basically we have 1000+ Windows 11 clients and Bitdefender is active on all of them. What I have gone through in the Microsoft Docs says that Defender for Endpoint is in passive mode automatically once devices are onboarded via Intune or SCCM:

      https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-passive-mode

      Based on your suggestions, do we still need to configure the policy? Please share your thoughts or experience, if any, about this scenario.

      • Surya_Narayana's avatar
        Surya_Narayana
        MCT

        You’re right that Defender for Endpoint can automatically enter Passive Mode when a third-party AV like Bitdefender is the active/primary antivirus – but in real enterprise environments (especially at 1,000+ endpoints) it’s not something I’d ever leave to “automatic behavior” alone.

        Short answer to your question - Yes — you should still configure policy. Do not rely only on “automatic” switching to passive mode.

        Microsoft’s automatic Passive Mode depends on several conditions being perfectly met (correct onboarding, correct AV registration, proper health signals). Those conditions fail more often than people expect.

        A policy makes the state predictable and auditable.

        Reality check: When does MDE switch to Passive Mode automatically?

        Microsoft is correct in theory:

        If a third-party AV is the primary antivirus and registered in Windows Security Center (WSC), Microsoft Defender Antivirus will run in Passive Mode.

        But in the real world, you’ll run into:

        • Bitdefender not correctly registered in WSC on some machines
        • Delayed / failed WSC updates
        • Defender briefly becoming “Active” after reboot or update
        • Split brain situations during onboarding
        • Dual AV performance issues on some endpoints

        That’s why large enterprises always enforce Passive Mode via policy.

        Recommended setup in your scenario (Bitdefender = Active, MDE = Passive)

        Since you are:

        • On Windows 11
        • Using Intune or SCCM
        • Keeping Bitdefender as the primary AV
        • Wanting EDR visibility from MDE

        You SHOULD configure one of the following:

        Option 1 – Intune (Recommended for you)

        Create a device configuration profile:

        Profile type:
        Endpoint security → Antivirus

        Set:

        Microsoft Defender Antivirus mode = Passive

        OR using OMA-URI:

        OMA-URI: ./Device/Vendor/MSFT/Defender/PassiveMode

        Data type: Integer

        Value: 1

        Push it to the collection that is already onboarded to MDE.

        This ensures:

        • No conflict
        • Guaranteed passive state
        • Consistent behavior across 1000+ devices

        Option 2 – SCCM (If Intune isn’t primary for all)

        Set registry via Configuration Baseline or script:

        HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

        PassiveMode = 1 (DWORD)

        Reboot not always required, but recommended for consistency.

        My recommendation for your setup

        For your environment, I would do:

        Bitdefender = Primary AV
        Defender AV = Forced Passive Mode (via Intune policy)
        Defender for Endpoint = Full EDR / XDR / Live Response
        ASR rules = OFF (leave to Bitdefender unless testing)

        This gets you:

        • No AV conflict
        • Full Microsoft Defender visibility (EDR)
        • Better integration with Sentinel / Purview / Defender portal
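A per-device check for the end state both replies describe, as an added example that is not part of any reply in this thread: it reads AMRunningMode as the first reply suggests, checks whether passive mode is actually enforced by the ForceDefenderPassiveMode value (read at the Windows Defender path quoted above and at the Windows Advanced Threat Protection path Microsoft documents for that value), and confirms the MDE Sense service is running, so a device that is only "automatically" passive is reported as drift. The function name and the output property names are assumptions made for this example.

```powershell
# Added example, not from the thread. Run elevated on a Windows 11 endpoint.
# Reports whether the device is "Bitdefender active / Defender AV passive / MDE onboarded".
function Test-MdePassiveState {
    # 1. What Defender itself reports (the check the first reply recommends).
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $mode = $mp.AMRunningMode
    } catch {
        $mp = $null
        $mode = 'Unavailable'   # Defender platform absent or service not reachable
    }
    $rtp = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }

    # 2. Is passive mode enforced by policy, or only auto-detected via WSC?
    #    The thread quotes the ...\Windows Defender path; Microsoft's documented path
    #    for ForceDefenderPassiveMode is ...\Windows Advanced Threat Protection.
    #    Either path set to 1 counts as "forced".
    $policyPaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )
    $forced = $false
    foreach ($path in $policyPaths) {
        $item = Get-ItemProperty -Path $path -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue
        if ($item -and $item.ForceDefenderPassiveMode -eq 1) { $forced = $true }
    }

    # 3. MDE onboarding: the Sense (Defender for Endpoint) service runs only when onboarded.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onboarded = [bool]($sense -and $sense.Status -eq 'Running')
    $passive = $mode -like '*Passive*'   # matches "Passive Mode" and "SxS Passive Mode"

    # Name the drift case the second reply warns about, most severe first.
    $finding = if (-not $onboarded) { 'Sense service not running: device is not onboarded to MDE' }
               elseif (-not $passive) { "Defender AV reports '$mode': dual-AV conflict with Bitdefender" }
               elseif (-not $forced) { 'Passive only by WSC auto-detection: enforce via policy' }
               else { 'OK' }

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        AMRunningMode         = $mode
        RealTimeProtection    = $rtp
        PassiveForcedByPolicy = $forced
        MdeOnboarded          = $onboarded
        Compliant             = ($passive -and $forced -and $onboarded)
        Finding               = $finding
    }
}

Test-MdePassiveState | Format-List
```

To audit many devices, run the function through Invoke-Command (or a Configuration Baseline/Intune remediation script) and filter the returned objects on Compliant -eq $false.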
