Bitdefender in Active Mode and Need to Enable MDE in Passive Mode

You’re right that Defender for Endpoint can automatically enter Passive Mode when a third-party AV like Bitdefender is the active/primary antivirus – but in real enterprise environments (especially at 1,000+ endpoints) it’s not something I’d ever leave to “automatic behavior” alone.

Short answer to your question - Yes — you should still configure policy. Do not rely only on “automatic” switching to passive mode.

Microsoft’s automatic Passive Mode depends on several conditions being perfectly met (correct onboarding, correct AV registration, proper health signals). Those conditions fail more often than people expect.

A policy makes the state predictable and auditable.

Reality check: When does MDE switch to Passive Mode automatically?

Microsoft is correct in theory:

If a third-party AV is the primary antivirus and registered in Windows Security Center (WSC), Microsoft Defender Antivirus will run in Passive Mode.

But in the real world, you’ll run into:

• Bitdefender not correctly registered in WSC on some machines
• Delayed / failed WSC updates
• Defender briefly becoming “Active” after reboot or update
• Split brain situations during onboarding
• Dual AV performance issues on some endpoints

That’s why large enterprises always enforce Passive Mode via policy.

Recommended setup in your scenario (Bitdefender = Active, MDE = Passive)

Since you are:

• On Windows 11
• Using Intune or SCCM
• Keeping Bitdefender as the primary AV
• Wanting EDR visibility from MDE

You SHOULD configure one of the following:

Option 1 – Intune (Recommended for you)

Create a device configuration profile:

Profile type:
Endpoint security → Antivirus

Set:

Microsoft Defender Antivirus mode = Passive

OR using OMA-URI:

OMA-URI: ./Device/Vendor/MSFT/Defender/PassiveMode

Data type: Integer

Value: 1

Push it to the collection that is already onboarded to MDE.

This ensures:
No conflict
Guaranteed passive state
Consistent behavior across 1000+ devices

Option 2 – SCCM (If Intune isn’t primary for all)

Set registry via Configuration Baseline or script:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

PassiveMode = 1 (DWORD)

Reboot not always required, but recommended for consistency.

My recommendation for your setup

For your environment, I would do:

Bitdefender = Primary AV
Defender AV = Forced Passive Mode (via Intune policy)
Defender for Endpoint = Full EDR / XDR / Live Response
ASR rules = OFF (leave to Bitdefender unless testing)

This gets you:

• No AV conflict
• Full Microsoft Defender visibility (EDR)
• Better integration with Sentinel / Purview / Defender portal