Forum Discussion
Bitdefender in Active Mode and Need to Enable MDE in Passive Mode
Thanks for sharing the steps. Basically, we have Windows 11 clients (1000+) and Bitdefender is active on all of them. What I have gone through in the Microsoft Docs says that Defender for Endpoint is in passive mode automatically once devices are onboarded via Intune or SCCM:
https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-passive-mode
Based on your suggestions, do we still need to configure a policy? Please share your thoughts or experience, if any, about this scenario.
You’re right that Defender for Endpoint can automatically enter Passive Mode when a third-party AV like Bitdefender is the active/primary antivirus – but in real enterprise environments (especially at 1,000+ endpoints) it’s not something I’d ever leave to “automatic behavior” alone.
Short answer to your question: yes, you should still configure policy. Do not rely only on "automatic" switching to passive mode.
Microsoft’s automatic Passive Mode depends on several conditions being perfectly met (correct onboarding, correct AV registration, proper health signals). Those conditions fail more often than people expect.
A policy makes the state predictable and auditable.
Reality check: When does MDE switch to Passive Mode automatically?
Microsoft is correct in theory:
If a third-party AV is the primary antivirus and registered in Windows Security Center (WSC), Microsoft Defender Antivirus will run in Passive Mode.
But in the real world, you’ll run into:
- Bitdefender not correctly registered in WSC on some machines
- Delayed / failed WSC updates
- Defender briefly becoming “Active” after reboot or update
- Split brain situations during onboarding
- Dual AV performance issues on some endpoints
That’s why large enterprises always enforce Passive Mode via policy.
Recommended setup in your scenario (Bitdefender = Active, MDE = Passive)
Since you are:
- On Windows 11
- Using Intune or SCCM
- Keeping Bitdefender as the primary AV
- Wanting EDR visibility from MDE
You SHOULD configure one of the following:
Option 1 – Intune (Recommended for you)
Create a device configuration profile:
Profile type:
Endpoint security → Antivirus
Set:
Microsoft Defender Antivirus mode = Passive
OR using OMA-URI:
OMA-URI: ./Device/Vendor/MSFT/Defender/PassiveMode
Data type: Integer
Value: 1
Push it to the collection that is already onboarded to MDE.
This ensures:
- No conflict
- Guaranteed passive state
- Consistent behavior across 1000+ devices
Option 2 – SCCM (If Intune isn’t primary for all)
Set the registry value via a Configuration Baseline or script:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
PassiveMode = 1 (DWORD)
A reboot is not always required, but it is recommended for consistency.
My recommendation for your setup
For your environment, I would do:
- Bitdefender = Primary AV
- Defender AV = Forced Passive Mode (via Intune policy)
- Defender for Endpoint = Full EDR / XDR / Live Response
- ASR rules = OFF (leave to Bitdefender unless testing)
This gets you:
- No AV conflict
- Full Microsoft Defender visibility (EDR)
- Better integration with Sentinel / Purview / Defender portal
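The answer above says the point of a policy is to make the passive state predictable and auditable. The following PowerShell discovery script is an added example (not code from the thread or from Microsoft) that does the auditing half: it can be used as the discovery script of an SCCM Configuration Item, or run interactively, and reports whether Defender Antivirus is actually in passive mode on the endpoint with a third-party AV registered in Windows Security Center. It reads the live engine state from `Get-MpComputerStatus` (`AMRunningMode`), the Security Center registration from the `root/SecurityCenter2` WMI namespace, and, for context only, the `PassiveMode` value under the path given in Option 2 of the answer (taken as written there) together with `ForceDefenderPassiveMode` under the Windows Advanced Threat Protection policy key, which Microsoft documents for Windows Server. The function name and the output format are my own choices.

```powershell
# Added example, not from the thread: Configuration Baseline discovery script
# (also runnable interactively) that reports whether Microsoft Defender
# Antivirus is really in passive mode on this endpoint while a third-party AV
# such as Bitdefender is the registered primary. Output is the single word
# "Compliant", or "Non-Compliant: <reasons> (<detail>)", so the baseline flags
# the endpoints where the "automatic" switch did not take effect.

function Test-DefenderPassiveState {
    $reasons = @()

    # 1. Live engine state. AMRunningMode is 'Passive Mode' when another AV is
    #    primary and 'Normal' when Defender AV is still the active scanner.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $status) {
        $reasons += 'Get-MpComputerStatus unavailable (Defender cmdlets missing or service not running)'
    }
    elseif ($status.AMRunningMode -ne 'Passive Mode') {
        $reasons += "AMRunningMode is '$($status.AMRunningMode)', expected 'Passive Mode'"
    }

    # 2. Windows Security Center registration: a non-Microsoft AV must be listed
    #    and reported as enabled, otherwise Defender AV will not step back.
    $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    $thirdParty = @($avProducts | Where-Object {
        $_.displayName -notlike 'Windows Defender*' -and
        $_.displayName -notlike 'Microsoft Defender*'
    })
    if ($thirdParty.Count -eq 0) {
        $reasons += 'No third-party antivirus registered in Windows Security Center'
    }
    else {
        # productState is a bit field; bit 0x1000 set means the product is enabled.
        $enabled = @($thirdParty | Where-Object { ($_.productState -band 0x1000) -ne 0 })
        if ($enabled.Count -eq 0) {
            $reasons += "Third-party AV registered but reported disabled: $($thirdParty.displayName -join ', ')"
        }
    }

    # 3. Intended configuration, reported for context rather than as a pass/fail
    #    condition: the value the thread's Option 2 sets (registry path as written
    #    in the post, an assumption here) and ForceDefenderPassiveMode, which
    #    Microsoft documents for Windows Server.
    $optionTwo = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'PassiveMode' -ErrorAction SilentlyContinue).PassiveMode
    $forced = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name 'ForceDefenderPassiveMode' -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
    $avNames = if ($thirdParty.Count -gt 0) { $thirdParty.displayName -join ', ' } else { 'none' }
    $detail = "PassiveMode=$optionTwo; ForceDefenderPassiveMode=$forced; ThirdPartyAV=$avNames"

    if ($reasons.Count -eq 0) {
        # Exact string so the Configuration Item rule "value equals Compliant" works.
        return 'Compliant'
    }
    return "Non-Compliant: $($reasons -join '; ') ($detail)"
}

Test-DefenderPassiveState
```

Point the Configuration Item's compliance rule at "the value returned by the script equals Compliant" and keep remediation (writing the policy value, or pushing the Intune profile) as a separate step. Compliance here is driven by the live state and the Security Center registration, not by the registry value alone, because a policy value that is set but not honoured is exactly the "split brain" case the answer warns about.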
- Saad_Farooq, Dec 09, 2025 (MCT)
Dear Surya_Narayana
Thanks for sharing your thoughts and recommendations. Microsoft launched the product and just shared a generic approach, not covering the scenarios, considerations, or challenges faced in the enterprise world. Thanks again for your support and guidance.
- Dec 09, 2025
Thanks Saad_Farooq for the update. Please close the thread if no further info is required. Thank you.