Forum Discussion
Defender for Endpoint "EDR in Block Mode" useful when using Windows Defender as primary AV
Hi, we're currently looking for pros / cons for enabling the "EDR in Block Mode" Feature. All of our clients are using only the Windows Defender as the primary Antivirus solution.
We already found these"great" articles and quotes:
1. "EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device)."
Got it, it is PRIMARILIY recommended. Is it useful to enable this while using only Defender AV as primary, as well?
2. "There is little benefit to enabling EDR in block mode when Microsoft Defender Antivirus is the primary antivirus solution on devices."
Ok, but WHAT is the little benefit? Little benefits are okay, too. 😆
3. "Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?"
Any idea is highly appreciated!
Regards,
Patrick
9 Replies
In addition: In this Youtube video (timestamp included) from MS they clearly say "Therefore, EDR in block mode is only beneficial when using a third-party Antivirus solution and microsoft defender antivirus is in passive mode.
PatrickF11 we ran into this situation recently when it would have been beneficial to have EDR Block Mode On. We have Defender and Crowdstrike and a change was made that forced Crowdstrike as primary resulting in Defender basically shutting down. After this happened, all our devices stopped responding to ASR rules. If we were to have had EDR Block Mode On, our machines would still have been able to respond to ASR rules.
ThomasGillespie Thanks for your reply.
So you mean it would be good to activate, so that in case Defender AV gets into passive mode (for whatever reason), we've got a little bit extra protection. Okay got it.
But is there any benefit, when there is absolutely no change that there is a 3rd Party AV solution in place? 😆
