Forum Discussion
Defender for Endpoint "EDR in Block Mode" useful when using Windows Defender as primary AV
PatrickF11 we ran into this situation recently when it would have been beneficial to have EDR Block Mode On. We have Defender and Crowdstrike and a change was made that forced Crowdstrike as primary resulting in Defender basically shutting down. After this happened, all our devices stopped responding to ASR rules. If we were to have had EDR Block Mode On, our machines would still have been able to respond to ASR rules.
ThomasGillespie Thanks for your reply.
So you mean it would be good to activate, so that in case Defender AV gets into passive mode (for whatever reason), we've got a little bit extra protection. Okay got it.
But is there any benefit, when there is absolutely no chance that there is a 3rd Party AV solution in place? 😆
- ThomasGillespie, Jul 19, 2023, Copper Contributor
I also ran the question through ChatGPT for a better explanation.
Enabling EDR (Endpoint Detection and Response) Block Mode in Microsoft Defender offers several benefits:
1. Enhanced threat prevention: EDR Block Mode provides real-time blocking capabilities to prevent known and suspicious threats from executing on your system. It complements traditional antivirus and anti-malware solutions by adding an extra layer of proactive defense.
2. Rapid response to emerging threats: By leveraging cloud-based threat intelligence and machine learning, EDR Block Mode can quickly identify and block new and evolving threats. This helps prevent the spread of malware and other malicious activities before they can cause harm.
3. Improved incident response: EDR Block Mode enables security teams to respond swiftly to potential security incidents. It provides detailed insights and telemetry data, allowing analysts to investigate and remediate threats effectively.
4. Increased visibility and control: With EDR Block Mode, you gain greater visibility into endpoint activities and can proactively manage security events. It offers rich telemetry data, allowing you to monitor and analyze system behavior, identify patterns, and detect anomalies.
5. Centralized management and reporting: EDR Block Mode can be managed centrally through Microsoft Defender Security Center or other security management tools. This provides a unified view of security events, simplifying the monitoring and reporting processes.
It's worth noting that while EDR Block Mode is a powerful security feature, it should be used alongside other security measures to ensure comprehensive protection for your systems and data.
- ThomasGillespie, Jul 19, 2023, Copper Contributor
Absolutely. If your real-time protection is turned off and you do have EDR on, Microsoft can still do some remediation. If your real-time protection goes off and you are in a passive state, there is no clean-up done and the device is no longer protected by ASR rules.
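The point made above, that ASR rules stop applying once Defender AV drops into passive mode while EDR in block mode can still remediate, is something you can check on a device rather than take on faith. The following is an added example written for this thread, not a script posted by any of the participants or shipped by Microsoft. It relies only on the documented `Get-MpComputerStatus` and `Get-MpPreference` cmdlets; the mapping of `AMRunningMode` strings and of ASR action codes in the comments is taken from Microsoft's documentation, and the function name `Get-DefenderAsrCoverage` is my own.

```powershell
# Added example (not from the thread): report whether a device's ASR rules are
# actually being enforced, based on Defender AV's running mode.
# Requires the built-in Defender PowerShell module; run from an elevated session.
function Get-DefenderAsrCoverage {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode as reported by Get-MpComputerStatus:
    #   "Normal"           - Defender AV is the primary AV; ASR rules are enforced
    #   "Passive Mode"     - a non-Microsoft AV is primary; no blocking, no ASR
    #   "EDR Block Mode"   - AV is passive, but EDR in block mode is remediating
    #   "SxS Passive Mode" - side-by-side passive mode (e.g. limited periodic scanning)
    $mode = $status.AMRunningMode

    # ASR action codes per configured rule: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $ids      = @($pref.AttackSurfaceReductionRules_Ids)
    $actions  = @($pref.AttackSurfaceReductionRules_Actions)
    $blocking = 0
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($actions[$i] -in 1, 6) { $blocking++ }
    }

    # ASR rules only take effect while Defender AV is the active (primary) AV
    # with real-time protection on; in passive mode they are configured but inert.
    $asrEnforced = ($mode -eq 'Normal') -and $status.RealTimeProtectionEnabled

    $verdict = if ($asrEnforced) {
        "ASR enforced ($blocking rule(s) set to block or warn)"
    } elseif ($mode -eq 'EDR Block Mode') {
        "AV passive; EDR in block mode is remediating, but $blocking configured ASR rule(s) are NOT enforced"
    } else {
        "AV passive or real-time protection off; no ASR enforcement and no EDR block mode remediation"
    }

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        AMRunningMode       = $mode
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        AsrRulesConfigured  = $ids.Count
        AsrRulesBlockOrWarn = $blocking
        AsrEnforced         = $asrEnforced
        Verdict             = $verdict
    }
}

Get-DefenderAsrCoverage | Format-List
```

The interesting case is the middle branch: `AMRunningMode` reading `EDR Block Mode` means the device has fallen back exactly as described in the thread, so EDR is still doing post-breach remediation while every ASR rule you configured is silently not being enforced. Note that EDR in block mode itself is switched on tenant-wide in the Microsoft 365 Defender portal (Settings > Endpoints > Advanced features) and only applies to devices onboarded to Defender for Endpoint, so a device that shows `Passive Mode` rather than `EDR Block Mode` is worth a second look at its onboarding status.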
- PatrickF11, Jul 19, 2023, MCT
ThomasGillespie Thanks for your thoughts.
Got it. But let me ask a last "critical question" 😉
Is there any benefit, when Defender is the primary AV AND Realtime-protection is on?
(I already know that I'm going to activate the EDR in block mode, just in case someone turns off real-time protection or a 3rd Party AV kicks Defender into passive mode. Just to have this one asked. 😉)
- ThomasGillespie, Jul 20, 2023, Copper Contributor
If Defender is turned off, it will turn off real-time protection, so you have a device with no AV. With EDR, your device has some form of coverage.