Forum Discussion
Defender on Windows server only detects - not prevents
Hey,
from the alert timeline it looks like the server is only detecting activity, not blocking it. Could you confirm whether EDR in block mode is enabled on this host?
Please run this on the server and share the output:
Get-MpComputerStatus | Select AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, EdrBlockMode, CloudProtectionEnabled
- djolenole, Aug 22, 2025, Brass Contributor
Hello,
According to Microsoft, I do not need EDR in block mode to be enabled, since Defender is the primary and only antivirus.
Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?
No, Microsoft recommends disabling EDR in block mode, when the primary antivirus software on the system is Microsoft Defender Antivirus. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product.
https://learn.microsoft.com/en-us/defender-endpoint/edr-block-mode-faqs#do-i-need-to-turn-edr-in-block-mode-on-if-i-have-microsoft-defender-antivirus-running-on-devices-
And this is my situation: In the Defender portal I see that cloud protection is enabled (not visible in PowerShell output):
- JiriLacina, Aug 27, 2025, Brass Contributor
Microsoft states EDR in block mode isn’t required when Defender AV is the primary antivirus. However, many experts recommend enabling it anyway as a best practice. It provides an extra layer of defense in case Defender is tampered with or bypassed, ensuring detections are still blocked. It’s a low-cost way to improve resilience.
- JiriLacina, Aug 22, 2025, Brass Contributor
Ah ok. Could you run this PowerShell command on the server to confirm that what we can see in the console is correct?
Get-MpComputerStatus | select *enabled,*mode,*Realtime* -ea silentlyContinue
I’d also start by enabling ASR Standard protection in Audit mode:
https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-report#simplified-standard-protection-option
- djolenole, Aug 25, 2025, Brass Contributor
Ok, I understand that ASR rules are a highly recommended ADDITIONAL layer of protection, but Defender should prevent/block some suspicious actions by default?