Forum Discussion
Defender on Windows server only detects - not prevents
Hello,
According to Microsoft, I do not need EDR in block mode to be enabled, since Defender is the primary and only antivirus.
Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?
No, Microsoft recommends disabling EDR in block mode, when the primary antivirus software on the system is Microsoft Defender Antivirus. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product.
https://learn.microsoft.com/en-us/defender-endpoint/edr-block-mode-faqs#do-i-need-to-turn-edr-in-block-mode-on-if-i-have-microsoft-defender-antivirus-running-on-devices-
And this is my situation:
In the Defender portal I see that cloud protection is enabled (not visible in PowerShell output):
Microsoft states EDR in block mode isn’t required when Defender AV is the primary antivirus. However, many experts recommend enabling it anyway as a best practice. It provides an extra layer of defense in case Defender is tampered with or bypassed, ensuring detections are still blocked. It’s a low-cost way to improve resilience.
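A local check for the situation discussed in this thread, added here as an example and not posted by any participant: it takes the objects returned by Get-MpComputerStatus and Get-MpPreference and lists the values that would leave Defender detecting without remediating. The function name Test-DefenderPrevention and the sample values are assumptions made for illustration.

```powershell
# Added example, not from the thread. Test-DefenderPrevention is a hypothetical helper name.
function Test-DefenderPrevention {
    param(
        [Parameter(Mandatory)] $Status,      # output of Get-MpComputerStatus
        [Parameter(Mandatory)] $Preference   # output of Get-MpPreference
    )
    $findings = @()
    # Anything other than "Normal" means Defender AV is not running in active mode.
    if ($Status.AMRunningMode -ne 'Normal') {
        $findings += "AMRunningMode is '$($Status.AMRunningMode)', not Normal (active mode)"
    }
    if (-not $Status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if (-not $Status.BehaviorMonitorEnabled)    { $findings += 'Behavior monitoring is off' }
    if (-not $Status.IsTamperProtected)         { $findings += 'Tamper protection is off' }
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced.
    if ([int]$Preference.MAPSReporting -eq 0) {
        $findings += 'Cloud-delivered protection (MAPSReporting) is disabled locally'
    }
    # Default action 6 = Allow, 9 = NoAction: the threat is detected but left in place.
    foreach ($level in 'Low', 'Moderate', 'High', 'Severe') {
        $action = [int]$Preference."${level}ThreatDefaultAction"
        if ($action -in 6, 9) {
            $findings += "${level}ThreatDefaultAction is $action (no remediation)"
        }
    }
    [pscustomobject]@{ NoIssuesFound = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample values (not taken from the thread) so the function can be tried anywhere.
$sampleStatus = [pscustomobject]@{
    AMRunningMode = 'Passive Mode'; RealTimeProtectionEnabled = $false
    BehaviorMonitorEnabled = $true; IsTamperProtected = $true
}
$samplePref = [pscustomobject]@{
    MAPSReporting = 2; LowThreatDefaultAction = 0; ModerateThreatDefaultAction = 0
    HighThreatDefaultAction = 0; SevereThreatDefaultAction = 9
}
(Test-DefenderPrevention -Status $sampleStatus -Preference $samplePref).Findings
```

On a server, pass `(Get-MpComputerStatus)` and `(Get-MpPreference)` in place of the sample objects.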