Forum Discussion

djolenole
Brass Contributor
Aug 21, 2025

Defender on Windows server only detects - not prevents

Hello,

We noticed that on the Windows server Defender only detects things but doesn't block anything. Shouldn't it at least block something?

Should we apply ASR rules to the server (all rules or some of them)?

It is Windows Server 2019, onboarded using a local script (no MDM and no Group Policy).

Defender is the primary (and only) antivirus installed on the server.

Example here: [screenshot of the alert not preserved]

7 Replies

  • cssns
    Brass Contributor

    It may also be worth checking the 'Remediation Level' set for the Device Groups.

    Settings -> Device Groups -> check whether "No Automated Response", "Semi-Approval" or "Full-Remediation" is enabled.

    Also worth testing ASR rules in Block Mode. Prefer to attempt this in pilot groups prior to a full roll-out.

    • djolenole
      Brass Contributor

      Full remediation is configured.

      Looks like the only thing to do is ASR rules.

      Thanks

  • JiriLacina
    Brass Contributor

    Hey,

    From the alert timeline it looks like the server is only detecting activity, not blocking it. Could you confirm whether EDR in block mode is enabled on this host?

    Please run this on the server and share the output:

    Get-MpComputerStatus | Select AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, EdrBlockMode, CloudProtectionEnabled
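    As an added example (not code posted in this thread), the following PowerShell script does the two checks the replies above ask for on the server itself: it snapshots the Defender AV running mode, tamper protection and cloud-protection settings, lists which ASR rules are already configured and in which mode, stages a small pilot set of ASR rules in Audit mode, and pulls the ASR audit/block events so the pilot can be reviewed before anything is switched to Block. The three rule GUIDs are Microsoft's published ASR rule IDs and are not taken from this thread; the choice of those three as a pilot set, and the assumption that the script runs in an elevated session on the Server 2019 host, are mine.

```powershell
# Added example, not from the thread: inspect Defender AV / ASR state on a
# Windows Server 2019 host and stage ASR rules in Audit mode for a pilot.
# Run in an elevated PowerShell session on the server (assumption).

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. AV engine state. MAPSReporting is the cloud-protection setting
#    (0 = off, 1 = basic, 2 = advanced) and is read from Get-MpPreference,
#    which is why it does not show up in Get-MpComputerStatus output.
[pscustomobject]@{
    AMRunningMode             = $status.AMRunningMode
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    MAPSReporting             = $pref.MAPSReporting
    SubmitSamplesConsent      = $pref.SubmitSamplesConsent
    CloudBlockLevel           = $pref.CloudBlockLevel
} | Format-List

# 2. Current ASR configuration. Ids and Actions are parallel arrays;
#    action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$configured = @()
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $configured += [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
}
"Configured ASR rules: $($configured.Count)"
$configured | Format-Table -AutoSize

# 3. Pilot set (Microsoft's published ASR rule GUIDs; selection is an assumption).
$pilotRules = @(
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'  # Block credential stealing from LSASS
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # Block Office apps from creating child processes
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'  # Block executable content from email client and webmail
)

# Stage them in Audit mode: events are logged, nothing is blocked yet.
foreach ($id in $pilotRules) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 4. Review what the rules would have blocked. In the Defender operational
#    log, event 1122 = ASR audit hit, event 1121 = ASR block.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 5. After the pilot shows no business-breaking audit hits, promote the same
#    rules to Block (one action per rule id, same order). Left commented out
#    so the script is safe to run as a read-and-audit step.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $pilotRules `
#                  -AttackSurfaceReductionRules_Actions Enabled, Enabled, Enabled
```

    The audit step is the part that matters for a single server onboarded by local script with no MDM: without a pilot group to compare against, the 1122 events are the only evidence of what a rule would break before it is moved to Block.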


    • djolenole
      Brass Contributor

      Hello,

      According to Microsoft I do not need EDR in block mode to be enabled, since Defender is the primary and only antivirus.

      Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?

      No, Microsoft recommends disabling EDR in block mode, when the primary antivirus software on the system is Microsoft Defender Antivirus. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product.

      https://learn.microsoft.com/en-us/defender-endpoint/edr-block-mode-faqs#do-i-need-to-turn-edr-in-block-mode-on-if-i-have-microsoft-defender-antivirus-running-on-devices-


      And this is my situation:

      In the Defender portal I see that cloud protection is enabled (not visible in the PowerShell output):

      [screenshots of the PowerShell output and portal settings not preserved]

      • JiriLacina
        Brass Contributor

        Microsoft states EDR in block mode isn’t required when Defender AV is the primary antivirus. However, many experts recommend enabling it anyway as a best practice. It provides an extra layer of defense in case Defender is tampered with or bypassed, ensuring detections are still blocked. It’s a low-cost way to improve resilience.
