Good day TeamOn Microsoft Defender for endpoints - one of my device is running EDR in block mode in. We want to move out the device to make running in active mode. what are the steps to exit the device EDR from block mode to active mode. OS running on the device is Windows server 2019.

The issue is fixed by offboarding the device and uninstalling the Windows Defender features and again installed the Windows Defender features and onboarded the device and its working fine now. I appreciate your input - thanks a ton..

Looks like on the one device showing EDR block mode, there is 3rd party AV installed. Here is what the different modes mean:Active = Defender Antivirus is the primary AV - EDR block isn't relevant, as Defender Antivirus is active.Passive = Defender Antivirus isn't the primary and a 3rd party AV isEDR Block = the same as Passive but with EDR Block mode enabled, which means Defender Antivirus can 'wake up' and stop a threat if the 3rd party AV missed it.So you will either uninstall your 3rd party AV on that device, or leave it with EDR block enabled.

I worked with MDE for many years and never seen a server show EDR Block Mode in the portal and Get-MpComputerStatus shows AMRunningMode : Normal.That server is definitely not in EDR Block Mode regardless of what the portal says?Are you sure the device you are looking at in the portal is the same device you are looking at locally? Can you verify the Device ID in the portal matches the one in the servers registry?

Hello, EDR in block mode is either set on the tenant level (all devices will have it enabled) or via a custom policy (CSPs) in Intune. What do you mean by saying "exit block mode to active mode"?

As I looked over my MDE device's health status, I noticed that one of the device showing 'Defender Antivirus mode as EDR in block mode,' while the other devices are showing 'Defender Antivirus mode - active.' I would like assistance in enabling Defender Antivirus mode - active on the device.

Microsoft Defender for endpoint - device running in EDR block mode

11 Replies

Asheeshonroute
Copper Contributor
Jan 15, 2024
As I looked over my MDE device's health status, I noticed that one of the device showing 'Defender Antivirus mode as EDR in block mode,' while the other devices are showing 'Defender Antivirus mode - active.' I would like assistance in enabling Defender Antivirus mode - active on the device.
- HeikeRitter
  Microsoft
  Jan 16, 2024
  Looks like on the one device showing EDR block mode, there is 3rd party AV installed.
  Here is what the different modes mean:
  Active = Defender Antivirus is the primary AV - EDR block isn't relevant, as Defender Antivirus is active.
  Passive = Defender Antivirus isn't the primary and a 3rd party AV is
  EDR Block = the same as Passive but with EDR Block mode enabled, which means Defender Antivirus can 'wake up' and stop a threat if the 3rd party AV missed it.
  
  So you will either uninstall your 3rd party AV on that device, or leave it with EDR block enabled.
  - Asheeshonroute
    Copper Contributor
    Jan 16, 2024
    "On the device, Sysmantec was initially installed but later uninstalled, and Defender Antivirus took over. However, a week later, the server status transitioned to EDR in block mode. I am seeking advice on troubleshooting the issue.
HeikeRitter
Microsoft
Jan 15, 2024
Hello, EDR in block mode is either set on the tenant level (all devices will have it enabled) or via a custom policy (CSPs) in Intune. What do you mean by saying "exit block mode to active mode"?

Forum Discussion

Microsoft Defender for endpoint - device running in EDR block mode

11 Replies

Resources