Floyds_on_Greenwood
Brass Contributor
Sep 06, 2023

Microsoft Defender for Endpoint (MDE) P2 - Deployed to endpoints by only enabling Tamper Protection?

Greetings.

Our tenant is predominantly M365 E3. It is a hybrid AD DS/Azure AD environment with Configuration Manager and Intune (co-managed).

We have a few MDE P2 licenses as well.

Our desired outcome is to run MDE P1 or Windows Defender in basic AV passive mode only.

We have a non-MS EDR sensor product (CB). We also have some third-party endpoints, joined to our domain, that have a different EDR (XDR).

We had set up the GPO to run MS Defender in passive mode. Recently I discovered that MDE on our endpoints was running in active mode. After digging and digging, it looks like one of our IT folks ran the endpoint device wizard on the tenant. This enabled "Tamper Protection". I did find some MS articles that mention that if Tamper Protection is enabled, MDE runs in "active mode".


There are no M365 Defender endpoint rules or policies configured.

The only settings are those configured when running the initial endpoint security wizard, without specifying the options when doing so.


Those are under https://security.microsoft.com/securitysettings/endpoints, then Settings > Endpoints > Advanced features. Most of these may have been disabled, but "Tamper Protection" remains enabled.

My question is: if we turn off Tamper Protection, will our GPO reapply MDE in "passive mode"?

--- Our desired outcome is to run MDE P1 or Windows Defender in basic AV passive mode only.

Thanks in advance.

  • rahuljindal-MVP
    Bronze Contributor

    Tamper Protection will not enable MDE Plan 2 features. You need the license itself for this. As far as I know, MDE will only run in passive mode if a third-party AV is detected. Do you have a third-party AV installed or just the EDR? Also, how are you onboarding the devices to MDE?

    • Floyds_on_Greenwood
      Brass Contributor

      Hello rahuljindal-MVP.
      They were acquired before our EDR managed solution engagement, but we have 180+ licenses for MDE P2. We show two assigned via the tenant (subscription products) assigned licensing. Likewise, reporting via Azure licensing reports the same.
      However, within Endpoints > Licensing the report indicates 255/183 used.
      I will check with the team to ask if the onboarding to our tenant happens via Intune/Configuration Manager or is scripted. Only AD DS-joined "Windows" systems show as onboarded. There is currently no AV installed other than WDE/MDE. We intended, and still very much desire, to use Windows Defender or MDE P1 as our AV on the endpoints, not P2.
      Since we have P2 licenses, MS automatically deploys this, as it is of a higher level than our P1 licenses. It looks like the option to set P1 specifically vs. the higher-level P2 is available (in preview).
      https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings?view=o365-worldwide&tabs=mixed

      Below is the link I used to discover the active/passive mode and its relation to "Tamper Protection": https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide

      • rahuljindal-MVP
        Bronze Contributor
        The only reference I found to Tamper Protection in the link you shared is about not switching to passive mode when already in active mode, and that applies to Windows Server 2012 R2. Defender AV is part of the Windows OS. When you onboard using MDE, the AV is also managed under MDE. How are you checking for active state on the onboarded devices?
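As an added example, not posted by anyone in this thread: the PowerShell below is one way to answer the last question (how the active/passive state is actually being checked) on a single endpoint. It reads the running mode and Tamper Protection flag that the engine itself reports through Get-MpComputerStatus, the documented ForceDefenderPassiveMode policy value that a passive-mode GPO writes under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection, and the sensor's OnboardingState. The report layout and the two warnings are the example's own choices, and the function name Get-DefenderModeReport is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on a Windows endpoint.
# Reports what Defender AV says about its own mode and compares it with the passive-mode
# policy key and the MDE onboarding state, so "GPO says passive" and "engine says active"
# can be told apart on one device.

function Get-DefenderModeReport {
    # Engine-reported state: AMRunningMode is 'Normal' (active), 'Passive Mode',
    # 'EDR Block Mode' or 'SxS Passive Mode'; IsTamperProtected reflects Tamper Protection.
    $status = Get-MpComputerStatus

    # Policy value a passive-mode GPO / registry preference writes (1 = force passive).
    # Only honoured on a device that is onboarded to Defender for Endpoint.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $passive = (Get-ItemProperty -Path $policyPath -Name ForceDefenderPassiveMode `
        -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    # Onboarding state written by the MDE sensor (1 = onboarded).
    $statusPath = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $statusPath -Name OnboardingState `
        -ErrorAction SilentlyContinue).OnboardingState

    # The MDE sensor service; absent on a device that was never onboarded.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = if ($sense) { $sense.Status } else { 'not installed' }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        AMRunningMode            = $status.AMRunningMode
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        IsTamperProtected        = $status.IsTamperProtected
        ForceDefenderPassiveMode = $passive      # $null when the GPO never wrote the key
        MdeOnboardingState       = $onboarded    # $null when the sensor never onboarded
        SenseServiceStatus       = $senseStatus
    }
}

$report = Get-DefenderModeReport
$report | Format-List

# Cross-checks a practitioner wants before blaming (or clearing) Tamper Protection.
if ($null -eq $report.ForceDefenderPassiveMode) {
    Write-Warning 'ForceDefenderPassiveMode is absent: the passive-mode GPO has not applied here.'
}
elseif ($report.ForceDefenderPassiveMode -eq 1 -and $report.AMRunningMode -eq 'Normal') {
    Write-Warning 'Policy requests passive mode but Defender AV reports Normal (active) mode.'
}
if ($report.MdeOnboardingState -ne 1) {
    Write-Warning 'Device is not onboarded to MDE; ForceDefenderPassiveMode is not honoured until it is.'
}
```

Run it locally first, then fan it out with Invoke-Command against a list of onboarded machines and collect the objects into one table; the ForceDefenderPassiveMode column tells you whether the GPO reached each device at all, and the AMRunningMode column is the ground truth the portal's reporting is derived from.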
