Forum Discussion

Floyds_on_Greenwood's avatar
Floyds_on_Greenwood
Brass Contributor
Sep 06, 2023

Microsoft Defender for Endpoint (MDE) P2 - Deployed to endpoints by only enabling Tamper Protection?

Greetings. Our Tenant is predominately M365 E3.  It is a hybrid ADDS/AZureAD with Configuration Manager and Intune (co-managed). We have a few MDE P2 licenses as well.     Our desired outcome i...
Floyds_on_Greenwood's avatar
Floyds_on_Greenwood
Brass Contributor
Sep 06, 2023

Hello rahuljindal.
They were acquired before our EDR managed solution engagement. but.. we have 180+ license's for MDE p2. We show two assigned via the tenant (subscription products) assigned licensing. Likewise - reporting via Azure licensing reports the same.
However, within the endpoints > licensing the report indicates: 255 /183 used.
I will check with the team to ask if the onboarding to our tenant happens via Intune/configuration manager or scripted.  Only ADDS joined "Windows" systems show as onboarded.  There is currently no AV installed other then WDE/MDE. We intended, and still very much desire to use Windows Defender or MDE P1 as our AV on the endpoints - not P2.
Since we have P2 licenses MS automatically deploys this as it is of a higher level than our P1 licenses. It looks like the options to set P1 specifically vs. the higher level P2 is available (in preview).
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings?view=o365-worldwide&tabs=mixed

Below is the link I have used to discover the active / passive mode and relation to "Tamper Protection". https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide

rahuljindal's avatar
rahuljindal
Bronze Contributor
Sep 06, 2023
The only reference I found to Tamper protection in the link you shared is not switching to passive mode when already in active mode, that too being applicable to Windows Server 2012 R2. Defender AV is part of the Windows OS. When you onboard using MDE, then AV is also managed under MDE. How are you checking for active state on the onboarded devices?
  • Floyds_on_Greenwood's avatar
    Floyds_on_Greenwood
    Brass Contributor
    Sep 06, 2023
    Hello, Thanks again for the help.
    Looks like a whole bunch of badgers needed the same solution as MS has a configuration in preview: We are going to take advantage of the Defender For Endpoint P1 and P2 mixed tenant (in preview) as it looks to address our needs and desired outcome.
    This is the PowerShell command we run to verify status. Get-MpComputerStatus | select AMRunningMode
    This article references Windows Server and Workstation OS'. I believe the ForceDefenderPassiveMode works with Windows 10/11 too? However, when Tamper Protection is turned on - it disables passive mode and changes the registry setting to 0 (active) from 1 (passive)
    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide
    • rahuljindal's avatar
      rahuljindal
      Bronze Contributor
      Sep 07, 2023
      Can you share the output of Get-MpComputerStatus?

Resources