Forum Discussion

Floyds_on_Greenwood's avatar
Floyds_on_Greenwood
Brass Contributor
Sep 06, 2023

Microsoft Defender for Endpoint (MDE) P2 - Deployed to endpoints by only enabling Tamper Protection?

Greetings. Our Tenant is predominately M365 E3.  It is a hybrid ADDS/AZureAD with Configuration Manager and Intune (co-managed). We have a few MDE P2 licenses as well.     Our desired outcome i...
rahuljindal's avatar
rahuljindal
Bronze Contributor
Sep 06, 2023
The only reference I found to Tamper protection in the link you shared is not switching to passive mode when already in active mode, that too being applicable to Windows Server 2012 R2. Defender AV is part of the Windows OS. When you onboard using MDE, then AV is also managed under MDE. How are you checking for active state on the onboarded devices?
Floyds_on_Greenwood's avatar
Floyds_on_Greenwood
Brass Contributor
Sep 06, 2023
Hello, Thanks again for the help.
Looks like a whole bunch of badgers needed the same solution as MS has a configuration in preview: We are going to take advantage of the Defender For Endpoint P1 and P2 mixed tenant (in preview) as it looks to address our needs and desired outcome.
This is the PowerShell command we run to verify status. Get-MpComputerStatus | select AMRunningMode
This article references Windows Server and Workstation OS'. I believe the ForceDefenderPassiveMode works with Windows 10/11 too? However, when Tamper Protection is turned on - it disables passive mode and changes the registry setting to 0 (active) from 1 (passive)
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide
  • rahuljindal's avatar
    rahuljindal
    Bronze Contributor
    Sep 07, 2023
    Can you share the output of Get-MpComputerStatus?

Resources