Forum Discussion

basvhoof
Copper Contributor
Mar 03, 2023
Solved

Onboarding Windows Server 2022 to MDE.

Currently we are preparing to move from a non-Microsoft endpoint protection solution to https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide. On Windows Server 2022 we did set the registry key to enable passive mode (ForceDefenderPassiveMode = 1). The behavior is that the 2022 servers are in passive mode, but when we check the state using PowerShell (Get-MpComputerStatus | select AMRunningMode) it gives Mode = Normal.

We expect the mode to be "Passive" instead of "Normal".

Is this all correct, or should it be as expected ("Passive" mode)?

4 Replies

  • Antons Bukels
    Brass Contributor

    Hi basvhoof,

    You are correct about Normal mode. Normal mode means Defender is acting as the primary AV. It is not enough to set up just the registry key, you also need a server to be onboarded to Defender for Endpoint before it can go to the passive mode. Has this server been onboarded to the MDE? https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide 

    • gilblumberg
      Iron Contributor
      Very helpful, thanks. Does that mean, though, that we should still set the registry key to enable passive mode prior to being onboarded into MDE, and it will then activate passive mode once onboarded?

      Or only set that registry after onboarded?
      • Antons Bukels
        Brass Contributor

        gilblumberg, that's correct. You need to set the registry key first, and once onboarded, the passive mode gets activated. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2?view=o365-worldwide

        If you try to do this later, the tamper protection will prevent you from changing the registry. And you do not want to disable the tamper protection. Therefore, it is best to have the registry key before you have onboarded a server.

    • basvhoof
      Copper Contributor
      Thanks for your reply; the server is not onboarded yet. The primary AV at this moment is a non-Microsoft antivirus/antimalware solution, so we assumed it should be in Passive mode using the PowerShell command.
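The rule Antons Bukels lays out above (passive mode needs both the ForceDefenderPassiveMode value and MDE onboarding, and the value should be written before onboarding because tamper protection can block the change afterwards) as an added PowerShell check; this is example code written for this page, not from the thread or from Microsoft. It assumes the documented policy and status registry paths named in the comments and an elevated session on the server being checked.

```powershell
# Added example: compare the observed Defender AV running mode with what the two
# prerequisites predict. Assumptions: ForceDefenderPassiveMode lives under the documented
# policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection, and the
# MDE onboarding state is OnboardingState = 1 under
# HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Input 1: the passive-mode request (the value the original poster set).
$passiveRequested = (Get-RegDword $policyKey 'ForceDefenderPassiveMode') -eq 1

# Input 2: MDE onboarding, the prerequisite the thread identifies as missing.
$onboarded    = (Get-RegDword $statusKey 'OnboardingState') -eq 1
$sense        = Get-Service -Name Sense -ErrorAction SilentlyContinue
$senseRunning = [bool]($sense -and $sense.Status -eq 'Running')

# Observed state, from the same cmdlet used in the question, plus tamper protection.
$mp       = Get-MpComputerStatus
$observed = $mp.AMRunningMode
$tamper   = $mp.IsTamperProtected

# Expected outcome per the thread: Passive requires BOTH the value and onboarding.
if ($passiveRequested -and $onboarded) { $expected = 'Passive' }
elseif ($passiveRequested)             { $expected = 'Normal (value set, not yet onboarded)' }
else                                   { $expected = 'Normal' }

[pscustomobject]@{
    ForceDefenderPassiveMode = $passiveRequested
    OnboardingState          = $onboarded
    SenseServiceRunning      = $senseRunning
    TamperProtection         = $tamper
    AMRunningMode            = $observed
    ExpectedMode             = $expected
} | Format-List

# Ordering caveat from the thread: once onboarded with tamper protection on, the policy
# value may no longer be writable, so flag servers that were onboarded without it.
if ($onboarded -and $tamper -and -not $passiveRequested) {
    Write-Warning 'Onboarded with tamper protection on and no passive-mode value: set the value before onboarding the remaining servers.'
}
```

Run it on a server that shows the thread's symptom and the ExpectedMode line will read "Normal (value set, not yet onboarded)", which matches the AMRunningMode the original poster saw.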