Forum Discussion
Microsoft Defender for endpoint - device running in EDR block mode
Good day Team On Microsoft Defender for endpoints - one of my device is running EDR in block mode in. We want to move out the device to make running in active mode. what are the steps to exit the de...
"On the device, Sysmantec was initially installed but later uninstalled, and Defender Antivirus took over. However, a week later, the server status transitioned to EDR in block mode. I am seeking advice on troubleshooting the issue.
AV mode on Server OS is controlled manually by the registry and not auto detected like it is on W10/W11.
Check this article and the associated reg key
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting?view=o365-worldwide#microsoft-defender-antivirus-seems-to-be-stuck-in-passive-mode
- Checked the registry key - Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection -- ForceDefenderPassiveMode REG_DWORD entry have value 1, changed the value to 0 and rebooted the server and observed value changed to 1. This server is managed by SCCM. Later deleted ForceDefenderPassiveMode this and rebooted the server, post server reboot - ForceDefenderPassiveMode is there with value 1. On MDE portal - server status is still showing as Device running in EDR mode. Kindly suggest.
- I worked with MDE for many years and never seen a server show EDR Block Mode in the portal and Get-MpComputerStatus shows AMRunningMode : Normal.
That server is definitely not in EDR Block Mode regardless of what the portal says?
Are you sure the device you are looking at in the portal is the same device you are looking at locally? Can you verify the Device ID in the portal matches the one in the servers registry?- The issue is fixed by offboarding the device and uninstalling the Windows Defender features and again installed the Windows Defender features and onboarded the device and its working fine now. I appreciate your input - thanks a ton..