gabpereira
Microsoft
Jan 14, 2026

Using MDE (Passive Mode) with Palo Alto Cortex XDR to enable Defender for IoT (Enterprise IoT)

Hi everyone!
I’m working with a customer that uses Palo Alto Cortex XDR as their primary EDR. We want to leverage Microsoft Defender for IoT specifically for Enterprise IoT (not OT/ICS). I have a few questions:

  1. MDE in Passive Mode as a sensor:
    Can Microsoft Defender for Endpoint (MDE) running in Passive mode act as a sensor to enable Enterprise IoT discovery/monitoring for Defender for IoT? Are there any feature limitations when MDE is not the primary EDR?
  2. Appliance sensor in Enterprise IT:
    If we cannot use the MDE agent, is it supported to deploy the Defender for IoT appliance sensor in an enterprise IT network (e.g., offices/campuses) to cover Enterprise IoT use cases?
  3. Coexistence / Complementary sensors:
    Is it possible (and recommended) to run the appliance sensor alongside MDE (sensor) to complement coverage/features? Any guidance on architecture, data overlap/deduplication, or licensing implications?

1 Reply

  • MDE in Passive Mode for Enterprise IoT:

    Yes - Defender for Endpoint can run in Passive Mode alongside another XDR and still act as the sensor for Enterprise IoT. Enterprise IoT discovery and monitoring rely on MDE’s device discovery and network telemetry, not on Defender being the primary EDR or antivirus. Running MDE in Passive Mode preserves the IoT inventory, vulnerability insights, recommendations, and alerts in Defender XDR, with response actions remaining with the primary EDR.

    Appliance sensor in Enterprise IT networks:

    No - the Defender for IoT appliance (network) sensor is designed for OT/ICS environments, not for enterprise IT (offices/campuses). For Enterprise IoT, the recommended approach is MDE based discovery.

    NOTE: If I am correct, the use of the standalone Enterprise IoT sensor model is now deprecated in favor of utilising the MDE agents, even when MDE operates in Passive Mode.

    Coexistence and complementary sensors:

    Coexistence is technically possible but not recommended for Enterprise IoT. Use MDE-based Enterprise IoT for corporate IT and OT sensors only where OT/ICS exists. Deploying both for the same enterprise IT segments adds complexity without additional EIoT value and can create unnecessary overlap; licensing also differs, with OT sensors licensed separately.

     

    If you find the answer useful, please do not forget to like and mark it as a solution 🙂