Forum Discussion
Onboard servers to Defender in Servers in passive mode using MDC?
I've never heard of this two-stage approach for servers as you have outlined, and I have searched extensively. It sounds like you are describing passive/EDR block mode and Active mode using your own terminology?
PJR_CDF I know this is a late response, but I believe this is a bit of a misconception, and I wanted to outline it more fully for anyone else who might find this.
I would say there are a few parts to "Putting Defender on a Machine", so to speak, and the best way to think about them is for a one-off installation via Local Script, since most of the other methods kind of combine these in the background:
- Installation: Actually INSTALLING the services that are needed for Defender to run (on some varieties of Windows Server, you might need to install Defender for Endpoint; on others it will already be included).
- Onboarding: Defender services start and get an Onboarding Blob, I believe always from the Registry. This might be put in the Registry as an "OnboardingBlob" through one of several methods, such as Group Policy, Intune/MDM Policy, or the Local Script. (Intune and Defender for Cloud pushing Defender for Servers, for example, all lump "Onboarding" into "Install the software, get it configured to talk to Defender, and make sure it's set to be running".)
Once Defender services start, it will use that onboarding blob, and the Azure AD Joined identity to ACTUALLY ONBOARD itself to Defender, and establish communications with Defender.
Now, at this point, your machine MAY have installed to passive (because of that Registry Key, for example, or because it detected another AV and went into Passive mode) or it may be showing as active.
In all likelihood, if you are JUST STARTING to set up your Defender environment, at this point there won't be any Configurations applying, so there won't be much to Block - but many forms of SCANNING (and reporting to the portal, security.microsoft.com) will likely be active, unless it receives a configuration that specifically DISABLES them from Defender. Which brings us to the next step...
- Configuration: If your setup has policies which would apply configurations to your machines, it may CHANGE things, and start managing things like "Enable Network Scanning" or "Realtime Protection Disabled" or "Enable Tamper Protection".
By default, I believe that several of the capabilities will be monitoring things, but won't be set to Block much. That is still "Active" or "AMRunningMode: Normal" - but just not set for Blocking much. It just feeds back to the Defender Portal and alerts on stuff.
And I know this wasn't the question, but I've gotten started, so... This is still VERY different from PASSIVE Mode!
Think of the difference like a Security checkpoint scanning people as they go into a concert or large event:
Passive Mode: A security guard looking at the Scanner screens, maybe seeing someone holding a dangerous item, and writing down what he sees, but just turning in the list of issues.
Active Mode: A security guard making people dump out their bags, looking for dangerous items, pulling aside people that look suspicious, and MUCH more.
Active Mode is undoubtedly MUCH more secure, but Passive mode keeps the line flowing a lot better, particularly if there is other security software running too.
Even if you put the Active mode guard on the machine, he might look for things by default, but unless you gave him authority to BLOCK things (like if you were in an Alert/Investigation or Popup from Defender and selected the "Quarantine" or "Remediate" option!) he won't ACT on much by default.
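As an added example (my own read-only check, not code from the post above or from Microsoft), here is a PowerShell snippet that reports where a server sits in the three stages described above: Installation (are the WinDefend and Sense services present), Onboarding (has the Sense service recorded OnboardingState = 1), and Configuration (the AMRunningMode and which protections a policy has switched on). It assumes a Windows Server with the Defender PowerShell module, run from an elevated prompt so the Status registry key is readable; the ForceDefenderPassiveMode policy value is the documented switch for pinning AV to passive mode.

```powershell
# Added example: read-only report of the Install / Onboard / Configure stages.
# Assumes Windows Server, the Defender PowerShell module, and an elevated prompt.

function Get-DefenderStageReport {
    $report = [ordered]@{}

    # 1. Installation: is the AV engine (WinDefend) and the EDR sensor (Sense) present?
    foreach ($svc in 'WinDefend', 'Sense') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $report["Service_$svc"] = if ($s) { $s.Status } else { 'NotInstalled' }
    }

    # 2. Onboarding: once Sense has consumed the onboarding blob and registered
    #    with the cloud service it writes OnboardingState = 1 under this key.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $report['OnboardingState'] = if ($null -eq $state) { 'NoStatusKey' }
                                 elseif ($state -eq 1) { 'Onboarded' }
                                 else { "State=$state" }

    # ForceDefenderPassiveMode = 1 under the policy key pins AV to passive mode
    # even when no third-party AV is registered (the "Registry Key" case above).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forced = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
    $report['ForceDefenderPassiveMode'] = if ($forced) { $forced } else { 0 }

    # 3. Configuration: running mode plus the protections a policy may have changed.
    #    AMRunningMode is one of: Normal, Passive Mode, EDR Block, SxS Passive Mode.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $report['AMRunningMode']             = $mp.AMRunningMode
        $report['RealTimeProtectionEnabled'] = $mp.RealTimeProtectionEnabled
        $report['IsTamperProtected']         = $mp.IsTamperProtected
        $report['AntivirusSignatureAge']     = $mp.AntivirusSignatureAge
    } else {
        $report['AMRunningMode'] = 'DefenderModuleUnavailable'
    }

    [pscustomobject]$report
}

Get-DefenderStageReport | Format-List
```

A box that shows Sense Running and Onboarded but AMRunningMode "Normal" with RealTimeProtectionEnabled False is the "active but not blocking much" state the post describes, as opposed to the genuinely passive "Passive Mode" / "SxS Passive Mode" values.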