Managing Defender AV in Passive Mode with MEM

We have just deployed MDATP and are looking at EDR in block mode, but need Defender AV in passive mode and updating for this to work. Can we deploy an Endpoint Protection policy from ConfigMgr with just the Cloud Protection and Security Intelligence updates configured? Right now MDATP is showing the AV as disabled and not updating, which appears to be because of a massively outdated engine and there being no update schedule defined.

1 Reply

@SimonR Did you ever figure this out? We are in a similar boat here, trying to run Defender in passive mode w/ EDR block mode enabled. Except, Defender is NOT moving into passive mode that I can tell when running the Get-MpComputerStatus cmdlet.