How to bock 365 Defender defaulting to passive mode?

Not applicable

365 Defender managed by InTune and GPO.  How to block 365 Defender defaulting to passive mode due to a third party AV install? 


In passive mode, Microsoft Defender Antivirus is not used as the primary antivirus app on the device. Files are scanned, and detected threats are reported, but threats are not remediated by Microsoft Defender Antivirus.


365 Defender should always be active irrelevant to the third party AV install from either good / bad actor. 

1 Reply

@Deleted you need to use the endpoint detection and response in block mode when Defender is not your primary antivirus product and its running in passive mode. artifacts might have been missed by the primary, non-Microsoft antivirus product. EDR in block mode allows Microsoft Defender Antivirus to take actions on post-breach, behavioral EDR detections.


Refer to the below link for more details 


Endpoint detection and response in block mode | Microsoft Learn