Announcing EDR in block mode general availability

Published Dec 09 2020 09:00 AM 11.3K Views

We’re very excited to announce today that endpoint detection and response (EDR) in block mode is generally available.


As we announced in our public preview blog, EDR in block mode is a feature in Microsoft Defender for Endpoint that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender for Endpoint’s industry-leading visibility and detection capabilities and Microsoft Defender Antivirus’s built-in blocking function to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus (AV) solution might miss.


This feature has already helped a number of organizations stop a variety of threats where Microsoft was not their primary AV and we’re thrilled to make it now generally available for all customers.


Recently, EDR in block mode was responsible for helping to thwart the IcedID campaign. EDR in block mode kicked in and was able to protect the device from several malicious activities including evasive attacker techniques like process hollowing and steganography that lead to the deployment of the info stealing IcedID malware. Read all about how this attack went down and was stopped “ice cold” in its tracks here: EDR in block mode stops IcedID cold.


To learn more about this capability and learn now it also stopped a NanoCore RAT attack, watch the video below and check out our documentation for guidance on how to enable the feature.



We’re excited to bring this new functionality to our customers and look forward to hearing your feedback!


If you’re not yet taking advantage of Microsoft’s industry leading optics and endpoint detection capabilities, sign up for a free trial of Microsoft Defender Endpoint today.


Is EDR in Block Mode also recommended if Defender ist the primary antivirus solution and no 3rd Party antivirus is used?

Senior Member

Hello :waving_hand:

I see from the docs:

Operating system One of the following versions:

- Windows 10 (all releases)

- Windows Server 2016 or later


But no mention of specifically Mac OS or mobile OS's can you provide an idea of when this will be cross platform. It's a great product but easy to forget the 3rd party OS's make up an important part of its usefulness.


@SteBeSec Thank you very much for reading through the post and question. We recommend to keep EDR block on for both the cases, when Defender AV is in Passive mode and when it is in active mode, while you get added layer of defense when Microsoft Defender AV is not primary AV on the box,  it also allows to act based on post breach behavioral detections. 


@garyg - Great feedback and yes, its on our roadmap. 

New Contributor

Is it possible to activate EDR block mode on subset of managed devices?

Senior Member

I really miss the option assign this feature to a device group. First I do not like to push feature globally with 1 one click. Additionally I would like to exclude this feature as example for our developers.

Is there a plan to give us this capability?


@raphael1974  - Thanks for sharing feedback. We are in the discussion and looking at the possibilities. Will share more details once we have firm commitments.  

New Contributor

Does it really apply on Server 2016 since it's onboarded with MMA agent?

Occasional Visitor

@Shweta Jha any word on block mode support for MacOS?


@fqalexmcg Extending this capability to macOS is on the roadmap

Occasional Contributor

Hi @Shweta Jha has it been implemented ? to assign EDR block mode feature to a specific device group ? 

Version history
Last update:
‎Dec 09 2020 09:03 AM
Updated by: