Announcing EDR in block mode general availability
Published Dec 09 2020 09:00 AM

We’re very excited to announce today that endpoint detection and response (EDR) in block mode is generally available.


As we announced in our public preview blog, EDR in block mode is a feature in Microsoft Defender for Endpoint that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender for Endpoint’s industry-leading visibility and detection capabilities and Microsoft Defender Antivirus’s built-in blocking function to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus (AV) solution might miss.


This feature has already helped a number of organizations stop a variety of threats where Microsoft was not their primary AV, and we’re thrilled to make it generally available now for all customers.


Recently, EDR in block mode was responsible for helping to thwart the IcedID campaign. EDR in block mode kicked in and was able to protect the device from several malicious activities, including evasive attacker techniques like process hollowing and steganography that lead to the deployment of the info-stealing IcedID malware. Read all about how this attack went down and was stopped “ice cold” in its tracks here: EDR in block mode stops IcedID cold.


To learn more about this capability and learn how it also stopped a NanoCore RAT attack, watch the video below and check out our documentation for guidance on how to enable the feature.



We’re excited to bring this new functionality to our customers and look forward to hearing your feedback!


If you’re not yet taking advantage of Microsoft’s industry-leading optics and endpoint detection capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.
