EDR in block mode on Server 2016?


EDR block mode is listed as supported on Windows Server 2016 and later. This appears a bit strange since 2016 is onboarded in MDE/ATP with the MMA agent, so how does the EDR block mode policy apply on 2016? For 2019 it is different, as the Sense agent is onboarded directly. Additionally, there appears to be no way to control which systems get EDR block mode; there is no way to exclude servers and apply to desktops only, or to a subset of pilot systems.

2 Replies

@Tsachev EDR is associated with Microsoft Defender Antivirus. Microsoft Defender Antivirus uses the latest device learning models, behavioral detections, and heuristics to detect and remediate malicious items.

Now, since Windows Server 2016 already comes with built-in Microsoft Defender Antivirus, this feature is applicable to Server 2016 as well.

As of now, there is no way to push EDR in block mode to only specific devices, as it is just a radio button which needs to be turned on from Microsoft Defender Security Center.
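
Since the tenant-wide toggle gives no per-device control, the practical check is done on the endpoint itself. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the Defender platform's `AMRunningMode` (which reports `EDR Block Mode` when block mode is active), the MDE onboarding state and passive-mode policy from the registry, and whether the Sense service or the MMA `HealthService` is present, so you can tell on a Server 2016 host which agent is delivering EDR and whether block mode has actually taken effect. The registry paths and service names are the ones used by MDE onboarding; the `AMRunningMode` property only exists on hosts whose Defender platform is recent enough, so a blank value means the platform needs updating rather than that block mode is off.

```powershell
# Added example (not from the thread): report how Defender AV and the MDE
# sensor are running on this host. Run in an elevated PowerShell session.

$status = Get-MpComputerStatus

# Reported by the Defender platform; documented values include
# "Normal", "Passive Mode", "EDR Block Mode" and "SxS Passive Mode".
# Older platform builds do not expose this property at all ($null).
$mode = $status.AMRunningMode

# OnboardingState is written under this key when the device is onboarded to MDE.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded = $false
if (Test-Path $statusKey) {
    $props     = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $onboarded = ($props.OnboardingState -eq 1)
}

# ForceDefenderPassiveMode = 1 forces Defender AV into passive mode
# (typically set when a third-party AV is the primary engine).
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$forcedPassive = $false
if (Test-Path $policyKey) {
    $policy        = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $forcedPassive = ($policy.ForceDefenderPassiveMode -eq 1)
}

# Which agent carries EDR here: the built-in Sense service (Server 2019+,
# Windows 10) or the MMA HealthService (Server 2016 and earlier onboarding).
$sense = Get-Service -Name Sense          -ErrorAction SilentlyContinue
$mma   = Get-Service -Name HealthService  -ErrorAction SilentlyContinue
$senseState = if ($sense) { [string]$sense.Status } else { 'not installed' }
$mmaState   = if ($mma)   { [string]$mma.Status }   else { 'not installed' }

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    OSVersion           = (Get-CimInstance Win32_OperatingSystem).Caption
    AMRunningMode       = $mode
    AntivirusEnabled    = $status.AntivirusEnabled
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    MdeOnboarded        = $onboarded
    ForcedPassivePolicy = $forcedPassive
    SenseService        = $senseState
    MmaHealthService    = $mmaState
    EdrBlockModeActive  = ($mode -eq 'EDR Block Mode')
}
```

Run this across the fleet (for example via `Invoke-Command`) and filter on `EdrBlockModeActive`; that is the only way to see which devices the single portal toggle has actually reached, since the portal offers no per-device scoping and the tenant setting itself is not readable locally.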

If the functionality depends on Defender AV, how is the agent receiving the policy from Defender Security Center on the 2016 OS?