Microsoft Tech Community

Microsoft Defender for endpoint - device running in EDR block mode


Good day Team,

On Microsoft Defender for Endpoint, one of my devices is running EDR in block mode. We want to move the device to run in active mode. What are the steps to take the device out of EDR block mode and into active mode? The OS running on the device is Windows Server 2019.


Hello, EDR in block mode is either set at the tenant level (all devices will have it enabled) or via a custom policy (CSPs) in Intune. What do you mean by saying "exit block mode to active mode"?
As I looked over my MDE devices' health status, I noticed that one of the devices is showing 'Defender Antivirus mode as EDR in block mode,' while the other devices are showing 'Defender Antivirus mode - active.' I would like assistance in enabling Defender Antivirus mode - active on the device.
It looks like on the one device showing EDR block mode, there is a 3rd-party AV installed.
Here is what the different modes mean:
Active = Defender Antivirus is the primary AV - EDR block isn't relevant, as Defender Antivirus is active.
Passive = Defender Antivirus isn't the primary and a 3rd party AV is
EDR Block = the same as Passive but with EDR Block mode enabled, which means Defender Antivirus can 'wake up' and stop a threat if the 3rd party AV missed it.

So you will either uninstall your 3rd party AV on that device, or leave it with EDR block enabled.

On the device, Symantec was initially installed but later uninstalled, and Defender Antivirus took over. However, a week later, the server status transitioned to EDR in block mode. I am seeking advice on troubleshooting the issue.


Can you please run this command and share the results? https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-block-mode-faqs?view=...

I suspect that Defender AV did not register properly as the primary AV (for whatever reason).

AV mode on Server OS is controlled manually by the registry and not auto detected like it is on W10/W11.

Check this article and the associated reg key

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshoo...

Hey Heike
Here is the result / output ---

PS C:\WINDOWS\system32> Get-MpComputerStatus


AMEngineVersion : 1.1.23110.2
AMProductVersion : 4.18.23110.3
AMRunningMode : Normal
AMServiceEnabled : True
AMServiceVersion : 4.18.23110.3
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 2024-02-07 05:23:14 AM
AntispywareSignatureVersion : 1.403.3357.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 2024-02-07 05:23:13 AM
AntivirusSignatureVersion : 1.403.3357.0
BehaviorMonitorEnabled : True
ComputerID : XXXXXXXXXXXXXXXXXXXXXXXX
ComputerState : 0
DefenderSignaturesOutOfDate : False
DeviceControlDefaultEnforcement :
DeviceControlPoliciesLastUpdated : 2023-03-03 08:07:12 AM
DeviceControlState : Disabled
FullScanAge : 29
FullScanEndTime : 2024-01-08 04:05:21 PM
FullScanOverdue : False
FullScanRequired : False
FullScanSignatureVersion : 1.403.1830.0
FullScanStartTime : 2024-01-08 03:31:09 PM
InitializationProgress : ServiceStartedSuccessfully
IoavProtectionEnabled : True
IsTamperProtected : False
IsVirtualMachine : True
LastFullScanSource : 1
LastQuickScanSource : 1
NISEnabled : True
NISEngineVersion : 1.1.23110.2
NISSignatureAge : 0
NISSignatureLastUpdated : 2024-02-07 05:23:13 AM
NISSignatureVersion : 1.403.3357.0
OnAccessProtectionEnabled : True
ProductStatus : 524416
QuickScanAge : 57
QuickScanEndTime : 2023-12-11 02:43:22 PM
QuickScanOverdue : True
QuickScanSignatureVersion : 1.403.317.0
QuickScanStartTime : 2023-12-11 02:42:12 PM
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
RebootRequired : False
SmartAppControlExpiration :
SmartAppControlState : Off
TamperProtectionSource : Signatures
TDTMode : N/A
TDTSiloType : N/A
TDTStatus : N/A
TDTTelemetry : N/A
TroubleShootingDailyMaxQuota : 480
TroubleShootingDailyQuotaLeft : 480
TroubleShootingEndTime : INFINITE
TroubleShootingExpirationLeft : INFINITE
TroubleShootingMode : Disabled
TroubleShootingModeSource : Service
TroubleShootingQuotaResetTime : N/A
TroubleShootingStartTime : N/A
PSComputerName :
Checked the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. The ForceDefenderPassiveMode REG_DWORD entry has the value 1; I changed the value to 0 and rebooted the server, and observed that the value had changed back to 1. This server is managed by SCCM. Later I deleted ForceDefenderPassiveMode and rebooted the server; after the reboot, ForceDefenderPassiveMode is there again with the value 1. On the MDE portal, the server status is still showing as "Device running in EDR mode". Kindly suggest.
I have worked with MDE for many years and have never seen a server show EDR Block Mode in the portal while Get-MpComputerStatus shows AMRunningMode : Normal.

That server is definitely not in EDR Block Mode regardless of what the portal says?

Are you sure the device you are looking at in the portal is the same device you are looking at locally? Can you verify that the Device ID in the portal matches the one in the server's registry?
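A read-only PowerShell check, added here as an example (it is not code from this thread or from Microsoft), that gathers in one place the three things the replies above ask to compare: the AMRunningMode the engine reports, the ForceDefenderPassiveMode policy value that controls the mode on Server OS, and the sensor's device id in the registry to match against the portal. It assumes the Status subkey under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection holds OnboardingState and SenseId, and that SenseId is the device id the portal displays; the ServerManager cmdlet Get-WindowsFeature is only available on Server OS.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the server.
# Read-only: it reports the inputs that decide Defender AV mode, it changes nothing.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
# Assumption: onboarding state and sensor id live under this Status subkey.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

# 1. What the AV engine itself reports: Normal, Passive Mode, EDR Block Mode, SxS Passive Mode
$runningMode = try { (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode } catch { 'unavailable' }

# 2. The policy value that forces passive mode on Server OS (1 = forced passive, 0 or absent = active)
$forcePassive = Get-RegValueOrNull -Path $policyKey -Name 'ForceDefenderPassiveMode'

# 3. Onboarding state (1 = onboarded) and the sensor's device id to compare with the portal
$onboarded = Get-RegValueOrNull -Path $statusKey -Name 'OnboardingState'
$senseId   = Get-RegValueOrNull -Path $statusKey -Name 'SenseId'

# 4. Is the Defender feature installed and are the AV (WinDefend) and EDR sensor (Sense) services running?
$feature  = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
$services = Get-Service -Name WinDefend, Sense -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.Name)=$($_.Status)" }

[pscustomobject]@{
    AMRunningMode            = $runningMode
    ForceDefenderPassiveMode = if ($null -eq $forcePassive) { 'absent' } else { $forcePassive }
    OnboardingState          = $onboarded
    SenseId                  = $senseId
    DefenderFeatureInstalled = if ($feature) { $feature.Installed } else { 'n/a' }
    Services                 = ($services -join ', ')
} | Format-List

# Surface the two contradictions discussed in the thread.
if ($forcePassive -eq 1 -and $runningMode -eq 'Normal') {
    Write-Warning ("Policy forces passive mode but the engine reports Normal. " +
                   "Check which management tool (e.g. SCCM) keeps setting the key, " +
                   "and confirm the portal device id equals SenseId '$senseId'.")
}
elseif ($forcePassive -ne 1 -and $runningMode -ne 'Normal') {
    Write-Warning "No passive-mode policy, yet the engine reports '$runningMode': another AV product may still be registered."
}
```

Run it before and after a reboot: if ForceDefenderPassiveMode flips back to 1 between runs, a management agent is reapplying it, and that configuration (not the server) is where the fix belongs.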
The issue is fixed by offboarding the device, uninstalling the Windows Defender features, installing the Windows Defender features again, and onboarding the device; it is working fine now. I appreciate your input - thanks a ton.