Microsoft Defender for Endpoint (MDE) P2 - Deployed to endpoints by only enabling Tamper Protection?

Brass Contributor


Our Tenant is predominately M365 E3.  It is a hybrid ADDS/AZureAD with Configuration Manager and Intune (co-managed).

We have a few MDE P2 licenses as well.  


Our desired outcome is to run MDE P1 or Windows Defender in basic AV passive-mode only.


We have a non-MS EDR sensor product (CB).  We also have some 3rd party endpoints, joined to our domain that have a different EDR (XDR).

We had set up the GPO to run MS Defender in passive mode.  Recently I discovered that the MDE on our endpoints was running in active mode.  After digging and digging - It looks like one of our IT folks ran the endpoint device wizard on the tenant.  This enabled "Tamper Protection".  I did find some MS articles that mention if tamper protection is enabled - the MDE runs in "Active Mode".

There are no M365 Defender endpoint rules or policy's configured.

The only settings are those configured when running the initial endpoint security wizard, without specifying the options when doing so.


Those under then --- Settings > Endpoints > Advanced features.  Most of these may have been disabled - but "Tamper Protection" remains enabled.

My question is - If we tun off tamper protection - will our GPO reapply MDE in "passive mode"?

--- Our desired outcome is to run MDE P1 or Windows Defender in basic AV passive-mode only.


Thanks in advance.


5 Replies

Tamper protection will not enable MDE plan 2 features. You need the license itself for this. As far as I know MDE will only run in passive mode if a third party AV is detected. Do you have a third party AV installed or just the EDR? Also, how are you onboarding the devices on MDE?

Hello @rahuljindal-MVP.
They were acquired before our EDR managed solution engagement. but.. we have 180+ license's for MDE p2. We show two assigned via the tenant (subscription products) assigned licensing. Likewise - reporting via Azure licensing reports the same.
However, within the endpoints > licensing the report indicates: 255 /183 used.
I will check with the team to ask if the onboarding to our tenant happens via Intune/configuration manager or scripted.  Only ADDS joined "Windows" systems show as onboarded.  There is currently no AV installed other then WDE/MDE. We intended, and still very much desire to use Windows Defender or MDE P1 as our AV on the endpoints - not P2.
Since we have P2 licenses MS automatically deploys this as it is of a higher level than our P1 licenses. It looks like the options to set P1 specifically vs. the higher level P2 is available (in preview).

Below is the link I have used to discover the active / passive mode and relation to "Tamper Protection".

The only reference I found to Tamper protection in the link you shared is not switching to passive mode when already in active mode, that too being applicable to Windows Server 2012 R2. Defender AV is part of the Windows OS. When you onboard using MDE, then AV is also managed under MDE. How are you checking for active state on the onboarded devices?
Hello, Thanks again for the help.
Looks like a whole bunch of badgers needed the same solution as MS has a configuration in preview: We are going to take advantage of the Defender For Endpoint P1 and P2 mixed tenant (in preview) as it looks to address our needs and desired outcome.
This is the PowerShell command we run to verify status. Get-MpComputerStatus | select AMRunningMode
This article references Windows Server and Workstation OS'. I believe the ForceDefenderPassiveMode works with Windows 10/11 too? However, when Tamper Protection is turned on - it disables passive mode and changes the registry setting to 0 (active) from 1 (passive)
Can you share the output of Get-MpComputerStatus?