Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
SOLVED

Onboarding Windows Server 2022 to MDE.

Copper Contributor

Currently we are preparing to to move from a non-Microsoft endpoint protection solution to Microsoft Defender for Endpoint. On Windows Server 2022 we did set the registry key to enable passive mode(ForceDefenderPassiveMode = 1). Behavior is 2022 servers are in passive mode, but when we check the state using Powershell(Get-MpComputerStatus | select AMRunningMode) it is giving Mode =Normal.

We expect Mode is "Passive" instead of "Normal". 

Is this all correct or should it be as expected("Passive" Mode)?

4 Replies
best response confirmed by basvhoof (Copper Contributor)
Solution

Hi @basvhoof,

 

You are correct about Normal mode. Normal mode means Defender is acting as the primary AV. It is not enough to set up just the registry key, you also need a server to be onboarded to Defender for Endpoint before it can go to the passive mode. Has this server been onboarded to the MDE? https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivi... 

Thanks for your reply, server is not onboarded yet. Primary AV at this moment is a non-Microsoft antivirus/antimalware solution. So we assumed it should be in Passive mode using the PowerShell command.
Very helpful thanks. Does that mean though that should still set the registry key to enable passive mode ahead prior to be being onboarded into MDE, and it will then activate passive mode once onboarded?

Or only set that registry after onboarded?

@gilblumberg, that's correct. You need to set the registry key first, and once onboarded, the passive mode gets activated. Migrate to Microsoft Defender for Endpoint - Setup | Microsoft Learn

 

If you try to do this later, the tamper protection will prevent you from changing the registry. And you do not want to disable the tamper protection. Therefore, it is best to have the registry key before you have onboarded a server.

1 best response

Accepted Solutions
best response confirmed by basvhoof (Copper Contributor)
Solution

Hi @basvhoof,

 

You are correct about Normal mode. Normal mode means Defender is acting as the primary AV. It is not enough to set up just the registry key, you also need a server to be onboarded to Defender for Endpoint before it can go to the passive mode. Has this server been onboarded to the MDE? https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivi... 

View solution in original post