Microsoft Tech Community

We have some Sophos Endpoints, what would happen if I enrolled them into the MS Defender cloud?


We have a small percentage of high-value users for whom we upgraded the standard endpoint to Sophos Endpoint with Intercept X. For the remainder of the devices, I have begun enrolling them into MS 365 Defender. The visibility I now get for the Defender clients is excellent. What would happen if I extended the enrollment script for 365 Defender to those devices? Would Sophos disable Defender antivirus (tamper protection has been turned on) for those clients?


Thanks for any thoughts on this.


Sorry I don't have an answer but I am also interested to know whether we can have the advantages of device visibility in MS 365 Defender alongside a Sophos endpoint installation.

I've researched further and found this:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivi...

In that article it says:
Defender for Endpoint includes capabilities that further extend the antivirus protection that is installed on your endpoint. You can benefit from running Microsoft Defender Antivirus alongside another antivirus solution.

For example, Endpoint detection and response (EDR) in block mode provides added protection from malicious artifacts even if Microsoft Defender Antivirus is not the primary antivirus product. Such capabilities require Microsoft Defender Antivirus to be installed and running in passive mode or active mode.
It would work fine: Defender would show as being in EDR Block Mode, and Sophos would still be the active AV.
To switch tamper protection off on Sophos, uninstall it, and then Defender (after a reboot) would become the active AV.
We're mid-migration of all devices off Sophos, so we are familiar with how it works. If Sophos is the active AV, you still get most of the rich info from Defender, and a little bit of extended protection from EDR block mode (which is a post-infection detection defence, as opposed to the proactive protection that the AV is providing).
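An added example, not part of any reply in this thread, to check from the endpoint itself what the reply above describes: which mode Defender Antivirus is running in next to a third-party AV, which AV Windows Security Center considers registered, and whether the device is onboarded to Defender for Endpoint. It assumes a Windows 10/11 client with the built-in Defender cmdlets and an elevated PowerShell session; the optional passive-mode registry value at the end is the one Microsoft documents for forcing Defender AV into passive mode (mainly for Windows Server) and is left commented out.

```powershell
# Added example: inspect Defender AV mode alongside a third-party AV.
# Assumes Windows 10/11 client, elevated session, Defender cmdlets present.

$status = Get-MpComputerStatus

# AMRunningMode is documented by Microsoft with values such as
# "Normal", "Passive Mode", "EDR Block Mode" and "SxS Passive Mode".
# With Sophos active and MDE onboarded you would expect "Passive Mode"
# or "EDR Block Mode" here rather than "Normal".
[pscustomobject]@{
    AMRunningMode       = $status.AMRunningMode
    AntivirusEnabled    = $status.AntivirusEnabled
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    TamperProtected     = $status.IsTamperProtected
    AMServiceEnabled    = $status.AMServiceEnabled
} | Format-List

# Which AV products Windows Security Center has registered (client SKUs
# only; the SecurityCenter2 namespace does not exist on Windows Server).
# A third-party product listed here is what makes Defender AV go passive.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    Select-Object displayName, productState |
    Format-Table -AutoSize

# MDE onboarding state: OnboardingState = 1 and a running Sense service
# mean the EDR sensor is onboarded regardless of which AV is active.
$atpStatus = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
Get-ItemProperty -Path $atpStatus -Name OnboardingState -ErrorAction SilentlyContinue |
    Select-Object OnboardingState
Get-Service -Name Sense -ErrorAction SilentlyContinue |
    Select-Object Name, Status

# Optional: force Defender AV into passive mode. Microsoft documents this
# value for Windows Server; on client SKUs Defender normally goes passive
# on its own once another AV registers with Security Center, so this is
# left commented out and should only be applied deliberately.
# $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
# New-Item -Path $policy -Force | Out-Null
# Set-ItemProperty -Path $policy -Name ForceDefenderPassiveMode -Value 1 -Type DWord
```

Run it before and after removing Sophos: the expected change is the AMRunningMode moving from a passive or EDR block value to "Normal" after the reboot, with the Sophos entry disappearing from the Security Center list while OnboardingState stays at 1.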

If Sophos is just AV, it will work fine as others have mentioned.
MDE does not support environments with other EDR software installed (or so I was told by support in the past), so you should check whether Intercept X includes EDR functionality, though.

I do not have any experience with Sophos, but looking at the link below it looks like EDR might be included.
https://www.sophos.com/en-us/products/endpoint-antivirus