Microsoft Tech Community

MDATP in passive mode

Hello everyone,

I am currently using a 3rd-party AV. Will having MDATP installed in passive mode allow blocking unsanctioned apps?
5 Replies
I believe this requires active mode
This can be achieved through "EDR in block mode". But this functionality is limited to OS versions.
Thanks man, do you mean that this only works on Windows OS?
The blocking settings for Unsanctioned App set in MCAS are applied to the Indicator settings of Defender for Endpoint.
I understand that the Defender for Endpoint Indicator settings currently work well on Windows 10 1709 and above or iOS.
And, I think that enabling Network Protection is a prerequisite for Windows 10.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain?view=o...

Even if Defender for Endpoint is in Block mode, it is stated that Defender AV must be running in Active mode in order to use Network Protection, so Defender AV in Active mode will be needed.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o36...

EDR in Block Mode Requirements:
Devices must be running one of the following versions of Windows:
Windows 10 (all releases)
Windows Server, version 1803 or newer
Windows Server 2019
Windows Server 2016 (only when Microsoft Defender Antivirus is in active mode).
Supported Linux server distributions and x64 (AMD64/EM64T) versions:
Red Hat Enterprise Linux 7.2 or higher
CentOS 7.2 or higher
Ubuntu 16.04 LTS or higher LTS
Debian 9 or higher
SUSE Linux Enterprise Server 12 or higher
Oracle Linux 7.2 or higher
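
To check on a Windows device the two prerequisites named in the replies above (Defender AV running mode and Network Protection), the following is an added example, not code from the thread or from Microsoft. `Test-IndicatorBlockingReadiness` is a hypothetical helper name, and the running-mode strings it matches are assumptions about what `Get-MpComputerStatus` reports.

```powershell
# Added example. Test-IndicatorBlockingReadiness is a hypothetical helper;
# the mode strings matched below are assumed values of AMRunningMode.
function Test-IndicatorBlockingReadiness {
    param(
        [string]$AMRunningMode,     # e.g. "Normal", "Passive Mode", "EDR Block Mode"
        [int]$NetworkProtection     # 0 = disabled, 1 = block, 2 = audit
    )

    # Classify how Defender AV is running next to any 3rd-party AV.
    $avMode = switch -Wildcard ($AMRunningMode) {
        'Normal'      { 'Active'; break }
        '*EDR Block*' { 'PassiveWithEdrBlock'; break }
        '*Passive*'   { 'Passive'; break }
        default       { 'Unknown' }
    }

    $npState = switch ($NetworkProtection) {
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Disabled' }
    }

    # Per the replies: URL/domain indicators (which carry the MCAS
    # unsanctioned-app blocks) need Network Protection in block mode,
    # and Network Protection needs Defender AV in active mode.
    [pscustomobject]@{
        DefenderAvMode    = $avMode
        NetworkProtection = $npState
        CanEnforceBlocks  = ($avMode -eq 'Active') -and ($npState -eq 'Block')
    }
}

try {
    # Both cmdlets ship with the Defender PowerShell module on Windows.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $pref   = Get-MpPreference -ErrorAction Stop
    Test-IndicatorBlockingReadiness `
        -AMRunningMode $status.AMRunningMode `
        -NetworkProtection ([int]$pref.EnableNetworkProtection)
}
catch {
    # Defender cmdlets unavailable (feature removed or service stopped).
    Write-Warning "Could not query Microsoft Defender Antivirus: $_"
}
```

A device that reports `Passive` or `PassiveWithEdrBlock` with `CanEnforceBlocks` false is in the situation the original question describes.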