### YamlMime:FAQ
metadata:
  title: Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)
  description: Find answers to frequently asked questions about Microsoft Defender for Endpoint's attack surface reduction rules.
  ms.service: defender-endpoint
  ms.subservice: ngp
  ms.localizationpriority: medium
  audience: ITPro
  author: batamig
  ms.author: bagol
  ms.reviewer: sugamar, kausd
  manager: bagol
  ms.custom:
  - asr
  - partner-contribution
  ms.topic: faq
  ms.collection: m365-security
  ms.date: 05/22/2025
title: Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)
summary: |
  **Applies to:**
  - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
  - [Microsoft Defender XDR](/defender-xdr)

sections:
  - name: Ignored
    questions:
      - question: |
          Can I specify exclusions for EDR in block mode?
        answer: |
          If you get a false positive, you can submit the file for analysis at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/en-us/wdsi/filesubmission).

          You can also define an exclusion for Microsoft Defender Antivirus. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).

      - question: |
          Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?
        answer: |
          No. Microsoft recommends disabling EDR in block mode when the primary antivirus software on the system is Microsoft Defender Antivirus. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product.

      - question: |
          Will EDR in block mode affect a user's antivirus protection?
        answer: |
          EDR in block mode doesn't affect non-Microsoft antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there's a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except that EDR in block mode also blocks and remediates malicious artifacts or behaviors that are detected.

      - question: |
          Why do I need to keep Microsoft Defender Antivirus up to date?
        answer: |
          Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](microsoft-defender-endpoint.md) stack of capabilities works in an integrated manner. To get the best protection value, you should keep Microsoft Defender Antivirus up to date. See [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).

      - question: |
          Why do we need cloud protection (MAPS) on?
        answer: |
          Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](microsoft-defender-endpoint.md) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.

      - question: |
          What is the difference between active and passive mode?
        answer: |
          For endpoints running Windows 10, Windows 11, Windows Server version 1803 or later, Windows Server 2019 and later, or Azure Stack HCI OS, version 23H2 and later, when Microsoft Defender Antivirus is in active mode, it's used as the primary antivirus on the device. When running in passive mode, Microsoft Defender Antivirus isn't the primary antivirus product. In this case, threats aren't remediated by Microsoft Defender Antivirus in real time.

          > [!NOTE]
          > Microsoft Defender Antivirus can run in passive mode only when the device is onboarded to Microsoft Defender for Endpoint.

          For more information, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).

      - question: |
          How do I confirm Microsoft Defender Antivirus is in active or passive mode?
        answer: |
          To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.

          |Method|Procedure|
          |---|---|
          |PowerShell|1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.<br/><br/>2. Type `Get-MpComputerStatus`.<br/><br/>3. In the list of results, in the **AMRunningMode** row, look for one of the following values:<br/>- `Normal`<br/>- `Passive Mode`<br/><br/>To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus).|
          |Command Prompt|<ol><li>Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.</li><li>Type `sc query windefend`.</li><li>In the list of results, in the **STATE** row, confirm that the service is running.</li></ol>|

      - question: |
          How do I confirm that EDR in block mode is turned on with Microsoft Defender Antivirus in passive mode?
        answer: |
          You can use PowerShell to confirm that EDR in block mode is turned on with Microsoft Defender Antivirus running in passive mode.

          1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.
          2. Type `Get-MPComputerStatus|select AMRunningMode`.
          3. Confirm that the result, `EDR Block Mode`, is displayed.

          > [!TIP]
          > If Microsoft Defender Antivirus is in active mode, you'll see `Normal` instead of `EDR Block Mode`. To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus).
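          The manual checks from this answer and the previous one, plus the cloud protection and update prerequisites called out earlier, combined into one readiness report. This is an added example, not part of the Microsoft documentation; it relies on the `AMRunningMode`, `AntivirusSignatureAge`, `MAPSReporting` and `WinDefend` names from `Get-MpComputerStatus`, `Get-MpPreference` and `Get-Service`, and the 3-day signature-age threshold is an assumption.

          ```powershell
          # Added example (not Microsoft's code): report whether EDR in block mode is on and
          # whether the prerequisites the FAQ lists are met. Run in an elevated Windows PowerShell
          # session on a device onboarded to Defender for Endpoint.

          $status = Get-MpComputerStatus
          $pref   = Get-MpPreference
          # Same service that 'sc query windefend' reports on.
          $svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
          $svcStatus = if ($svc) { [string]$svc.Status } else { 'NotFound' }

          $findings = [System.Collections.Generic.List[string]]::new()

          # 1. Running mode: 'Normal' = active, 'Passive Mode' = passive without EDR in block mode,
          #    'EDR Block Mode' = passive with EDR in block mode turned on.
          switch ($status.AMRunningMode) {
              'Normal'         { $findings.Add('Defender AV is the primary AV (active mode); EDR in block mode is not needed.') }
              'EDR Block Mode' { $findings.Add('Defender AV is in passive mode and EDR in block mode is ON.') }
              'Passive Mode'   { $findings.Add('Defender AV is in passive mode and EDR in block mode is OFF.') }
              default          { $findings.Add("Unexpected AMRunningMode value: '$($status.AMRunningMode)'.") }
          }

          # 2. Service state (the Command Prompt check in the FAQ).
          if ($svcStatus -ne 'Running') {
              $findings.Add("WinDefend service is '$svcStatus'; nothing can be remediated in passive or block mode.")
          }

          # 3. Cloud protection (MAPS) must be on for the feature to be enabled on the device.
          #    MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
          if ($pref.MAPSReporting -eq 0) {
              $findings.Add('Cloud-delivered protection (MAPS) is disabled; EDR in block mode cannot be turned on.')
          }

          # 4. Signature freshness. The 3-day threshold is an assumption for this example.
          if ($status.AntivirusSignatureAge -gt 3) {
              $findings.Add("Security intelligence is $($status.AntivirusSignatureAge) days old; update Defender AV.")
          }

          [pscustomobject]@{
              ComputerName     = $env:COMPUTERNAME
              AMRunningMode    = $status.AMRunningMode
              WinDefendStatus  = $svcStatus
              MAPSReporting    = $pref.MAPSReporting
              SignatureAgeDays = $status.AntivirusSignatureAge
              Findings         = ($findings -join ' ')
          }
          ```

          The script only reads configuration; it changes nothing, so it can be run across a fleet through your usual remoting tooling to find devices where passive mode is on but EDR in block mode isn't.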
      - question: |
          Is EDR in block mode supported on Windows Server 2016 and Windows Server 2012 R2?
        answer: |
          If Microsoft Defender Antivirus is running in active mode or passive mode, EDR in block mode is supported on the following versions of Windows:

          - Windows 11
          - Windows 10 (all releases)
          - Windows Server, version 1803 or newer
          - Windows Server 2022
          - Windows Server 2019
          - Windows Server 2016 and Windows Server 2012 R2 (with the new unified client solution)

          With the [new unified client solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2) for Windows Server 2016 and Windows Server 2012 R2, you can run EDR in block mode in either passive mode or active mode.

          > [!NOTE]
          > Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in [Onboard Windows servers](onboard-server.md) for this feature to work.

      - question: |
          How much time does it take for EDR in block mode to be disabled?
        answer: |
          If you choose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability.

      - question: |
          See also
        answer: |
          - [Endpoint detection and response in block mode](edr-in-block-mode.md)
          - [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
          - [Behavioral blocking and containment](behavioral-blocking-containment.md)