Endpoint detection and response (EDR) in block mode

What is EDR in block mode?

Endpoint detection and response (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.

EDR in block mode is also integrated with threat & vulnerability management. Your organization's security team will get a security recommendation to turn EDR in block mode on if it isn't already enabled.

[Screenshot: security recommendation to turn on EDR in block mode]

Note

To get the best protection, make sure to deploy Microsoft Defender for Endpoint baselines.

What happens when something is detected?

When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see detection status as Blocked or Prevented as completed actions in the Action center.

The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:

[Screenshot: unwanted software detected and blocked by EDR in block mode]

Enable EDR in block mode

Important

Make sure the requirements are met before turning on EDR in block mode.

  1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.

  2. Choose Settings > Advanced features.

  3. Turn on EDR in block mode.

Note

EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.

Requirements for EDR in block mode

Permissions
  Global Administrator or Security Administrator role assigned in Azure Active Directory. See Basic permissions.

Operating system
  One of the following versions:
  - Windows 10 (all releases)
  - Windows Server, version 1803 or newer
  - Windows Server 2019

Windows E5 enrollment
  Windows E5 is included in the following subscriptions:
  - Microsoft 365 E5
  - Microsoft 365 E3 together with the Identity & Threat Protection offering
  See Components and features and capabilities for each plan.

Microsoft Defender Antivirus
  Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) Confirm Microsoft Defender Antivirus is in active or passive mode.

Cloud-delivered protection
  Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.

Microsoft Defender Antivirus antimalware client
  Make sure your client is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above.

Microsoft Defender Antivirus engine
  Make sure your engine is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above.

Important

To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are configured. EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.

Frequently asked questions

Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?

We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.

Will EDR in block mode have any impact on a user's antivirus protection?

EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except it also blocks and remediates malicious artifacts or behaviors that are detected.

Why do I need to keep Microsoft Defender Antivirus up to date?

Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. EDR in block mode relies on the latest machine learning models, behavioral detections, and heuristics to be effective. The Defender for Endpoint stack of capabilities works in an integrated manner, so to get the best protection value, keep Microsoft Defender Antivirus up to date.

Why do we need cloud protection on?

Cloud protection must be enabled on the device for EDR in block mode to take effect there. Cloud protection allows Defender for Endpoint to deliver the latest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.

How do I set Microsoft Defender Antivirus to passive mode?

See Enable Microsoft Defender Antivirus and confirm it's in passive mode.

How do I confirm Microsoft Defender Antivirus is in active or passive mode?

To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.

Use PowerShell

  1. Select the Start menu, begin typing PowerShell, and then open Windows PowerShell in the results.

  2. Type Get-MpComputerStatus.

  3. In the list of results, in the AMRunningMode row, look for one of the following values:

    • Normal
    • Passive Mode
    • SxS Passive Mode

To learn more, see Get-MpComputerStatus.

Use Command Prompt

  1. Select the Start menu, begin typing Command Prompt, and then open Windows Command Prompt in the results.

  2. Type sc query windefend.

  3. In the list of results, in the STATE row, confirm that the service is running.
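The following script is an added example (it is not part of the Microsoft documentation) that combines the device-side prerequisite checks from the requirements table with the active/passive mode check above. It assumes an elevated Windows PowerShell session on a device where the Defender cmdlets are available; the MAPSReporting property of Get-MpPreference is used as the indicator for cloud-delivered protection.

```powershell
# Added example: check one device against the EDR in block mode prerequisites listed on this page.
# Run as an administrator in Windows PowerShell.

$minClient = [version]'4.18.2001.10'   # AMProductVersion minimum from the requirements table
$minEngine = [version]'1.1.16700.2'    # AMEngineVersion minimum from the requirements table
$okModes   = @('Normal', 'Passive Mode', 'SxS Passive Mode')   # AMRunningMode values accepted above

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$checks = [ordered]@{
    # Antimalware client and engine versions (compared as System.Version, not as strings)
    'Antimalware client up to date' = ([version]$status.AMProductVersion -ge $minClient)
    'Antimalware engine up to date' = ([version]$status.AMEngineVersion  -ge $minEngine)
    # Defender Antivirus must be in active or passive mode
    'Antivirus active or passive'   = ($okModes -contains $status.AMRunningMode)
    # MAPSReporting: 0 = cloud-delivered protection disabled, 1 = basic, 2 = advanced
    'Cloud-delivered protection on' = ($pref.MAPSReporting -ne 0)
    # Same service the "sc query windefend" step looks at
    'WinDefend service running'     = ((Get-Service -Name WinDefend).Status -eq 'Running')
}

foreach ($name in $checks.Keys) {
    $result = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-32} {1}' -f $name, $result
}

# Show the raw values so a FAIL can be traced back to the requirement it violates
'AMRunningMode: {0}  Client: {1}  Engine: {2}  MAPSReporting: {3}' -f `
    $status.AMRunningMode, $status.AMProductVersion, $status.AMEngineVersion, $pref.MAPSReporting
```

These are device-side checks only; the EDR in block mode setting itself is tenant-wide and can be viewed or changed only under Settings > Advanced features in the Microsoft Defender Security Center.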

How much time does it take for EDR in block mode to be disabled?

If you choose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability.
