Endpoint detection and response (EDR) in block mode
What is EDR in block mode?
When endpoint detection and response (EDR) in block mode is turned on, Microsoft Defender ATP blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
EDR in block mode is also integrated with threat & vulnerability management. If EDR in block mode is not already enabled, your organization's security team will receive a security recommendation to turn it on.
What happens when something is detected?
When EDR in block mode is turned on and a malicious artifact is detected, blocking and remediation actions are taken. The detection appears with a status of Blocked or Remediated among the completed actions in the Action center.
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
Enable EDR in block mode
Make sure the requirements are met before turning on EDR in block mode.
1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.
2. Choose Settings > Advanced features.
3. Turn on EDR in block mode.
EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.
Requirements for EDR in block mode
| Requirement | Details |
|---|---|
| Permissions | Global Administrator or Security Administrator role assigned in Azure Active Directory. See Basic permissions. |
| Operating system | One of the following versions: Windows 10 (all releases), or Windows Server 2016 or later. |
| Windows E5 enrollment | Windows E5 is included in the following subscriptions: Microsoft 365 E5, or Microsoft 365 E3 together with the Identity & Threat Protection offering. See Components and features and capabilities for each plan. |
| Cloud-delivered protection | Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See Enable cloud-delivered protection. |
| Microsoft Defender Antivirus antimalware client | Make sure your client is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above. |
| Microsoft Defender Antivirus engine | Make sure your engine is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above. |
To get the best protection value, make sure your antivirus solution is configured to receive regular updates and has its essential features enabled, and that your exclusions are defined.
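The version and cloud-protection checks in the table above can be run together from an elevated PowerShell session. This script is an added example, not part of the Microsoft documentation; it uses the Get-MpComputerStatus properties the page names plus Get-MpPreference's MAPSReporting value, and it assumes the AMRunningMode and AMServiceEnabled properties exist on the installed client (they are absent on older clients, so a missing value is tolerated).

```powershell
# Added example (not from the Microsoft page): check the EDR-in-block-mode
# prerequisites listed above on a Windows 10 / Windows Server 2016+ device.
# Run as an administrator. Thresholds are the ones stated on the page.
$minProduct = [version]'4.18.2001.10'
$minEngine  = [version]'1.1.16700.2'

$status = Get-MpComputerStatus   # AMProductVersion / AMEngineVersion come from here
$pref   = Get-MpPreference       # MAPSReporting: 0 = cloud protection off, 1 = basic, 2 = advanced

$checks = [ordered]@{
    'Antimalware client >= 4.18.2001.10' = ([version]$status.AMProductVersion -ge $minProduct)
    'Antimalware engine >= 1.1.16700.2'  = ([version]$status.AMEngineVersion  -ge $minEngine)
    'Cloud-delivered protection enabled' = ($pref.MAPSReporting -gt 0)
    # AMServiceEnabled is assumed present; a null value is treated as a failed check
    'Antimalware service enabled'        = [bool]$status.AMServiceEnabled
}

$failed = 0
foreach ($name in $checks.Keys) {
    $ok = $checks[$name]
    if (-not $ok) { $failed++ }
    '{0,-38} {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAIL' })
}

# AMRunningMode (assumed property) reports whether Defender Antivirus is the
# primary antivirus, in passive mode, or already running in EDR block mode.
if ($status.PSObject.Properties['AMRunningMode']) {
    'Defender Antivirus running mode: {0}' -f $status.AMRunningMode
}

'Client version: {0}; engine version: {1}' -f $status.AMProductVersion, $status.AMEngineVersion
if ($failed -eq 0) {
    'All prerequisites met; EDR in block mode can be turned on in Microsoft Defender Security Center.'
} else {
    '{0} prerequisite check(s) failed; update the client or enable cloud-delivered protection first.' -f $failed
}
```

Because EDR in block mode itself can only be toggled in the Security Center (see above), the script reports readiness but does not change any setting.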
Frequently asked questions
Will EDR in block mode have any impact on a user's antivirus protection?
No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
Why do I need to keep Microsoft Defender Antivirus up to date?
Because Microsoft Defender Antivirus is what detects and remediates malicious items, keeping it up to date gives EDR in block mode the latest device learning models, behavioral detections, and heuristics, which is what makes it most effective. The Microsoft Defender ATP stack of capabilities works in an integrated manner, so to get the best protection value you should keep Microsoft Defender Antivirus up to date.
Why do we need cloud protection on?
Cloud protection is required for the feature to be turned on for a device. Cloud protection allows Microsoft Defender ATP to deliver the latest protection based on the breadth and depth of Microsoft's security intelligence, along with behavioral and device learning models.