|
| 1 | +--- |
| 2 | +title: Microsoft Defender for Endpoint passive mode |
| 3 | +ms.topic: conceptual |
| 4 | +description: Understand how Microsoft Defender for Endpoint passive mode works and when to use it. |
| 5 | +ms.service: defender-endpoint |
| 6 | +author: KesemSharabi |
| 7 | +ms.author: kesharab |
| 8 | +ms.localizationpriority: high |
| 9 | +audience: ITPro |
| 10 | +ms.collection: |
| 11 | +- m365-security |
| 12 | +- tier1 |
| 13 | +- mde-ngp |
| 14 | +ms.subservice: ngp |
| 15 | +search.appverid: met150 |
| 16 | +ms.date: 03/26/2025 |
| 17 | +--- |
| 18 | + |
| 19 | +# Defender for Endpoint passive mode |
| 20 | + |
| 21 | +Microsoft Defender for Endpoint is a comprehensive security solution designed to protect your devices from evolving threats. One of its key features is *passive mode*, which enables Microsoft Defender Antivirus to coexist with non-Microsoft antivirus solutions while still providing valuable endpoint detection and response capabilities. |
| 22 | + |
| 23 | +Some of the key benefits of passive mode are: |
| 24 | + |
| 25 | +* **Endpoint Detection and Response (EDR)** - Microsoft Defender for Endpoint monitors activity and provides alerts about malicious artifacts post-breach. In block mode, EDR can detect and remediate threats even if the primary antivirus solution fails to prevent an attack. |
| 26 | + |
| 27 | +* **Threat Scanning** - Files are scanned, and detection information is shared with the Defender for Endpoint service. |
| 28 | + |
| 29 | +* **Security intelligence updates** - Microsoft Defender Antivirus continues to receive updates to stay aware of the latest threats. |
| 30 | + |
| 31 | +* **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded. |
| 32 | + |
| 33 | +>[!NOTE] |
| 34 | +>Passive mode disables Microsoft Defender Antivirus scheduled scans unless specific configurations are applied. |
| 35 | +
|
| 36 | +## Prerequisites |
| 37 | + |
| 38 | +* Operating system |
| 39 | + * Windows 10 or newer |
| 40 | + * Windows Server 2012 R2 |
| 41 | + * Windows Server 2016, or newer (requires onboarding using the modern unified solution) |
| 42 | + |
| 43 | +* The endpoint must be onboarded to Microsoft Defender for Endpoint |
| 44 | + |
| 45 | +* Microsoft Defender Antivirus has to be installed on the endpoint |
| 46 | + |
| 47 | +## Configure passive mode |
| 48 | + |
| 49 | +Follow the instructions in this section to configure passive mode for Microsoft Defender for Endpoint. |
| 50 | + |
| 51 | +### Set the registry key |
| 52 | + |
| 53 | +To avoid conflicts between Microsoft Defender Antivirus and a third-party antivirus solution, if you're using Windows Server, set the following registry key before onboarding the device to Microsoft Defender for Endpoint: |
| 54 | + |
| 55 | +* **Path** - HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection |
| 56 | + |
| 57 | +* **Name** - ForceDefenderPassiveMode |
| 58 | + |
| 59 | +* **Type** - REG_DWORD |
| 60 | + |
| 61 | +* **Value** - 1 |
| 62 | + |
| 63 | +### Enable EDR in block mode |
| 64 | + |
| 65 | +When Microsoft Defender Antivirus is in passive mode, EDR in block mode can provide post-breach protection by detecting and remediating threats. Ensure this feature is enabled in Defender for Endpoint. |
| 66 | + |
| 67 | +### Avoid service modifications |
| 68 | + |
| 69 | +Don't disable, stop, or modify associated services such as `wscsvc`, `WinDefend`, or `MsMpEng`. Stopping these services can cause instability and make your device vulnerable to threats. |
| 70 | + |
| 71 | +### Exclude Defender binaries in third-party antivirus |
| 72 | + |
| 73 | +To prevent performance issues or conflicts, add Microsoft Defender Antivirus and Defender for Endpoint binaries to the exclusion list of your third-party antivirus solution. |
| 74 | + |
| 75 | +## Verify that passive mode is enabled |
| 76 | + |
| 77 | +This section describes how to confirm whether Microsoft Defender Antivirus is in passive mode. |
| 78 | + |
| 79 | +### Windows PowerShell |
| 80 | + |
| 81 | +Run the following PowerShell cmdlet: |
| 82 | + |
| 83 | +```powershell |
| 84 | +Get-MpComputerStatus | select AMRunningMode |
| 85 | +``` |
| 86 | + |
| 87 | +The `AMRunningMode` value indicates the current Defender Antivirus state: |
| 88 | + |
| 89 | +* **Normal** - Active mode |
| 90 | + |
| 91 | +* **Passive** - Passive mode |
| 92 | + |
| 93 | +* **EDR Block Mode** - EDR is operating in block mode |
| 94 | + |
| 95 | +### Windows security app |
| 96 | + |
| 97 | +Follow these steps to verify the Microsoft Defender Antivirus is in passive mode. |
| 98 | + |
| 99 | +1. Open the Windows Security app. |
| 100 | + |
| 101 | +2. Select **Virus & threat protection**. |
| 102 | + |
| 103 | +3. Under **Who’s protecting me?**, select **Manage providers**. |
| 104 | + |
| 105 | +4. On the *Security providers* page, verify the antivirus provider and state. |
| 106 | + |
| 107 | +## Additional resources |
| 108 | + |
| 109 | +[Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility) |
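Review bot: The "Set the registry key" section (new-file line 53) scopes `ForceDefenderPassiveMode` to Windows Server only, yet Prerequisites lists Windows 10 or newer. The page never says how a client device enters passive mode or whether any step is needed there. Add a sentence covering clients, or state that the section applies to servers only. In "Avoid service modifications" (line 69), `MsMpEng` is listed as a service alongside `wscsvc` and `WinDefend`, but it is the Defender Antivirus process name rather than a service name, so reword to "services and processes" or drop it. The NOTE at lines 33-34 says scheduled scans are disabled "unless specific configurations are applied" without naming them, and it directly follows the **Threat Scanning** bullet, which says files are scanned. Name or link the settings so the two statements don't read as contradictory. "Enable EDR in block mode" (line 65) tells the reader to ensure the feature is enabled but gives no location or link for doing so. In Prerequisites (lines 40-41), the parenthetical about the modern unified solution is attached to "Windows Server 2016, or newer" only, so it is unclear whether it also applies to Windows Server 2012 R2. Style: the heading "Windows security app" (line 95) should match the product casing used in step 1, "Windows Security app".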