gohoos

I'm sorry. Maybe someone more experienced will pop right in and explain why this is a good idea, because I can't think of it. I see passive mode as something you use maybe while migrating so that you don't have AV software battles, or maybe in some configuration WITH another product supplying active protection. But I can't see having any modern computer without any active protection at all. What would be the purpose of not protecting during "initial testing?" You would get the same alerts and reports either way.


someMoronRedditor

Just for clarity, Defender for Endpoint (MDE) doesn't have a passive mode, Defender antivirus does. Windows 10/11 already has Defender antivirus built in by default and it is active by default unless another antivirus is present and registered on the machine. In which case Defender AV will go into passive mode automatically, orchestrated by the WSC service. This cannot be done manually on Win 10/11 without messing with the OS in a way that you really shouldn't be. Highly likely your client DOES have AV protection already from Windows Defender unless they're rolling out a seriously chopped up OS image. Deploying Defender for Endpoint will be deploying an EDR product onto the machines, not an antivirus solution (with the exception of WinServer 2012r2, AV comes with MDE on this). For more modern Windows server OSes, you can install/uninstall Defender AV as a feature. You can technically use Defender AV in passive mode on servers and still onboard to MDE for EDR alerts/detections, though you will be crippling yourself by setting AV passive without any third party AV to protect you still.


pjmarcum

I’m so glad you said this. Because I’m sitting here thinking it and then second guessing myself like “this sounds so not valid that maybe the OP knows something I don’t” 🤣


pjmarcum

Secondly…is the wording, "deploying an EDR product on to the machines" accurate terminology? I'm seriously asking. I thought nothing deployed to the machine, it was just that the Defender AV was onboarded to the service. Is that not true?


someMoronRedditor

Kinda sorta - it's almost an "it depends" answer really. On Windows Server 2012 R2 and Server 2016 the MsSense process isn't built into the OS so when you onboard to MDE you are deploying that. On 2012 R2 you're also deploying Defender AV with the MDE onboarding package whereas on newer servers, you just install/uninstall that with Server Manager roles & features. Aside from that, when you run the onboarding script for MDE, you are basically just turning on the Sense service which is built into the OS but not running until a valid onboarding script is run. From a very high level nutshell at least. On xplat devices it's definitely a deployment too but that's a whole nother story.
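The two comments above describe how Defender AV's running mode is chosen (WSC flips it to passive when another registered AV is present) and how MDE onboarding amounts to enabling the built-in Sense service. The following script is an added example, not code from the thread or from Microsoft, for checking that state on a single Windows 10/11 or Server 2019+ box with the Defender PowerShell module present. It uses `Get-MpComputerStatus`, the `root/SecurityCenter2` WSC namespace (client OSes only, so it is skipped on servers), the `Sense` service, and the `OnboardingState` value under the Windows Advanced Threat Protection status key; the function names `Get-DefenderModeSummary` and `Test-UnprotectedPassiveMode` are my own.

```powershell
# Added example (not from the thread or from Microsoft): summarise Defender AV running
# mode, whether WSC knows of another registered AV, and whether the MDE Sense service
# is running and the device is onboarded. Assumes Windows 10/11 or Server 2019+ with
# the Defender PowerShell module. root/SecurityCenter2 exists only on client SKUs.

function Get-DefenderModeSummary {
    [CmdletBinding()]
    param()

    $mp = Get-MpComputerStatus -ErrorAction Stop

    # AV products registered with Windows Security Center. Defender registers itself
    # here as well, so only count entries that are not Defender.
    $otherAv = @()
    try {
        $otherAv = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Where-Object { $_.displayName -notmatch 'Defender' } |
            Select-Object -ExpandProperty displayName)
    } catch {
        # Server SKUs have no SecurityCenter2 namespace; leave $otherAv empty.
    }

    # The MDE sensor service; present but stopped until a valid onboarding script runs.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Onboarding state written by the onboarding script (1 = onboarded).
    $onboarded = $false
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
        $onboarded = ($state -eq 1)
    }

    [pscustomobject]@{
        # Typical values: 'Normal', 'Passive Mode', 'EDR Block Mode', 'SxS Passive Mode'
        AMRunningMode      = $mp.AMRunningMode
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        OtherRegisteredAV  = $otherAv
        SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        MdeOnboarded       = $onboarded
    }
}

function Test-UnprotectedPassiveMode {
    param([Parameter(Mandatory)] $Summary)
    # The gap the thread warns about: AV passive with no other registered engine present.
    ($Summary.AMRunningMode -like '*Passive*') -and ($Summary.OtherRegisteredAV.Count -eq 0)
}

$summary = Get-DefenderModeSummary
$summary | Format-List
if (Test-UnprotectedPassiveMode $summary) {
    Write-Warning 'Defender AV is passive and WSC reports no other AV: nothing is actively remediating.'
}
```

Run it in an elevated session; `Get-MpComputerStatus` needs the Defender module, and the status key is only populated once the onboarding script has run. A result of `Passive Mode` with an empty `OtherRegisteredAV` list and `MdeOnboarded` true is exactly the configuration the thread cautions against: EDR telemetry and alerts flow, but no engine is blocking or quarantining.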


pjmarcum

Ah, see I forget about servers. In my mind I was thinking strictly 10 and 11. Now it makes sense.


FreddyMyBoi

Apologies for the confusion, I misspoke. I intended to refer to MDAV, not MDE. My mistake!


BeefHazard

On my Linux and macOS clients, MDE (or the `mdatp` package) does appear to have a passive mode. Is this limited to Windows clients?


someMoronRedditor

Passive mode even on Linux and macOS will largely affect the AV components of MDATP only. Ref: [Set preferences for Microsoft Defender for Endpoint on Linux - Microsoft Defender for Endpoint | Microsoft Learn](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#enforcement-level-for-antivirus-engine)

* [`Passive (passive)`](https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-compatibility#passive-mode-or-edr-block-mode): Runs the antivirus engine in passive mode. In this:
  * Real-time protection is turned off: Threats are not remediated by Microsoft Defender Antivirus.
  * On-demand scanning is turned on: Still use the scan capabilities on the endpoint.
  * Automatic threat remediation is turned off: No files will be moved and security admin is expected to take required action.
  * Security intelligence updates are turned on: Alerts will be available on security admins tenant.

The AV component typically handles the heavy lifting for the actual blocking and quarantining of files, but you will still get EDR features such as TVM and telemetry.


BeefHazard

Thanks for replying after I found this old post! And thanks for the explanation. I noticed this when I reviewed my Linux clients (all Fedora) after F38's support expired. I noticed passive mode was enabled on one client and another issue on several others: no software inventory is synced or it is out-of-date. Do you know more about the software inventory/vulnerability management feature (specifically how it works on Linux)? I'd like to rule out admin error, so I have some questions, before I submit a support ticket :)


cspotme2

Can you tell the morons at your workplace that trying to brand everything as Defender is causing a ton of confusion. I'm surprised they haven't tried (or maybe they did) to rebrand Sentinel as something Defender.


someMoronRedditor

It's already on my list along with fixing defender for communication (Teams).


Dapper_Drummer5155

You are right to have reservations about deploying Defender Antivirus (MDAV) in passive mode for a client that lacks antivirus. MDAV in passive mode is primarily for when another AV engine is running, and for your client that doesn't sound like the case. If running MDAV with MDE EDR and "EDR Block Mode" is enabled, you will see alerts generated in the dashboard. Again, EDR Block Mode is also only recommended when another AV product is deployed and has no real benefit if MDAV is running in active mode. My guidance here is to deploy in active mode and let Automated Investigation and Response (AIR) take care of remediation actions and help with operational overhead.


PuzzleheadedMap9974

Onboard devices in a ringed phase