Enterprise Defense-in-Depth: Implementing Defender EDR in Block Mode Alongside Third-Party AV

Why This Matters

In many enterprise environments, Microsoft Defender for Endpoint (MDE) is onboarded for its EDR sensor, advanced hunting, and Microsoft Defender XDR integration, but a third-party antivirus such as CrowdStrike Falcon, SentinelOne, or Trend Micro is the registered primary AV. The moment that third-party product registers itself with the Windows Security Center, Microsoft Defender Antivirus drops into passive mode.

Passive mode is a quiet but consequential state. The Defender AV engine stops actively scanning the filesystem: real-time protection, on-access scanning, and the protection features bound to that engine, including Attack Surface Reduction (ASR) rules, no longer enforce anything. Your devices are still onboarded to MDE and still send telemetry, but a whole class of preventive controls silently goes dark.

This is the exact gap EDR in block mode was built to close.

Conceptual Overview

Think of the two layers Defender provides on an endpoint:

  • The AV engine (next-gen protection): pre-execution, real-time scanning. Disabled when in passive mode.
  • The EDR sensor: behavioral detection and response, post-breach. Always active once onboarded, independent of AV mode.

By default, when Defender is in passive mode and the EDR sensor detects a malicious artifact, it can detect and alert, but it does not remediate. It assumes the primary AV (CrowdStrike, Trend, SentinelOne…) owns the blocking decision. If that primary AV misses the threat, the malicious artifact survives.

EDR in block mode changes this behavior. It authorizes the Defender EDR layer to block and remediate malicious artifacts it detects through behavioral analysis, even when Defender AV is passive and a third-party AV is primary. It becomes a post-breach backstop: if the primary AV (CrowdStrike, Trend, SentinelOne…) misses something, Microsoft’s behavioral engine can still contain it.

Critically, EDR in block mode operates on post-breach detections. It is not a substitute for pre-execution prevention (which is what ASR rules and real-time AV provide). It is a complementary second line of defense.

Prerequisites

Before enabling EDR in block mode, confirm the following:

Licences

  • Microsoft 365 Business Premium.
  • Microsoft 365 E5.
  • Microsoft Defender for Endpoint Plan 2 in addition to another license (E3, …).

Administrator roles

  • An account with the Global Administrator or Intune Administrator role to access the Microsoft Intune Admin Center.
  • An account with the Global Administrator or Security Administrator role to access the Microsoft Defender Portal.

Antivirus mode

  • Defender AV in passive mode, not disabled. If disabled, the engine cannot perform remediation even with block mode on.
  • Validate the AV running mode on a device with PowerShell:
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected, AntivirusEnabled

If AMRunningMode returns Passive mode, you are in the scenario where EDR in block mode delivers its value. If it returns Not running or the engine is disabled, fix that first. Tamper Protection should be enabled to prevent local tampering.

How to Enable It (Defender XDR Portal)

EDR in block mode is a tenant-level setting. Enable it once and it applies to all eligible onboarded devices:

  1. Go to the Microsoft Defender portal (security.microsoft.com).
  2. In the left navigation, expand System.
  3. Select Settings.
  4. Choose Endpoints.
  5. Under General, open Advanced features.
  6. Toggle Enable EDR in block mode to On.
  7. Click Save preferences.

That single toggle activates the post-breach blocking backstop across your estate. As Microsoft notes in the portal itself, to get the best protection you should still apply the security baselines in Intune alongside it.

How to Enable It (Intune Admin Center)

  • Sign in to the Microsoft Intune Admin Center by opening your web browser to https://intune.microsoft.com.
  • In the left menu, click Endpoint security.
  • Then click Endpoint detection and response.
  • Then select EDR Onboarding Status.
  • Click Deploy preconfigured policy, keeping all the default options.
  • Click Save.

After a few minutes, the policy is deployed on the device.

Validate the Block Mode

In the left menu, click Assets, then Devices.

The device is now visible in the Defender console.

It is also possible to verify the successful deployment via the following PowerShell command:

Get-MpComputerStatus

Once the policy has applied, the AMRunningMode attribute returns the value EDR Block Mode.
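The two checks above (the prerequisite check of the AV running mode and the post-deployment validation) can be folded into one readiness script. The following is an added example, not code from the original post: it reads Get-MpComputerStatus and Get-MpPreference, classifies the device into the states discussed in this article, flags Tamper Protection being off, and surfaces how many ASR rules are configured in block mode so that, when the engine is passive, you can see the rules that are present but not enforced. The function name Get-DefenderBlockModeReadiness is my own; the AMRunningMode strings it matches are the values Defender reports (Normal, Passive Mode, EDR Block Mode, Not running), and the wildcard also catches the SxS Passive Mode variant seen on some servers.

```powershell
# Added example (not from the original post): classify the Defender AV running
# state on this device and explain what it means for EDR in block mode.
# Assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference)
# is available, i.e. a Windows device with the Defender engine installed.

function Get-DefenderBlockModeReadiness {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference

    # Count ASR rules configured in Block mode (action value 1). In passive mode
    # these are reported by the preference store but enforce nothing.
    $asrBlockCount = 0
    if ($prefs.AttackSurfaceReductionRules_Actions) {
        $asrBlockCount = @($prefs.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    }

    $result = [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        AMRunningMode      = $status.AMRunningMode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        AsrRulesInBlock    = $asrBlockCount
        Assessment         = $null
    }

    # switch is case-insensitive; -Wildcard lets '*Passive Mode' also match 'SxS Passive Mode'
    switch -Wildcard ($status.AMRunningMode) {
        'Normal' {
            $result.Assessment = 'Defender AV is primary; it already remediates, so EDR in block mode adds nothing here.'
        }
        '*Passive Mode' {
            $result.Assessment = 'Third-party AV is primary; EDR in block mode delivers its value on this device. ' +
                                 "$asrBlockCount ASR rule(s) are configured but NOT enforced in passive mode."
        }
        'EDR Block Mode' {
            $result.Assessment = 'EDR in block mode is active on this device.'
        }
        'Not running' {
            $result.Assessment = 'Defender engine is not running; block mode cannot remediate. Fix this first.'
        }
        default {
            $result.Assessment = "Unrecognised mode '$($status.AMRunningMode)'; investigate."
        }
    }

    if (-not $status.IsTamperProtected) {
        $result.Assessment += ' Tamper Protection is OFF; enable it.'
    }
    return $result
}

# Run locally from an elevated PowerShell session
Get-DefenderBlockModeReadiness | Format-List
```

Run it before enabling the feature to confirm the device is in Passive Mode (not Not running), then again after the Intune policy lands to confirm the transition to EDR Block Mode. Fanning it out with Invoke-Command gives a quick fleet-wide inventory of which devices are actually covered.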

Best Practices

  • Treat it as defense-in-depth, not redundancy. EDR in block mode complements the primary AV (CrowdStrike, Trend, SentinelOne…); it does not compete with it. Both layers detecting independently increases your odds of catching what one misses.
  • Maintain Tamper Protection. It prevents local processes (or an attacker) from flipping Defender out of its intended state.
  • Apply Intune security baselines. Microsoft explicitly recommends pairing block mode with the MDE security baseline for full coverage.
  • Monitor in Defender XDR. Block mode remediation actions surface in the portal as automated remediations. Review them to confirm the backstop is firing and to tune any exclusions in coordination with your primary AV policy (CrowdStrike, Trend, SentinelOne…).
  • Coordinate exclusions across both products. A path excluded in the primary AV (CrowdStrike, Trend, SentinelOne…) but blocked by Defender (or vice versa) creates confusing dual-verdict scenarios. Align exclusion lists deliberately.
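Aligning exclusion lists is easier when the comparison is scripted. The following is an added example, not code from the original post or from any of the vendors named: it reads the Defender exclusions live via Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension), normalises them, and diffs them against the list exported from the primary third-party AV. The third-party list and the -UseConstructedDefenderList sample are constructed placeholder data so the example runs anywhere; the function name Compare-AvExclusions is my own.

```powershell
# Added example (not from the original post): reconcile Defender exclusions with
# the exclusion list exported from the primary third-party AV, so both products
# agree on what is excluded and you avoid dual-verdict surprises.

function Compare-AvExclusions {
    param(
        # Paths, processes or extensions excluded in the primary AV (exported from its console)
        [Parameter(Mandatory)] [string[]] $ThirdPartyExclusions,
        # Use a constructed Defender list instead of Get-MpPreference (lets the example run without Defender)
        [switch] $UseConstructedDefenderList
    )

    if ($UseConstructedDefenderList) {
        # Constructed sample of what Get-MpPreference might return on a SQL host
        $defender = @('C:\Program Files\SQL Server\', '.mdf', 'C:\Ops\agent\agent.exe')
    } else {
        $p = Get-MpPreference
        $defender = (@($p.ExclusionPath) + @($p.ExclusionProcess) + @($p.ExclusionExtension)) |
                    Where-Object { $_ }
    }

    # Normalise: trim, drop trailing backslash, lower-case (Windows paths are case-insensitive)
    $norm = { param($s) $s.Trim().TrimEnd('\').ToLowerInvariant() }
    $d = @($defender             | ForEach-Object { & $norm $_ })
    $t = @($ThirdPartyExclusions | ForEach-Object { & $norm $_ })

    [PSCustomObject]@{
        InBoth             = @($d | Where-Object { $t -contains $_ })
        OnlyInDefender     = @($d | Where-Object { $t -notcontains $_ })
        OnlyInThirdPartyAV = @($t | Where-Object { $d -notcontains $_ })
    }
}

# Constructed sample export from the primary AV (placeholder values, not real policy)
$thirdParty = @('C:\Program Files\SQL Server', '.mdf', 'C:\Legacy\app\')

$report = Compare-AvExclusions -ThirdPartyExclusions $thirdParty -UseConstructedDefenderList
$report | Format-List
# With the constructed data: InBoth = SQL Server path and .mdf;
# OnlyInDefender = agent.exe; OnlyInThirdPartyAV = C:\Legacy\app
```

Anything in OnlyInDefender or OnlyInThirdPartyAV is a candidate for a deliberate decision: either add it to the other product or document why one engine should still inspect that location. Drop the -UseConstructedDefenderList switch to run against the real Defender preferences on a device.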

Errors to Avoid

  • The ASR Rule Illusion: ASR rules do not work when Defender is in passive mode, creating a false sense of compliance. You must use third-party AV for surface reduction and rely on Microsoft only as a behavioral backstop.
  • “Passive” vs. “Disabled”: Do not confuse a passive Defender engine with a disabled one. If Defender is completely turned off, EDR in block mode cannot remediate threats; the passive state is mandatory.
  • Post-Breach, Not Pre-Execution: Block mode acts on post-breach behavioral detections after a threat has bypassed primary defenses. It is not a real-time scanner and cannot replace the third-party AV’s pre-execution engine.
  • The “Set and Forget” Mistake: Deploying this feature without monitoring telemetry in Defender XDR creates a major blind spot. Without active review, you won’t know if your backstop is actually working until an incident occurs.

Conclusion

When a third-party AV (CrowdStrike, Trend, SentinelOne…) owns the primary slot, Microsoft Defender Antivirus retreats into passive mode and a meaningful set of preventive controls (real-time scanning and ASR rules among them) stops enforcing. EDR in block mode is the one toggle that restores active protection value from the Microsoft side in that exact configuration, authorizing the behavioral EDR engine to block and remediate threats that slip past your primary AV.

It is not a replacement for third-party AV (CrowdStrike, Trend, SentinelOne…), and it is not a workaround for ASR. It is a focused, post-breach safety net, and in a defense-in-depth, Zero-Trust-aligned architecture, it’s a setting you should turn on deliberately, monitor actively, and pair with your Intune security baselines.


Thanks

Aymen EL JAZIRI (Microsoft MVP)