Windows Defender Passive mode

Question

We need to set defender for endpoint to passive mode and on this article 'https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide' we must onboarded first.

So, i have several question regarding this :

• We need to turn off the tamper to change to passive mode? If yes, how we can disable tamper protection while the device onboarded to MDM?
• If passive mode already enable, will all protection such as Behavior Monitor, On Access Protection, Real Time Protection will be disabled?

Answer 1

Hi Handian,

In order to disable tamper protection for a single asset, I would login to the security.microsoft.com portal > devices and disable it for that server.

If passive mode is enabled, then AV is disabled. All of the features you mentioned depend on AV being enabled:

hope that helps.

Answer 2

@Handian Sudianto

To disable passive mode on windows server:

1. Open Registry Editor, and then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
2. Edit (or create) a DWORD entry called ForceDefenderPassiveMode, and specify the following settings:
   • Set the DWORD's value to 0.

        - Under **Base**, select **Hexadecimal**.
     

   Alternatively, you can turn on Microsoft Defender Antivirus by toggling on the Cloud-delivered protection and Real-time protection under the Virus & threat protection settings. Thanks, Akshay Kaushik