When Microsoft Defender Antivirus is in passive mode because another primary AV is registered, real-time protection, on-access scanning, and most traditional AV enforcement components are not actively scanning the file system. However, Defender is still present, signatures can still be updated, the engine is still available, and EDR in block mode can take action when Defender for Endpoint detects post-breach activity. The goal in your scenario would be to keep Defender fully healthy and ready so that if the third-party AV fails or is removed, Defender can transition to active mode without requiring reconfiguration, while still leveraging EDR in block mode today.
For Antivirus policy in Intune, configure Defender as you would for an active deployment, but understand that real-time protection settings will not be enforced while passive mode is in effect. Do not disable real-time protection, behavior monitoring, IOAV protection, or cloud protection in policy. Keep cloud-delivered protection enabled and set the cloud block level to High or High+ (depending on your risk tolerance), and enable automatic sample submission. Keep security intelligence updates on a frequent schedule and ensure the engine and platform updates are deployed regularly. Configure scheduled quick scans (for example daily) and optionally weekly full scans; while passive mode suppresses real-time protection, scheduled scans can still run if Defender is not completely disabled. This ensures the engine remains operational and signatures are exercised. Avoid exclusions unless absolutely necessary - exclusions configured now will persist if Defender becomes active later.
Since you have already enabled EDR in block mode at the tenant level, ensure that the endpoint-level configuration allows it. Verify that Defender Antivirus is set to passive mode (not disabled) so that EDR in block mode can use the Defender engine for remediation. The key setting is:
Set-MpPreference -DisableRealtimeMonitoring $false
and ensure the product state reflects passive mode rather than disabled. You can validate status with:
Get-MpComputerStatus | Select AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected
AMRunningMode should show Passive. Tamper Protection should be enabled to prevent local modification of Defender settings.
For ASR rules, in your scenario, consider configuring them as if Defender were active, because ASR enforcement does not depend on Defender being the primary AV; it depends on the Defender engine and MDE. Most ASR rules function with Defender in passive mode as long as the device is onboarded to Defender for Endpoint. Deploy ASR rules in block mode for high-confidence rules such as blocking credential stealing from LSASS, blocking executable content from email and webmail clients, blocking Office from creating child processes, and blocking process creation from PSExec and WMI commands if appropriate for your environment. For rules that could affect server workloads, start in audit mode, monitor Advanced Hunting and alert data, then move to block once validated. The important point is not to leave ASR unconfigured simply because Defender AV is passive; ASR provides independent attack surface reduction that complements your third-party EDR.
For Firewall, Microsoft Defender Firewall is independent of Defender Antivirus and should remain fully enabled unless your third-party EDR includes its own host firewall that replaces it. In most enterprise deployments, best practice is to keep Defender Firewall enabled for Domain, Private, and Public profiles with default inbound block and outbound allow, then layer explicit allow rules for required server roles. Configure logging for dropped packets and successful connections to support investigation. Do not disable the firewall simply because another EDR is installed; the Windows firewall stack is tightly integrated with the OS and Defender for Endpoint telemetry.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
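As an added example (not part of Marcin's answer or any Microsoft tooling), the checks in the answer above can be gathered into one script that reports whether a device is in the expected posture: AV passive rather than disabled, Tamper Protection on, cloud protection and sample submission enabled, fresh signatures, no exclusions, and Defender Firewall enabled with logging on every profile. It assumes an elevated PowerShell session on the endpoint; the 1-day signature and 7-day quick-scan thresholds are illustrative choices.

```powershell
# Added example, not from the original answer. Run elevated on the endpoint.
function Test-PassiveDefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Pass, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }
    # Engine must be passive (shown as 'Passive Mode', or 'EDR Block Mode' once block mode is
    # active), never 'Not running': EDR in block mode remediates through the Defender engine.
    Add-Finding 'AV running mode is passive / EDR block' ($status.AMRunningMode -match 'Passive|EDR Block') $status.AMRunningMode
    Add-Finding 'Tamper Protection enabled' $status.IsTamperProtected $status.IsTamperProtected
    # Policy must not disable real-time protection; passive mode suppresses it, policy should not.
    Add-Finding 'Real-time monitoring not disabled by policy' (-not $pref.DisableRealtimeMonitoring) $pref.DisableRealtimeMonitoring
    # MAPSReporting 2 = Advanced; CloudBlockLevel 2 = High, 4 = High+; SubmitSamplesConsent 1 or 3 = samples sent.
    Add-Finding 'Cloud-delivered protection (MAPS) on' ($pref.MAPSReporting -eq 2) $pref.MAPSReporting
    Add-Finding 'Cloud block level High or higher' ($pref.CloudBlockLevel -ge 2) $pref.CloudBlockLevel
    Add-Finding 'Automatic sample submission on' ($pref.SubmitSamplesConsent -in 1, 3) $pref.SubmitSamplesConsent
    # Signatures and scheduled scans keep being exercised while passive (illustrative thresholds).
    Add-Finding 'Security intelligence at most 1 day old' ($status.AntivirusSignatureAge -le 1) "$($status.AntivirusSignatureAge) day(s)"
    Add-Finding 'Quick scan within the last 7 days' ($status.QuickScanAge -le 7) "$($status.QuickScanAge) day(s)"
    # Exclusions set now survive a later switch to active mode, so flag any that exist.
    $exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) | Where-Object { $_ })
    Add-Finding 'No AV exclusions configured' ($exclusions.Count -eq 0) ($exclusions -join '; ')
    # Defender Firewall is independent of the AV engine: enabled on every profile,
    # inbound blocked by default, outbound not blocked, dropped and allowed traffic logged.
    foreach ($fw in Get-NetFirewallProfile) {
        $ok = ($fw.Enabled -eq 'True') -and ($fw.DefaultInboundAction -eq 'Block') -and
              ($fw.DefaultOutboundAction -ne 'Block') -and ($fw.LogBlocked -eq 'True') -and ($fw.LogAllowed -eq 'True')
        Add-Finding "Firewall profile $($fw.Name) hardened" $ok "Enabled=$($fw.Enabled) In=$($fw.DefaultInboundAction) Out=$($fw.DefaultOutboundAction) LogBlocked=$($fw.LogBlocked) LogAllowed=$($fw.LogAllowed)"
    }
    return $findings
}

$results = Test-PassiveDefenderPosture
$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more posture checks failed; review the Detail column.' }
```

Running it before and after the Intune policy lands shows which of the settings discussed above actually reached the device, which is useful because passive mode hides real-time protection state from the usual status views.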