MDATP – EDR in block mode [Public Preview]
When EDR in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection.
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
When EDR in block mode detects malicious behaviors or artifacts, it stops related running processes, blocking the attack from progressing. These blocks are reported in Microsoft Defender Security Center, where security teams can see details of the threat and remediation status, and use Microsoft Defender ATP’s rich set of capabilities to further investigate and hunt for similar threats as necessary.
|Permissions||Global Administrator or Security Administrator role assigned in Azure Active Directory. See Basic permissions.|
|Operating system||One of the following versions:|
– Windows 10 (all releases)
– Windows Server 2016 or later
|Windows E5 enrollment||Windows E5 is included in the following subscriptions:|
– Microsoft 365 E5
– Microsoft 365 E3 together with the Identity & Threat Protection offering
See Components and features and capabilities for each plan.
|Cloud-delivered protection||Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.|
See Enable cloud-delivered protection.
|Microsoft Defender Antivirus antimalware client||Make sure your client is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator.|
In the AMProductVersion line, you should see 4.18.2001.10 or above.
|Microsoft Defender Antivirus engine||Make sure your engine is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator.|
In the AMEngineVersion line, you should see 1.1.16700.2 or above
To get the best protection, make sure to apply security baselines in Intune.
- Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.
- Choose Settings > Advanced features.
- Turn on EDR in block mode.
EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.