How to activate Defender EDR in "Block Mode"


Introduction

With cyber threats constantly evolving, antivirus solutions are no longer sufficient to effectively protect workstations. Block Mode in Microsoft Defender for Endpoint is an often overlooked but essential feature for strengthening endpoint protection in a Microsoft 365 environment. It allows EDR (Endpoint Detection and Response) to intervene even on devices using third-party antivirus software, actively blocking detected threats instead of simply reporting them. By enabling Block Mode, you let Defender act as an additional layer of protection, capable of stopping a malicious executable or post-exploitation activity as soon as it is identified.


Prerequisites

A Windows 10/11 PC

  • A Windows 10/11 PC enrolled in Intune.

An Entra ID group

  • An Entra ID security group that contains the relevant PCs.

Required licenses

  • Microsoft 365 Business Premium, Microsoft 365 E5.
  • Microsoft Defender for Endpoint Plan 2 in addition to another license (E3, …).

Administrator role

  • An account with the Global Administrator or Intune Administrator role to access the Microsoft Intune Admin Center.
  • An account with the Global Administrator or Security Administrator role to access the Microsoft Defender Portal.

Step 1: Sign in to the Microsoft Defender Portal

Sign in to the Microsoft Defender Portal by opening your web browser to https://security.microsoft.com.


Step 2: Activate Block Mode

In the left menu, click System, then Settings.

Click Endpoints, then General, and Advanced features.

Activate the Enable EDR in block mode switch.


Step 3: Sign in to the Microsoft Intune Admin Center

Sign in to the Microsoft Intune Admin Center by opening your web browser to https://intune.microsoft.com.


Step 4: Activate the Endpoint Detection and Response policy

In the left menu, click Endpoint security, then Endpoint detection and response.

Click Deploy preconfigured policy, and create a policy for the Windows platform, keeping all the default options.

After a few minutes, the policy is deployed on the device.


Step 5: Validate Block Mode

In the left-hand menu, click Assets, then Devices.

The device is now visible in the Defender console.

It is also possible to verify the successful deployment with the following PowerShell command:

Get-MpComputerStatus

As you can see on my computer, the AMRunningMode attribute returns the value EDR Block Mode. You can also see in my taskbar that I have two antivirus programs, Avast and Defender.
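
To check the same field from a script instead of reading the full output by eye, the following added example (not part of the original post and not Microsoft's code) wraps Get-MpComputerStatus and also looks at the Defender for Endpoint sensor service. The function name Test-EdrBlockMode is hypothetical, and the final exit code assumes the script is saved and run as a .ps1 file.

```powershell
# Added example. Test-EdrBlockMode is a hypothetical helper name, not a Microsoft cmdlet.
function Test-EdrBlockMode {
    [CmdletBinding()]
    param()

    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Defender module missing or the antimalware service did not answer
        return [pscustomobject]@{
            Compliant     = $false
            AMRunningMode = $null
            SenseService  = $null
            Detail        = "Get-MpComputerStatus failed: $($_.Exception.Message)"
        }
    }

    # The Defender for Endpoint sensor runs as the Windows service 'Sense'
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $senseState = if ($sense) { $sense.Status.ToString() } else { 'NotFound' }

    # Explain each running mode the AMRunningMode field can report
    $detail = switch ($status.AMRunningMode) {
        'EDR Block Mode'   { 'Defender Antivirus is not the primary AV and EDR block mode is on.' }
        'Normal'           { 'Defender Antivirus is the active antivirus on this device.' }
        'Passive Mode'     { 'Defender Antivirus is passive; block mode is not reported.' }
        'SxS Passive Mode' { 'Defender runs beside another AV with limited periodic scanning.' }
        default            { "Unexpected AMRunningMode value: '$($status.AMRunningMode)'" }
    }

    [pscustomobject]@{
        Compliant     = ($status.AMRunningMode -eq 'EDR Block Mode' -and $senseState -eq 'Running')
        AMRunningMode = $status.AMRunningMode
        SenseService  = $senseState
        Detail        = $detail
    }
}

$result = Test-EdrBlockMode
$result | Format-List
# Non-zero exit code lets a scheduled task or management tool flag the device
if (-not $result.Compliant) { exit 1 }
```

On a device where Defender Antivirus is itself the primary antivirus, the field reads Normal, so the Compliant flag here only matches the third-party antivirus scenario this post describes.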


Conclusion

You now know how to enable Defender EDR in Block Mode.


Sources

Microsoft Learn - Endpoint detection and response in Block Mode

