How to Deploy Microsoft Defender for Endpoint in Passive Mode

Microsoft Defender for Endpoint (MDE) can run in Passive mode when you want to keep Defender available for EDR detection and reporting while another antivirus solution handles real-time protection. This setup is common in enterprise environments, during security tool migrations, or when running Defender alongside a third-party antivirus.

In most cases, Defender for Endpoint not entering Passive mode is caused by incorrect onboarding, antivirus conflicts, wrong policy configuration, or unsupported Windows versions, not a Defender malfunction. This guide explains what Passive mode is, when to use it, and how to deploy it correctly step by step.

What Is Defender for Endpoint Passive Mode?

In Passive mode:

• Microsoft Defender Antivirus does not provide real-time protection
• Defender still collects telemetry and threat data
• Alerts are sent to the Microsoft 365 Defender portal
• Another antivirus remains the primary protection engine

This mode is ideal when Defender is used for endpoint detection and response (EDR) only.

Requirements Before Enabling Passive Mode

Before deploying Passive mode, make sure the following conditions are met:

1. Devices are licensed for Microsoft Defender for Endpoint
2. Windows version supports Passive mode:
   • Windows 10 1703 or later
   • Windows 11 (all supported editions)
3. A third-party antivirus is installed and active
4. Defender for Endpoint onboarding is completed successfully

Without a primary antivirus, Defender may switch back to active mode.

How to Deploy Defender for Endpoint in Passive Mode

Follow the steps in order. After each major step, verify the Defender state before proceeding.

1. Onboard the Device to Defender for Endpoint

Passive mode is only available after onboarding.

1. Sign in to the Microsoft 365 Defender portal
2. Go to Settings > Endpoints > Onboarding
3. Choose your operating system
4. Download the onboarding package:
   • Script
   • Group Policy
   • Microsoft Intune
5. Deploy the onboarding package to target devices

Confirm onboarding by checking device status in the portal.

2. Install and Enable a Third-Party Antivirus

Defender switches to Passive mode automatically when another AV is detected.

1. Install the approved third-party antivirus
2. Ensure real-time protection is enabled
3. Verify the AV is registered with Windows Security Center

If no antivirus is detected, Defender will remain active.

3. Verify Defender Is in Passive Mode (Critical Step)

Check the current Defender mode on the endpoint.

1. Open PowerShell as Administrator
2. Run:

Get-MpComputerStatus

3. Check the value of:

AMRunningMode

Expected result:

Passive Mode

If it shows Normal, Passive mode is not active yet.

4. Force Passive Mode Using Registry (Optional / Controlled Environments)

Use this only when required for testing or strict control.

Use caution when editing the registry.

1. Open Registry Editor
2. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

3. Create or set the following DWORD:

ForcePassiveMode = 1

4. Restart the device

This forces Defender Antivirus into Passive mode.

5. Deploy Passive Mode via Group Policy

For domain-joined devices.

1. Open Group Policy Management
2. Edit the target policy
3. Go to:

Computer Configuration  
> Administrative Templates  
> Windows Components  
> Microsoft Defender Antivirus

4. Enable Turn off Microsoft Defender Antivirus
5. Apply the policy and run:

gpupdate /force

6. Restart the device

This ensures Defender AV does not become active.

6. Deploy Passive Mode Using Microsoft Intune

For Intune-managed devices.

1. Go to Intune Admin Center
2. Create a Configuration Profile
3. Choose Settings catalog
4. Search for Defender Antivirus
5. Configure policies to disable real-time protection
6. Assign the profile to target devices

This works well for cloud-managed endpoints.

7. Confirm EDR Is Still Active

Passive mode should not disable EDR.

1. Go to the Microsoft 365 Defender portal
2. Open a device profile
3. Confirm:
   • Sensor health = Active
   • Alerts are reporting
   • Timeline data is present

If EDR is missing, onboarding is incomplete.

Final Thoughts

Deploying Microsoft Defender for Endpoint in Passive mode is the correct approach when you want EDR visibility without replacing an existing antivirus solution. In most environments, Passive mode activates automatically once Defender for Endpoint is onboarded and a third-party antivirus is present.