Microsoft Defender Passive Mode: What Is It and How to Use It

There is no shortage of tools for the modern security team. However, building a comprehensive set of tools typically requires antivirus (AV) and endpoint detection and response (EDR) solutions. The Microsoft suite includes Microsoft Defender and Defender for Endpoint, which provide both of those capabilities.

However, there are scenarios where Microsoft Defender might operate in what's known as Passive Mode, requiring teams to understand the when, why, and how to manage it effectively to avoid any unexpected security gaps.

What is Passive Mode in Microsoft Defender? 

Passive Mode allows Microsoft Defender Antivirus (MDAV) to operate in a monitoring-only capacity. While it scans incoming files and fires detections, it does not actively block those malicious files, unlike when operating in Active Mode. 

Only devices that are onboarded to Defender for Endpoint (MDE) can be set into Passive Mode, making it useful for Microsoft security environments where MDAV will not serve as the primary antivirus solution. Passive Mode is most often deployed in a handful of scenarios:

• Coexistence with a third-party antivirus: Organizations deploying the Microsoft security ecosystem may elect to leverage an alternative solution in place of MDAV but elect to use MDE as their EDR solution. Passive Mode ensures compatibility, allowing uninterrupted protection without resource conflicts or system degradation. 
  
  • In this circumstance, MDAV continues to collect telemetry and feed threat intelligence but doesn't take any preventative action, deferring to the primary AV solution.
• Temporary state during migrations: During transitions from another AV solution to MDAV, Passive Mode can act as a bridge where multiple AV solutions will be deployed on a device. It ensures that all endpoints are still monitored throughout the switch, eliminating downtime in security visibility. 

Passive Mode ensures that two AV systems cannot run on the same system simultaneously, avoiding excessive CPU and memory usage, and preventing conflicts with two systems taking preventative actions which could lead to false positives or system instability.

For maximum efficacy, Passive Mode is best deployed alongside the EDR in Block Mode setting in MDE. As telemetry is still collected and run through MDE while MDAV is in Passive Mode, the EDR component continues to monitor behavior, analyze threats, and trigger automatic blocking if malicious activity is detected and not handled by the primary AV.

Why else might a device enter Passive Mode? 

Devices typically enter and exit Passive Mode based on whether Windows Security Center (WSC) detects another active AV on a device. When that is found, devices are automatically placed into Passive Mode to avoid conflict.

However, there are instances where devices may unintentionally find themselves in this state, creating an unnecessary gap in antivirus protection:

• Dynamic policy configuration: Policies enforced through Group Policy or Microsoft Intune can automatically place devices in Passive Mode, such as by setting the ForceDefenderPassiveMode registry key to “1”. 
• Manual configuration: Admins can manually place devices into Passive Mode using a PowerShell command: `Set-MpPreference -PassiveMode $true`. 
• Residual third-party antivirus: Residual registry entries from improperly uninstalled third-party antivirus solutions can cause Microsoft Defender to remain in Passive Mode, assuming another antivirus is active. 
• WSC configuration issues: Misconfigured or disabled Windows Security Center (WSC) can prevent Defender from detecting changes in antivirus status, leaving it stuck in Passive Mode when it should be active

Devices don’t always stay in Passive Mode intentionally. Policy updates, software conflicts, or misconfigurations can unexpectedly shift devices into this state. Frequent monitoring ensures no endpoint becomes unintentionally unprotected. 

By regularly monitoring Passive Mode devices, security administrators can verify all devices are fully running AV and maintain full visibility into the status of their endpoint defense.

How to identify devices in Passive Mode 

Depending on the nature of your environment, Passive Mode may be a known commodity, especially in the case of leveraging another antivirus solution. During acquisitions, mergers, or instances that lead to multi-tool environments such as platform migrations regularly checking for devices in Passive Mode is essential to ensure comprehensive security coverage.

Here are a few ways to identify such devices:

1. Microsoft Defender Security Center: Use the Device Inventory and Antivirus Reports in the Microsoft Defender Security Center. These provide a clear overview of all endpoints, highlighting devices in Passive Mode.
2. PowerShell Command: On individual devices, you can run the following command in PowerShell to check a device's MDAV status: Get-MpComputerStatus | select AMRunningMode. The output will indicate whether the device is in Normal (Active), Passive, or EDR Block mode. 
3. Windows Security app: On individual endpoints, open the Windows Security App. Navigate to Virus & Threat Protection and check for notices stating that another AV is active, signaling that Defender is in Passive Mode. 
4. Prelude control monitoring: The Prelude platform continuously monitors your Defender environment to surface and notify of any devices running in Passive Mode, without EDR, without AV policies, and more.

How to resolve devices stuck in Passive Mode 

In the circumstance where devices end up in Passive Mode without having another primary AV on the device, there are a handful of ways to resolve this. This can occur most frequently following a migration, acquisition, or after a manual policy change forces the device into Passive Mode.

• Check for third-party AV remnants: Following a migration from another AV tool, you should leverage the original vendor's included cleanup tools to ensure all registry entries, services, and components are fully removed from the impacted device which may be causing WSC to view the device with another active AV.
• Verify configuration policies: Inspect your Group Policy or Intune settings for registry values (e.g., ForceDefenderPassiveMode) that force Passive Mode on the device. In some circumstances, dynamic groups may exist that place devices in this state outside of the automatic placement leveraged by WSC.
• Restart Windows Security Center (WSC): Restarting the WSC service can prompt it to detect any changes in AV presence and switch to the correct mode in either direction
• Manually reboot MDAV on the device: If Passive Mode persists, manually enable Microsoft Defender as the primary antivirus using PowerShell or your organization’s security configuration tools: Set-MpPreference -PassiveMode $false

Stay confident in your Microsoft deployment

Microsoft Defender Passive Mode provides the flexibility to integrate Defender’s EDR capabilities with third-party antivirus solutions. When used effectively, it ensures comprehensive threat detection and telemetry collection without conflicts. 

Like any control configuration, this also comes with management responsibilities. Regular reviews, policy checks, and proactive monitoring are essential to ensure that any of those devices in Passive Mode still have an active antivirus on the device. Combining Passive Mode with EDR in Block Mode and another antivirus tool while actively reviewing devices in that state can ensure an effective configuration with Microsoft's security tools.