This article leads you through troubleshooting steps when migrating from an Endpoint Detection and Response (EDR) product to Microsoft Defender for Endpoint (MDE).
Prerequisites
Before planning the migration from your current EDR/AV platform to Microsoft Defender for Endpoint, please read Migrate to Microsoft Defender for Endpoint from non-Microsoft Endpoint Protection.
Note: Ensure you have all the recommended Exclusions in place in both products to help avoid interoperability issues.
It's important to know the following:
- When you install the MDE Sensor alongside any other EDR/AV device, the MDE Sensor will switch to “Passive Mode” as soon as the sensor detects the other product on Windows 10 and Windows 11.
Note: The MDE Sensor will not automatically flip to Passive Mode on Windows Server. Learn more about how Microsoft provides a Registry hack to put the Agent into Passive Mode.
- You can check the status of the MDE Sensor by opening a PowerShell prompt and entering Get-MpComputerStatus.
  - If the Sensor is Active it will show “Active”.
  - If the Sensor is in Passive Mode it will show “Passive”.
  - If the Sensor is in EDR in Block Mode (i.e., the MDE Sensor is taking over the EDR functionality) it will show “EDR in Block Mode”.
- If you run the MDE Sensor on macOS and Linux Endpoints, ensure you have all of the recommended Exclusions in place. The Mac and Linux Sensors should also automatically flip to Passive Mode.
When you check in your MDE console, the Sensors may show that they are in a “Misconfigured” state. Keep the Sensors in the Misconfigured state until you are ready to completely migrate to MDE. All you should have to do now is remove/uninstall your other EDR/AV (i.e., non-Microsoft Endpoint Protection) product, and the MDE Sensors will switch to an Active/Configured state.
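The status check described above can be scripted for a Windows endpoint. This is an added example, not part of the original article or Microsoft's tooling: the function name Get-DefenderMigrationState is hypothetical, and the AMRunningMode property and the ForceDefenderPassiveMode registry value are taken from Microsoft's documentation, not from this page.

```powershell
# Added example: summarise the Defender running mode on one Windows endpoint
# during a side-by-side migration. Run from an elevated PowerShell prompt.
function Get-DefenderMigrationState {
    [CmdletBinding()]
    param()

    # AMRunningMode holds the mode string reported by Get-MpComputerStatus.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $mode   = [string]$status.AMRunningMode

    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer = $os.ProductType -ne 1

    # Windows Server does not switch to Passive Mode on its own, so look for
    # the registry value that forces it (assumed path, per Microsoft docs).
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forced  = (Get-ItemProperty -Path $regPath -Name 'ForceDefenderPassiveMode' `
                    -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    # Match on substrings instead of exact values, since the wording of the
    # mode string can differ between platform versions.
    $note = if ($mode -match 'Passive') {
        'Passive Mode: the other EDR/AV product is still the primary protection.'
    } elseif ($mode -match 'Block') {
        'EDR in Block Mode: the MDE Sensor is handling the EDR functionality.'
    } elseif ($isServer -and $forced -ne 1) {
        'Server is not in Passive Mode and ForceDefenderPassiveMode is not set; ' +
        'check whether the other EDR/AV product is still installed.'
    } else {
        'Active: Defender is the primary protection on this endpoint.'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OperatingSystem    = $os.Caption
        IsServer           = $isServer
        AMRunningMode      = $mode
        ForcedPassiveByReg = ($forced -eq 1)
        Note               = $note
    }
}

Get-DefenderMigrationState | Format-List
```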