What Is Microsoft Defender Passive Mode?
Understand Microsoft Defender passive mode, why it happens, how to check it, and what it means for endpoint protection.
For teams trying to interpret the Defender operating mode correctly
Passive mode is one of the most misunderstood Defender states. This guide explains what it means operationally, how to check it quickly, and when it should trigger escalation.
What You'll Get
- Understand what passive mode means operationally
- Verify passive mode with the right local signals
- Decide whether the endpoint state is expected or misconfigured
Short Answer
Passive mode means Microsoft Defender Antivirus is present on the device but is not the primary active antivirus engine. It can be expected in managed environments, especially when another security product or policy controls endpoint protection. If you need the broader symptom map first, use the common Defender problems pillar.
What Passive Mode Means in Practice
Passive mode does not always mean the endpoint is unprotected.
It means Defender is not currently leading the protection path in the same way it would in fully active mode. Another antivirus or security policy may be doing that job instead.
Why Defender Enters Passive Mode
- A third-party antivirus product is active.
- Organization policy intentionally sets Defender behavior.
- Microsoft Defender for Endpoint or related management controls are shaping runtime mode.
- The endpoint is in a transition state after product changes or policy updates.
How to Check Passive Mode
The clearest quick check is AMRunningMode from Get-MpComputerStatus.
PS> Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
Use that together with Windows Security so you can see both the reported provider and the Defender operating state.
When Passive Mode Is Normal
Passive mode is often normal when another approved antivirus product is meant to be primary or when the device is governed by a broader organization security policy. In those cases, the question is not 'how do I force Defender on' but 'which product should own protection here?'
When Passive Mode Is a Problem
Passive mode becomes a problem when your intended primary protection is missing, the other antivirus was removed incorrectly, or policy no longer matches the actual endpoint standard. That is when endpoints can drift into confusing partial-protection states.
What to Do if You Expected Defender to Be Active
- Confirm whether another antivirus is still installed.
- Check whether the device is managed by work or school policy.
- Validate Windows Security provider status.
- Use the third-party antivirus guide or the organization-protection guide based on what you find.
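The checks above can be combined into one triage step. The following is an added example, not part of the original guide or of any Microsoft tooling: Get-DefenderModeAssessment is a hypothetical helper name, the verdict strings are illustrative, and the sample status object is constructed so the logic can be run offline.

```powershell
# Added example: classify the Defender operating mode against what the endpoint standard expects.
# Get-DefenderModeAssessment is a hypothetical helper name, not a built-in cmdlet.
function Get-DefenderModeAssessment {
    param(
        [Parameter(Mandatory)] $Status,      # output of Get-MpComputerStatus, or a stand-in object
        [string[]] $OtherAntivirus = @(),    # display names of non-Defender antivirus products found
        [ValidateSet('Defender', 'ThirdParty')] [string] $ExpectedPrimary = 'Defender'
    )
    # Matches any AMRunningMode value containing "Passive", such as "Passive Mode"
    $passive = $Status.AMRunningMode -like '*Passive*'
    $verdict = if ($passive -and $ExpectedPrimary -eq 'ThirdParty' -and $OtherAntivirus) {
        'Expected: approved third-party antivirus is primary'
    } elseif ($passive -and -not $OtherAntivirus) {
        'Escalate: passive mode with no other antivirus registered'
    } elseif ($passive) {
        'Review: Defender expected to be primary but another antivirus is registered'
    } elseif ($ExpectedPrimary -eq 'ThirdParty') {
        'Review: Defender is active but a third-party product should be primary'
    } elseif (-not $Status.RealTimeProtectionEnabled) {
        'Review: Defender is primary but real-time protection is off'
    } else {
        'Expected: Defender is the active primary antivirus'
    }
    [pscustomobject]@{
        AMRunningMode  = $Status.AMRunningMode
        OtherAntivirus = $OtherAntivirus -join ', '
        Verdict        = $verdict
    }
}

# Constructed sample input (not captured from a real device).
$sample = [pscustomobject]@{
    AMRunningMode             = 'Passive Mode'
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $false
}
Get-DefenderModeAssessment -Status $sample -ExpectedPrimary Defender

# On a live Windows client (the root/SecurityCenter2 namespace is not present on Windows Server):
# $other = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
#     Where-Object displayName -notmatch 'Defender' | Select-Object -ExpandProperty displayName
# Get-DefenderModeAssessment -Status (Get-MpComputerStatus) -OtherAntivirus $other
```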
How to Explain Passive Mode to Stakeholders
Describe passive mode as a control-state question, not automatically a security failure. Stakeholders mainly need to know whether the device still has an intended primary protection engine and whether current policy matches that expectation.