Configure Microsoft Defender Antivirus with Intune

Microsoft Defender Antivirus is a component of Microsoft Defender for Endpoint, previously Microsoft Defender Advanced Threat Protection. But Microsoft Defender Antivirus does not require Microsoft Defender for Endpoint.

I personally think those sentences are incredibly confusing, which is part of the reason I’m writing this blog post now. As you may know, Microsoft Defender is built into Windows 10 and provides native antivirus functionality. It doesn’t require a client to be installed or deployed; Defender is entirely built in. But since it is a component of Microsoft Defender for Endpoint (MDfE), if you’re using MDfE you get additional functionality.

Microsoft Defender for Endpoint is Microsoft’s Threat Protection solution that centers around 6 pillars – Threat & Vulnerability Management, Attack Surface Reduction, Next-generation protection, Endpoint detection and response, Automated investigation and remediation, and Microsoft Threat Experts. There’s a lot to unpack here, and it is certainly worth its own blog post. Start on this docs article if you have a few hours. For our purposes, here is all you need to know – Microsoft Defender Antivirus is the Next-generation protection pillar. It sends data to Microsoft Defender for Endpoint for antivirus signals, threat analytics, gathering details about blocked malware, and more (which you can read about here). But Microsoft Defender Antivirus can also be used independently of MDfE.

So if you’re looking to use Intune to configure Microsoft Defender Antivirus and you don’t have a license for MDfE, you can absolutely do that. And if you don’t configure Microsoft Defender Antivirus, it is still native to the system and will still be enabled by default. It’s just that if you want advanced analytics and all of the goodies that MDfE has, you need MDfE.

Let’s jump to configuring Microsoft Defender Antivirus. First, open the MEM portal and select Endpoint security > Antivirus > + Create Policy:

Create a Microsoft Defender Antivirus policy

Then, select Windows 10 and later and Microsoft Defender Antivirus from the dropdowns.

Create Policy screen

Notice how it mentions Microsoft Defender ATP in the description. Just to show you that ATP/MDfE really is not required, here’s a screenshot of how I don’t have licenses for it.

Microsoft Defender Security Center no subscription screen

Once you click Create and provide a name for your policy, you’ll see a list of options for configuring Microsoft Defender:

Microsoft Defender Antivirus Configuration settings

The usual guidance is to configure these settings as dictated by your organization/security team. If you’d like to use my personal configuration as a starting point, the next few screenshots provide each setting grouped by category.

Starting with Cloud protection, I turn this on with the High protection level and an extended timeout of 50 seconds. This provides real-time scanning without impacting client performance (and was previously called “Microsoft Active Protection Service”).

Cloud Protection configuration settings

For Exclusions, this is where you would enter files to exclude from scanning and real-time protection. Generally this would be for other security software or management agents. There is no need to include any by default.

For Real Time Protection, I basically enable every setting. I don’t enable scanning of network files because Microsoft Defender Antivirus running on the file servers provides the same benefit.

For Remediation, I use the following:

Remediation settings

For Scan, we’ll actually be affecting the user experience a lot. Beyond what I’ve selected, I would also consider setting your daily and scheduled scans to run after work hours for desktops (the settings below are better suited to laptops, which may be off at night), as well as increasing your CPU usage limit up to 50% if you don’t see any impact.

Scan settings

For Updates, the default 8 hrs or 12 hrs is often enough. The other settings can be configured as required, like the exclusion settings.

Updates settings

And then the final settings page, User Experience. I will go ahead and say that I leave this as not configured, but you may want to block users from the Microsoft Defender app if you don’t want them to add their own Exclusions. I have heard of this happening before, so it may be useful to block.

User experience settings

And that’s it! Once you have the policy assigned to your users, they will notice that some settings are managed by your administrator in the Windows Security app.
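Once the policy has applied, the quickest way to confirm that the client actually received the values chosen above is to read Defender’s effective preferences on the device itself. The following is an added example for this post, not something from the original article or from Microsoft: it uses the built-in Defender PowerShell cmdlets (Get-MpPreference and Get-MpComputerStatus) to compare the live configuration with the values picked in the sections above (cloud protection at High with the 50-second extended timeout, network file scanning left off, a 50% CPU limit, 8-hour update interval, User Experience not configured). Those expected values, and the function names, are assumptions you should adjust to match your own policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit the effective Microsoft Defender
# Antivirus settings on a client after the Intune policy has applied.
# The $Expected values are assumptions that mirror the choices made in the post.

function Test-DefenderBaseline {
    [CmdletBinding()]
    param(
        [hashtable]$Expected = @{
            MAPSReporting                       = 2       # cloud protection on (2 = Advanced)
            CloudBlockLevel                     = 2       # 2 = High
            CloudExtendedTimeout                = 50      # extra seconds to wait for a cloud verdict
            DisableRealtimeMonitoring           = $false  # real-time protection on
            DisableScanningNetworkFiles         = $true   # "scan network files" left off
            ScanAvgCPULoadFactor                = 50      # CPU limit; post suggests up to 50%
            SignatureUpdateInterval             = 8       # hours between update checks
            CheckForSignaturesBeforeRunningScan = $true
            UILockdown                          = $false  # User Experience left not configured
        }
    )

    $pref = Get-MpPreference

    # Emit one row per setting so the result can be filtered or exported.
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])
        }
    }
}

function Get-DefenderHealth {
    # Engine state and signature age: the fields to check right after assignment.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RunningMode        = $status.AMRunningMode              # "Normal" vs "Passive Mode"
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeHours  = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
    }
}

function Get-DefenderScanSchedule {
    # Scan schedule as Defender resolved it.
    # ScanScheduleDay: 0 = every day, 1..7 = Sunday..Saturday, 8 = never.
    # ScanParameters: 1 = quick scan, 2 = full scan.
    $pref = Get-MpPreference
    [pscustomobject]@{
        QuickScanTime     = $pref.ScanScheduleQuickScanTime    # time since midnight; 00:00:00 = not set
        ScheduledScanDay  = $pref.ScanScheduleDay
        ScheduledScanTime = $pref.ScanScheduleTime
        ScanType          = if ($pref.ScanParameters -eq 2) { 'Full' } else { 'Quick' }
        Exclusions        = @( @($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) |
                               Where-Object { $_ } )
    }
}

# Usage: show only the settings that differ from the expected baseline, then the
# health and schedule summaries.
Test-DefenderBaseline | Where-Object { -not $_.Match } | Format-Table -AutoSize
Get-DefenderHealth
Get-DefenderScanSchedule
```

Run it in an elevated PowerShell session on a managed Windows 10 device. An empty table from the first command means every setting matches; a RunningMode of “Passive Mode” means another antivirus product is registered and Defender is not the active engine, which is the first thing to rule out when a policy appears to have no effect. The Exclusions list is also a quick way to spot entries that users added themselves when the User Experience page is left unconfigured.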

Windows Security app on Windows 10

And hey, even though we don’t have Windows Defender ATP, we still see the Windows Defender AV policy as successfully deployed:

Now you’ve deployed Defender Antivirus in your environment. Happy securing!


24 Responses

  1. smell spam says:

    Hi, great write-up as I have not seen any detail like yours. I would like to ask about the assignment. Do you assign to users or devices?

    Your last comment: “Once you have the policy assigned to your users…”. So that’s my question: do I create a group and throw machines in there, or users? Also, I noticed there is an option for “Add all devices” as well. Just wondering what is the best practice or method.


    • Janusz says:

      I generally target user groups but it’s mostly a matter of preference. My rationale for user groups is that if I target a user with a policy and they get a new device (can enroll personal/BYOD, for example) I don’t need to worry about adding that new device to a group or policy. I could be using dynamic device groups to get around that, but the evaluation for those groups isn’t instant.

      • Smell spam says:

        Gotcha, thanks for the explanation. I think I might try out the “Add all devices” for the assignments. Hope that would work the same and I wouldn’t have to worry about missing any machines.

  2. Not an Azure Bot says:

    Great guide! I have a question: I followed the guide and if I go to the overview of the Defender policy it gives me no information. And if I go to “Device Status” it shows my test machines, but under “Assignment Status” it shows the status as “Pending.” I left it like this overnight but it still shows as pending. I’d appreciate any help. Thanks!

    • Janusz says:

      It should be fairly instant as long as the device has an active network connection. If it’s pending for too long, it’s likely worth opening a support ticket with Microsoft.

  3. Dinesh Kumar says:

    Hi All,

    Can we use a third-party antivirus like Trend Micro Apex One with Microsoft Endpoint Manager (Intune device)? Is there a special setting or exclusions required, because we are facing performance issues. They started after implementing MEM on the devices; before that everything was working fine.
    Please reply to my mail id, if possible –
    Anyone please help, thanks in advance.

    • Janusz says:

      Yeah, you can absolutely use a third-party antivirus with a MEM managed device. It might be worth contacting Trend Micro to troubleshoot performance. Or alternatively take a fresh device, enroll it into Intune before installing Trend Micro Apex One, and see what is causing the slowdown.

  4. Delilah says:

    Thank you for such a detailed post! Would love to see something like this to configure MS Defender for Endpoint! I know it’s a huge monster of policies but MS does not provide structured guidance on this. I had to fish for info all over the place and am still having a hard time understanding what policies fall under what… Can you recommend any resources? Thx!!

  5. Will says:

    Thank you for this great, clear and thorough post. I had been struggling with this topic and all the different terms, but if I’m not mistaken we can put it this way:

    MDFE / MDATP = whole threat protection solution
    MD = antivirus solution that is included in the MDFE solution, but also works standalone if we don’t own an MDFE subscription

    • Janusz says:

      Yes, that’s right! But just to be picky, I would specify that MDfE isn’t a WHOLE threat protection solution, it’s an endpoint solution. Microsoft’s 365 E5 license that includes the whole suite of security products (MDfE, Sentinel, Azure Defender, Cloud App Security, Defender for Identity, etc.) is the all-up solution. If you want to know how all those pieces fit together, then take a look at the Microsoft Cybersecurity Reference Architecture.

  6. Fult Z says:

    Hi Janusz,
    Fantastic write-up, I too was unclear on Windows Defender and Microsoft Defender for Endpoint. Just a quick question: is there any way to put our business support contact details somewhere in the Security area?


    • Janusz says:

      There is not, as far as I know. Closest I can think of is adding your support contact info in the Intune Company Portal app.

  7. chinzaghi says:

    Hi, great sharing! I have a question: after configuring Microsoft Defender Antivirus with Intune, can we see the virus alerts and AV definition version in Intune or somewhere?

    • Janusz says:

      Yup, you’ll see it in the MEM console under Reports > Microsoft Defender Antivirus. You can generate a detailed report that has the definition versions and more.

  8. Rahul says:

    I want to configure a daily quick scan at 11:00 AM every day and a weekly full scan at 12:00 PM every Thursday. But these settings don’t seem to be working as per what you explained in the scan section of this article.

    Run daily quick scan at : 11:00 AM
    Scan type : Full Scan
    Day of week to run a scheduled scan : Thursday
    Time of day to run a scheduled scan : 12:00 PM

  9. Florian says:

    Have you ever had to disable Defender temporarily to test if it blocks something? If so, do you have an easy way to do so (e.g. PS or cmd)?

  10. John says:

    Great summary.
    We have the issue that the setting “Check for signature updates before running scan” has the status ERROR on a lot of devices – Error Code -2016281112.
    Any ideas what could cause this? I was not able to find information on the error code.

  11. Vinod says:

    Please Add RSS feeds to this. That will help us to get the latest posts updated. Thanks

  1. October 13, 2020

    […] our last blog post, Configure Microsoft Defender Antivirus with Intune, we talked about how even though Defender Antivirus is a component of Defender for Endpoint, it […]

  2. December 16, 2020

    […] Manager provides a ton of functionality for managing Defender Antivirus. In a previous post we dived into configuring Defender Antivirus, so today we’ll be reviewing some of the specifics around Signature updates. Maybe your […]
