Configure Microsoft Defender Antivirus with Intune
Microsoft Defender Antivirus is a component of Microsoft Defender for Endpoint, previously Microsoft Defender Advanced Threat Protection. But Microsoft Defender Antivirus does not require Microsoft Defender for Endpoint.
I personally think those sentences are incredibly confusing, which is part of the reason I’m writing this blog post now. As you may know, Microsoft Defender is built into Windows 10 and provides native antivirus functionality. It doesn’t require a client to be installed or deployed; Defender is entirely built in. But since it is a component of Microsoft Defender for Endpoint (MDfE), if you’re using MDfE you get additional functionality.
Microsoft Defender for Endpoint is Microsoft’s Threat Protection solution that centers around 6 pillars – Threat & Vulnerability Management, Attack Surface Reduction, Next-generation protection, Endpoint detection and response, Automated investigation and remediation, and Microsoft Threat Experts. There’s a lot to unpack here, and it is certainly worth its own blog post. Start on this docs article if you have a few hours. For our purposes, here is all you need to know: Microsoft Defender Antivirus is the Next-generation protection pillar. It sends data to Microsoft Defender for Endpoint for antivirus signals, threat analytics, gathering details about blocked malware, and more (which you can read about here). But Microsoft Defender Antivirus can also be used independent of MDfE.
So if you’re looking to use Intune to configure Microsoft Defender Antivirus and you don’t have a license for MDfE, you can absolutely do that. And if you don’t configure Microsoft Defender Antivirus, it is still native to the system and will still be enabled by default. It’s just that if you want advanced analytics and all of the goodies that MDfE has, you need MDfE.
Let’s jump to configuring Microsoft Defender Antivirus. First, open the MEM portal and select Endpoint security > Antivirus > + Create Policy:
Then, select Windows 10 and later and Microsoft Defender Antivirus from the dropdowns.
Notice how it mentions Microsoft Defender ATP in the description. Just to show you that ATP/MDfE really is not required, here’s a screenshot of how I don’t have licenses for it.
Once you click Create and provide a name for your policy, you’ll see a list of options for configuring Microsoft Defender:
The usual guidance is to configure these settings as dictated by your organization/security team. If you’d like to use my personal configuration as a starting point, the next few screenshots provide each setting grouped by category.
Starting with Cloud protection, I turn this on with the High protection level and an extended timeout of 50 seconds. This provides real-time cloud-backed scanning without impacting client performance (and was previously called “Microsoft Active Protection Service”).
For Exclusions, here you would enter files to exclude from scanning and real-time protection. Generally this would be for other security software or management agents. No need to include any by default.
For Real Time Protection, I basically enable every setting. I don’t enable scan network files because Microsoft Defender Antivirus running on the file servers provides the same benefit.
For Remediation, I use the following:
For Scan, we’ll actually be affecting the user experience a lot. Beyond what I’ve selected, I would also consider setting your daily and scheduled scans to after work hours for desktops (the settings below are better for laptops, which may be off at night), as well as increasing your CPU usage limit up to 50% if you don’t see any impact.
For Updates, the default 8 hrs or 12 hrs is often enough. The other settings can be configured as required, like the exclusion settings.
Finally, the User Experience settings page. I leave this as Not configured, but you may want to block users from the Microsoft Defender app if you don’t want them to add their own Exclusions. I have heard of this happening before, so it may be useful to block.
And that’s it! Once you have the policy assigned to your users, they will notice that some settings are managed by your administrator in the Windows Security app.
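To confirm that the policy actually landed on a client, here is an added verification script (mine, not part of the original post or any Microsoft tooling) that reads the effective Defender settings with the built-in Get-MpPreference and Get-MpComputerStatus cmdlets and compares them with the values used above. The expected values are assumptions taken from the screenshots in this post; adjust them to match your own policy.

```powershell
# Added example: compare the effective Defender AV settings on an Intune-managed
# device with the values this post recommends. Run in an elevated PowerShell.
# The expected values are assumptions based on the post, not a Microsoft baseline.
$expected = @{
    MAPSReporting                       = 2       # Cloud protection on (2 = Advanced)
    CloudBlockLevel                     = 2       # Cloud protection level High
    CloudExtendedTimeout                = 50      # Extra seconds for the cloud check (max 50)
    DisableRealtimeMonitoring           = $false  # Real-time protection on
    DisableBehaviorMonitoring           = $false
    DisableIOAVProtection               = $false  # Scan downloads and attachments
    DisableScriptScanning               = $false
    DisableScanningNetworkFiles         = $true   # Post leaves network file scanning off
    SignatureUpdateInterval             = 8       # Hours between definition checks
    CheckForSignaturesBeforeRunningScan = $true
}

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# One row per setting so a mismatch is easy to spot in the table.
$results = foreach ($name in ($expected.Keys | Sort-Object)) {
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $pref.$name
        Match    = ($pref.$name -eq $expected[$name])
    }
}
$results | Format-Table -AutoSize

# Exclusions deserve a look of their own: every entry here is a scanning blind spot,
# and the post notes users may add their own if the Defender app is not blocked.
"Path exclusions:      $($pref.ExclusionPath -join ', ')"
"Process exclusions:   $($pref.ExclusionProcess -join ', ')"
"Extension exclusions: $($pref.ExclusionExtension -join ', ')"

# Scan schedule as applied (ScanParameters 1 = quick, 2 = full; day 0 = daily, 1 = Sunday ... 7 = Saturday).
"Daily quick scan at:  $($pref.ScanScheduleQuickScanTime)"
"Scheduled scan:       type $($pref.ScanParameters), day $($pref.ScanScheduleDay), at $($pref.ScanScheduleTime)"

# Engine state and definition version (the same data the MEM Defender report shows).
"Running mode:         $($status.AMRunningMode)"
"Real-time protection: $($status.RealTimeProtectionEnabled)"
"Tamper protection:    $($status.IsTamperProtected)"
"Signature version:    $($status.AntivirusSignatureVersion) (updated $($status.AntivirusSignatureLastUpdated))"

$mismatches = @($results | Where-Object { -not $_.Match })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) setting(s) differ from the expected policy"
    exit 1
}
```

A non-zero exit lets you run this from a scheduled task or a remediation script and flag devices where the Intune policy has not applied.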
And hey, even though we don’t have Windows Defender ATP, we still see the Windows Defender AV policy as successfully deployed:
Now you’ve deployed Defender Antivirus in your environment. Happy securing! 🚓
Hi, great write-up as I have not seen any detail like yours. I would like to ask, for the assignment. Do you assign to users or devices?
Your last comment “Once you have the policy assigned to your users…”. So that’s my question if create a group and throw machines in there or users. Also, I noticed there is an option for “Add all devices” as well. Just wondering what is the best practice or method.
Thanks,
I generally target user groups but it’s mostly a matter of preference. My rationale for user groups is that if I target a user with a policy and they get a new device (can enroll personal/BYOD, for example) I don’t need to worry about adding that new device to a group or policy. I could be using dynamic device groups to get around that, but the evaluation for those groups isn’t instant.
Gotcha, Thanks for the explanation. I think I might try out the “Add all devices” for the assignments. Hope that would work the same and I wouldn’t have to worry about missing any machines.
Great guide! I have a question: I followed the guide and if I go to the overview of the Defender policy it gives me no information. And if I go to “Device Status” it shows my test machines, but under “Assignment Status” it shows the status as “Pending.” I left it like this overnight but it still shows as pending. I’d appreciate any help. Thanks!
It should be fairly instant as long as the device has an active network connection. If it’s pending for too long, it’s likely worth opening a support ticket with Microsoft.
Hi All,
Can we use a third-party antivirus like Trend Micro Apex One with Microsoft Endpoint Manager (Intune device)? Is there a special setting or exclusions required, because we are facing performance issues. And it started after implementing MEM on the devices; before that, everything was working fine.
Please reply to my mail id, if possible – dineshhcl7@gmail.com
Anyone please help, thanks in advance.
Yeah, you can absolutely use a third party antivirus with a MEM managed device. It might be worth contacting Trend Micro to troubleshoot performance. Or alternatively take a fresh device and enroll it into Intune before installing Trend Micro Apex One and seeing what is causing the slowdown.
Thank you for such a detailed post! Would love to see something like this to configure MS Defender for Endpoint! I know it’s a huge monster of policies but MS does not provide structured guidance on this. I had to fish for info all over the place and I’m still having a hard time understanding what policies fall under what… Can you recommend any resources? Thx!!
Thanks for the feedback! I’ll put that on the to-do list, I think it would make a great post. If you’re still looking for MDfE setup articles I would start with the Tech Community post: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-endpoint-manager-enable-endpoint-protection/ba-p/1801197
Thank you for this great, clear and thorough post. I had been struggling with this topic and all the different terms, but if I’m not mistaken we can put it this way:
MDFE / MDATP = whole threat protection solution
MD = Antivirus solution that is included in the MDFE solution, but also works standalone if we don’t own a MDFE subscription
Yes, that’s right! But just to be picky, I would specify that MDfE isn’t a WHOLE threat protection solution, it’s an endpoint solution. Microsoft’s 365 E5 license that includes the whole suite of security products (MDfE, Sentinel, Azure Defender, Cloud App Security, Defender for Identity, etc.) is the all up solution. If you want to know how all those pieces fit together then take a look at the Microsoft Cybersecurity Reference Architecture
Hi Janusz,
Fantastic write-up, I too was unclear on Windows Defender and Microsoft Defender for Endpoint. Just a quick question, is there any way to put our business support contact details somewhere in the Security area?
Thanks
There is not, as far as I know. Closest I can think of is adding your support contact info in the Intune Company Portal app.
Hi, great sharing! I have a question: after configuring Microsoft Defender Antivirus with Intune, can we see the virus alerts and AV definition version in Intune or somewhere?
Yup, you’ll see it in the MEM console under Reports > Microsoft Defender Antivirus. You can generate a detailed report that has the definition versions and more.
I want to configure a daily quick scan at 11:00 AM every day and a weekly full scan at 12:00 PM every Thursday. But these settings don’t seem to be working as you explained in the scan section of this article.
Run daily quick scan at: 11:00 AM
Scan type: Full Scan
Day of week to run a scheduled scan: Thursday
Time of day to run a scheduled scan: 12:00 PM
Might be worth opening a case with Microsoft to investigate what’s going on. It should be possible to configure those scans as per the settings you have.
Hi Rahul,
Have you ever figured out how to do this?
Have you ever had to disable the Defender temporarily to test if it blocks something? If so, do you have an easy way to do so (ex. PS or cmd)?
Great summary.
We have the issue that the setting “Check for signature updates before running scan” has the status ERROR on a lot of devices – Error Code -2016281112.
Any ideas what could cause this? I was not able to find information on the error code.
Thanks
Please Add RSS feeds to this. That will help us to get the latest posts updated. Thanks
Sure – I’ve added the link to our RSS feed in the social media icons area. Can access the feed here: https://deviceadvice.io/feed/