Configure Microsoft Defender Antivirus with Intune

Microsoft Defender Antivirus is a component of Microsoft Defender for Endpoint, previously Microsoft Defender Advanced Threat Protection. But Microsoft Defender Antivirus does not require Microsoft Defender for Endpoint.

I personally think those sentences are incredibly confusing, which is part of the reason I’m writing this blog post now. As you may know, Microsoft Defender is built in to Windows 10 and provides native antivirus functionality. It doesn’t require a client to be installed or deployed, Defender is entirely built in. But since it is a component of Microsoft Defender for Endpoint (MDfE), if you’re using MDfE you get additional functionality.

Microsoft Defender for Endpoint is Microsoft’s Threat Protection solution that centers around 6 pillars – Threat & Vulnerability Management, Attack Surface Reduction, Next-generation protection, Endpoint detection and response, Automated investigation and remediation, and Microsoft Threat Experts. There’s a lot to unpack here, and certainly worth it’s own blog post. Start on this docs article if you have a few hours. For our purposes here is all you need to know – Microsoft Defender Antivirus is the Next-generation protection pillar. It sends data to Microsoft Defender for Endpoint for antivirus signals, threat analytics, gathering details about blocked malware, and more (which you can read about here). But Microsoft Defender Antivirus can also be used independent of MDfE.

So if you’re looking to use Intune to configure Microsoft Defender Antivirus and you don’t have a license for MDfE, you can absolutely do that. And if you don’t configure Microsoft Defender Antivirus, it is still native to the system and will still be default to enabled. It’s just that if you want advanced analytics and all of the goodies that MDfE has, you need MDfE.

Let’s jump to configuring Microsoft Defender Antivirus. First, open the MEM portal and select Endpoint security > Antivirus > + Create Policy:

Create a Microsoft Defender Antivirus policy

Then, select Windows 10 and later and Microsoft Defender Antivirus from the dropdowns.

Create Policy screen

Notice how it mentions Microsoft Defender ATP in the description. Just to show you that ATP/MDfE really is not required, here’s a screenshot of how I don’t have licenses for it.

Microsoft Defender Security Center no subscription screen

Once you click Create and provide a name for your policy, you’ll see a list of options for configuring Microsoft Defender:

Microsoft Defender Antivirus Configuration settings

The usual guidance is to configure these settings as dictated by your organization/security team. If you’d like to use my personal configuration as a starting point, the next few screenshots provide each setting grouped by category.

Starting with Cloud protection, I turn this on with the High protection level and an extended timeout of 50 seconds. This provides real time scanning without impacting client performance (and was previously called “Microsoft Active Protection Service”).

Cloud Protection configuration settings

For Exclusions, here you would enter files to exclude from scanning and real-time protection. Generally this would be for other security software or management agents. No need to include any by default.

For Real Time Protection, I basically enable every setting. I don’t enable scan network files because Microsoft Defender Antivirus running on fileservers provides the same benefit.

For Remedation, I use the following:

Remediation settings

For Scan, we’ll actually be affecting the user experience a lot. Outside what I’ve selected, I would also consider: settings your daily and scheduled scan’s to after work hours for desktops (the below settings are better for laptops, which may be off at night), as well as increasing your CPU usage limit up to 50% is you don’t see any impact.

Scan settings

For Updates, the default 8 hrs or 12 hrs is often enough. The other settings can be configured as required, like the exclusion settings.

Updates settings

And then the final settings page, User Experience. So I will go ahead and say I leave this as not configured, but you may want to block users from the Microsoft Defender app if you don’t want them to add their own Exclusions. I have heard of this happening before, so it may be useful to block.

User experience settings

And that’s it! Once you have the policy assigned to your users, they will notice that some settings are managed by your administrator in the Windows Security app.

Windows Security app on Windows 10

And hey, even though we don’t have Windows Defender ATP, we still see the Windows Defender AV policy as successfully deployed:

Now you’ve deployed Defender Antivirus in your environment. Happy securing! 🚓

You may also like...

7 Responses

  1. smell spam says:

    Hi, great write-up as I have not seen any detail like yours. I would like to ask, for the assignment. Do you assign to users or devices?

    Your last comment “Once you have the policy assigned to your users…”. So that’s my question if create a group and throw machines in there or users. Also, I noticed there is an option for “Add all devices” as well. Just wondering what is the best practice or method.


    • Janusz says:

      I generally target user groups but it’s mostly a matter of preference. My rationale for user groups is that if I target a user with a policy and they get a new device (can enroll personal/BYOD, for example) I don’t need to worry about adding that new device to a group or policy. I could be using dynamic device groups to get around that, but the evaluation for those groups isn’t instant.

      • Smell spam says:

        Gotcha, Thanks for the explanation. I think I might try out the “Add all devices” for the assignments. Hope that would work the same and I wouldn’t have to worry about missing any machines.

  2. Not an Azure Bot says:

    Great guide! I have a question, i followed the guide and if i go to the overview of the Defender policy it gives me no information. And if i go to “Device Status” it shows my test machines but under “Assignment Status” its shows the status as “Pending.” I left it like this overnight but it still shows as pending. I’d appreciate any help. Thanks!

    • Janusz says:

      It should be fairly instant as long as the device has an active network connection. If it’s pending for too long, it’s likely worth opening a support ticket with Microsoft.

  1. October 13, 2020

    […] our last blog post, Configure Microsoft Defender Antivirus with Intune, we talked about how even though Defender Antivirus is a component of Defender for Endpoint, it […]

  2. December 16, 2020

    […] Manager provides a ton of functionality for managing Defender Antivirus. In a previous post we dived into configuring Defender Antivirus, so today we’ll be reviewing some of the specifics around Signature updates. Maybe your […]

Leave a Reply

Your email address will not be published. Required fields are marked *