Configuring Microsoft Defender Antivirus in Corporate Environments

Configuring Microsoft Defender Antivirus in Corporate Environments

09/08/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in effectively configuring and managing Microsoft Defender Antivirus (MDAV) in enterprise environments. MDAV, which is an integral part of the Windows operating system, has evolved from a basic solution to a robust and fundamental component of Microsoft's security strategy, offering next-generation endpoint protection against a wide range of threats, including malware, ransomware and fileless attacks [1].

Introduction

In an ever-evolving cyber threat landscape, having a reliable and well-configured antivirus solution is the first line of defense for any organization. Microsoft Defender Antivirus, when centrally managed, delivers powerful protection that integrates seamlessly with the Microsoft ecosystem, providing unified visibility and control. This guide will cover the most common methods for configuring Defender AV in enterprise environments, ensuring your organization is protected consistently and effectively.

Management Tools

There are several ways to manage Microsoft Defender AV in an enterprise environment. The most common are:

  • Microsoft Intune (Recommended): For organizations using modern cloud-based management. Provides a centralized interface in the Microsoft Endpoint Manager portal to create and deploy security policies.
  • Group Policy (GPO): For organizations with an on-premises Active Directory infrastructure. Allows configuration through Group Policy Objects.
  • Microsoft Endpoint Configuration Manager (MECM/SCCM): For large-scale management, often in hybrid environments.
  • PowerShell: For granular or bulk automation and configurations.

This guide will focus on the two most popular methods: Intune and GPO.

Prerequisites

  • Operating System: Windows 10, Windows 11 or Windows Server 2016 and later.
  • Administrative Access: Intune Administrator (for Intune) or Domain Administrator (for GPO) permissions.
  • Licensing: Defender AV is included with Windows. Advanced features (such as Microsoft Defender for Endpoint) require additional licensing (ex: Microsoft 365 E5).

Configuring Defender AV with Microsoft Intune

This is the modern and recommended approach for cloud-managed devices.

  1. Go to the Microsoft Intune portal: https://intune.microsoft.com.
  2. Navigate to Endpoint Security > Antivirus.
  3. Click Create Policy.
  4. Select:
    • Platform: Windows 10 and later
    • Profile: Microsoft Defender Antivirus
  5. Click Create.
  6. Basics: Give the policy a name (ex: Windows - Defender AV Default Policy) and a description. Click Next.
  7. Configuration Settings: This is the most important step. Configure the following sections with best practices:
    • Cloud Protection:
      • Enable cloud-delivered protection: Yes. Essential for real-time threat intelligence.
      • Level of protection provided in the cloud: High. Offers more aggressive detection.
      • Extended Defender Cloud Timeout: 50 seconds. It gives the cloud service more time to analyze suspicious files.
    • Real-Time Protection:
      • Enable real-time protection: Yes. The core of Defender protection.
      • Enable behavior monitoring: Yes.
      • Scan all downloaded files and attachments: Yes.
    • Verification:
      • Schedule a daily quick check: Set a low usage time (ex: 12:00).
      • Scheduled scan type: Quick scan.
    • Exclusions: Configure exclusions carefully to avoid security breaches. Use the Microsoft Defender Antivirus Exclusions policy to manage this centrally.
  8. Assignments: Assign the policy to a group of Azure AD devices.
  9. Review + create: Review and create the policy.

Configuring Defender AV with Group Policy (GPO)

For environments with local Active Directory.

  1. Open the Group Policy Management Editor.
  2. Create one onvo GPO or edit an existing one and link it to the desired OU (Organizational Unit).
  3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
  4. Configure the following policies (set to Enabled and adjust the options):
    • Disable Microsoft Defender Antivirus: Set to Disabled to ensure it is always on.
    • Real-Time Protection:
      • Enable behavior monitoring
      • Scan all downloaded files and attachments
      • Monitor the activity of files and programs on your computer
    • MAPS (equivalent to Cloud Protection):
      • Join Microsoft MAPS: Select Advanced MAPS.
      • Configure 'Block at First Sight' feature: Enabled.
    • Verification:
      • Configure scheduled scan options such as Scan Type and Scan Day.

Validation and Monitoring

  • Locally: On a client device, open the Windows Security app to verify that the "Virus and Threat Protection" settings are managed by your organization.
  • Via PowerShell: Run the Get-MpComputerStatus command to see the antivirus status, including AMRunningMode (should be "Normal") and signature dates.
  • Microsoft 365 Defender Portal: If you have Defender for Endpoint, the portal (security.microsoft.com) offers detailed reports on antivirus health across all your devices under Reports > Device Health.

Conclusion

Correctly configuring Microsoft Defender Antivirus is a fundamental step in protecting an organization's endpoints. Whether through modern management with Microsoft Intune or traditional management with GPOs, consistent application of security policies ensures that your company's first line of defense is robust, resilient, and always up to date against the latest threats. Continuous monitoring through Microsoft portals closes the loop, providing the visibility needed to ensure the compliance and security of your environment.

References

[1] Microsoft. (2023). Microsoft Defender Antivirus in Windows. [2] Microsoft. (2023). Manage Microsoft Defender Antivirus with Microsoft Intune. [3] Microsoft. (2023). Use Group Policy settings to configure and manage Microsoft Defender Antivirus.