Anti-Malware: Managing Defender from Intune

**DISCLOSURE: While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.**

In 2006 Microsoft announced that the Windows Vista operating system would include built-in anti-malware software. This concerned a lot of people for a number of reasons:

  1. Microsoft was not, at the time, a trusted source for secure computing; and
  2. The anti-virus industry was an $11B/year industry, and the Microsoft partners that lived in that space stood to lose a lot of money if that happened.

While the plan to ship it inside the OS was scrubbed, Microsoft did nonetheless release an anti-malware product, Windows Live OneCare. That lineage eventually became Windows Defender, and today Microsoft Defender is the overarching name for Microsoft's security offerings.

When I was first introduced to Microsoft Intune, I found the greatest benefits were patch management and anti-malware. I was primarily using the offering to protect the computers of a few family members and friends, and those were the two issues on which I had spent most of my effort with their machines.

Today, I use Intune for much larger environments, and for many more things. However, anti-malware and patch management are still a big part of it. I have covered patch management in other posts; let's enable anti-malware for our clients.

First, log into the Microsoft Endpoint Manager admin center. In the navigation pane, click Endpoint Security.

When the Endpoint Security | Overview screen appears, look in the navigation pane under Manage and click Antivirus.


In the middle of the Endpoint Security | Antivirus screen, under AV policies, click + Create policy.

In the Create a profile sidebar, select the platform Windows 10 and later from the dropdown list (or Windows 10 and Windows Server (ConfigMgr) if you want the policy to apply to servers as well). In the Profile dropdown select Microsoft Defender Antivirus. Click Create.

In the Basics tab, enter a name (and, if you want, a description), and then click Next.

Most of our profile configuration will be set in the Configuration settings tab. There are sections for:

  • Cloud protection
  • Microsoft Defender Antivirus Exclusions
  • Real-time protection
  • Remediation
  • Scan
  • Updates
  • User experience

I will not advise which of these you should enable, but go through them and configure each as you see fit for your environment. Keep in mind that anything left at Not configured is simply not touched by Intune, so the device keeps whatever value it already has (the Defender default, a local setting, or a value from another policy). In my Review + Create summary below you will see the options I chose for my demo tenant. Click Next.

On the Scope tags tab either select scope tags, or click Next.

On the Assignments tab, either add specific groups, or add all users or all devices. You can also add groups to the Excluded list as you see fit. Click Next.

On the Review + Create tab you can verify your choices, and when you are satisfied, click Create. This is what I got:
Name: Use Microsoft Defender to protect machines against malware

Platform: Windows 10 and later

Configuration settings (a value is listed only where it survived the screenshot):

  • Turn on cloud-delivered protection
  • Cloud-delivered protection level
  • Defender Cloud Extended Timeout In Seconds
  • Turn on real-time protection
  • Enable on access protection
  • Turn on behavior monitoring
  • Turn on intrusion prevention
  • Scan all downloaded files and attachments
  • Scan scripts that are used in Microsoft browsers
  • Scan network files
  • Scan emails
  • Number of days (0-90) to keep quarantined malware
  • Submit samples consent: Send safe samples automatically
  • Action to take on potentially unwanted apps: Audit mode
  • Actions for detected threats
  • Scan archive files
  • Use low CPU priority for scheduled scans
  • Scan mapped network drives during full scan
  • Run daily quick scan at: 9 PM
  • Scan type: Quick scan
  • Day of week to run a scheduled scan
  • Time of day to run a scheduled scan: 10 PM
  • Check for signature updates before running scan
  • Enter how often (0-24 hours) to check for security intelligence updates
  • Allow user access to Microsoft Defender app

Scope tags: none

Assignments:

  • Included groups: All devices, All users
  • Excluded groups: none
That is your policy. Make sure you check out my previous article on connecting Microsoft Defender for Endpoint to Intune in the Microsoft Defender Security Center!
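Once the profile reports as applied in Intune, it is worth confirming on a client that Defender is actually running with the values you chose, because a setting that another policy, a local administrator, or a stale signature set has overridden will not show up as a failure in the portal. The script below is an added example for this post, not code from Microsoft or from the original article. It reads the effective configuration with the built-in Defender cmdlets (Get-MpPreference and Get-MpComputerStatus) and compares it with the demo profile above. The three expected values taken from the post are the 9 PM quick scan, "Send safe samples automatically", and PUA in Audit mode; the remaining expected values are assumptions for a typical "everything on" profile, and the PolicyManager registry path is an assumption about where MDM-delivered Defender settings are surfaced. Run it from an elevated PowerShell prompt on an enrolled Windows 10 or later device.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original post): check that an Intune
# Microsoft Defender Antivirus profile landed on this client as intended.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Expected values. Entries marked "from the post" are the choices visible in the
# Review + Create summary above. The others are ASSUMED for an "everything on"
# profile; edit them to match your own profile before trusting the result.
# Numeric codes: MAPSReporting 2 = Advanced; SubmitSamplesConsent 1 = Send safe
# samples automatically; PUAProtection 2 = Audit mode; ScanParameters 1 = Quick scan.
$expected = @(
    @{ Name = 'Real-time protection on';                Actual = -not $pref.DisableRealtimeMonitoring; Want = $true }
    @{ Name = 'Behavior monitoring on';                 Actual = -not $pref.DisableBehaviorMonitoring; Want = $true }
    @{ Name = 'On-access protection on';                Actual = $status.OnAccessProtectionEnabled;    Want = $true }
    @{ Name = 'Scan downloaded files/attachments (IOAV)'; Actual = -not $pref.DisableIOAVProtection;   Want = $true }
    @{ Name = 'Script scanning on';                     Actual = -not $pref.DisableScriptScanning;     Want = $true }
    @{ Name = 'Cloud-delivered protection (MAPS)';      Actual = $pref.MAPSReporting;                  Want = 2 }
    @{ Name = 'Submit samples consent (from the post)'; Actual = $pref.SubmitSamplesConsent;           Want = 1 }
    @{ Name = 'PUA action (from the post)';             Actual = $pref.PUAProtection;                  Want = 2 }
    @{ Name = 'Daily quick scan time (from the post)';  Actual = $pref.ScanScheduleQuickScanTime;      Want = [TimeSpan]'21:00:00' }
    @{ Name = 'Scheduled scan type';                    Actual = $pref.ScanParameters;                 Want = 1 }
)

# Build one row per check so the drift is easy to read (and easy to export).
$results = foreach ($check in $expected) {
    [pscustomobject]@{
        Check    = $check.Name
        Expected = $check.Want
        Actual   = $check.Actual
        OK       = ($check.Actual -eq $check.Want)
    }
}
$results | Format-Table -AutoSize

# Signature freshness: the update-interval setting only helps if updates arrive.
# Three days is an assumed threshold; pick the one your environment tolerates.
if ($status.AntivirusSignatureAge -gt 3) {
    Write-Warning ("Security intelligence is {0} day(s) old (last updated {1})" -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
}

# Settings delivered through the Defender CSP by Intune are surfaced under
# PolicyManager (ASSUMED path). If this key is empty, the profile probably has not
# reached the device yet, and whatever Get-MpPreference shows is local state.
$cspPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
if (Test-Path $cspPath) {
    Get-ItemProperty -Path $cspPath | Format-List
} else {
    Write-Warning "No MDM Defender settings found at $cspPath; the Intune profile may not have applied."
}

# Non-zero exit so the script can be used from a scheduled task or RMM job.
$drift = @($results | Where-Object { -not $_.OK })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting(s) differ from the expected Intune profile."
    exit 1
}
```

A setting that Intune manages cannot be changed locally with Set-MpPreference (the cmdlet reports that the setting is controlled by policy), so a mismatch here usually means a conflicting policy or a device that has not synced rather than local tampering; trigger a sync from the Intune portal or from Settings > Accounts > Access work or school on the device and run the check again.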

