Anti-Malware: Managing Defender from Intune

**DISCLOSURE:** While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.

In 2006 Microsoft announced that the Windows Vista operating system would include built-in anti-malware software. This concerned a lot of people for a number of reasons:

  1. Microsoft was not, at the time, a trusted source for secure computing; and
  2. The anti-virus industry was an $11B/year industry, and the Microsoft partners that lived in that space stood to lose a lot of money if that happened.

While the plan to include it in the OS was scrubbed, Microsoft did, nonetheless, release an anti-malware solution called Live OneCare. The product eventually morphed into Windows Defender, which is now the overarching name for all of Microsoft’s security offerings.

When I was first introduced to Microsoft Intune, I found the greatest benefits were patch management and anti-malware. I was primarily using the offering to protect the computers of a few family and friends, and those were the two issues on which I had spent most of my efforts with their machines.

Today, I use Intune for much larger environments, and for many more things. However, anti-malware and patch management are still a big part of it. I have covered patch management in other posts; let's enable anti-malware for our clients.

First, let’s log into our Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com). In the navigation pane, click on Endpoint Security.

When the Endpoint Security | Overview screen appears, look in the navigation pane under Manage and click Antivirus.


In the middle of the Endpoint Security | Antivirus screen, under AV policies, click + Create policy.

In the Create a profile sidebar, select the platform Windows 10 and later from the dropdown list (or Windows 10 and Windows Server (ConfigMgr) if you want the policy to apply to servers as well). In the Profile dropdown select Microsoft Defender Antivirus. Click Create.

In the Basics tab, enter a name (and, if you want, a description), and then click Next.

Most of our profile configuration will be set in the Configuration settings tab. There are sections for:

  • Cloud protection
  • Microsoft Defender Antivirus Exclusions
  • Real-time protection
  • Remediation
  • Scan
  • Updates
  • User experience

I will not advise which of these you should enable, but go through them and configure them as you see fit for your environment. In my Review + Create summary below you will see the options I chose for my demo tenant. Click Next.

On the Scope tags tab either select scope tags, or click Next.

On the Assignments tab, you can pick any of these options:

Either add specific groups, or add all users or all devices. You can also add groups to the Excluded list as you see fit. Click Next.

On the Review + Create tab you can verify your choices, and when you are satisfied, click Create. This is what I got:

**Summary**

**Basics**

| Setting | Value |
| --- | --- |
| Name | Anti-virus |
| Description | Use Microsoft Defender to protect machines against malware |
| Platform | Windows 10 and later |

**Configuration settings**

| Setting | Value |
| --- | --- |
| Turn on cloud-delivered protection | Yes |
| Cloud-delivered protection level | High |
| Defender Cloud Extended Timeout In Seconds | 30 |
| Turn on real-time protection | Yes |
| Enable on access protection | Yes |
| Turn on behavior monitoring | Yes |
| Turn on intrusion prevention | Yes |
| Scan all downloaded files and attachments | Yes |
| Scan scripts that are used in Microsoft browsers | Yes |
| Scan network files | Yes |
| Scan emails | Yes |
| Number of days (0-90) to keep quarantined malware | 15 |
| Submit samples consent | Send safe samples automatically |
| Action to take on potentially unwanted apps | Audit mode |
| Actions for detected threats | `{"lowSeverity":"allow","moderateSeverity":"quarantine","highSeverity":"clean","severeSeverity":"remove"}` |
| Scan archive files | Yes |
| Use low CPU priority for scheduled scans | Yes |
| Scan mapped network drives during full scan | No |
| Run daily quick scan at | 9 PM |
| Scan type | Quick scan |
| Day of week to run a scheduled scan | Everyday |
| Time of day to run a scheduled scan | 10 PM |
| Check for signature updates before running scan | Yes |
| Enter how often (0-24 hours) to check for security intelligence updates | 12 |
| Allow user access to Microsoft Defender app | Yes |

**Scope tags**

| Setting | Value |
| --- | --- |
| Scope tags | Default |

**Assignments**

| Setting | Value |
| --- | --- |
| Included groups | All devices, All users |
| Excluded groups | |
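Once a device has synced, you can confirm on the endpoint that the policy actually landed rather than trusting the portal alone. The following script is an added example, not part of the original post: it reads the local Defender state with `Get-MpPreference` and `Get-MpComputerStatus` and reports any setting that does not match the values in the summary above. The mapping of the portal's labels to `Get-MpPreference` property names and enum numbers is my assumption from the Defender PowerShell module; adjust it if your tenant chose different values.

```powershell
# Added example (not from the original post): compare the local Defender
# state with the values shown in the article's Review + Create summary.
# Run in an elevated PowerShell on an enrolled Windows 10/11 device.
# Property names and enum-to-number mappings below are an assumption.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Expected values, translated from the summary into Get-MpPreference terms.
# "Turn on intrusion prevention" has no reliable MpPreference counterpart
# and is left out on purpose.
$expected = [ordered]@{
    MAPSReporting                                 = 2        # cloud-delivered protection on (Advanced)
    CloudBlockLevel                               = 2        # High
    CloudExtendedTimeout                          = 30
    DisableRealtimeMonitoring                     = $false
    DisableBehaviorMonitoring                     = $false
    DisableIOAVProtection                         = $false   # scan downloads and attachments
    DisableScriptScanning                         = $false
    DisableScanningNetworkFiles                   = $false
    DisableEmailScanning                          = $false
    QuarantinePurgeItemsAfterDelay                = 15
    SubmitSamplesConsent                          = 1        # send safe samples automatically
    PUAProtection                                 = 2        # audit mode
    LowThreatDefaultAction                        = 6        # allow
    ModerateThreatDefaultAction                   = 2        # quarantine
    HighThreatDefaultAction                       = 1        # clean
    SevereThreatDefaultAction                     = 3        # remove
    DisableArchiveScanning                        = $false
    EnableLowCpuPriority                          = $true
    DisableScanningMappedNetworkDrivesForFullScan = $true
    ScanScheduleQuickScanTime                     = [timespan]'21:00:00'
    ScanParameters                                = 1        # quick scan
    ScanScheduleDay                               = 0        # every day
    ScanScheduleTime                              = [timespan]'22:00:00'
    CheckForSignaturesBeforeRunningScan           = $true
    SignatureUpdateInterval                       = 12       # hours
    UILockdown                                    = $false   # user may open the Defender app (assumed mapping)
}

# Collect every setting whose live value differs from the policy value.
$drift = foreach ($name in $expected.Keys) {
    $actual = $pref.$name
    if ("$actual" -ne "$($expected[$name])") {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
    }
}

# Engine-level sanity check: the service itself must be up for any of this to matter.
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning "Defender AV or real-time protection is not running on $env:COMPUTERNAME"
}
if ($drift) { $drift | Format-Table -AutoSize } else { "All checked settings match the policy." }
```

A non-empty drift table right after enrollment usually just means the device has not synced yet; a mismatch that persists after a sync is worth investigating, since a conflicting Group Policy or a second Intune profile can win over the settings you expect.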

That is your policy. Make sure you check out my previous article on connecting Microsoft Defender for Endpoint to Intune in the Microsoft Defender Security Center!
