Microsoft Defender has come a long way since the first few releases to become a leader in all all-things security-related. What was originally a standard antivirus solution has evolved into a full product suite.

If you are looking to configure Microsoft Defender(Endpoint protection) with Configuration Manager, see our guide that is available in our shop

This post will focus on configuring Microsoft Defender for Endpoint Security Antivirus by using Intune.

Prerequisites

• Windows 10 or Windows 11
• Aside from the Intune various licensing option you’ll need to manage your devices, there are no other requirements to use this feature.

Create Microsoft Defender for Endpoint antivirus security profiles

• Connect to the Endpoint portal
• Browse to Endpoint Security/ Antivirus

• Click Create Policy.
  • At this point, the Antivirus policies are split into 3 distinct sections.
    • Microsoft Defender Antivirus
      • This will essentially manage the core features.
    • Microsoft Defender Antivirus Exclusions
      • This will be the various exclusions that are common configurations for antivirus solutions
    • Windows Security Experience
      • This is related to user experience and gives the ability to lock down what users can see or not in the Windows 10/11 settings pane for Defender Security Antivirus.

• Without going into all the details of each setting, here are the most commonly used for the Microsoft Defender Antivirus profile. Take the time to evaluate each setting with the little information bubble.
  • Real-time Scan and Scheduled Scan

• Signature Update Interval and sources

• Remediation actions

ConfigMgr vs normal profiles

The profiles with (ConfigMgr) are made to be used with Tenant attach. This is just another way to get it configured and managed. Even if you’re environment is using ConfigMgr, it is not mandatory to use those profiles.

If you use the non-ConfigMgr profiles and have ConfigMgr with CoManagement enabled, make sure the slider for the workload about Windows Defender is set at least in Pilot to Intune. This post is focusing on the non-ConfigMgr profiles.

For more details on this method, see Microsoft docs.

• Once the profiles are created simply assign them to user/devices like any other policies in Intune.

Managing Windows Client

To validate if policies are applied, the following can be reviewed.

• Under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Policy Manager the various settings should be visible. While not all are easy to figure out, some like exclusions can be reviewed.

• In the event viewer, under Applications And Services logs/Microsoft/Windows/Windows Defender/Operational, events will show the various settings being applied as well as Definition updates processing.

Microsoft Defender Endpoint Security – Additional components

There are other sub-component under Endpoint Security that can be enabled to manage built-in components of Windows 10/11

• Disk Encryption is everything related to BitLocker management
• Firewall is to manage the Windows Firewall
• Endpoint detection and response provide near-real-time attack detection
• Attack Surface Reduction helps minimize the vulnerabilities of your environment
• Account Protection is to manage built-in groups.

Microsoft Defender for Endpoint is Defender ATP, which requires additional licenses.

Reporting

There are a few built-in reports directly in Intune.

• Browse to Reports/Endpoint Security

For more details about Microsoft Defender Endpoint Security Antivirus, see Microsoft docs