Microsoft Defender has come a long way since the first few releases to become a leader in all all-things security-related. What was originally a standard antivirus solution has evolved into a full product suite.

If you are looking to configure Microsoft Defender(Endpoint protection) with Configuration Manager, see our guide that is available in our shop

This post will focus on configuring Microsoft Defender for Endpoint Security Antivirus by using Intune.

Prerequisites

  • Windows 10 or Windows 11
  • Aside from the Intune various licensing option you’ll need to manage your devices, there are no other requirements to use this feature.
Other types of Microsoft Defender licenses

One of the most complex things about Microsoft Defender is likely the branding and associated licensing models.

The Security Antivirus included in Intune is not related to Microsoft Defender for Endpoint (aka Defender ATP).

Create Microsoft Defender for Endpoint antivirus security profiles

Microsoft Defender Endpoint Security
  • Click Create Policy.
    • At this point, the Antivirus policies are split into 3 distinct sections.
      • Microsoft Defender Antivirus
        • This will essentially manage the core features.
      • Microsoft Defender Antivirus Exclusions
        • This will be the various exclusions that are common configurations for antivirus solutions
      • Windows Security Experience
        • This is related to user experience and gives the ability to lock down what users can see or not in the Windows 10/11 settings pane for Defender Security Antivirus.
Microsoft Defender Endpoint Security
  • Without going into all the details of each setting, here are the most commonly used for the Microsoft Defender Antivirus profile. Take the time to evaluate each setting with the little information bubble.
    • Real-time Scan and Scheduled Scan
Microsoft Defender Endpoint Security
  • Signature Update Interval and sources
Microsoft Defender Endpoint Security
  • Remediation actions
Microsoft Defender Endpoint Security
ConfigMgr vs normal profiles

Microsoft Defender Endpoint Security

The profiles with (ConfigMgr) are made to be used with Tenant attach. This is just another way to get it configured and managed. Even if you’re environment is using ConfigMgr, it is not mandatory to use those profiles.

If you use the non-ConfigMgr profiles and have ConfigMgr with CoManagement enabled, make sure the slider for the workload about Windows Defender is set at least in Pilot to Intune. This post is focusing on the non-ConfigMgr profiles.

Microsoft Defender Endpoint Security

For more details on this method, see Microsoft docs.

  • Once the profiles are created simply assign them to user/devices like any other policies in Intune.

Managing Windows Client

To validate if policies are applied, the following can be reviewed.

  • Under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Policy Manager the various settings should be visible. While not all are easy to figure out, some like exclusions can be reviewed.
  • In the event viewer, under Applications And Services logs/Microsoft/Windows/Windows Defender/Operational, events will show the various settings being applied as well as Definition updates processing.

Microsoft Defender Endpoint Security – Additional components

There are other sub-component under Endpoint Security that can be enabled to manage built-in components of Windows 10/11

  • Disk Encryption is everything related to BitLocker management
  • Firewall is to manage the Windows Firewall
  • Endpoint detection and response provide near-real-time attack detection
  • Attack Surface Reduction helps minimize the vulnerabilities of your environment
  • Account Protection is to manage built-in groups.
Danger

Be careful when playing with those additional components. While the Antivirus part is fairly risk-free in most environments to roll out, those components can have a huge impact on end-users in many different forms or shapes if missed configured.

Testing is key!

Microsoft Defender for Endpoint is Defender ATP, which requires additional licenses.

Reporting

There are a few built-in reports directly in Intune.

  • Browse to Reports/Endpoint Security

For more details about Microsoft Defender Endpoint Security Antivirus, see Microsoft docs

Comments (0)