Windows Defender Policies
Microsoft's Windows Defender, now known as Microsoft Defender Antivirus, provides real-time protection of Windows devices against software threats such as viruses, malware, and spyware across email, apps, the cloud, and the web.
With Scalefusion MDM, administrators can now configure and push various Windows Defender policies to their managed Windows devices. With the Windows Defender feature, admins can configure policies ranging from scanning, real-time monitoring and signature updates to advanced ones such as cloud protection, thereby protecting the systems from malware threats.
The document below describes all Windows Defender policies and how they can be configured.
Before You Begin
- Defender policies work on Windows 10 version 1809 and above, on the Windows Pro, Business, Enterprise and Education editions.
- The devices should be enrolled in Scalefusion.
Configuring Defender Policies
- Sign in to the Scalefusion Dashboard.
- Navigate to Device Management > Device Profiles. Click on a Windows Device profile and edit, or create a new Windows Device profile.
- Once in the Device Profile wizard, click on the Settings > Windows Defender section to configure Defender policies.
- To configure Defender policies, toggle on Configure Defender Policies. This enables the various settings for configuration.
- Four baselines are provided, viz. Basic, Medium, Advanced and Custom, which become available after toggling on Configure Defender Policies.
Basic, Medium and Advanced have pre-configured policies. Select any one baseline to see its presets; once you have reviewed them, click Update Profile to enforce these settings on the device.
The Custom baseline lets admins define policies as per their requirements.
- Select Custom to fine-tune the policies as per your enterprise requirements. Once you select Custom, the various policies, categorized into sections, become available. Below is a description of the policies and the options available.
- Scan: This section lets you configure policies which apply at the time of scanning the device.
Configure scanning of archives with the following options:
Configure scanning of emails with the following options:
Full Scan On Mapped Network Drives
Configure full scan of mapped network drives with the following options:
Full Scan Removable Drive Scanning
Configure full scan of removable drives with the following options:
Scanning Network Files
Configure scanning of network files with the following options:
Check For Signatures Before Running Scan
Use this policy to manage whether a check for new virus and spyware definitions has to be done before running a scan. The following options are available:
Catchup Full Scan
Use this policy to configure catch-up scans for scheduled full scans. A catch-up scan is initiated when a regularly scheduled scan was missed because the computer was offline for two consecutive scheduled scans.
The following options are available:
Catchup Quick Scan
Use this policy to configure catch-up scans for scheduled quick scans. A catch-up scan is initiated when a regularly scheduled scan was missed.
The following options are available:
Configure a scan type with the following options:
Schedule Quick Scan Time
Specify the time of day when the Windows Defender quick scan should run. The time is entered as the number of minutes after midnight, in values such as 0, 60, 120, etc. The default is 120.
A value of 0 = 12:00 AM, a value of 60 = 1:00 AM, a value of 120 = 2:00 AM, and so on, up to a value of 1380 = 11:00 PM.
Schedule Scan Day
Select a day when the Windows Defender quick scan should run, with the following options:
For scheduled scans (quick scan or otherwise), the operating system can override the configured scan time: the scan usually runs when CPU usage on the system is low.
Average CPU Load Factor
This value represents the average CPU load factor for the Windows Defender scan (in percent). By default it is 50.
Low CPU Priority
Configure low CPU priority for scheduled scans, with the following options:
- Realtime Monitor: Configure policies for real-time monitoring.
Use this setting to configure Windows Defender Real-time Monitoring functionality. The following options are available:
Use this setting to configure Windows Defender Behavior Monitoring functionality. Following options are available:
Use this setting to configure Windows Defender IOAV Protection functionality. Following options are available:
Intrusion Prevention System
Use this setting to configure Windows Defender Intrusion Prevention functionality. Following options are available:
On Access Protection
Use this setting to configure Windows Defender On Access Protection functionality. Following options are available:
With this you can configure and specify the level of detection for potentially unwanted applications (PUAs), with the following options:
Real-Time Scan Direction
Specify the configuration that can be used to monitor specific files, with the following options:
- Exclusions: Use this section to configure policies for excluding extensions, paths, processes etc. at the time of scan.
Use this setting to specify a list of file type extensions to ignore during a scan. Each extension in the list must be separated by a |. For example, "lib|obj".
Use this setting to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, "C:\Example|C:\Example1".
Use this setting to specify a list of processes whose opened files are ignored during a scan. Each process path must be separated by a |. For example, "C:\Example.exe|C:\Example1.exe".
- Signature Updates: In this section you can set configurations related to signature updates.
Signature Update Interval
Use this setting to specify the interval (in hours) at which the device checks for new signatures. The value can be between 0 and 24, where 0 means no check for new signatures, 1 means check every hour, and so on.
The default value is 8.
Signature Update File Shares Sources
This allows you to configure UNC file share sources for downloading definition updates. Sources are contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources.
For example: \\unc1\Signatures | \\unc2\Signatures
Signature Update Fallback Order
This allows you to define the order in which different definition update sources should be contacted.
The following values are available:
Multiple values can be selected.
- Windows Defender Exploit: In this section you can configure policies on Attack Surface reduction rules, folder access, network protection and more.
Attack Surface Reduction Rules
This policy sets the state (Block/Audit/Off) of each Attack Surface Reduction (ASR) rule. Each entry must be listed as a name-value pair: the name is a valid ASR rule ID, and the value is the status ID indicating the state of the rule.
For more information on Attack Surface Reduction rules, refer to Microsoft's documentation.
Attack Surface Reduction Only Exclusions
This policy setting prevents Attack Surface Reduction rules from matching on files under the specified paths or on the specified fully qualified resources. Paths should be added under the Options for this setting.
As an example, a path might be defined as "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as "C:\Whitelisted.exe".
Controlled Folder Access
Use this setting to configure the state (On/Off/Audit) for the controlled folder access feature.
Controlled Folder Access Protected Folders
Use this setting to add user-specified folder locations to the controlled folder access feature. These folders complement the system-defined folders such as My Documents and My Pictures.
Controlled Folder Access Allowed Applications
Use this setting to add user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow that application to modify or delete content in protected folders such as My Documents.
Use this setting to turn network protection on (Block/Audit) or off.
- Advanced: This section contains advanced policies on cloud protection etc. that you can configure.
Use this setting to control whether Windows Defender sends information to Microsoft about any problems it finds. The following options are available:
Submit Samples Consent
This setting configures the user consent level in Windows Defender for sending samples, with the following options:
Cloud Block Level
This allows you to set a blocking level that determines how aggressive Microsoft Defender Antivirus is in blocking and scanning suspicious files. The following options are available:
Cloud Extended Timeout
Specify the maximum time (in seconds) for which Microsoft Defender Antivirus can block a suspicious file while it is scanned in the cloud to make sure it is safe. By default the time is set to 10. It can be set up to 60.
Configure Windows Defender Script Scanning functionality with the following options:
User UI Access
Use this setting to control user access to the Windows Defender UI. If access is disallowed, all Windows Defender notifications are also suppressed. The following options are available:
Threat Severity Default Action
With this setting you can specify threat severity levels and the corresponding default action ID to take for each.
The value is a list of threat severity level IDs and their corresponding actions, separated by a |.
By default the value is 2-2.
Days To Retain Cleaned Malware
Specify the time period (in days) for which quarantined items are stored on the system. The default value is 0, which keeps items in quarantine and does not automatically remove them. The value can be between 0 and 90.
- Once you have configured the Windows Defender policies, click Update Profile to save these settings. The changes are automatically pushed to the devices to which this profile is applied.
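After the profile is pushed, it is worth confirming on a device that the Custom baseline actually landed, particularly the exclusion lists, since an exclusion that exists on the device but not in the profile is a gap in coverage. The following PowerShell script is an added verification example, not Scalefusion's or Microsoft's own code; it assumes the Defender PowerShell module (Get-MpPreference) is present, and the expected values are constructed from the examples on this page (quick scan at 120 minutes, an 8-hour signature interval, the sample exclusion strings).

```powershell
# Added verification script (not Scalefusion's or Microsoft's code). It compares values
# typed into a Custom Defender baseline with what Get-MpPreference reports on the device.
# Run in an elevated PowerShell session on an enrolled Windows 10 1809+ device.

# Expected values, constructed from this page's own examples; edit to match your profile.
$Expected = @{
    QuickScanMinutes     = 120                         # "Schedule Quick Scan Time": minutes after midnight
    SignatureIntervalHrs = 8                           # "Signature Update Interval"
    CloudTimeoutSec      = 10                          # "Cloud Extended Timeout"
    RealtimeMonitoring   = $true                       # "Realtime Monitor" enabled
    ExcludedExtensions   = 'lib|obj'                   # pipe-separated, exactly as entered
    ExcludedPaths        = 'C:\Example|C:\Example1'
    ExcludedProcesses    = 'C:\Example.exe|C:\Example1.exe'
}

# Split a dashboard-style "a|b|c" string and diff it against the array the device reports.
function Compare-PipeList([string]$Entered, [string[]]$OnDevice) {
    $want = @($Entered -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $have = @($OnDevice)
    [pscustomobject]@{
        Missing = @($want | Where-Object { $have -notcontains $_ })   # profile value not applied
        Extra   = @($have | Where-Object { $want -notcontains $_ })   # exclusion nobody asked for: investigate
    }
}

$p = Get-MpPreference   # effective Defender settings on this device

# Scalar settings: the dashboard stores quick scan time in minutes, the device shows a TimeSpan.
$rows = @(
    [pscustomobject]@{ Setting = 'Quick scan time';     Expected = [TimeSpan]::FromMinutes($Expected.QuickScanMinutes); Actual = $p.ScanScheduleQuickScanTime }
    [pscustomobject]@{ Setting = 'Signature interval';  Expected = $Expected.SignatureIntervalHrs;  Actual = $p.SignatureUpdateInterval }
    [pscustomobject]@{ Setting = 'Cloud timeout (s)';   Expected = $Expected.CloudTimeoutSec;       Actual = $p.CloudExtendedTimeout }
    [pscustomobject]@{ Setting = 'Realtime monitoring'; Expected = $Expected.RealtimeMonitoring;    Actual = (-not $p.DisableRealtimeMonitoring) }
)
$rows | ForEach-Object { $_ | Add-Member -NotePropertyName Match -NotePropertyValue ($_.Expected -eq $_.Actual) -PassThru } |
    Format-Table -AutoSize

# Exclusions reduce what Defender inspects, so report drift in both directions.
foreach ($pair in @(
    @('Extensions', $Expected.ExcludedExtensions, $p.ExclusionExtension),
    @('Paths',      $Expected.ExcludedPaths,      $p.ExclusionPath),
    @('Processes',  $Expected.ExcludedProcesses,  $p.ExclusionProcess))) {
    $d = Compare-PipeList -Entered $pair[1] -OnDevice $pair[2]
    '{0}: missing [{1}] extra [{2}]' -f $pair[0], ($d.Missing -join ', '), ($d.Extra -join ', ')
}
```

Any row with Match = False, or any non-empty "extra" exclusion, indicates the device's effective state differs from the profile and should be checked before trusting the baseline.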