Windows Defender Policies
  • 27 Sep 2023
  • 10 Minutes to read
  • PDF

Windows Defender Policies

  • PDF

Article summary

Microsoft's Windows Defender, now known as Microsoft Defender Antivirus provides real-time protection of Windows devices against software threats like viruses, malware, and spyware across email, apps, cloud, and the web.

With Scalefusion MDM, administrators can now configure and push various Windows Defender policies on their managed Windows devices. With Windows Defender feature, admins can configure policies ranging from scanning, real-time monitoring, signature updates to certain advanced ones like cloud protection and more, thereby protecting the systems from malware threats.

The document below describes all Windows Defender policies and how they can be configured.

Before You Begin

  1. Defender policies work on Windows 10 version 1809 and above, and on Windows Pro, Business, Enterprise, Education editions.
  2. The devices should be enrolled.

Configuring Defender Policies

  1. Sign In to Scalefusion Dashboard
  2. Navigate to Device Profiles & Policies > Device Profiles. Click on a Windows Device profile and edit, or create a new Windows Device profile.
  3. Once in the Device Profile wizard, click on the Settings > Security Settings > Windows Defender section to configure Defender policies.
  4. To configure Defender policies, toggle ON Configure Defender Policies. This allows you to start configuring various settings and also prompt the end users that they need to configure policies.
  5. There are four baselines provided here, viz Basic, Medium, Advanced and Custom which get enabled after toggling on Configure Defender Policies.
  6. Select Custom, to finetune the policies as per your enterprise requirements. Once you select Custom, the various policies categorized into sections get enabled. Below is a description of the policies and the options available.
    Note:
    To learn more about Windows Defender policies, please visit Policy CSP - Defender
    1. Scan: This section lets you configure policies which apply at the time of scanning the device.

      Setting

      Description

      Archive Scanning

      Configure scanning of archives with the following options:

      • Block (default) - Blocks scanning of archived files
      • Allow - Scans archived files
      • User Control - User controls scanning of archives

      Email Scanning

      Configure scanning of emails with the following options:

      • Block (default) - Blocks scanning of emails
      • Allow - Scans emails
      • User Control - User controls scanning of emails

      Full Scan OnMapped Network Drives

      Configure full scan of mapped network drives with the following options:

      • Block (default) - Blocks scanning of mapped network drives
      • Allow - Scans mapped network drives
      • User Control - User controls scanning of mapped network drives

      Full Scan Removable Drive Scanning

      Configure full scan of removable drives with the following options:

      • Block - Blocks scanning of removable drives
      • Allow (default) - Scans removable drives
      • User Control - User controls scanning of removable drives

      Scanning Network Files

      Configure scanning of network files with the following options:

      • Block (default) - Blocks scanning of network files
      • Allow - Scans network files
      • User Control - User controls scanning of network files

      Check For Signatures Before Running Scan

      Use this policy to manage whether a check for new virus and spyware definitions have to be done before running a scan. Following options are available:

      • Disabled (default) - The scan will start using the existing definitions
      • Enabled - A check for new definitions will occur before running a scan
      • User Control - User controls whether a check for new definitions has to be performed or not.

      Catchup Full Scan

      Use this policy to configure catch-up scans (for scheduled full scans) which is initiated because a regularly scheduled scan was missed if a computer is offline for two consecutive scheduled scans.

      Following options are available:

      • Disabled (default) - Catchup scans for scheduled full scan do not take place.
      • Enabled - Catch-up scans for scheduled full scans will be turned on
      • User Control - User controls whether to perform catch-up scans for scheduled full scans.

      Catchup Quick Scan

      Use this policy to configure catch-up scans (for scheduled quick scans) which is initiated because a regularly scheduled scan was missed.

      Following options are available:

      • Disabled (default) - Catchup scans for scheduled quick scan do not take place.
      • Enabled - Catch-up scans for scheduled quick scans will be turned on
      • User Control - User controls whether to perform catch-up scans for scheduled quick scans.

      Scan Parameter

      Configure a scan type with the following options:

      • Quick Scan (default) - Performs quick scan
      • Full Scan - Performs full scan
      • User control - User controls quick scan or full scan

      Schedule QuickScan Time

      Specify the time of day when the Windows Defender quick scan should run. Time has to be entered in the form of values like 0, 60, 120 etc. By default it is 120.

            A value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM

      Schedule Scan Day

      Select a day when the Windows Defender quick scan should run, with the following options:

      • EveryDay (default)
      • Sunday
      • Monday
      • Tuesday
      • Wednesday
      • Thursday
      • Friday
      • Saturday
      • No Scheduled - No scheduled scan


             For scheduled scans (quick scan or otherwise), the operating system can override the scan time. The scan usually runs when the CPU usage is low on the system.

      Average CPU Load Factor

      This value represents the average CPU load factor for the Windows Defender scan (in percent). By default it is 50.

      Low CPU Priority

      Configure low CPU priority for scheduled scans, with the following options;

      • Enabled - Low CPU priority is used during scheduled scans
      • Disabled (default) - No changes are made to CPU priority for scheduled scans
      • User Control - User controls the low CPU priority for scheduled scans
    2. Realtime Monitor: Configure policies for real time monitoring.
    3. Setting

      Description

      Realtime Monitoring

      Use this setting to configure Windows Defender Realtime Monitoring functionality. Following options are available:

      • Allow (default) - Runs the real-time monitoring service
      • Block - Turns off the real-time monitoring service
      • User Control - User controls whether to run realtime monitoring service or not

      Behavior Monitoring

      Use this setting to configure Windows Defender Behavior Monitoring functionality. Following options are available:

      • Allow (default) - Turns on the real-time Behavior monitoring service
      • Block - Turns off the Behavior monitoring service
      • User Control - User controls whether to run Behavior monitoring service or not

      IOAV Protection

      Use this setting to configure Windows Defender IOAV Protection functionality. Following options are available:

      • Allow (default) - Allows IOAV Protection
      • Block - Disallows IOAV Protection
      • User Control - User controls whether to allow or block IOAV Protection

      Intrusion Prevention System

      Use this setting to configure Windows Defender Intrusion Prevention functionality. Following options are available:

      • Allow - Allows Intrusion Prevention
      • Block (default) - Disallows Intrusion Prevention
      • User Control - User controls whether to allow or block Intrusion Prevention

      On Access Protection

      Use this setting to configure Windows Defender On Access Protection functionality. Following options are available:

      • Allow (default) - Allows On Access Protection
      • Block - Disallows On Access Protection
      • User Control - User controls whether to allow or block On Access Protection

      PUA Protection

      With this you can configure and specify the level of detection for potentially unwanted applications (PUAs), with the following options:

      • Protection On (default) - Windows Defender protects against potentially unwanted applications by blocking detected items. They will show in history along with other threats.
      • Protection Off - Windows Defender does not protect against potentially unwanted applications
      • Audit Mode - Windows Defender will detect potentially unwanted applications, but take no action.
      • User Control - User controls whether to protect against potentially unwanted applications or not.

      Real-Time Scan Direction

      Specify the configuration that can be used to monitor specific files, with the following options:

      • Monitor All Files (default) - Monitors all files
      • Monitor Incoming Files - Monitors only incoming files
      • User Control - User controls which files are to be monitored
    4. Exclusions: Use this section to configure policies for excluding extensions, paths, processes etc. at the time of scan.

      Setting

      Description

      Excluded Extensions

      Use this setting to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, "lib|obj".

      Excluded Paths

      Use this setting to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, "C:\Example|C:\Example1".

      Excluded Processes

      Use this setting to specify a list of files opened by processes to ignore during a scan. Each file type must be separated by a |. For example, "C:\Example.exe|C:\Example1.exe".

    5. Signature Updates: In this section you can set configurations related to signature updates.

      Setting

      Description

      Signature Update Interval

      Use this setting to specify the interval (in hours) that will be used to check for signatures. The value can be between 0-24 where 0 means no check for new signatures, a value of 1 means to check every hour and so on.

      By default, value is 8.

      Signature UpdateFile Shares Sources

      This allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources.

      For example: \unc1\Signatures | \unc2\Signatures

      Signature Update Fallback Order

      This allows you to define the order in which different definition update sources should be contacted.

      Following are the values:

      • Internal Definition Update Server
      • Microsoft Update Server
      • MMPC
      • File Shares
           Multiple values can be selected
    6. Windows Defender Exploit: In this section you can configure policies on Attack Surface reduction rules, folder access, network protection and more.

      Setting

      Description

      Attack Surface Reduction Rules

      This policy enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.

      For more information on Attack Surface Reduction Rules, visit here

      Attack Surface Reduction Only Exclusions

      This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting.

      As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Allowed.exe"..

      Controlled Folder Access

      Use this setting to configure the state (On/Off/Audit) for the controlled folder access feature.

      • Enabled - If enabled, this feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents.
      • Disabled (default) - Does not remove modify and delete permissions from untrusted applications
      • Audit Mode - Identifies untrusted applications but no action is taken
      • User Control - User controls whether controlled folder access features.

      Controlled FolderAccess Protected Folders

      Use this setting to allow user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. 

      Controlled Folder Access Allowed Applications

      This allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents.

      Network Protection

      Use this setting to configure turning network protection on (block/audit) or off.

      • Enabled (default) - Protects users using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet.
      • Disabled - Users/apps will not be blocked from connecting to dangerous domains.
      • Audit Mode - Users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.
      • User Control - User controls network protection behavior
    7. Advanced: This section contains advanced policies on cloud protection etc. that you can configure.

      Setting

      Description

      Cloud Protection

      Use this setting to control if Windows Defender should send information to Microsoft about any problems it finds. Following options are available:

      • Allow (default) - Turns on the Microsoft Active Protection Service
      • Block - Turns off the Microsoft Active Protection Service
      • User Control - User controls if the service has to be allowed or not

      Submit Samples Consent

      This setting checks for the user consent level in Windows Defender to send data, with following options:

      • Send Safe Sample Automatically (default)
      • Never Send
      • Send All Sample Automatically
      • Always Prompt
      • User Control

      Cloud Block Level

      This allows you to set a blocking level regarding how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Following options are available:

      • High (default) - aggressively blocks unknowns while optimizing client performance
      • Aggressively - aggressively blocks unknowns and apply additional protection measures
      • Zero Tolerance - blocks all unknown executables
      • Default - Default windows defender blocking level
      • User Control - User controls in setting the blocking level

      Cloud Extended Timeout

      Specify the time (in seconds) limit up to which Microsoft Defender Antivirus can block a suspicious file, and scan it in the cloud to make sure it's safe. By default time is set to 10. It can be set up to 60.

      Script Scanning

      Configure Windows Defender Script Scanning functionality with the following options:

      • Allow (default) - Allows script scanning
      • Block - Disallows script scanning
      • User Control - User controls script scanning

      User UI Access

      Use this setting to control user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. Following options are available:

      • Allow (default) - Allows users to access UI
      • Block - Prevents users from accessing UI
      • User Control - User controls access to UI

      Threat Severity Default Action

      With this you can specify any valid threat severity levels and the corresponding default action ID to take.

      This value is a list of threat severity level IDs and corresponding actions, separated by a |

      By default the level is set to 2-2

      Days To Retain Cleaned Malware

      Specify the time period (in days) for which quarantine items will be stored on the system. The default value is 0, which keeps items in quarantine, and does not automatically remove them. It can be between 0-90.

  7. Once you have configured Windows Defender policies, click on Update Profile to save these settings. The changes will be automatically pushed to the devices where this profile is applied.

Was this article helpful?