Windows 10: Managing Windows Defender With Intune

Since Microsoft released support for managing Windows 10 through Intune, we have been able to manage the Defender settings through custom OMA-URI settings in the Intune portal. The experience has been OK, but not optimal.

In the latest Intune update it is now possible to manage all the Windows Defender settings directly from the General Windows 10 policy template. In this blog post I will show how this new feature works.

I have a Windows 10 Azure AD joined machine that is managed by Intune. Go into the Intune portal – Policy – Configuration Policies and create a new General Configuration (Windows 10 Desktop and Mobile and later) policy. Note that the Windows Defender policy settings only apply to desktops, not to Windows 10 Mobile.

Defender001

The Defender settings are found far down in the list of policy settings, under the category Endpoint Protection.

Defender002

As you can see there are a lot of settings to consider, and I will explain what each setting does. Each setting that you choose to configure is enforced on the client itself, and the user will not be able to change it afterwards. This is how a policy should work, of course.

Allow real-time monitoring
This setting enables real-time scanning for malware, spyware, and other unwanted software.

Allow behavior monitoring
This setting will configure Defender to check for certain known patterns of suspicious activity on devices.

Enable Network Inspection System
This setting will enable the Network Inspection System in Defender. The Network Inspection System (NIS) helps to protect devices against network-based exploits by using the signatures of known vulnerabilities from the Microsoft Endpoint Protection Center to help detect and block malicious traffic.

Scan all downloads
This setting controls whether Defender scans all files downloaded from the Internet.

Allow script scanning
Lets Defender scan scripts that are used in Internet Explorer.

Monitor file and program activity
This setting configures Defender to monitor file and program activity on devices. Available options are: Monitor only incoming files, Monitor only outgoing files, Monitor all files. Only the last option covers both directions.

Days to track resolved malware
This setting configures Defender to keep tracking resolved malware for the number of days you specify, so that you can manually check previously affected devices. If you set the number of days to 0, items remain in the Quarantine folder and are never removed automatically. Any other value removes them from Quarantine after that number of days.

Allow client UI access
This setting controls whether the Windows Defender user interface is available to end users. A change to this setting takes effect the next time the end user's PC is restarted.

Schedule a daily quick scan
This setting lets you schedule a quick scan that occurs daily at the time you select.

Schedule a system scan
This setting lets you schedule a full or quick system scan that occurs regularly on the day and time you select.

Limit CPU usage during a scan
Lets you limit the amount of CPU that scans are allowed to use (a percentage from 1 to 100).

Scan archive files
This setting allows Defender to scan archive files such as Zip or Cab files.

Scan email messages
This setting allows Defender to scan email messages as they arrive on the device.

Scan removable drives
This setting lets Defender scan removable drives like USB sticks.

Scan mapped network drives
This setting lets Defender scan files on mapped network drives.

If the files on the drive are read-only, Defender will be unable to remove any malware found in them.

Scan files opened from network shared folders
This setting lets Defender scan files on shared network drives (for instance, those accessed from a UNC path).

The same caveat applies here: if the files on the share are read-only, Defender will be unable to remove any malware found in them.

Signature update interval
This setting specifies the interval, in hours, at which Defender checks for new signature files. I recommend setting it so that signatures are updated at least twice a day.

Allow cloud protection
This setting allows or blocks the Microsoft Active Protection Service (MAPS) from receiving information about malware activity from the devices you manage. That information is used to improve the service. Note that blocking it also stops the client from asking the cloud service about suspicious files it has no local signature for, so leave it enabled unless you have a specific data handling reason not to.

Prompt users for samples submission
Controls whether files that might require further analysis by Microsoft, to determine if they are malicious, are sent to Microsoft automatically.

Files and folders to exclude when running a scan or using real-time protection
Add one or more files or folders, such as C:\Path or %ProgramFiles%\Path\filename.exe, to the exclusions list. These files and folders will not be included in any real-time or scheduled scans. Keep this list as short as possible: anything you exclude becomes a place where malware can sit unscanned, and the list is readable by the local user in the Settings app, as shown at the end of this post.

File extensions to exclude when running a scan or using real-time protection
Add one or more file extensions, such as jpg or txt, to the exclusions list. Any files with these extensions will not be included in any real-time or scheduled scans. Never exclude executable or script extensions such as exe, dll, ps1 or js.

Processes to exclude when running a scan or using real-time protection
Add one or more processes of the type .exe, .com, or .scr to the exclusions list. Files opened by these processes will not be included in any real-time or scheduled scans. Note that the process executable itself is still scanned, so this is not a way to whitelist a program.

That concludes the settings. I will close this blog post by showing how a few of these settings look on the computer after the policy has been applied.

First I will show how Defender looks in the Settings app after the policy is applied.

Defender003

As you can see, “Some settings are managed by your organization” is shown and I have no option to change these settings.

Next I try to open the Defender UI, which I have configured to be unavailable to the end user. The result is as expected.

Defender004

And finally I will show the File extensions to exclude when running a scan or using real-time protection policy. I have added an extension called “testfile” in my policy, and this is visible to the users in the Settings app as well.

Defender005

Here you can see that the file extension “testfile” has been excluded and that I am not able to add or change any of these settings.
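The Settings app only shows part of the picture. As an added example (not part of the original post, and not Microsoft's code), here is a PowerShell script you can run in an elevated session on the client to confirm the same from the command line using the Defender module (Get-MpPreference and Get-MpComputerStatus). The $Baseline table is an assumed policy that mirrors the settings described above, so edit it to match your own Intune policy; the PolicyManager registry path at the end is where the Intune-delivered values appeared on my lab machine and is an assumption you should verify in your environment.

```powershell
# Added example (not from the original post, not Microsoft's code): verify that
# the Intune Endpoint Protection policy is in effect on a managed Windows 10
# client. Run in an elevated PowerShell session on the client.
#
# ASSUMPTION: $Baseline mirrors the settings described above; change it to match
# what you actually configured. Keys are Get-MpPreference property names, the
# comment on each line gives the name used in the Intune portal.
$Baseline = [ordered]@{
    DisableRealtimeMonitoring        = $false   # Allow real-time monitoring
    DisableBehaviorMonitoring        = $false   # Allow behavior monitoring
    DisableIntrusionPreventionSystem = $false   # Enable Network Inspection System
    DisableIOAVProtection            = $false   # Scan all downloads
    DisableScriptScanning            = $false   # Allow script scanning
    DisableArchiveScanning           = $false   # Scan archive files
    DisableRemovableDriveScanning    = $false   # Scan removable drives
    DisableScanningNetworkFiles      = $false   # Scan files opened from network shared folders
    UILockdown                       = $true    # Allow client UI access (blocked for users)
    SignatureUpdateInterval          = 12       # Signature update interval in hours (twice a day)
    MAPSReporting                    = 2        # Allow cloud protection (2 = Advanced MAPS)
    QuarantinePurgeItemsAfterDelay   = 30       # Days to track resolved malware
}

$Pref   = Get-MpPreference
$Status = Get-MpComputerStatus

# 1. Compare every effective preference with the intended value.
$Drift = foreach ($Name in $Baseline.Keys) {
    $Actual = $Pref.$Name
    [pscustomobject]@{
        Setting  = $Name
        Expected = $Baseline[$Name]
        Actual   = $Actual
        Ok       = ($Actual -eq $Baseline[$Name])
    }
}
$Drift | Format-Table -AutoSize
if ($Drift.Ok -contains $false) {
    Write-Warning 'One or more settings do not match the intended policy.'
}

# 2. Audit the exclusions. They are the easiest way to weaken Defender, and a
#    standard user can read them in the Settings app (see the last screenshot).
$RiskyExtensions = 'exe','dll','com','scr','ps1','vbs','js','bat','cmd','msi'
foreach ($Ext in $Pref.ExclusionExtension) {          # loops zero times when empty
    if ($RiskyExtensions -contains $Ext.TrimStart('.').ToLower()) {
        Write-Warning "Excluded extension '$Ext' covers executable or script content."
    }
}
foreach ($Path in $Pref.ExclusionPath) {
    # Whole drives, %TEMP%, and user-writable Temp/Downloads/Public folders are red flags.
    if ($Path -match '^[A-Za-z]:\\?$' -or
        $Path -match '(?i)^%(TEMP|TMP)%' -or
        $Path -match '(?i)\\(Temp|Downloads|Public)(\\|$)') {
        Write-Warning "Excluded path '$Path' is broad or user-writable."
    }
}
Write-Host "Excluded processes: $(@($Pref.ExclusionProcess) -join ', ')"

# 3. Is protection actually running, with fresh signatures?
if (-not $Status.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is OFF.' }
if ($Status.AntivirusSignatureAge -gt 1) {
    Write-Warning "Signatures are $($Status.AntivirusSignatureAge) day(s) old."
}

# 4. Confirm the values were delivered by MDM rather than set locally.
#    ASSUMPTION: this PolicyManager key is where the Intune Defender values
#    showed up on my lab machine; confirm the path in your own environment.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
if (Test-Path $PolicyKey) {
    Get-ItemProperty $PolicyKey | Select-Object -Property * -ExcludeProperty PS*
} else {
    Write-Warning "No MDM-delivered Defender policy found under $PolicyKey."
}
```

Run it once right after the policy has applied and again after a restart, since the UI lockdown only takes effect after a reboot. Any row with Ok = False in the first table, or any warning from the exclusion audit, is worth a second look in the Intune portal before you roll the policy out to more machines.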

Take care and protect your Windows 10 PCs with Intune.
