In this post, we’ll see how to configure Windows Defender Antivirus using Microsoft Intune. There are many settings you can configure for Windows Defender Antivirus, and listing and discussing all of them is beyond the scope of this post; you can visit https://docs.microsoft.com/en-us/intune/configuration/device-restrictions-windows-10 and check the Microsoft Defender Antivirus section for details. The reason I am configuring this is to exempt one folder from real-time scanning. This folder will be used to keep some files which might be malicious.
Existing setup done:
- Two Local users created
- Azure AD Connect configured
- Seamless Single Sign-On (IE) configured
- Seamless Single Sign-On (Firefox) configured
- Hybrid Azure AD Join configured
- Intune enrollment – Domain Joined Windows 10 devices
- Azure AD Join
- Office 365 Pro Plus Application
- Sample SharePoint Team Site
- OneDrive Known Folder Migration and SharePoint library sync
- Copy necessary files (Win32 App)
- Set Desktop Background, Lock Screen and Screensaver
- Adding applications to StartUp folder
- Adding some 3rd Party applications (Browsers)
- Microsoft Store for Business configuration and integration and Store Apps.
- Windows Defender Application Guard configuration
- Extend Application Guard to Mozilla Firefox and Google Chrome
Lab machines:
- SkyDC: Machine with ADDS, DNS, DHCP roles
- SkyCON: Machine where we will install Azure AD Connect
- SkyCM: Machine with Configuration Manager Current Branch
- SkyTEN1: Domain Joined Windows 10 machine
- SkyTEN2: Domain Joined Windows 10 machine
- SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
- SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
Log in to the Azure portal.
Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.
Enter appropriate Name and Description. I have entered:
Name: Win 10 WDAV Policy
Description: Windows 10 : Windows Defender Antivirus Policy
In Platform, select Windows 10 and later.
In Profile type, select Device restrictions.
Configure the settings appropriately and click OK.
If you leave a setting as Not configured, Intune does not touch it. For most of the Defender settings in this profile, the OS turns the feature ON by default and allows the user to change it.
If you configure a setting and later change it back to Not configured, Intune does not revert it; the device keeps the value Intune last applied.
So even if you do not explicitly enable any settings, most of them are already enabled by the OS by default.
For more detailed information on each setting, check the section “Microsoft Defender Antivirus” in the Microsoft article linked at the start of this post.
For example, to block access to the Antivirus section of the Microsoft Defender Security Center, set End-user access to Defender to Block. I have not enabled this setting.
Note: The primary reason we are configuring this policy is to add a folder to the exclusion list. This folder will be used in subsequent labs for testing some features, and the exclusion makes sure the antivirus engine does not quarantine or delete those files.
Click on Microsoft Defender Antivirus Exclusions.
In Files and folders, enter one test folder path and click Add. In my case, it’s C:\Lab.
Note: Please do NOT do this in production; it is only for testing certain features. An excluded folder is a blind spot: nothing placed in it is inspected by real-time protection, scheduled scans or on-demand scans, and attackers routinely look for such exclusions as a place to stage their tooling.
Click on Create.
Click on Assignments and select the appropriate target.
I have selected All Devices.
After the assignment is selected, click Save to deploy the policy.
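The same profile and assignment can be created without clicking through the portal. The following PowerShell is an added example, not part of the original post or of any Microsoft script: it uses the Microsoft Graph PowerShell SDK (assumed installed with Install-Module Microsoft.Graph) and an account that can consent to DeviceManagementConfiguration.ReadWrite.All. Device restrictions profiles for Windows 10 are exposed in Graph as windows10GeneralConfiguration objects, so only the exclusion property is set and every other Defender setting stays Not configured, exactly as in the portal walkthrough.

```powershell
# Added example: build the "Win 10 WDAV Policy" Device restrictions profile via Microsoft Graph
# and assign it to All Devices. Assumes the Microsoft.Graph module is installed and the
# signed-in account can grant DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# A Windows 10 Device restrictions profile is a windows10GeneralConfiguration.
# Only the files/folders exclusion is specified; everything else stays "Not configured".
$body = @{
    '@odata.type'                    = '#microsoft.graph.windows10GeneralConfiguration'
    displayName                      = 'Win 10 WDAV Policy'
    description                      = 'Windows 10 : Windows Defender Antivirus Policy'
    defenderFilesAndFoldersToExclude = @('C:\Lab')   # lab folder only, never do this in production
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign to All Devices, the same choice made in the portal.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the profile back and confirm the exclusion list is exactly what we intended.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)"
$check.defenderFilesAndFoldersToExclude
```

The final GET is the part worth keeping in any automation: it shows the effective exclusion list as Intune holds it, which is what you want to audit periodically, since an exclusion added "just for a lab" tends to outlive the lab.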
Sync the machine (on the device: Settings > Accounts > Access work or school > select the account > Info > Sync; or use Sync on the device’s page in Intune).
Open Microsoft Defender Security Center.
Click on Virus & threat protection.
Click on Manage settings.
Scroll down and click on Add or remove exclusions.
The folder we added in the policy is listed in the exclusion list.
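Seeing the folder in the Security Center UI only proves the policy arrived; it does not prove the engine is honouring it. The script below is an added example (not from the original post, and Test-DefenderExclusion is a helper name chosen here, not a Defender or Intune cmdlet) that checks both: it reads the effective exclusion list with Get-MpPreference, then drops the harmless, industry-standard EICAR test pattern into C:\Lab and into a non-excluded control folder. It assumes the excluded folder is C:\Lab and that it is run from an elevated PowerShell on the Intune-managed device.

```powershell
# Added example: verify that the Intune-delivered C:\Lab exclusion is both listed and effective.
# Run as administrator on the managed device. Helper name and control folder are our own choices.
function Test-DefenderExclusion {
    param(
        [string]$ExcludedFolder = 'C:\Lab',
        # Control folder that is NOT excluded, so we can watch the detection fire there.
        [string]$ControlFolder  = (Join-Path $env:TEMP 'wdav-exclusion-check')
    )

    # 1. Policy check: the folder must appear in the effective Defender preferences.
    #    Compare without a trailing backslash and case-insensitively, as the list may differ in form.
    $prefs  = Get-MpPreference
    $listed = [bool]($prefs.ExclusionPath |
        Where-Object { $_.TrimEnd('\') -ieq $ExcludedFolder.TrimEnd('\') })

    # 2. Behaviour check is only meaningful while real-time protection is on.
    if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
        return [pscustomobject]@{ Listed = $listed; Verified = $false; Reason = 'Real-time protection is off' }
    }

    # EICAR test string, assembled at run time so this script file is not itself flagged.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    New-Item -ItemType Directory -Path $ExcludedFolder, $ControlFolder -Force | Out-Null
    $inside  = Join-Path $ExcludedFolder 'eicar.txt'
    $outside = Join-Path $ControlFolder  'eicar.txt'
    [IO.File]::WriteAllText($inside, $eicar)
    # Defender may block the control write outright or quarantine the file just after it lands;
    # either way the file should not survive.
    try { [IO.File]::WriteAllText($outside, $eicar) } catch { }

    # Give real-time protection a moment to act, then look at what is left on disk.
    Start-Sleep -Seconds 10
    $insideSurvived  = Test-Path $inside
    $outsideSurvived = Test-Path $outside
    $controlDetected = [bool](Get-MpThreatDetection |
        Where-Object { $_.Resources -like "*$outside*" })

    # Clean up. Note that Defender will never remove the copy inside the excluded folder;
    # that has to be done by hand, which is exactly why such exclusions are dangerous in production.
    Remove-Item $inside, $outside -Force -ErrorAction SilentlyContinue

    # Expected when the exclusion works: the C:\Lab copy is untouched, the control copy is gone.
    [pscustomobject]@{
        Listed          = $listed
        InsideSurvived  = $insideSurvived
        OutsideSurvived = $outsideSurvived
        ControlDetected = $controlDetected
        Verified        = $listed -and $insideSurvived -and (-not $outsideSurvived)
    }
}

Test-DefenderExclusion | Format-List
```

If Listed is true but InsideSurvived is false, the policy was delivered but something else (another AV product, an on-access scanner, a conflicting GPO) is still scanning the folder; if OutsideSurvived is true as well, real-time protection is not actually catching anything and the "exclusion" proves nothing. Either way the UI alone would not have told you.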