Microsoft Defender Antivirus Policies with Intune

 

Defender Antivirus is built into Windows and tightly integrated with Microsoft 365, but it’s not enough to just “have it installed.”

If you’re managing devices with Intune, you should be using Defender AV policies to enforce protection, control exclusions, and align with Microsoft’s recommended baselines.

In this guide, we’ll walk through:

  • How Defender AV fits into the endpoint security stack
  • Where to configure Defender policies in Intune
  • What to include in your baseline
  • Exclusion rules to be careful with
  • How to monitor and audit results

Defender Antivirus vs. Defender for Endpoint

Let’s clarify the difference:

  • Defender Antivirus: The anti-malware engine running locally on Windows. This is what you configure with Intune AV policies.
  • Defender for Endpoint: The cloud-based XDR solution that analyzes alerts and reports risk.

Even if you don’t have Defender for Endpoint licenses, you can still manage Defender Antivirus centrally using Intune.

Where to Configure Defender Antivirus in Intune

Steps:

  1. Go to Intune Admin Center > Endpoint security > Antivirus
  2. Click + Create Policy
  3. Choose: Platform: Windows 10 and Later & Profile: Microsoft Defender Antivirus
  4. Configure settings such as:

  • Real-time protection
  • Cloud-delivered protection
  • Automatic sample submission
  • Scheduled scans
  • Exclusions (files, folders, processes)

Assign the policy to your device groups and monitor deployment status.

Article content

Recommended Baseline Settings

If you want a secure starting point, Microsoft’s Security Baselines for Defender AV are a great reference.

Key settings to include:

  • Enable real-time protection
  • Enable behavior monitoring
  • Enable cloud-based protection
  • Disable scanning of mapped network drives
  • Require daily quick scans
  • Set scan time during off-hours
  • Submit unknown samples automatically
  • Turn off end-user tampering (e.g., disable settings changes)

You can also use the Security Baselines option in Intune for Defender if you want a pre-built profile to start with.

Exclusions: Be Intentional, Not Lazy

It’s tempting to exclude large folders (like entire C:\Program Files), but this can leave you exposed.

Safe exclusion practices:

  • Only exclude specific processes or known safe paths
  • Never exclude %TEMP%, user profiles, or external drives
  • Regularly review and document all exclusions
  • Don’t use wildcards unless absolutely necessary

If a line-of-business app requires exclusions, get details from the vendor and limit them as narrowly as possible.

Monitoring Defender Antivirus

You can monitor Defender AV health using:

  • Device compliance status
  • Windows Security Center integration (users see “Your device is being monitored by your organization”)
  • Log Analytics or Endpoint analytics (if integrated)
  • Event Viewer > Microsoft-Windows-Windows Defender/Operational

Also, consider enabling Defender Antivirus reports via the Microsoft Defender portal if your licensing includes it.

Don’t leave Defender Antivirus on default settings.

With just a few policy profiles in Intune, you can enforce Microsoft’s security recommendations, lock down your endpoints, and ensure malware protection stays active and up to date, even across remote fleets.

Start with a baseline. Then customize based on your business needs.

Comments

Post a Comment

Popular posts from this blog

4 Most common Issues while registering devices with Microsoft Intune MDM

Image
  The built-in Mobile Device Management (MDM) for Office 365 helps you secure and manage your users' mobile devices like iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports. During implementation or deployment, there are some common issues which occur in many of the environment  1-   Windows Update Sometimes you will notice that Windows Update is showing-Up-To-Date but in actual, the version needed for the MDM Registration is not updating automatically and eventually fails every time in the loop Solution Suggested Go to this  link  upgrade your Windows 10 to the latest version You will find a home page like the screenshot below. Click on UPDATE Now button. It will download a .exe file. Run the file and click on UPDATE Now button and press YES. Here it will update your Windows 10 to the Latest Version Note:  You can still work during downloading a...
Read more

Managing Windows Updates with Intune: Best Practices with Update Rings

Image
  Keeping Windows devices up to date is one of the most critical, and often most overlooked, aspects of endpoint security. With Microsoft Intune, you can manage Windows updates centrally using Update Rings , giving you control over when updates install, how users experience restarts, and how you test updates before broad deployment. In this guide, I’ll walk you through: What update rings are Why they’re essential for patch compliance How to configure them in Intune Best practices for rollout and user experience 1. What Are Windows Update Rings in Intune? Update rings in Intune allow you to: Define when and how Windows updates are delivered Set deadlines for installation and restarts Delay feature updates (e.g., to test before production) Control user experience during updates They apply to Windows 10 and 11 devices enrolled in Intune, including those provisioned via Autopilot. 2. Why Update Management Matters Without structured update management, you risk: Devices missing crit...
Read more

The Intune Device Lifecycle: From Onboarding to Retirement (Best Practices)

  Managing endpoints isn’t just about deployment, it’s about handling the entire device lifecycle : from onboarding and day-to-day management to secure deprovisioning when a device is no longer in use. Microsoft Intune provides a streamlined, policy-driven approach to each phase of this lifecycle, and when done right, it reduces IT overhead, increases security, and improves the user experience. In this post, I’ll walk you through the key stages of managing a device in Intune from start to finish, and how to handle each one effectively. Stage 1: Provisioning & Onboarding This is where the device journey begins, and it sets the tone for everything that follows. Tools and features to use: Windows Autopilot for zero-touch setup Enrollment Status Page (ESP) to control setup sequence Dynamic groups to assign configurations automatically Baseline security policies (compliance, Defender, encryption) Goal: Make the first experience smooth, secure, and consistent for every user. Sta...
Read more