
Microsoft Defender Antivirus configuration

How to configure Microsoft Defender Antivirus for Windows endpoints — the settings that matter and how to manage them.

Microsoft Defender Antivirus is the built-in antivirus engine in Windows 10 and Windows 11. It's been the default since Windows 8, has matured into a genuinely competitive AV product, and is the default for any Microsoft 365-managed Windows estate. Configured well, it requires no third-party AV.

Core capabilities

Defender Antivirus provides:

  • Real-time protection — file system monitoring with synchronous scanning.
  • Cloud-delivered protection — telemetry to Microsoft's cloud for fast detection updates.
  • Behaviour-based detection — process behaviour patterns flagged regardless of signature.
  • Tamper protection — prevents attackers (and admins) from disabling defences locally.
  • Network protection — blocks connections to malicious destinations.
  • Controlled folder access — anti-ransomware behaviour blocking unauthorised changes to protected folders.
  • Potentially unwanted application (PUA) protection — blocks adware, crapware, riskware.

Configuration surfaces

Defender Antivirus can be configured via:

  • Intune configuration profiles — the recommended method for cloud-managed estates. Profile types: Antivirus, Attack Surface Reduction, Endpoint Detection and Response.
  • Group Policy — for on-prem-managed estates using ADMX templates.
  • PowerShell, via the Set-MpPreference cmdlet, for ad-hoc or scripted configuration.
  • Configuration Manager — for hybrid management.

Settings configured in Intune flow to Defender Antivirus via the Intune Management Extension.

Settings that matter

Settings worth getting right:

Cloud protection level

Five levels from Default to Block. Higher levels are more aggressive (they block at lower confidence) at the cost of slightly more false positives. High is the right balance for most estates.

Cloud check timeout

How long Defender waits for cloud-side verdict before deciding locally. Default is short; extend to 50 seconds for stronger detection on suspicious files.

Submit samples

Allow Defender to upload suspicious samples for analysis. Set to "Send safe samples" for the best detection feedback loop.

Tamper protection

On. Always. Tamper protection prevents local admin (and malware running as admin) from disabling Defender. There's no good reason to leave it off.

Real-time monitoring

On. Always.

Exclusions

Minimal. Every exclusion is a hole. Some apps require exclusions (some database engines, some line-of-business apps); document each exclusion with justification and review periodically.

Definition updates

Set to update frequently (default every 4 hours is fine). For devices behind a strict proxy, ensure update endpoints are reachable.
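The settings above, applied from the PowerShell surface mentioned earlier and then verified. This is an added example, not configuration from the original article; it assumes an elevated PowerShell session on a Windows 10/11 endpoint with the Defender module present. Tamper protection has no Set-MpPreference switch (it is set through Intune or Windows Security), so the script only checks its state.

```powershell
# Added example (not part of the original article): apply the recommended baseline
# with Set-MpPreference, then verify the resulting state.
# Assumption: run as administrator on an endpoint where Set-MpPreference exists.

# Cloud-delivered protection: High block level, extended cloud check of 50 seconds,
# MAPS reporting on, and automatic submission of safe samples.
Set-MpPreference -MAPSReporting Advanced `
                 -CloudBlockLevel High `
                 -CloudExtendedTimeout 50 `
                 -SubmitSamplesConsent SendSafeSamples

# Real-time and behaviour monitoring on, PUA blocking on,
# definition update check every 4 hours.
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -DisableBehaviorMonitoring $false `
                 -PUAProtection Enabled `
                 -SignatureUpdateInterval 4

# Network protection and controlled folder access: audit in a pilot group first,
# then switch the same switches to Enabled.
Set-MpPreference -EnableNetworkProtection AuditMode `
                 -EnableControlledFolderAccess AuditMode

# Tamper protection cannot be turned on here by design; verify it instead.
$status = Get-MpComputerStatus
[pscustomobject]@{
    TamperProtected    = $status.IsTamperProtected
    RealTimeProtection = $status.RealTimeProtectionEnabled
    BehaviorMonitoring = $status.BehaviorMonitorEnabled
    SignatureAgeHours  = [math]::Round((New-TimeSpan -Start $status.AntivirusSignatureLastUpdated).TotalHours, 1)
    RunningMode        = $status.AMRunningMode
}

# Exclusion review: every exclusion is a hole, so list them all for the periodic
# review and compare against the documented, justified set.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($value in $pref.$kind) {
        [pscustomobject]@{ Type = $kind; Value = $value }
    }
}
```

For fleet-wide use, the same settings belong in an Intune Antivirus profile or Group Policy so they survive re-imaging and cannot be drifted locally; the script is most useful as a one-off check that what Intune pushed actually landed.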

ASR rules

Attack Surface Reduction (ASR) rules are a separate set of policies that block specific high-risk attack techniques regardless of malware detection:

  • Block macro abuse — Office can't run executable scripts from email attachments.
  • Block credential theft from lsass.exe.
  • Block process creation by Office, Adobe Reader, scripts.
  • Block executable files unless they meet a prevalence, age, or trusted-list criterion.
  • Block Win32 API calls from Office macros.

Roll out each rule in audit mode first; review what would have been blocked; switch to block mode for the rules that produced no unwanted hits.
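The audit-then-block rollout as a script. This is an added example, not from the original article; it assumes an elevated PowerShell session on the endpoint. The three rule GUIDs are Microsoft's published ASR rule IDs (the full list is in the ASR rules reference); the field extraction parses the text of the Defender operational-log events, which is an assumption about the message format rather than a documented API.

```powershell
# Added example (not part of the original article): stage ASR rules in audit mode,
# review what they would have blocked, then promote the quiet ones to block mode.
# Assumption: elevated session; rule IDs below are the published Microsoft ASR rule GUIDs.

$rules = [ordered]@{
    'Block credential stealing from LSASS'                        = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block all Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executables unless prevalence/age/trusted-list is met' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
}
$ids = @($rules.Values)

# Step 1: audit mode. Ids and Actions are matched by position, so supply one action per id.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                 -AttackSurfaceReductionRules_Actions (@('AuditMode') * $ids.Count)

# Step 2 (after the pilot period): collect ASR events from the last 14 days.
# Event 1122 = audited (would have blocked), 1121 = blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

# The rule GUID, path and process appear as labelled lines in the event message
# (assumption about the message layout; adjust the patterns if your build differs).
$hits = foreach ($e in $events) {
    $ruleId  = if ($e.Message -match 'ID:\s*([0-9a-fA-F-]{36})')   { $Matches[1] } else { $null }
    $path    = if ($e.Message -match 'Path:\s*(.+)')               { $Matches[1].Trim() } else { $null }
    $process = if ($e.Message -match 'Process Name:\s*(.+)')       { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        RuleId  = $ruleId
        Process = $process
        Target  = $path
        Mode    = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
    }
}

# Summary for the review: which rules fired, how often, and from which processes.
$hits | Group-Object RuleId | Sort-Object Count -Descending | Format-Table Count, Name
$hits | Sort-Object Time | Format-Table Time, Mode, RuleId, Process, Target -AutoSize

# Step 3: promote rules with no audit hits to block mode; keep the noisy ones in audit
# until the hits are understood. String comparison with -contains is case-insensitive.
$noisy   = @($hits | Where-Object Mode -eq 'Audit' | Select-Object -ExpandProperty RuleId -Unique)
$actions = foreach ($id in $ids) { if ($noisy -contains $id) { 'AuditMode' } else { 'Enabled' } }
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
```

In an estate with Defender for Endpoint, the same audit data is easier to review centrally from the ASR reports and advanced hunting than from each endpoint's event log; the script is the single-device equivalent for a pilot ring.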

Integration with Defender for Endpoint

When Defender for Endpoint is deployed, Defender Antivirus becomes one component of a much richer story:

  • Antivirus detections feed Defender XDR alerts.
  • EDR (post-breach detection) supplements antivirus (pre-breach prevention).
  • Vulnerability management surfaces the bigger risk picture.
  • Automated investigation can remediate detected malware without analyst intervention.

For Microsoft 365-managed Windows estates, this stack is the default. Third-party AV adds operational friction without meaningful security improvement in most scenarios.