Chapter 8 – Windows Defender & Microsoft Defender Antivirus Policies
Windows Server Group Policy (GPO) Master Handbook
Chapter 8 – Windows Defender & Microsoft Defender Antivirus Policies
Learning Objectives
Learn how to manage Microsoft Defender Antivirus through Group Policy, secure Windows endpoints, configure enterprise protection, and troubleshoot Defender issues.
1. GPO Path
Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus
2. Microsoft Defender Overview
Microsoft Defender Antivirus is the built-in endpoint protection platform for Windows Server and Windows 10/11. It provides real-time malware protection, cloud intelligence, exploit mitigation, and integration with Microsoft Defender for Endpoint.
3. Core Policies
Enable real-time protection, cloud-delivered protection, automatic sample submission, scheduled scans, behavior monitoring, network protection, SmartScreen, and Controlled Folder Access.
4. Recommended Enterprise Configuration
Real-time Protection: Enabled
Cloud Protection: Enabled
Automatic Sample Submission: Send safe samples automatically
Behavior Monitoring: Enabled
PUA Protection: Enabled
Network Protection: Enabled
Tamper Protection: Manage centrally where supported.
5. Exclusions
Configure file, folder, process, and extension exclusions only when required by supported business applications such as SQL Server, Oracle Database, Exchange Server, Hyper-V, or backup software.
6. Attack Surface Reduction (ASR)
Use ASR rules to block Office macros, executable content from email, credential theft, script abuse, and ransomware behavior. Test in Audit mode before enabling Block mode.
7. Controlled Folder Access
Protect important folders from unauthorized modification. Add trusted applications where necessary after testing.
8. Microsoft Defender Firewall
Manage inbound and outbound firewall rules through Group Policy. Use separate profiles for Domain, Private, and Public networks.
9. Monitoring & Event Logs
Review Windows Security, Microsoft-Windows-Windows Defender/Operational logs, Windows Security Center, and Microsoft Defender portal (if integrated).
10. PowerShell Commands
Get-MpComputerStatus
Get-MpPreference
Set-MpPreference
Start-MpScan -ScanType QuickScan
Update-MpSignature
11. Troubleshooting
Verify the Defender service is running, confirm no third-party antivirus has disabled Defender, run gpupdate /force, check Event Viewer, review Get-MpComputerStatus, update signatures, and confirm GPO precedence.
12. Best Practices
Enable cloud protection, keep signatures updated, minimize exclusions, enable ASR rules gradually, audit changes, and review Defender alerts regularly.
13. Interview Questions
What is Microsoft Defender Antivirus? Explain Tamper Protection. What are ASR rules? What is Controlled Folder Access? How do you verify Defender status using PowerShell?
14. Practical Lab
Create a GPO to enable Defender real-time protection and cloud protection, force a policy update, verify with Get-MpComputerStatus, and perform a quick scan.
Common Defender Policies
Policy | Recommended | GPO Category |
Real-time Protection | Enabled | Microsoft Defender Antivirus |
Cloud-delivered Protection | Enabled | MAPS |
Behavior Monitoring | Enabled | Real-time Protection |
PUA Protection | Enabled | Microsoft Defender Antivirus |
Controlled Folder Access | Enabled (Test First) | Windows Security |
Network Protection | Enabled | Microsoft Defender Exploit Guard |
Automatic Signature Updates | Enabled | Security Intelligence |
Scheduled Scan | Daily | Scan |
Microsoft Learn References
Defender Antivirus Group Policy
Comments
Post a Comment