Chapter 8 – Windows Defender & Microsoft Defender Antivirus Policies

 Windows Server Group Policy (GPO) Master Handbook

Chapter 8 – Windows Defender & Microsoft Defender Antivirus Policies

Learning Objectives

Learn how to manage Microsoft Defender Antivirus through Group Policy, secure Windows endpoints, configure enterprise protection, and troubleshoot Defender issues.

1. GPO Path

Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus

2. Microsoft Defender Overview

Microsoft Defender Antivirus is the built-in endpoint protection platform for Windows Server and Windows 10/11. It provides real-time malware protection, cloud intelligence, exploit mitigation, and integration with Microsoft Defender for Endpoint.

3. Core Policies

Enable real-time protection, cloud-delivered protection, automatic sample submission, scheduled scans, behavior monitoring, network protection, SmartScreen, and Controlled Folder Access.

4. Recommended Enterprise Configuration

Real-time Protection: Enabled
Cloud Protection: Enabled
Automatic Sample Submission: Send safe samples automatically
Behavior Monitoring: Enabled
PUA Protection: Enabled
Network Protection: Enabled
Tamper Protection: Manage centrally where supported.

5. Exclusions

Configure file, folder, process, and extension exclusions only when required by supported business applications such as SQL Server, Oracle Database, Exchange Server, Hyper-V, or backup software.

6. Attack Surface Reduction (ASR)

Use ASR rules to block Office macros, executable content from email, credential theft, script abuse, and ransomware behavior. Test in Audit mode before enabling Block mode.

7. Controlled Folder Access

Protect important folders from unauthorized modification. Add trusted applications where necessary after testing.

8. Microsoft Defender Firewall

Manage inbound and outbound firewall rules through Group Policy. Use separate profiles for Domain, Private, and Public networks.

9. Monitoring & Event Logs

Review Windows Security, Microsoft-Windows-Windows Defender/Operational logs, Windows Security Center, and Microsoft Defender portal (if integrated).

10. PowerShell Commands

Get-MpComputerStatus
Get-MpPreference
Set-MpPreference
Start-MpScan -ScanType QuickScan
Update-MpSignature

11. Troubleshooting

Verify the Defender service is running, confirm no third-party antivirus has disabled Defender, run gpupdate /force, check Event Viewer, review Get-MpComputerStatus, update signatures, and confirm GPO precedence.

12. Best Practices

Enable cloud protection, keep signatures updated, minimize exclusions, enable ASR rules gradually, audit changes, and review Defender alerts regularly.

13. Interview Questions

What is Microsoft Defender Antivirus? Explain Tamper Protection. What are ASR rules? What is Controlled Folder Access? How do you verify Defender status using PowerShell?

14. Practical Lab

Create a GPO to enable Defender real-time protection and cloud protection, force a policy update, verify with Get-MpComputerStatus, and perform a quick scan.

Common Defender Policies

Policy

Recommended

GPO Category

Real-time Protection

Enabled

Microsoft Defender Antivirus

Cloud-delivered Protection

Enabled

MAPS

Behavior Monitoring

Enabled

Real-time Protection

PUA Protection

Enabled

Microsoft Defender Antivirus

Controlled Folder Access

Enabled (Test First)

Windows Security

Network Protection

Enabled

Microsoft Defender Exploit Guard

Automatic Signature Updates

Enabled

Security Intelligence

Scheduled Scan

Daily

Scan

Microsoft Learn References

Microsoft Defender Antivirus

Defender Antivirus Group Policy

Attack Surface Reduction Rules

Microsoft Defender for Endpoint

Comments

Popular posts from this blog

IIS Installation and Application configuration windows swerver

IIS Self Signed

Here’s a step-by-step guide on configuring WDS on Windows Server