Windows Defender Status via Microsoft Intune
Microsoft Intune, Windows Defender, and Windows Defender ATP work together to reduce the attack surface and to limit the impact of breaches within the organization.
Microsoft Intune lets you add, manage, and monitor Windows Defender and Windows Defender ATP. Its Endpoint protection settings let you control security features on your devices, including the firewall, BitLocker, allowing and blocking apps, encryption, and more. You configure these settings in Microsoft Intune using device profiles.
Windows Defender itself is an antivirus with a built-in antimalware engine that provides next-generation protection for desktops, portable computers, and servers.
Windows Defender Antivirus includes:
- Cloud-delivered protection – near-instant detection and blocking of new and emerging threats. Together with machine learning and the Intelligent Security Graph, cloud-delivered protection is one of the next-gen technologies that power Windows Defender Antivirus.
- Real-time protection – always-on scanning, using advanced file and process behavior monitoring and other heuristics.
- Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat research.
Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
The Windows Defender settings in Microsoft Intune provide many options, including:
- Allow real-time monitoring – Enables real-time scanning for malware, spyware, and other unwanted software.
- Allow behavior monitoring – Configures Defender to check for known patterns of suspicious activity on devices.
- Enable Network Inspection System – Enables the Network Inspection System (NIS) in Defender. NIS helps protect devices against network-based exploits by using signatures of known vulnerabilities from the Microsoft Endpoint Protection Center to detect and block malicious traffic.
- Scan all downloads – Controls whether Defender scans all files downloaded from the Internet.
- Allow script scanning – Lets Defender scan scripts used in Internet Explorer.
- Monitor file and program activity – Configures Defender to monitor file and program activity on devices. Available options: Monitor only incoming files, Monitor only outgoing files, Monitor all files.
- Days to track resolved malware – Configures Defender to keep tracking resolved malware for the number of days you specify, so that you can manually check previously affected devices. If you set the number of days to 0, malware stays in the Quarantine folder and is not removed automatically; any other value removes it from Quarantine after that many days.
- Allow client UI access – Controls whether the Windows Defender user interface is available to end users. A change takes effect the next time the end user's PC is restarted.
- Schedule a daily quick scan – Lets you schedule a quick scan that runs daily at the time you select.
- Schedule a system scan – Lets you schedule a full or quick system scan that runs regularly on the day and at the time you select.
- Limit CPU usage during a scan – Limits the percentage of CPU that scans are allowed to use (1 to 100).
- Scan archive files – Lets Defender scan archive files such as .zip or .cab files.
- Scan email messages – Lets Defender scan email messages as they arrive on the device.
- Scan removable drives – Lets Defender scan removable drives such as USB sticks.
- Scan mapped network drives – Lets Defender scan files on mapped network drives. If the files on the drive are read-only, Defender cannot remove any malware found in them.
- Scan files opened from network shared folders – Lets Defender scan files on shared network folders (for instance, those accessed via a UNC path). If the files are read-only, Defender cannot remove any malware found in them.
- Signature update interval – Specifies how often Defender checks for new signature files. Set this so that signatures are checked at least twice a day.
- Allow cloud protection – Allows or blocks the Microsoft Active Protection Service (MAPS) from receiving information about malware activity from the devices you manage. This information is used to improve the service. Note that MAPS is the channel behind the cloud-delivered protection described above, so blocking it also gives up the near-instant cloud block decisions.
- Prompt users for sample submission – Controls whether files that may need further analysis by Microsoft, to determine whether they are malicious, are sent to Microsoft automatically.
- Files and folders to exclude when running a scan or using real-time protection – Add one or more files and folders, such as C:\Path or %ProgramFiles%\Path\filename.exe, to the exclusions list. These files and folders are not included in any real-time or scheduled scan. Keep exclusions as narrow as possible and review them regularly: an excluded user-writable folder is a place where anything can run unscanned.
- File extensions to exclude when running a scan or using real-time protection – Add one or more file extensions, such as jpg or txt, to the exclusions list. Any file with one of these extensions is not included in any real-time or scheduled scan. Never exclude executable types (exe, dll, ps1, and the like).
- Processes to exclude when running a scan or using real-time protection – Add one or more processes of type .exe, .com, or .scr to the exclusions list. Files opened by these processes are not included in any real-time or scheduled scan.
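The Intune profile pushes these settings, but the device is where they take effect, and it is worth checking the resulting state against what you intended. The following PowerShell script is an added example, not code from the original post or from Microsoft: it reads the local Defender state with the built-in Defender module (Get-MpPreference and Get-MpComputerStatus), maps each Intune setting above to the property that reflects it, and reports drift against a baseline. The baseline values and the list of risky extensions are assumptions for illustration; adjust them to your own policy.

```powershell
# Added example (not from the original post): audit a device's Defender state
# against the Intune settings described above. Run in an elevated session on
# the endpoint (Windows 10 / Server 2016+), or remotely via Invoke-Command.
# The $Baseline values are assumptions for illustration; set them to your policy.

$Baseline = @{
    RealTimeMonitoring   = $true   # Allow real-time monitoring
    BehaviorMonitoring   = $true   # Allow behavior monitoring
    NetworkInspection    = $true   # Enable Network Inspection System
    ScanDownloads        = $true   # Scan all downloads (IOAV)
    ScriptScanning       = $true   # Allow script scanning
    ArchiveScanning      = $true   # Scan archive files
    RemovableDriveScan   = $true   # Scan removable drives
    CloudProtection      = $true   # Allow cloud protection (MAPS)
    MaxSignatureInterval = 12      # hours; "at least twice a day"
    MaxSignatureAgeDays  = 1       # how stale installed signatures may be
    MaxCpuLoadFactor     = 50      # Limit CPU usage during a scan
}

# Extensions that should never be excluded (assumed list): an exclusion here is
# a blind spot that malware on the box can use just by choosing its file name.
$DangerousExtensions = 'exe','dll','ps1','vbs','js','bat','cmd','scr','com','hta'

function Get-DefenderDrift {
    param([hashtable]$Baseline)
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Boolean settings: the Intune name, what the device reports, what we expect.
    # Get-MpPreference exposes most of them as "Disable*" flags, hence the -not.
    $rows = @(
        [pscustomobject]@{ Setting='Allow real-time monitoring';       Observed=(-not $pref.DisableRealtimeMonitoring);     Expected=$Baseline.RealTimeMonitoring }
        [pscustomobject]@{ Setting='Allow behavior monitoring';        Observed=(-not $pref.DisableBehaviorMonitoring);     Expected=$Baseline.BehaviorMonitoring }
        [pscustomobject]@{ Setting='Enable Network Inspection System'; Observed=[bool]$status.NISEnabled;                   Expected=$Baseline.NetworkInspection }
        [pscustomobject]@{ Setting='Scan all downloads';               Observed=(-not $pref.DisableIOAVProtection);         Expected=$Baseline.ScanDownloads }
        [pscustomobject]@{ Setting='Allow script scanning';            Observed=(-not $pref.DisableScriptScanning);         Expected=$Baseline.ScriptScanning }
        [pscustomobject]@{ Setting='Scan archive files';               Observed=(-not $pref.DisableArchiveScanning);        Expected=$Baseline.ArchiveScanning }
        [pscustomobject]@{ Setting='Scan removable drives';            Observed=(-not $pref.DisableRemovableDriveScanning); Expected=$Baseline.RemovableDriveScan }
        [pscustomobject]@{ Setting='Allow cloud protection';           Observed=($pref.MAPSReporting -gt 0);                Expected=$Baseline.CloudProtection }
    )
    foreach ($r in $rows) {
        $r | Add-Member -NotePropertyName Compliant -NotePropertyValue ($r.Observed -eq $r.Expected)
    }

    # Numeric settings: compare against a limit rather than for equality.
    $rows += [pscustomobject]@{
        Setting   = 'Signature update interval (hours)'
        Observed  = $pref.SignatureUpdateInterval
        Expected  = "1..$($Baseline.MaxSignatureInterval)"
        Compliant = ($pref.SignatureUpdateInterval -ge 1 -and $pref.SignatureUpdateInterval -le $Baseline.MaxSignatureInterval)
    }
    $rows += [pscustomobject]@{
        Setting   = 'Signature age (days)'
        Observed  = $status.AntivirusSignatureAge
        Expected  = "<= $($Baseline.MaxSignatureAgeDays)"
        Compliant = ($status.AntivirusSignatureAge -le $Baseline.MaxSignatureAgeDays)
    }
    $rows += [pscustomobject]@{
        Setting   = 'Limit CPU usage during a scan (%)'
        Observed  = $pref.ScanAvgCPULoadFactor
        Expected  = "<= $($Baseline.MaxCpuLoadFactor)"
        Compliant = ($pref.ScanAvgCPULoadFactor -le $Baseline.MaxCpuLoadFactor)
    }
    return $rows
}

function Get-RiskyExclusions {
    # Exclusions are the setting an attacker benefits from most: a broad path,
    # an executable extension or a process exclusion is a scan-free zone.
    $pref = Get-MpPreference
    $findings = @()
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($p -match '^[A-Za-z]:\\?$' -or $p -match '^\\\\[^\\]+\\[^\\]+\\?$') {
            $findings += "Path exclusion covers a whole drive or share root: $p"
        } elseif ($p -match '(?i)\\(Users|Temp|Downloads)\\?') {
            $findings += "Path exclusion covers a user-writable location: $p"
        }
    }
    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
        if ($DangerousExtensions -contains $e.TrimStart('.').ToLower()) {
            $findings += "Extension exclusion for an executable type: $e"
        }
    }
    foreach ($proc in @($pref.ExclusionProcess | Where-Object { $_ })) {
        $findings += "Process exclusion (everything this process opens is unscanned): $proc"
    }
    return $findings
}

Get-DefenderDrift -Baseline $Baseline | Format-Table -AutoSize
Get-RiskyExclusions
```

Rows with Compliant = False are the settings to go back and check in the device profile (or in a conflicting profile or local Group Policy, which is the usual reason a pushed value does not show up on the device). The exclusion findings are informational: each one is a deliberate decision that should have an owner and a reason.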
How to Monitor Devices with Intune
Note: It is recommended to monitor Windows devices that are Azure AD joined or enrolled in Intune MDM.
There are a few ways to monitor devices, but the first thing to look at is the Intune Threat agent status report: in the Azure Portal go to Intune – Device compliance and click Threat agent status.
There are no actions you can take from this page; it only shows the Threat agent status. If you have devices with status Pending, old check-in, or another status, you can take action from the All devices page.
To take actions on Windows Defender, navigate to Azure Portal – Intune – Devices – All devices.
Note: It is recommended that managed devices be in MDM status before taking any action.
Once a device is MDM managed, you can take the following actions to update and sync it and make sure it has the latest signatures:
- Update Windows Defender signature
- Quick Scan
- Full Scan
- Restart the device
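When a device shows Pending or an old check-in in the portal, the remote action will not reach it until the next sync. For devices you can reach directly (for example over PowerShell remoting), the same three operations are available locally through the Defender module. The script below is an added example and not part of the original post or of Intune: it updates signatures only if they are older than a threshold, runs the requested scan, and returns a status object you can collect from many machines. The threshold and the device names in the usage note are assumptions for illustration.

```powershell
# Added example (not from the original post): local equivalent of the Intune
# actions above (update signatures, quick/full scan) for a reachable device,
# using the built-in Defender module. Threshold values are assumptions.

function Invoke-DefenderRefresh {
    param(
        [int]$MaxSignatureAgeDays = 1,          # update only if signatures are older
        [ValidateSet('QuickScan','FullScan')]
        [string]$ScanType = 'QuickScan',
        [switch]$Force                          # update even if signatures are fresh
    )
    $before = Get-MpComputerStatus
    Write-Host ("Signature version {0}, last updated {1} ({2} day(s) old)" -f $before.AntivirusSignatureVersion, $before.AntivirusSignatureLastUpdated, $before.AntivirusSignatureAge)

    if ($Force -or $before.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        # Same operation as "Update Windows Defender signature" in the portal.
        Update-MpSignature -ErrorAction Stop
        $after = Get-MpComputerStatus
        if ($after.AntivirusSignatureVersion -eq $before.AntivirusSignatureVersion) {
            # The cmdlet can succeed without a newer package being available; a
            # version that never changes usually means the update source or proxy.
            Write-Warning "Signature version unchanged after update; check the update source and proxy settings."
        } else {
            Write-Host "Signatures updated to $($after.AntivirusSignatureVersion)"
        }
    }

    # Same operation as "Quick Scan" / "Full Scan" in the portal.
    # Start-MpScan blocks until the scan has finished.
    $started = Get-Date
    Start-MpScan -ScanType $ScanType -ErrorAction Stop
    $status = Get-MpComputerStatus

    # Only detections recorded after we started belong to this scan.
    $detections = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $started })
    $threatNames = @($detections | ForEach-Object { (Get-MpThreat -ThreatID $_.ThreatID).ThreatName })

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        ScanType           = $ScanType
        LastQuickScan      = $status.QuickScanEndTime
        LastFullScan       = $status.FullScanEndTime
        NewDetections      = $detections.Count
        Threats            = $threatNames
        RealTimeProtection = $status.RealTimeProtectionEnabled
        RebootRequired     = $status.RebootRequired   # the portal's fourth action
    }
}

# Run on the local device.
Invoke-DefenderRefresh -ScanType QuickScan | Format-List

# Or fan out to reachable devices (constructed names, assumption) and collect
# one status object per machine:
# Invoke-Command -ComputerName PC01,PC02 -ScriptBlock ${function:Invoke-DefenderRefresh} -ArgumentList 1,'QuickScan' |
#     Format-Table Computer,SignatureVersion,NewDetections,RebootRequired
```

A device that reports RebootRequired = True is the case for the fourth portal action, Restart the device; the other fields give you the same information the Threat agent status report shows, but for a device the report still lists as Pending.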