- Mar 29, 2018
Microsoft Defender is the built-in, free antivirus from Microsoft on Windows 10. It may be used by well-informed internet users for protection without the need for 3rd party security applications. Microsoft (circa 2020) officially changed the name Windows Defender to M$ Defender Antivirus. It may be configured via PowerShell or Group Policy. I've configured Microsoft Defender via Group Policy. Someone asked if I have a list of settings, so I've made one. This setup is equivalent to @Andy Ful's ConfigureDefender HIGH setting, with blocking level set to "High" and includes 13 Attack Surface Reduction rules + Network Protection. I'm a relative noob with Group Policy so please explore gpedit on your own, and post any corrections or suggestions, etc. as needed to this guide.
Please note: Setup of M$ Defender via GPO is best suited for the user who does not make frequent changes to certain settings and can import/create a custom log to Event Viewer.
So, let's get started ...
In Local Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus >
MAPS >
- Configure Block At First Sight > Enabled
- Join M$ MAPS > Enabled
- Send file samples when further analysis is required > Enabled
- Configure attack surface reduction rules > Enabled + Show and then add ASR GUIDs as desired from this list. I have 13 of them, not including the two I find most troublesome: Block executable files from running unless they meet a prevalence, etc. (You may enable or audit if you use only widely-used, signed, etc. software. Depends on your system.) Block credential stealing ..., etc. (You may enable depending on installed software/system configuration.)
- Controlled Folder Access > Configure if desired. See gpedit setting for additional info from M$
- Network Protection > Prevent users and apps from accessing dangerous websites
- Enable file hash computation feature > Enabled
- Configure extended cloud check > Choose your preference (mine is set @ 30 sec.)
- Select cloud protection level > High (or choose as desired)
Quarantine > Not configured
- Configure local setting override for removal of items from quarantine folder (if desired)
- Configure removal of items from quarantine folder (if desired)
Turn on real-time protection > Default protections enabled when not configured/enabled:
- Turn on behavior monitoring
- Scan
Reporting > Not configured
Scan >
- Turn on email scanning > Enabled
- Turn on removal of scan history folder > Enable to set number of days, otherwise default value is 30 days.
- Turn on interval to run quick scan per day > Optional as desired.
- Specify time for daily quick scan > Enable if desired
- Note: other optional settings are available. See GUI list.
- Allow security intelligence updates from M$ Updates > Enabled
- Allow real-time security intelligence updates based on reporting to MAPS > Enabled
- Specify the interval to check for security intelligence updates > Enable to configure as desired
- Check for the latest virus and spyware security intelligence on startup > Enable if desired
Configure detection for PUAs > Not needed as included by default in M$ Defender W10 2004. Enable if on 1909 or earlier.
_________________________________________________________________________________________
Note from @oldschool: Now you have a guide to get started. And it's actually pretty easy to do. Thanks to @Protomartyr for the suggestion because compiling the list increased my own understanding. Please post any corrections, suggestions, etc. And remember: Stay safe, not paranoid!
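The post walks through the Group Policy route; the PowerShell route it mentions uses the built-in Defender cmdlets (Get-MpPreference, Set-MpPreference, Add-MpPreference). The script below is an added example written for this page, not code from @oldschool's post or from ConfigureDefender. It applies the same profile (MAPS Advanced, samples sent, Block at First Sight, cloud level High with a 30-second extended check, Network Protection, file hash computation, email scanning, behavior monitoring, PUA protection, 30-day scan history purge), enables 13 ASR rules and puts the two the post calls troublesome in AuditMode, then verifies the result and reads back ASR events. The function names Set-DefenderHighProfile, Test-DefenderHighProfile and Get-AsrEvents are my own. The ASR GUIDs are Microsoft's published identifiers for the rule names given in the comments; check them against Microsoft's current ASR rules reference before relying on them. It assumes an elevated PowerShell session on a machine that is not managed by Group Policy or MDM, because policy-delivered settings take precedence over Set-MpPreference.

```powershell
#Requires -RunAsAdministrator
# Added example for this page (not the post's own code). Assumes no GPO/MDM
# policy is managing Defender on this machine, since policy overrides these.

# ASR rule GUIDs (Microsoft's published identifiers; verify against the current
# Microsoft ASR rules reference). Enabled = block, AuditMode = log only.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Enabled'   # Executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Enabled'   # Office apps creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Enabled'   # Office apps creating executable content
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Enabled'   # Office apps injecting code into other processes
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Enabled'   # JavaScript/VBScript launching downloaded executables
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Enabled'   # Potentially obfuscated scripts
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Enabled'   # Win32 API calls from Office macros
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Enabled'   # Advanced protection against ransomware
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Enabled'   # Process creations from PsExec and WMI commands
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Enabled'   # Untrusted/unsigned processes run from USB
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Enabled'   # Office communication app creating child processes
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Enabled'   # Adobe Reader creating child processes
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Enabled'   # Persistence through WMI event subscription
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'AuditMode' # Executables failing prevalence/age/trusted-list (post: optional)
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'AuditMode' # Credential stealing from LSASS (post: optional)
}

# Numeric values Get-MpPreference reports for the GPO settings in the post.
$Expected = @{
    MAPSReporting             = 2      # Advanced  (Join MAPS)
    SubmitSamplesConsent      = 3      # SendAllSamples
    DisableBlockAtFirstSeen   = $false # Block At First Sight on
    CloudBlockLevel           = 2      # High
    CloudExtendedTimeout      = 30     # seconds, the post's preference
    EnableNetworkProtection   = 1      # Enabled
    EnableFileHashComputation = $true
    PUAProtection             = 1      # Enabled (default on 2004+)
    DisableEmailScanning      = $false
    DisableBehaviorMonitoring = $false
    ScanPurgeItemsAfterDelay  = 30     # days of scan history kept
}
$ActionCode = @{ Disabled = 0; Enabled = 1; AuditMode = 2 }

function Set-DefenderHighProfile {
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples `
        -DisableBlockAtFirstSeen $false -CloudBlockLevel High -CloudExtendedTimeout 30 `
        -EnableNetworkProtection Enabled -EnableFileHashComputation $true `
        -PUAProtection Enabled -DisableEmailScanning $false `
        -DisableBehaviorMonitoring $false -ScanPurgeItemsAfterDelay 30
    # Add-MpPreference updates the action if the rule id is already present.
    foreach ($rule in $AsrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key `
                         -AttackSurfaceReductionRules_Actions $rule.Value
    }
}

# Returns a list of mismatches (empty list = profile is in effect).
function Test-DefenderHighProfile {
    $pref = Get-MpPreference
    $problems = @()
    foreach ($key in $Expected.Keys) {
        # String comparison sidesteps byte/uint32/bool type differences.
        if ([string]$pref.$key -ne [string]$Expected[$key]) {
            $problems += "$key is '$($pref.$key)', expected '$($Expected[$key])'"
        }
    }
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($rule in $AsrRules.GetEnumerator()) {
        $i = [array]::FindIndex($ids, [Predicate[object]]{ param($x) $x -eq $rule.Key })
        if ($i -lt 0) {
            $problems += "ASR rule $($rule.Key) not configured"
        } elseif ([int]$acts[$i] -ne $ActionCode[$rule.Value]) {
            $problems += "ASR rule $($rule.Key) action is $($acts[$i]), expected $($ActionCode[$rule.Value])"
        }
    }
    return $problems
}

# Recent ASR hits from the Defender operational log: 1121 = blocked, 1122 = audited.
function Get-AsrEvents([int]$Count = 25) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } }, Message
}

Set-DefenderHighProfile
$mismatches = Test-DefenderHighProfile
if ($mismatches.Count -eq 0) { 'Defender HIGH profile verified.' } else { $mismatches }
Get-AsrEvents | Format-Table -AutoSize -Wrap
```

Run Test-DefenderHighProfile on its own to audit a machine without changing anything; on a GPO-managed box it reports what policy has set, which is the quickest way to confirm the gpedit entries above actually took effect. The 1121/1122 events are the same ones a custom Event Viewer view would filter on, so the AuditMode rules can be left running for a while and reviewed before switching them to Enabled.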