Advice Request How to configure Microsoft Defender with Local Group Policy Editor

Please provide comments and solutions that are helpful to the author of this topic.

oldschool

Level 81
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
Microsoft Defender is the built-in, free antivirus from Microsoft on Windows 10. It may be used by well-informed internet users for protection without the need for 3rd party security applications. Microsoft (circa 2020) officially changed the name Windows Defender to M$ Defender Antivirus. It may be configured via Powershell or Group Policy. I've configured Microsoft Defender via Group Policy. Someone asked if I have a list of settings, so I've made one. This setup is equivalent to @Andy Ful's ConfigureDefender HIGH setting, with blocking level set to "High" and includes 13 Attack Surface Reduction rules + Network Protection. I'm a relative noob with Group Policy so please explore gpedit on your own, and post any corrections or suggestions, etc. as needed to this guide.

Please note: Setup of M$ Defender via GPO is best suited for the user who does not make frequent changes to certain settings and can import/create a custom log to Event Viewer.

So, let's get started ...

In Local Group Policy Editor, go to Computer Configuration > Administrative Templates >Windows Components > Microsoft Defender Antivirus >

MAPS >
  • Configure Block At First Sight > Enabled
  • Join M$ MAPS > Enabled
  • Send file samples when further analysis is required > Enabled
M$ Defender Exploit Guard >
  • Configure attack surface reduction rules > Enabled + Show and then add ASR GUIDs as desired from this list. I have 13 of them not including the two I find most troublesome: Block executable files from running unless they meet a prevalence, etc. (You may enable or audit if you use only widely-used, signed, etc. software. Depends on your system.) Block credential stealing ... , etc. (You may enable depending on installed software/system configuration.)
  • Controlled Folder Access > Configure if desired. See gpedit setting for additional info from M$
  • Network Protection > Prevent users and apps from accessing dangerous websites
MpEngine >
  • Enable file hash computation feature > Enabled
  • Configure extended cloud check > Choose your preference (mine is set @ 30 sec.)
  • Select cloud protection level > High (or choose as desired)
Network Inspection System > Turn on protocol recognition > Not configured. "This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled."

Quarantine > Not configured
  • Configure local setting override for removal of items from quarantine folder (if desired)
  • Configure removal of items from quarantine folder (if desired)

Turn on real-time protection > Default protections enabled when not configured/enabled:
  • Turn on behavior monitoring
  • Scan
Remediation > Not configured

Reporting > Not configured

Scan >
  • Turn on email scanning > Enabled
  • Turn on removal of scan history folder > Enable to set number of days, otherwise default value is 30 days.
  • Turn on interval to run quick scan per day > Optional as desired.
  • Specify time for daily quick scan > Enable if desired
  • Note: other optional settings are available. See GUI list.
Security Intelligence Updates >
  • Allow security intelligence updates from M$ Updates > Enabled
  • Allow real-time security intelligence updates based on reporting to MAPS > Enabled
  • Specify the interval to check for security intelligence updates > Enable to configure as desired
  • Check for the latest virus and spyware security intelligence on startup > Enable if desired
Threats > Not configured

Configure detection for PUAs > Not needed as included by default in M$ Defender W10 2004. Enable if on 1909 or earlier.
_________________________________________________________________________________________

Note from @oldschool: Now you have a guide to get started. And it's actually pretty easy to do. Thanks to @Protomartyr for the suggestion because compiling the list increased my own understanding. Please post any corrections, suggestions, etc. And remember: Stay safe, not paranoid! (y):D
 
Last edited:

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
noob2 asks (comments): I set my WD or MSD with ConfigureDefender, so doing it manually is good for learning but other than that, what's the advantage, if any, over using CD? I think this vm is up to date, but perhaps not with most current version of win10 2004. (someone suggested to wait a few months...?) I still see many references to WD here. Is MSD only installed with 2004, or it should be running here? Does CD configure this latest verison, now MSDAV?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
noob2 asks (comments): I set my WD or MSD with ConfigureDefender, so doing it manually is good for learning but other than that, what's the advantage, if any, over using CD? I think this vm is up to date, but perhaps not with most current version of Windows 10 2004. (someone suggested to wait a few months...?) I still see many references to WD here. Is MSD only installed with 2004, or it should be running here? Does CD configure this latest verison, now MSDAV?
ConfigureDefender uses the native PowerShell cmdlets so it is supposed to work on any new Windows version (GPO too). Applying GPO is a different method and it does not use the native WD settings but configures the policies that override (but not overwrite) the native Windows settings. Both ConfigureDefender and GPO use the methods promoted by Microsoft, but ConfigureDefender is focused on the most important settings. The main difference is that ConfigureDefender is not a native front end and it is much easier than GPO for most users. There is no need to use ConfigureDefender on Windows Pro when one knows how to do it via GPO, does not change frequently the settings, and can customize the Event Log View to see the WD events.(y)

Edit.
The main functionality of ConfigureDefender can be reproduced by a PowerShell script.
 
Last edited:

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
Windows Defender is the built-in, free antivirus from Microsoft on Windows 10. It may be used by well-informed internet users for protection without the use of 3rd party security applications. Microsoft (circa 2020) officially changed the name Windows Defender to M$ Defender Antivirus. It may be configured via Powershell or Group Policy. I've configured Microsoft Defender via Group Policy. Someone asked if I have a list of settings, so I've made one. This setup is equivalent to @Andy Ful's ConfigureDefender HIGH setting, with blocking level set to "High" and includes 13 Attack Surface Reduction rules + Network Protection. I'm a relative noob with Group Policy so please explore gpedit on your own, and post any corrections or suggestions, etc. as needed to this guide. So, let's get started ...

In Local Group Policy Editor, go to Computer Configuration > Administrative Templates >Windows Components > Microsoft Defender Antivirus >

MAPS >
  • Configure Block At First Sight > Enabled
  • Join M$ MAPS > Enabled
  • Send file samples when further analysis is required > Enabled
M$ Defender Exploit Guard >
  • Configure attack surface reduction rules > Enabled + Show and then add ASR GUIDs as desired from this list. I have 13 of them not including the two I find most troublesome: Block executable files from running unless they meet a prevalence, etc. (You may enable or audit if you use only widely-used, signed, etc. software. Depends on your system.) Block credential stealing ... , etc. (You may enable depending on installed software/system configuration.)
  • Controlled Folder Access > Configure if desired. See gpedit setting for additional info from M$
  • Network Protection > Prevent users and apps from accessing dangerous websites
MpEngine >
  • Enable file hash computation feature > Enabled
  • Configure extended cloud check > Choose your preference (mine is set @ 30 sec.)
  • Select cloud protection level > High (or choose as desired)
Network Inspection System > Turn on protocol recognition > Not configured. "This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled."

Quarantine > Not configured
  • Configure local setting override for removal of items from quarantine folder (if desired)
  • Configure removal of items from quarantine folder (if desired)

Turn on real-time protection > Default protections enabled when not configured/enabled:
  • Turn on behavior monitoring
  • Scan
Remediation > Not configured

Reporting > Not configured

Scan >
  • Turn on email scanning > Enabled
  • Turn on removal of scan history folder > Enable to set number of days, otherwise default value is 30 days.
  • Turn on interval to run quick scan per day > Optional as desired.
  • Specify time for daily quick scan > Enable if desired
  • Note: other optional settings are available. See GUI list.
Security Intelligence Updates >
  • Allow security intelligence updates from M$ Updates > Enabled
  • Allow real-time security intelligence updates based on reporting to MAPS > Enabled
  • Specify the interval to check for security intelligence updates > Enable to configure as desired
  • Check for the latest virus and spyware security intelligence on startup > Enable if desired
Threats > Not configured

Configure detection for PUAs > Not needed as included by default in M$ Defender W10 2004. Enable if on 1909 or earlier.
_________________________________________________________________________________________

Note from @oldschool: Now you have a guide to get started. And it's actually pretty easy to do. Thanks to @Protomartyr for the suggestion because compiling the list increased my own understanding. Please post any corrections, suggestions, etc. And remember: Stay safe, not paranoid! (y):D
Great guide my friend (y)
 

brigantes

Level 1
Jun 22, 2020
40
@oldchool

Such an amaaazing guide. It's soooo cool.

This is just more evidence that Microsoft is moving forward making clear distinctions between Microsoft Defender, Exploit Guard and Windows Defender Application Control (enhanced SRP with more features and integration with other Microsoft security services such as Windows Defender ATP).

Microsoft Defender has long since reached the point where people really do not need 3rd party software. 3rd party software are optional at this point. And going forward, Microsoft is going to make the argument for 3rd party software even less. At this point the evidence shows that the vast majority of people do not use 3rd party software and there is no evidence whatsoever that those people are getting infected at a statistically higher rate as compared to 3rd party software.

Just like Tavis Ormandy said "Microsoft gets it right whereas 3rd party vendors don't." All the 3rd parties have been playing catch-up while Microsoft forges ahead at a pace at which the 3rd party vendors cannot compete.

Thank you so much for this amaaaazing tutorial.
 
Last edited:

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
ConfigureDefender uses the native PowerShell cmdlets so it is supposed to work on any new Windows version (GPO too). Applying GPO is a different method and it does not use the native WD settings but configures the policies that override (but not overwrite) the native Windows settings. Both ConfigureDefender and GPO use the methods promoted by Microsoft, but ConfigureDefender is focused on the most important settings. The main difference is that ConfigureDefender is not a native front end and it is much easier than GPO for most users. There is no need to use ConfigureDefender on Windows Pro when one knows how to do it via GPO, does not change frequently the settings, and can customize the Event Log View to see the WD events.(y)

Edit.
The main functionality of ConfigureDefender can be reproduced by a PowerShell script.

thank you!
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
This guide is wonderful, thanks oldschool. 🌼

If you want to revert any policies to defaults, here is one guide to try to do so. There are several if you search.

Or use an image taken pre-gpedit. I've had gpedit fail me one time and didn't have an image. I could not get rid of "Some settings are managed by your organization" in one crucial area (updates) so I had to re-install Windows. This was a while ago but it could have been yesterday. :mad:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top