How to configure Microsoft Defender with Local Group Policy Editor
<blockquote data-quote="oldschool" data-source="post: 893798" data-attributes="member: 71262">
<p>Microsoft Defender is the built-in, free antivirus from Microsoft on Windows 10. It may be used by well-informed internet users for protection without the need for 3rd party security applications. Microsoft (circa 2020) officially changed the name Windows Defender to M$ Defender Antivirus. It may be configured via PowerShell or Group Policy. I've configured Microsoft Defender via Group Policy. Someone asked if I have a list of settings, so I've made one. This setup is equivalent to [USER=32260]@Andy Ful[/USER]'s ConfigureDefender HIGH setting, with blocking level set to "High" and includes 13 Attack Surface Reduction rules + Network Protection. I'm a relative noob with Group Policy so please explore gpedit on your own, and post any corrections or suggestions, etc. as needed to this guide.</p>
<p><em>Please note: Setup of M$ Defender via GPO is best suited for the user who does not make frequent changes to certain settings and can import/create a custom log to Event Viewer.</em></p>
<p>So, let's get started ...</p>
<p>In Local Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus ></p>
<p>MAPS ></p>
<ul>
<li data-xf-list-type="ul">Configure Block At First Sight > Enabled</li>
<li data-xf-list-type="ul">Join M$ MAPS > Enabled</li>
<li data-xf-list-type="ul">Send file samples when further analysis is required > Enabled</li>
</ul>
<p>M$ Defender Exploit Guard ></p>
<ul>
<li data-xf-list-type="ul">Configure attack surface reduction rules > Enabled + Show and then add ASR GUIDs as desired from <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem" target="_blank">this list</a>. I have 13 of them <em>not including</em> the two I find most troublesome: Block executable files from running unless they meet a prevalence, etc. (You may enable or audit if you use only widely-used, signed, etc. software. Depends on your system.) Block credential stealing ..., etc. (You may enable depending on installed software/system configuration.)</li>
<li data-xf-list-type="ul">Controlled Folder Access > Configure if desired. See gpedit setting for additional info from M$.</li>
<li data-xf-list-type="ul">Network Protection > Prevent users and apps from accessing dangerous websites</li>
</ul>
<p>MpEngine ></p>
<ul>
<li data-xf-list-type="ul">Enable file hash computation feature > Enabled</li>
<li data-xf-list-type="ul">Configure extended cloud check > Choose your preference (mine is set @ 30 sec.)</li>
<li data-xf-list-type="ul">Select cloud protection level > High (or choose as desired)</li>
</ul>
<p>Network Inspection System > Turn on protocol recognition > Not configured. "This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled."</p>
<p>Quarantine > Not configured</p>
<ul>
<li data-xf-list-type="ul">Configure local setting override for removal of items from quarantine folder (if desired)</li>
<li data-xf-list-type="ul">Configure removal of items from quarantine folder (if desired)</li>
</ul>
<p>Turn on real-time protection > <em>Default protections enabled when not configured/enabled:</em></p>
<ul>
<li data-xf-list-type="ul">Turn on behavior monitoring</li>
<li data-xf-list-type="ul">Scan</li>
</ul>
<p>Remediation > Not configured</p>
<p>Reporting > Not configured</p>
<p>Scan ></p>
<ul>
<li data-xf-list-type="ul">Turn on email scanning > Enabled</li>
<li data-xf-list-type="ul">Turn on removal of scan history folder > Enable to set number of days, otherwise default value is 30 days.</li>
<li data-xf-list-type="ul">Turn on interval to run quick scan per day > Optional as desired.</li>
<li data-xf-list-type="ul">Specify time for daily quick scan > Enable if desired</li>
<li data-xf-list-type="ul"><em>Note: other optional settings are available. See GUI list.</em></li>
</ul>
<p>Security Intelligence Updates ></p>
<ul>
<li data-xf-list-type="ul">Allow security intelligence updates from M$ Updates > Enabled</li>
<li data-xf-list-type="ul">Allow real-time security intelligence updates based on reporting to MAPS > Enabled</li>
<li data-xf-list-type="ul">Specify the interval to check for security intelligence updates > <em>Enable to configure as desired</em></li>
<li data-xf-list-type="ul">Check for the latest virus and spyware security intelligence on startup > Enable <em>if desired</em></li>
</ul>
<p>Threats > Not configured</p>
<p>Configure detection for PUAs > Not needed as <em>included by default in M$ Defender W10 2004.</em> Enable if on 1909 or earlier.</p>
<p>_________________________________________________________________________________________</p>
<p>Note from [USER=71262]@oldschool[/USER]: Now you have a guide to get started. And it's actually pretty easy to do. Thanks to [USER=82599]@Protomartyr[/USER] for the suggestion because compiling the list increased my own understanding. Please post any corrections, suggestions, etc. And remember: <em>Stay safe, not paranoid! (y) :D</em></p>
</blockquote>
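The post sets this profile through gpedit, but the same settings surface in PowerShell, which is the easiest way to check that the policy actually applied. The script below is an added example, not part of oldschool's post or of ConfigureDefender: it reads the effective Defender configuration with Get-MpPreference and compares it against the HIGH profile described above (Block At First Sight, MAPS, sample submission, Network Protection, cloud block level High, 30-second extended cloud check, email scanning, PUA), lists every configured ASR rule with its action, and dumps the values that Group Policy wrote under the Defender policy registry key. The mapping of GPO setting names to Get-MpPreference properties, the numeric encodings, and the two ASR rule GUIDs (the "prevalence/age" and LSASS rules the post leaves out, taken from the Microsoft list it links) are assumptions stated in the comments; run it in an elevated PowerShell window.

```powershell
# Added example (not from the original post): audit the effective Microsoft Defender
# configuration against the "HIGH" profile described in the post. Run as Administrator.
# Assumptions: GPO setting names map to the Get-MpPreference properties below, and the
# numeric values follow the documented Get-MpPreference encodings.

$pref = Get-MpPreference

# Expected values for the profile in the post. Want is a list so that a setting with
# more than one acceptable value (e.g. sample submission) still counts as a match.
$expected = @(
    @{ Name = 'DisableBlockAtFirstSeen'; Want = @($false); Note = 'Configure Block At First Sight > Enabled' },
    @{ Name = 'MAPSReporting';           Want = @(2);      Note = 'Join MAPS > Enabled (2 = Advanced)' },
    @{ Name = 'SubmitSamplesConsent';    Want = @(1, 3);   Note = 'Send file samples (1 = safe samples, 3 = all)' },
    @{ Name = 'EnableNetworkProtection'; Want = @(1);      Note = 'Network Protection > Block (1; 2 would be Audit)' },
    @{ Name = 'CloudBlockLevel';         Want = @(2);      Note = 'Select cloud protection level > High (2)' },
    @{ Name = 'CloudExtendedTimeout';    Want = @(30);     Note = 'Configure extended cloud check > 30 seconds' },
    @{ Name = 'DisableEmailScanning';    Want = @($false); Note = 'Turn on email scanning > Enabled' },
    @{ Name = 'PUAProtection';           Want = @(1);      Note = 'PUA detection > Enabled (default on 2004+)' }
)

function Test-DefenderProfile {
    param([Parameter(Mandatory)] $Preference, [Parameter(Mandatory)] [array] $Expected)
    foreach ($e in $Expected) {
        $actual = $Preference.($e.Name)
        [pscustomobject]@{
            Setting  = $e.Name
            Expected = ($e.Want -join ' or ')
            Actual   = $actual
            Match    = ($e.Want -contains $actual)
            Policy   = $e.Note
        }
    }
}

# The two rules the post deliberately leaves out (GUIDs from the Microsoft ASR list the
# post links to), so the report can flag whether they are active on this machine.
$optionalRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet prevalence, age or trusted-list criteria'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}
# AttackSurfaceReductionRules_Actions encoding: 0 Disabled, 1 Block, 2 Audit, 6 Warn
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrSummary {
    param([Parameter(Mandatory)] $Preference)
    # Ids and Actions are parallel arrays; wrap in @() so a single rule still indexes.
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = [string]$ids[$i]
        [pscustomobject]@{
            RuleId       = $id
            Action       = $actionName[[int]$actions[$i]]
            PostOptional = $optionalRules.ContainsKey($id.ToLower())
            Description  = $optionalRules[$id.ToLower()]
        }
    }
}

# Group Policy writes its Defender settings under this key (assumption: standard GPO
# registry location). Values here are policy-managed: Set-MpPreference cannot override
# them while the policy is in place, which is the trade-off the post's note refers to.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderPolicyValues {
    if (-not (Test-Path $policyRoot)) { return @() }
    $keys = @(Get-Item -Path $policyRoot) + @(Get-ChildItem -Path $policyRoot -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.Name.Replace('HKEY_LOCAL_MACHINE\', ''); Name = $name; Value = $key.GetValue($name) }
        }
    }
}

Test-DefenderProfile -Preference $pref -Expected $expected | Format-Table -AutoSize
$asr = @(Get-AsrSummary -Preference $pref)
$asr | Format-Table -AutoSize
"ASR rules in Block mode: " + @($asr | Where-Object Action -eq 'Block').Count
Get-DefenderPolicyValues | Format-Table -AutoSize
```

If a row shows Match = False, the policy either has not been refreshed yet (gpupdate /force, then re-run) or is being overridden by another source such as Intune or Tamper Protection; the registry dump at the end tells you which values Group Policy actually wrote, which is the quickest way to tell a typo in gpedit from a setting that applied but is reported differently by Get-MpPreference.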