Get started with Defender AV - Part 2

This is the second post on switching to Defender Anti-Virus and using the Security Baselines published in Endpoint Manager to create a good starting point for your Defender AV settings. This post will focus on the settings in the Security Baseline for Windows 10 and later and how to create an AV only policy based on these settings.

Security Baseline

Security Baseline is available in the Endpoint Manager portal, in the Endpoint Security section. There are actually several Security Baselines available to choose from, but in this post we are going to focus on the Security Baseline for Windows 10 and later settings. You can review Part 1 of this series for information on using the Microsoft Defender for Endpoint Baseline.

Security Baselines

Getting the settings

The simplest way to get the settings is to create a security baseline policy, assign it to nothing, and then look at the various settings under Microsoft Defender to duplicate them to your AV policy.

There is a challenge here, the labels in Security Baseline don’t match up with the Windows 10, Windows 11, and Server Defender AV Policy. Security Baseline’s labels also don’t match up to the Windows 10, Windows 11, and Windows Server (ConfigMgr) Antivirus Policy. So some translation of the settings is required which is what the table below does: identifies the settings and their values.

Decoding the Security Baseline settings

Below are two tables that identify the Security Baseline Label and Value and provide the Policy’s Label and Value. There is also a table that maps the Security Baseline values to the CSP attributes. Italicized lines indicate a policy is new or different from the Microsoft Defender for Endpoint Baseline policy set.

Note: There is something different about the Defender settings in the Security Baseline for Windows 10 and later vs. Microsoft for Endpoint Baseline. When you evaluate the two baselines, one thing you should notice is that the Security Baseline for Windows includes a number of the Attack Surface Reduction rules mixed in with the AV settings. As such, we will ignore those for now because we are focused on the AV settings, but I will come back to the ASR policies and do a a similar breakdown at a later date.

Security Baseline to Windows 10, Windows 11, and Windows Server AV Policy

Security Baseline Value Defender AV Value
Ender how often (0-24) to check for security intelligence updates 4 Signature Update Interval Configured (switch) and 4
Scan type Quick Scan Scan Parameter Quick scan
Defender schedule scan day Everyday Schedule Scan Day Every day
Scheduled scan start time Not configured Schedule Scan Time Not Configured (switch)
Cloud-delivered protection level High Cloud Block Level High
Scan network files Yes Allow Scanning Network Files Allowed. Scans network files.
Turn on real-time protection Yes Allow Realtime Monitoring Allowed. Thurs on and runs the real-time monitoring service.
Scan scripts that are used in Microsoft browsers Yes Allow Script Scanning Allowed.
Scan archive files Yes Allow Archive Scanning Allowed. Scans the archive files.
Turn on behavior monitoring Yes Allow Behavior Monitoring Allowed. Turns on real-time behavior monitoring.
Turn on cloud-delivered protection Yes Allow Cloud Protection Allowed. Turns on Microsoft Active Protection Service.
Scan incoming email messages Yes Allow Email Scanning Allowed. Turns on email scanning.
Scan removable drives during full scan Yes Allow Full Scan Removable Drive Scanning Allowed. Scans removable drives
Defender potentially unwanted app action Block PUA Protection PUA Protection on. Detected items are blocked. They will show in history along with other threats.
Enable network protection Enable Enable Network Protection Enabled (block mode)
Defender sample submission consent Send safe samples automatically Submit Samples Consent Send safe samples automatically

Security Baseline to Windows 10, Windows 11, and Windows Server (ConfigMgr)

Security Baseline Value Windows 10, 11, Server (ConfigMgr) Value
Ender how often (0-24) to check for security intelligence updates 4    
Scan type Quick Scan Scan » Scan Type Quick scan
Defender schedule scan day Everyday Scan » Day of week to run a scheduled scan Every day
Scheduled scan start time Not configured Scan » Time of day to run a scheduled scan Not Configured
Cloud-delivered protection level High Cloud Protection » Cloud-delivered protection level High
Scan network files Yes Real-time protection » Scan network files Yes
Turn on real-time protection Yes Real-time protection » Turn on real-time protection Yes
Scan scripts that are used in Microsoft browsers Yes Real-time protection » Scan scripts that are used in Microsoft browsers Yes
Scan archive files Yes Scan » Scan archive files Yes
Turn on behavior monitoring Yes Real-time protection » Turn on behavior monitoring Yes
Turn on cloud-delivered protection Yes Cloud Protection » Turn on cloud-delivered protection Yes
Scan incoming email messages Yes Real-time protection » Scan emails Yes
Scan removable drives during full scan Yes Scan » Scan removable drives during full scan Yes
Defender potentially unwanted app action Block Remediation » Action to take on potentially unwanted apps Enable
Enable network protection Enable Use the ASR Web protection policy Enable Network Protection (Device) Enabled (block mode)
Defender sample submission consent Send safe samples automatically Remediation » Submit Samples Consent Send safe samples automatically.

Security Baseline to CSP

Security Baseline Value CSP Value
Ender how often (0-24) to check for security intelligence updates 4 Defender/SignatureUpdateInterval 4
Scan type Quick Scan Defender/ScanParameter 1
Defender schedule scan day Everyday Defender/ScheduleScanDay 0
Scheduled scan start time Not configured Defender/ScanParameter 120
Cloud-delivered protection level High Defender/CloudBlockLevel 0x2
Scan network files yes Defender/AllowScanningNetworkFiles 1
Turn on real-time protection Yes Defender/AllowRealtimeMonitoring 1
Scan scripts that are used in Microsoft browsers Yes Defender/AllowScriptScanning 1
Scan archive files Yes Defender/AllowArchiveScanning 1
Turn on behavior monitoring Yes Defender/AllowBehaviorMonitoring 1
Turn on cloud-delivered protection Yes Defender/AllowCloudProtection 1
Scan incoming email messages Yes Defender/AllowEmailScanning 1
Scan removable drives during full scan Yes Defender/AllowFullScanRemovableDriveScanning 1
Defender potentially unwanted app action Block Defender/PUAProtection 1
Enable network protection Enable Defender/EnableNetworkProtection 1
Defender sample submission consent Send safe samples automatically Defender/SubmitSamplesConsent 1
Share Post
Follow Me

Posts in this series