This article explains how to enable and test the key protection features in Microsoft Defender Antivirus and Microsoft Defender Exploit Guard in current versions of Microsoft Windows and Windows Server.
Prerequisites
Supported operating systems
- Windows 10 or later
- Windows Server 2016 or later
Use Group Policy to enable the Microsoft Defender Antivirus features
This section describes how to use a Group Policy Central Store to configure Microsoft Defender Antivirus for evaluation.
Download the latest Administrative Template (.admx and .adml) files for your operating system version; see Links to download the Administrative Templates files based on the operating system version.
Tip
Check the System Requirements section on the individual download pages:
- Most downloads support Windows clients and Windows servers.
- Get the latest available and applicable download.
Do one of the following procedures to create a Central Store to host the latest .admx and .adml templates:
Domains:
- Create a new OU for the test machines and block policy inheritance on it, so that only the evaluation GPO applies to them.
- Open the Group policy Management Console (gpmc.msc).
- Go to Group Policy Objects and create a new group policy.
- Right-click on the new group policy and then select Edit.
- Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
Workgroups:
- Open the Group Policy Editor (gpedit.msc).
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
For more information, see Create and manage Central Store - Windows Client.
MDAV and potentially unwanted applications (PUA)
Root:
| Description | Setting |
|---|---|
| Turn off Microsoft Defender Antivirus | Disabled |
| Configure detection for potentially unwanted applications | Enabled - Block |
Real-time protection (always-on protection, real-time scanning)
Real-time protection:
| Description | Setting |
|---|---|
| Turn off real-time protection | Disabled |
| Configure monitoring for incoming and outgoing file and program activity | Enabled, bi-directional (full on-access) |
| Turn on Behavior Monitoring | Enabled |
| Monitor file and program activity on your computer | Enabled |
Cloud protection features
Standard security intelligence updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds.
For more information, see Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection.
MAPS:
| Description | Setting |
|---|---|
| Join Microsoft MAPS | Enabled, Advanced MAPS |
| Configure the 'Block at First Sight' feature | Enabled |
| Send file samples when further analysis is required | Enabled, Send all samples |
MpEngine:
| Description | Setting |
|---|---|
| Select cloud protection level | Enabled, High blocking level |
| Configure extended cloud check | Enabled, 50 (additional seconds) |
Scans
| Description | Setting |
|---|---|
| Turn on Heuristics | Enabled |
| Turn on e-mail scanning | Enabled |
| Scan all downloaded files and attachments | Enabled |
| Turn on script scanning | Enabled |
| Scan archive files | Enabled |
| Scan packed executables | Enabled |
| Configure scanning of network files (Scan Network Files) | Enabled |
| Scan removable drives | Enabled |
| Turn on reparse point scanning | Enabled |
Security Intelligence updates
| Description | Setting |
|---|---|
| Specify the interval to check for security intelligence updates | Enabled, 4 (hours) |
| Define the order of sources for downloading security intelligence updates | Enabled; set the source order under 'Define the order of sources for downloading security intelligence updates' |
Disable local administrator AV settings
Disable locally configured AV settings such as exclusions, so that only the policies enforced through Microsoft Defender for Endpoint Security Settings Management apply.
Root:
| Description | Setting |
|---|---|
| Configure local administrator merge behavior for lists | Disabled |
| Control whether or not exclusions are visible to local admins | Enabled |
Threat Severity Default Action
Threats:
| Description | Setting |
|---|---|
| Specify threat alert levels at which default action shouldn't be taken when detected | Enabled |
Under Options, set the action for each alert level to 2 (Quarantine):
| Alert level | Action |
|---|---|
| 5 (Severe) | 2 (Quarantine) |
| 4 (High) | 2 (Quarantine) |
| 2 (Medium) | 2 (Quarantine) |
| 1 (Low) | 2 (Quarantine) |
Quarantine:
| Description | Setting |
|---|---|
| Configure removal of items from Quarantine folder | Enabled, 60 (days) |
Client Interface:
| Description | Setting |
|---|---|
| Enable headless UI mode | Disabled |
Network Protection
Microsoft Defender Exploit Guard\Network Protection:
| Description | Setting |
|---|---|
| Prevent users and apps from accessing dangerous websites | Enabled, Block |
| This setting controls whether Network Protection can be configured into block or audit mode on Windows Server | Enabled |
On Windows Server, enable Network Protection with PowerShell:
| OS | PowerShell command |
|---|---|
| Windows Server 2019 and later | Set-MpPreference -AllowNetworkProtectionOnWinServer $true |
| Windows Server 2016 and Windows Server 2012 R2 (unified MDE client) | Set-MpPreference -AllowNetworkProtectionOnWinServer $true -AllowNetworkProtectionDownLevel $true |
Attack surface reduction rules
Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.
Enable Configure Attack surface reduction rules and, under Options, add each rule ID you want to evaluate with the value 1 (Block).*
* If you use Microsoft Configuration Manager (formerly known as Microsoft Endpoint Configuration Manager and Microsoft System Center Configuration Manager) or other management tools that use WMI, use the value 2 (Audit) for the rule Block persistence through WMI event subscription. The Configuration Manager client relies heavily on WMI.
Tip
Some rules might block behavior you find acceptable in your organization. In these cases, change the rule from 1 (Block) to 2 (Audit) to prevent unwanted blocks.
Controlled Folder Access
Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access.
| Description | Setting |
|---|---|
| Configure Controlled Folder Access | Enabled, Block |
Assign the policies to the OU where the test machines are located.
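The following PowerShell script is an added example, not code from the original article. It applies the same evaluation baseline as the Group Policy tables above with Set-MpPreference on a single test machine (a workgroup VM, or to cross-check what the GPO produced) and then reports any effective setting that differs from the baseline. The three ASR rule IDs are the documented IDs for the rules named in the comments; `$ConfigMgrPresent`, the function names and the Windows Server version match are this example's own assumptions. Settings with no Set-MpPreference equivalent (heuristics, reparse point scanning, the update source order) are left to Group Policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: local equivalent of the
# Group Policy evaluation baseline, followed by a drift check.

# Documented ASR rule IDs (full list in the attack surface reduction rules reference).
$AsrWmiPersistence = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'  # Block persistence through WMI event subscription
$AsrLsassCredTheft = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'  # Block credential stealing from LSASS
$AsrOfficeChild    = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'  # Block all Office applications from creating child processes

# Assumption for this example: set to $true when the Configuration Manager client
# is installed, so the WMI rule runs in Audit instead of Block.
$ConfigMgrPresent = $false

function Set-MdavEvaluationBaseline {
    # Root / PUA
    Set-MpPreference -PUAProtection Enabled
    # Real-time protection: on, bi-directional on-access (0), behavior monitoring on
    Set-MpPreference -DisableRealtimeMonitoring $false -RealTimeScanDirection 0 `
        -DisableBehaviorMonitoring $false -DisableIOAVProtection $false
    # Cloud protection: Advanced MAPS, block at first sight, send all samples,
    # High blocking level, extended cloud check of 50 seconds
    Set-MpPreference -MAPSReporting Advanced -DisableBlockAtFirstSeen $false `
        -SubmitSamplesConsent SendAllSamples -CloudBlockLevel High -CloudExtendedTimeout 50
    # Scans (heuristics and reparse point scanning have no cmdlet parameter; leave them to GP)
    Set-MpPreference -DisableEmailScanning $false -DisableScriptScanning $false `
        -DisableArchiveScanning $false -DisableRemovableDriveScanning $false `
        -DisableScanningNetworkFiles $false
    # Security intelligence updates: check every 4 hours
    Set-MpPreference -SignatureUpdateInterval 4
    # Threat severity default action: quarantine for every level; purge quarantine after 60 days
    Set-MpPreference -SevereThreatDefaultAction Quarantine -HighThreatDefaultAction Quarantine `
        -ModerateThreatDefaultAction Quarantine -LowThreatDefaultAction Quarantine `
        -QuarantinePurgeItemsAfterDelay 60
    # Local admins cannot merge their own lists (exclusions) into policy; UI stays visible
    Set-MpPreference -DisableLocalAdminMerge $true -UILockdown $false
    # Network protection in block mode; servers also need the AllowNetworkProtection* switches
    Set-MpPreference -EnableNetworkProtection Enabled
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 1) {                      # 1 = workstation, 2/3 = server
        Set-MpPreference -AllowNetworkProtectionOnWinServer $true
        if ($os.Caption -match '2012 R2|2016') {      # assumption: down-level servers on the unified MDE client
            Set-MpPreference -AllowNetworkProtectionDownLevel $true
        }
    }
    # Controlled folder access in block mode
    Set-MpPreference -EnableControlledFolderAccess Enabled
    # ASR rules: Enabled = 1 (Block), AuditMode = 2 (Audit)
    $wmiAction = if ($ConfigMgrPresent) { 'AuditMode' } else { 'Enabled' }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrWmiPersistence `
        -AttackSurfaceReductionRules_Actions $wmiAction
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrLsassCredTheft, $AsrOfficeChild `
        -AttackSurfaceReductionRules_Actions Enabled, Enabled
}

function Test-MdavEvaluationBaseline {
    # Compares the effective preferences with the baseline; emits one object per drifted setting.
    # Numeric values are what Get-MpPreference reports for the enums set above.
    $p = Get-MpPreference
    $expected = [ordered]@{
        PUAProtection                  = 1      # Enabled
        DisableRealtimeMonitoring      = $false
        RealTimeScanDirection          = 0      # bi-directional
        DisableBehaviorMonitoring      = $false
        MAPSReporting                  = 2      # Advanced
        DisableBlockAtFirstSeen        = $false
        SubmitSamplesConsent           = 3      # SendAllSamples
        CloudBlockLevel                = 2      # High
        CloudExtendedTimeout           = 50
        SignatureUpdateInterval        = 4
        QuarantinePurgeItemsAfterDelay = 60
        DisableLocalAdminMerge         = $true
        EnableNetworkProtection        = 1      # Enabled (Block)
        EnableControlledFolderAccess   = 1      # Enabled (Block)
    }
    foreach ($name in $expected.Keys) {
        if ("$($p.$name)" -ne "$($expected[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $p.$name }
        }
    }
    # ASR: each configured rule should be Block (1), except the WMI rule when it was set to Audit (2)
    $ids = @($p.AttackSurfaceReductionRules_Ids); $actions = @($p.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrWmiPersistence, $AsrLsassCredTheft, $AsrOfficeChild) {
        $i    = [array]::IndexOf($ids, $id)
        $want = if ($id -eq $AsrWmiPersistence -and $ConfigMgrPresent) { 2 } else { 1 }
        $got  = if ($i -ge 0) { $actions[$i] } else { 'not configured' }
        if ("$got" -ne "$want") {
            [pscustomobject]@{ Setting = "ASR $id"; Expected = $want; Actual = $got }
        }
    }
}

Set-MdavEvaluationBaseline
$drift = @(Test-MdavEvaluationBaseline)
if ($drift.Count -eq 0) { 'Baseline applied; no drift.' } else { $drift | Format-Table -AutoSize }
```

Run it before you turn on tamper protection: once tamper protection is on, Set-MpPreference changes to the protected settings (real-time protection, cloud protection, and so on) are blocked, and on a domain-joined machine the GPO values win over anything set locally, which is exactly what the drift check is there to surface.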
Enable Tamper Protection
In the Microsoft Defender portal at https://security.microsoft.com, go to Settings > Endpoints > Advanced features > Tamper Protection > On.
For more information, see How do I configure or manage tamper protection?.
Check the Cloud Protection network connectivity
It's important to verify that Cloud Protection network connectivity is working during your penetration testing.
In an elevated Command Prompt (a Command Prompt window you opened by selecting Run as administrator), run the following commands:
Tip
The first command changes the directory to the latest version of <antimalware platform version> in %ProgramData%\Microsoft\Windows Defender\Platform\<antimalware platform version>. If that path doesn't exist, it goes to %ProgramFiles%\Windows Defender.
```cmd
(set "_done=" & if exist "%ProgramData%\Microsoft\Windows Defender\Platform\" (for /f "delims=" %d in ('dir "%ProgramData%\Microsoft\Windows Defender\Platform" /ad /b /o:-n 2^>nul') do if not defined _done (cd /d "%ProgramData%\Microsoft\Windows Defender\Platform\%d" & set _done=1)) else (cd /d "%ProgramFiles%\Windows Defender")) >nul 2>&1
MpCmdRun.exe -ValidateMapsConnection
```
For more information, see Configure and manage Microsoft Defender Antivirus with the MpCmdRun command-line tool.
Check the Platform Update version
The latest 'Platform Update' version Production channel (GA) is available here:
To see the installed version of 'Platform Update', run the following command in an elevated PowerShell session (a PowerShell window you opened by selecting Run as administrator):
```powershell
Get-MpComputerStatus | Format-Table AMProductVersion
```
Check the Security Intelligence Update version
The latest 'Security Intelligence Update' version is available here:
To see the installed version of 'Security Intelligence Update', run the following command in an elevated PowerShell session:
```powershell
Get-MpComputerStatus | Format-Table AntivirusSignatureVersion
```
Check the Engine Update version
The latest scan 'engine update' version is available here:
To see the installed version of 'Engine Update', run the following command in an elevated PowerShell session:
```powershell
Get-MpComputerStatus | Format-Table AMEngineVersion
```
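The following script is an added example, not code from the original article. It folds the MAPS connectivity, platform, engine and security intelligence checks above into one readiness report, and adds the two things a tester most often trips over: Defender AV running in passive mode behind another product, and tamper protection still off. The function names, the one-day signature-age threshold and the warning texts are this example's own; the cmdlets, MpCmdRun switch and Get-MpComputerStatus properties are the documented ones.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: one readiness report covering
# cloud connectivity, installed versions, running mode and tamper protection.

function Get-MpPlatformPath {
    # Same logic as the cmd one-liner above: newest platform folder under
    # ProgramData, otherwise the inbox location under Program Files.
    $platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    if (Test-Path $platform) {
        $newest = Get-ChildItem -Path $platform -Directory |
            Sort-Object { [version]($_.Name -replace '-.*$') } -Descending |   # e.g. 4.18.24010.12-0
            Select-Object -First 1
        if ($newest) { return $newest.FullName }
    }
    return (Join-Path $env:ProgramFiles 'Windows Defender')
}

function Test-MapsConnection {
    # Runs MpCmdRun -ValidateMapsConnection and reports whether the handshake succeeded.
    $mpCmdRun = Join-Path (Get-MpPlatformPath) 'MpCmdRun.exe'
    $output = & $mpCmdRun -ValidateMapsConnection 2>&1 | Out-String
    [pscustomobject]@{
        Ok     = ($LASTEXITCODE -eq 0)
        Output = $output.Trim()
    }
}

function Get-MdavReadiness {
    $status = Get-MpComputerStatus
    $maps   = Test-MapsConnection
    [pscustomobject]@{
        PlatformVersion    = $status.AMProductVersion
        EngineVersion      = $status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        RunningMode        = $status.AMRunningMode          # Normal, Passive Mode, EDR Block Mode, ...
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        MapsReachable      = $maps.Ok
        MapsOutput         = $maps.Output
    }
}

$r = Get-MdavReadiness
$r | Format-List

# Conditions under which a test run would give misleading results (thresholds are this example's choice).
$problems = @()
if (-not $r.MapsReachable)       { $problems += 'Cloud protection is unreachable; cloud verdicts and block at first sight will not fire.' }
if ($r.SignatureAgeDays -gt 1)   { $problems += "Security intelligence is $($r.SignatureAgeDays) days old; run Update-MpSignature." }
if ($r.RunningMode -ne 'Normal') { $problems += "Defender AV is in '$($r.RunningMode)', not active mode; another AV may be primary." }
if (-not $r.RealTimeProtection)  { $problems += 'Real-time protection is off.' }
if (-not $r.TamperProtected)     { $problems += 'Tamper protection is off; a payload running as admin could simply disable protection.' }
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Ready for testing.' }
```

Compare the three printed versions with the current releases on the pages linked above; nothing in Get-MpComputerStatus tells you what the latest available version is, only what is installed.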
If your settings don't take effect, you might have a conflict. To resolve conflicts, see Troubleshoot Microsoft Defender Antivirus settings.
For False Negatives (FNs) submissions
If you have any questions about a detection that Microsoft Defender AV makes, or you discover a missed detection, you can submit a file to us.
If you have Microsoft Defender XDR, Microsoft Defender for Endpoint P1/P2, or Microsoft Defender for Business, see Submit files in Microsoft Defender for Endpoint.
If you have Microsoft Defender Antivirus, see Submit files for analysis.
Microsoft Defender AV indicates a detection through standard Windows notifications. You can also review detections in the Microsoft Defender AV app.
The Windows event log also records detection and engine events. See the Microsoft Defender Antivirus events article for a list of event IDs and their corresponding actions.
If your settings aren't applied properly, find out if there are conflicting policies that are enabled in your environment. For more information, see Troubleshoot Microsoft Defender Antivirus settings.
If you need to open a Microsoft support case: Contact Microsoft Defender for Endpoint support.