Understand next-generation configuration settings in Microsoft Defender for Business
Next-generation protection in Defender for Business includes robust antivirus and antimalware protection. The default policies are designed to protect your devices and users without hindering productivity. You can also customize the policies to suit your business needs. And, if you're using Microsoft Intune, you can use the Microsoft Endpoint Manager admin center to manage your security policies.
This article describes:
- Next-generation protection settings and options
- Other preconfigured settings in Defender for Business
- Defender for Business default settings and Microsoft Intune
Next-generation protection settings and options
The following table lists settings and options.
|Turn on real-time protection||Enabled by default, real-time protection locates and stops malware from running on devices. We recommend keeping real-time protection turned on. When real-time protection is turned on, it configures the following settings:|
|Block at first sight||Enabled by default, block at first sight blocks malware within seconds of detection, increases the time (in seconds) allowed to submit sample files for analysis, and sets your detection level to High. We recommend keeping block at first sight turned on.
When block at first sight is turned on, it configures the following settings for Microsoft Defender Antivirus:
Important If block at first sight is turned off, it affects
|Turn on network protection||When turned on, network protection helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet. It also prevents users from turning network protection off.
Network protection can be set to the following modes:
|Action to take on potentially unwanted apps (PUA)||PUA can include advertising software; bundling software that offers to install other, unsigned software; and evasion software that attempts to evade security features. Although PUA isn't necessarily a virus, malware, or other type of threat, it can affect device performance. PUA protection blocks items that are detected as PUA. You can set PUA protection to the following:
|Scheduled scan type||Consider running a weekly antivirus scan on your devices. You can choose from the following scan type options:
Learn more about scan types.
|Day of week to run a scheduled scan||Select a day for your regular, weekly antivirus scans to run.|
|Time of day to run a scheduled scan||Select a time to run your regularly scheduled antivirus scans to run.|
|Use low performance||This setting is turned off by default. We recommend keeping this setting turned off. However, you can turn on this setting to limit the device memory and resources that are used during scheduled scans. Important If you turn on Use low performance, it configures the following settings for Microsoft Defender Antivirus:
|Allow users to access the Windows Security app||Turn on this setting to enable users to open the Windows Security app on their devices. Users won't be able to override settings that you configure in Defender for Business, but they'll be able to run a quick scan or view any detected threats.|
|Antivirus exclusions||Exclusions are processes, files, or folders that are skipped by Microsoft Defender Antivirus scans. In general, you shouldn't need to define exclusions. Microsoft Defender Antivirus includes many automatic exclusions that are based on known operating system behavior and typical management files. Learn more about exclusions.|
|Process exclusions||Process exclusions prevent files that are opened by specific processes from being scanned by Microsoft Defender Antivirus. Learn more about process exclusions.|
|File extension exclusions||File extension exclusions prevent files with specific extensions from being scanned by Microsoft Defender Antivirus. Learn more about file extension exclusions.|
|File and folder exclusions||File and folder exclusions prevent files that are in specific folders from being scanned by Microsoft Defender Antivirus. Learn more about file and folder exclusions.|
Other preconfigured settings in Defender for Business
The following security settings are preconfigured in Defender for Business:
- Scanning of removable drives is turned on (AllowFullScanRemovableDriveScanning).
- Daily quick scans don't have a preset time (ScheduleQuickScanTime).
- Security intelligence updates are checked before an antivirus scan runs (CheckForSignaturesBeforeRunningScan).
- Security intelligence checks occur every four hours (SignatureUpdateInterval).
Defender for Business default settings and Microsoft Intune
The following table describes settings that are preconfigured for Defender for Business and how those settings correspond to what you might see in Intune (managed in the Microsoft Endpoint Manager admin center). If you're using the simplified configuration process in Defender for Business, you don't need to edit these settings.
|Cloud protection||Sometimes referred to as cloud-delivered protection or Microsoft Advanced Protection Service (MAPS), cloud protection works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected. By default, AllowCloudProtection is turned on. Learn more about cloud protection.|
|Monitoring for incoming and outgoing files||To monitor incoming and outgoing files, RealTimeScanDirection is set to monitor all files.|
|Scan network files||By default, AllowScanningNetworkFiles isn't enabled, and network files aren't scanned.|
|Scan email messages||By default, AllowEmailScanning isn't enabled, and email messages aren't scanned.|
|Number of days (0-90) to keep quarantined malware||By default, the DaysToRetainCleanedMalware setting is set to zero (0) days. Artifacts that are in quarantine aren't removed automatically.|
|Submit samples consent||By default, SubmitSamplesConsent is set to send safe samples automatically. Examples of safe samples include
|Scan removable drives||By default, AllowFullScanRemovableDriveScanning is configured to scan removable drives, such as USB thumb drives on devices. Learn more about antimalware policy settings.|
|Run daily quick scan time||By default, ScheduleQuickScanTime is set to 2:00 AM. Learn more about scan settings.|
|Check for signature updates before running scan||By default, CheckForSignaturesBeforeRunningScan is configured to check for security intelligence updates prior to running antivirus/antimalware scans. Learn more about scan settings and Security intelligence updates.|
|How often (0-24 hours) to check for security intelligence updates||By default, SignatureUpdateInterval is configured to check for security intelligence updates every four hours. Learn more about scan settings and Security intelligence updates.|
- View and manage incidents in Defender for Business
- Respond to and mitigate threats in Defender for Business
- Review remediation actions in the Action center
Submit and view feedback for