List of the settings in the Microsoft Defender for Endpoint security baseline in Intune
This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. Use the tabs to select and view the settings in the most recent baseline version and a few older versions that might still be in use.
For each setting, this reference identifies the baseline's default configuration, which is also the configuration recommended for that setting by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults in later versions of the same baseline. Different baseline types, like the MDM security baseline and the Defender for Endpoint baseline, can also set different defaults.
When the Intune UI includes a Learn more link for a setting, that link opens the setting's policy configuration service provider (CSP) reference or other content that explains how the setting operates.
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that were created before the new version became available:
- Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see Use security baselines. In that article you'll also find information about how to:
- Change the baseline version for a profile to update a profile to use the latest version of that baseline.
Microsoft Defender for Endpoint baseline version 24H1
Microsoft Defender for Endpoint baseline for December 2020 - version 6
Microsoft Defender for Endpoint baseline for September 2020 - version 5
Microsoft Defender for Endpoint baseline for April 2020 - version 4
Microsoft Defender for Endpoint baseline for March 2020 - version 3
The Microsoft Defender for Endpoint baseline is available when your environment meets the prerequisites for using Microsoft Defender for Endpoint.
This baseline is optimized for physical devices and isn't recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive sessions on virtualized environments. For more information, see Increase compliance to the Microsoft Defender for Endpoint security baseline in the Windows documentation.
Administrative Templates
System > Device Installation > Device Installation Restrictions
Prevent installation of devices using drivers that match these device setup classes
Baseline default: Enabled
Prevented Classes
Baseline default: d48179be-ec20-11d1-b6b8-00c04fa372a7 (the SBP-2 IEEE 1394 storage device setup class)
Also apply to matching devices that are already installed
Baseline default: False
Windows Components > BitLocker Drive Encryption
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Baseline default: Enabled
Select the encryption method for removable data drives:
Baseline default: AES-CBC 128-bit (default)
Select the encryption method for operating system drives:
Baseline default: XTS-AES 128-bit (default)
Select the encryption method for fixed data drives:
Baseline default: XTS-AES 128-bit (default)
Windows Components > BitLocker Drive Encryption > Fixed Data Drives
Choose how BitLocker-protected fixed drives can be recovered
Baseline default: Enabled
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives
Baseline default: True
Allow data recovery agent
Baseline default: True
Configure storage of BitLocker recovery information to AD DS:
Baseline default: Backup recovery passwords and key packages
Save BitLocker recovery information to AD DS for fixed data drives
Baseline default: True
Omit recovery options from the BitLocker setup wizard
Baseline default: True
Configure user storage of BitLocker recovery information:
Baseline default: Allow 48-digit recovery password
Value: Allow 256-bit recovery key
Deny write access to fixed drives not protected by BitLocker
Baseline default: Enabled
Enforce drive encryption type on fixed data drives
Baseline default: Enabled
- Select the encryption type: (Device)
Baseline default: Used Space Only encryption
Windows Components > BitLocker Drive Encryption > Operating System Drives
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Baseline default: Disabled
Allow enhanced PINs for startup
Baseline default: Disabled
Choose how BitLocker-protected operating system drives can be recovered
Baseline default: Enabled
Omit recovery options from the BitLocker setup wizard
Baseline default: True
Allow data recovery agent
Baseline default: True
Configure storage of BitLocker recovery information to AD DS:
Baseline default: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
Baseline default: True
Save BitLocker recovery information to AD DS for operating system drives
Baseline default: True
Configure user storage of BitLocker recovery information:
Baseline default: Allow 48-digit recovery password
Value: Allow 256-bit recovery key
Enable use of BitLocker authentication requiring preboot keyboard input on slates
Baseline default: Enabled
Enforce drive encryption type on operating system drive
Baseline default: Enabled
- Select the encryption type: (Device)
Baseline default: Used Space Only encryption
Require additional authentication at startup
Baseline default: Enabled
Configure TPM startup key and PIN:
Baseline default: Do not allow startup key and PIN with TPM
Configure TPM startup:
Baseline default: Allow TPM
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Baseline default: False
Configure TPM startup PIN:
Baseline default: Allow startup PIN with TPM
Configure TPM startup key:
Baseline default: Do not allow startup key with TPM
Windows Components > BitLocker Drive Encryption > Removable Data Drives
Control use of BitLocker on removable drives
Baseline default: Enabled
Allow users to apply BitLocker protection on removable data drives (Device)
Baseline default: True
Enforce drive encryption type on removable data drives
Baseline default: Enabled
- Select the encryption type: (Device)
Baseline default: Used Space Only encryption
Allow users to suspend and decrypt BitLocker protection on removable data drives (Device)
Baseline default: False
Deny write access to removable drives not protected by BitLocker
Baseline default: Enabled
- Do not allow write access to devices configured in another organization
Baseline default: False
Windows Components > File Explorer
Configure Windows Defender SmartScreen
Baseline default: Enabled
- Pick one of the following settings: (Device)
Baseline default: Warn and prevent bypass
Windows Components > Internet Explorer
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Baseline default: Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User)
Baseline default: Enabled
Prevent managing SmartScreen Filter
Baseline default: Enabled
- Select SmartScreen Filter mode
Baseline default: On
BitLocker
Allow Warning For Other Disk Encryption
Baseline default: Enabled
Configure Recovery Password Rotation
Baseline default: Refresh on for both Azure AD-joined and hybrid-joined devices
Require Device Encryption
Baseline default: Enabled
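The BitLocker settings above (the Administrative Templates entries and the BitLocker CSP group) can be checked on a device with the following script. It is an added example and not part of the Intune documentation or of any Intune tool: it reads the FVE policy values the templates write to the registry and the protector and encryption-method state that Get-BitLockerVolume reports, then lists every departure from the baseline defaults. The registry value names and numeric codes are the standard BitLocker policy encodings; the function and variable names are the example's own.

```powershell
# Added example, not from the Intune documentation: compare a device's BitLocker
# state with the baseline defaults (XTS-AES 128 on OS and fixed drives, AES-CBC 128
# on removable drives, TPM or TPM+PIN only at startup, no BitLocker without a
# compatible TPM, a 48-digit recovery password present for escrow).
# Assumes Windows 10/11 with the BitLocker module; run in an elevated session.

# Values the BitLocker templates write under HKLM\SOFTWARE\Policies\Microsoft\FVE.
# Encryption method codes: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
# TPM protector codes: 0 = do not allow, 1 = require, 2 = allow.
$ExpectedFvePolicy = [ordered]@{
    EncryptionMethodWithXtsOs  = 6   # operating system drives
    EncryptionMethodWithXtsFdv = 6   # fixed data drives
    EncryptionMethodWithXtsRdv = 3   # removable data drives
    UseAdvancedStartup         = 1   # Require additional authentication at startup: Enabled
    EnableBDEWithNoTPM         = 0   # Allow BitLocker without a compatible TPM: False
    UseTPM                     = 2   # Configure TPM startup: Allow TPM
    UseTPMPIN                  = 2   # Configure TPM startup PIN: Allow
    UseTPMKey                  = 0   # Configure TPM startup key: Do not allow
    UseTPMKeyPIN               = 0   # Configure TPM startup key and PIN: Do not allow
}

# Expected Get-BitLockerVolume EncryptionMethod per drive class.
$ExpectedMethod = @{
    OperatingSystem = 'XtsAes128'
    Fixed           = 'XtsAes128'
    Removable       = 'Aes128'       # AES-CBC 128-bit
}

function Test-BitLockerBaseline {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Policy as applied (what Intune or Group Policy wrote), independent of volume state.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    foreach ($name in $ExpectedFvePolicy.Keys) {
        $actual = if ($null -ne $fve) { $fve.$name } else { $null }
        if ($actual -ne $ExpectedFvePolicy[$name]) {
            $findings.Add("Policy ${name}: found '$actual', baseline expects $($ExpectedFvePolicy[$name])")
        }
    }

    # 2. Volume state as enforced (what each drive actually uses).
    foreach ($vol in Get-BitLockerVolume) {
        $letter = if ($vol.MountPoint -match '^([A-Za-z]):') { $Matches[1] } else { $null }
        $driveType = if ($letter) { (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType }
        $class = 'Fixed'
        if ("$($vol.VolumeType)" -eq 'OperatingSystem') { $class = 'OperatingSystem' }
        elseif ("$driveType" -eq 'Removable') { $class = 'Removable' }

        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $findings.Add("$($vol.MountPoint) ($class): protection is $($vol.ProtectionStatus)")
            continue
        }
        if ("$($vol.EncryptionMethod)" -ne $ExpectedMethod[$class]) {
            $findings.Add("$($vol.MountPoint) ($class): method $($vol.EncryptionMethod), baseline expects $($ExpectedMethod[$class])")
        }
        if ($class -eq 'OperatingSystem') {
            $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            # Startup-key variants are not allowed by the baseline. A bare ExternalKey
            # protector is not flagged because a 256-bit recovery key also appears that way.
            $startupKey = @($types | Where-Object { $_ -in 'TpmAndStartupKey', 'TpmAndPinAndStartupKey' })
            if ($startupKey.Count -gt 0) {
                $findings.Add("$($vol.MountPoint): startup-key protector present ($($startupKey -join ', '))")
            }
            if ($types -notcontains 'Tpm' -and $types -notcontains 'TpmAndPin') {
                $findings.Add("$($vol.MountPoint): no TPM or TPM+PIN protector; the baseline requires a compatible TPM")
            }
            if ($types -notcontains 'RecoveryPassword') {
                $findings.Add("$($vol.MountPoint): no 48-digit recovery password protector to escrow")
            }
        }
    }
    return $findings
}

$result = @(Test-BitLockerBaseline)
if ($result.Count -eq 0) { 'BitLocker configuration matches the baseline defaults.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

The policy check and the volume check are deliberately separate: a device can carry the right FVE policy and still have an OS volume that was encrypted with AES-CBC before the policy arrived, because BitLocker does not re-encrypt an existing volume when the method policy changes. Only the volume check catches that case.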
Defender
Allow Archive Scanning
Baseline default: Allowed. Scans the archive files.
Allow Behavior Monitoring
Baseline default: Allowed. Turns on real-time behavior monitoring.
Allow Cloud Protection
Baseline default: Allowed. Turns on Cloud Protection.
Allow Email Scanning
Baseline default: Allowed. Turns on email scanning.
Allow Full Scan Removable Drive Scanning
Baseline default: Allowed. Scans removable drives.
Allow On Access Protection
Baseline default: Allowed.
Allow Realtime Monitoring
Baseline default: Allowed. Turns on and runs the real-time monitoring service.
Allow Scanning Network Files
Baseline default: Allowed. Scans network files.
Allow scanning of all downloaded files and attachments
Baseline default: Allowed.
Allow Script Scanning
Baseline default: Allowed.
Allow User UI Access
Baseline default: Allowed. Lets users access UI.
Block execution of potentially obfuscated scripts
Baseline default: Block
Block Win32 API calls from Office macros
Baseline default: Block
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Baseline default: Block
Block Office communication application from creating child processes
Baseline default: Block
Block all Office applications from creating child processes
Baseline default: Block
Block Adobe Reader from creating child processes
Baseline default: Block
Block credential stealing from the Windows local security authority subsystem
Baseline default: Block
Block JavaScript or VBScript from launching downloaded executable content
Baseline default: Block
Block Webshell creation for Servers
Baseline default: Block
Block untrusted and unsigned processes that run from USB
Baseline default: Block
Block persistence through WMI event subscription
Baseline default: Audit
[PREVIEW] Block use of copied or impersonated system tools
Baseline default: Block
Block abuse of exploited vulnerable signed drivers (Device)
Baseline default: Block
Block process creations originating from PSExec and WMI commands
Baseline default: Audit
Block Office applications from creating executable content
Baseline default: Block
Block Office applications from injecting code into other processes
Baseline default: Block
[PREVIEW] Block rebooting machine in Safe Mode
Baseline default: Block
Use advanced protection against ransomware
Baseline default: Block
Block executable content from email client and webmail
Baseline default: Block
Check For Signatures Before Running Scan
Baseline default: Enabled
Cloud Block Level
Baseline default: High
Cloud Extended Timeout
Baseline default: Configured
Value: 50 (seconds added to the default cloud check timeout)
Disable Local Admin Merge
Baseline default: Enable Local Admin Merge
Enable Network Protection
Baseline default: Enabled (block mode)
Hide Exclusions From Local Admins
Baseline default: Enabled. Local admins can no longer see the exclusion list in the Windows Security app or through PowerShell.
Hide Exclusions From Local Users
Baseline default: Enabled. Local users can no longer see the exclusion list in the Windows Security app or through PowerShell.
Oobe Enable Rtp And Sig Update
Baseline default: Enabled. Real-time protection and Security Intelligence Updates are enabled during OOBE.
PUA Protection
Baseline default: PUA Protection on. Detected items are blocked. They show in history along with other threats.
Real Time Scan Direction
Baseline default: Monitor all files (bi-directional).
Scan Parameter
Baseline default: Quick scan
Schedule Quick Scan Time
Baseline default: Configured
Value: 120 (minutes after midnight, that is, 2:00 AM)
Schedule Scan Day
Baseline default: Every day
Schedule Scan Time
Baseline default: Configured
Value: 120 (minutes after midnight, that is, 2:00 AM)
Signature Update Interval
Baseline default: Configured
Value: 4 (hours)
Submit Samples Consent
Baseline default: Send all samples automatically.
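Assigning the profile shows that the policy was delivered; it does not show that the device runs with these values, since a later local change, a conflicting policy or a tampered service can all leave Get-MpPreference disagreeing with the baseline. The following script is an added example, not from the Intune documentation: the check table encodes the Defender settings above using the Defender cmdlet's property names and numeric codes, and the attack surface reduction rule GUIDs are the published rule IDs (confirm them against the current ASR rules reference before relying on the table). The function name and the report format are the example's own.

```powershell
# Added example, not from the Intune documentation: read the effective Microsoft
# Defender Antivirus preferences and report where they differ from the baseline
# defaults. Run in an elevated session on Windows 10/11 with the Defender module.

# Each check names the Get-MpPreference property, a test on its value, and the
# baseline wording. Numeric encodings are the Defender cmdlet/CSP codes:
# CloudBlockLevel 2 = High; EnableNetworkProtection 1 = block mode; PUAProtection 1 = block;
# RealTimeScanDirection 0 = bi-directional; ScanParameters 1 = quick scan;
# ScanScheduleDay 0 = every day; SubmitSamplesConsent 3 = send all samples automatically;
# SignatureUpdateInterval is in hours; schedule times are TimeSpans (120 minutes = 02:00).
$AvChecks = @(
    @{ Name = 'DisableArchiveScanning';              Expect = 'Allowed';                  Pass = { param($v) $v -eq $false } }
    @{ Name = 'DisableBehaviorMonitoring';           Expect = 'Allowed';                  Pass = { param($v) $v -eq $false } }
    @{ Name = 'MAPSReporting';                       Expect = 'Allowed (not disabled)';   Pass = { param($v) $v -ne 0 } }
    @{ Name = 'DisableEmailScanning';                Expect = 'Allowed';                  Pass = { param($v) $v -eq $false } }
    @{ Name = 'DisableRemovableDriveScanning';       Expect = 'Allowed';                  Pass = { param($v) $v -eq $false } }
    @{ Name = 'DisableRealtimeMonitoring';           Expect = 'Allowed';                  Pass = { param($v) $v -eq $false } }
    @{ Name = 'DisableScanningNetworkFiles';         Expect = 'Allowed';                  Pass = { param($v) $v -eq $false } }
    @{ Name = 'DisableIOAVProtection';               Expect = 'Allowed';                  Pass = { param($v) $v -eq $false } }
    @{ Name = 'DisableScriptScanning';               Expect = 'Allowed';                  Pass = { param($v) $v -eq $false } }
    @{ Name = 'CheckForSignaturesBeforeRunningScan'; Expect = 'Enabled';                  Pass = { param($v) $v -eq $true } }
    @{ Name = 'CloudBlockLevel';                     Expect = 'High';                     Pass = { param($v) $v -eq 2 } }
    @{ Name = 'CloudExtendedTimeout';                Expect = '50';                       Pass = { param($v) $v -eq 50 } }
    @{ Name = 'DisableLocalAdminMerge';              Expect = 'Enable Local Admin Merge'; Pass = { param($v) $v -eq $false } }
    @{ Name = 'EnableNetworkProtection';             Expect = 'Enabled (block mode)';     Pass = { param($v) $v -eq 1 } }
    @{ Name = 'PUAProtection';                       Expect = 'PUA Protection on';        Pass = { param($v) $v -eq 1 } }
    @{ Name = 'RealTimeScanDirection';               Expect = 'bi-directional';           Pass = { param($v) $v -eq 0 } }
    @{ Name = 'ScanParameters';                      Expect = 'Quick scan';               Pass = { param($v) $v -eq 1 } }
    @{ Name = 'ScanScheduleQuickScanTime';           Expect = '120 (02:00)';              Pass = { param($v) $v.TotalMinutes -eq 120 } }
    @{ Name = 'ScanScheduleDay';                     Expect = 'Every day';                Pass = { param($v) $v -eq 0 } }
    @{ Name = 'ScanScheduleTime';                    Expect = '120 (02:00)';              Pass = { param($v) $v.TotalMinutes -eq 120 } }
    @{ Name = 'SignatureUpdateInterval';             Expect = '4 hours';                  Pass = { param($v) $v -eq 4 } }
    @{ Name = 'SubmitSamplesConsent';                Expect = 'Send all samples';         Pass = { param($v) $v -eq 3 } }
)

# Attack surface reduction rules from the baseline, keyed by published rule GUID.
# Get-MpPreference exposes them as two parallel arrays (Ids and Actions):
# action 0 = off, 1 = block, 2 = audit, 6 = warn.
$AsrExpected = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = @{ Name = 'Block credential stealing from LSASS'; Action = 1 }
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = @{ Name = 'Block all Office applications from creating child processes'; Action = 1 }
    '3b576869-a4ec-4529-8536-b80a7769e899' = @{ Name = 'Block Office applications from creating executable content'; Action = 1 }
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = @{ Name = 'Block Office applications from injecting code into other processes'; Action = 1 }
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = @{ Name = 'Block Win32 API calls from Office macros'; Action = 1 }
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = @{ Name = 'Block Office communication application from creating child processes'; Action = 1 }
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = @{ Name = 'Block Adobe Reader from creating child processes'; Action = 1 }
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = @{ Name = 'Block executable content from email client and webmail'; Action = 1 }
    'd3e037e1-3eb8-44c8-a917-57927947596d' = @{ Name = 'Block JavaScript or VBScript from launching downloaded executable content'; Action = 1 }
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = @{ Name = 'Block execution of potentially obfuscated scripts'; Action = 1 }
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = @{ Name = 'Block executable files unless they meet prevalence, age, or trusted list criteria'; Action = 1 }
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = @{ Name = 'Use advanced protection against ransomware'; Action = 1 }
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = @{ Name = 'Block untrusted and unsigned processes that run from USB'; Action = 1 }
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = @{ Name = 'Block abuse of exploited vulnerable signed drivers'; Action = 1 }
    'a8f5898e-1dc8-49a9-9878-85004b8a61e6' = @{ Name = 'Block Webshell creation for Servers'; Action = 1 }
    '33ddedf1-c6e0-47cb-833e-de6133960387' = @{ Name = 'Block rebooting machine in Safe Mode'; Action = 1 }
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb' = @{ Name = 'Block use of copied or impersonated system tools'; Action = 1 }
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = @{ Name = 'Block process creations originating from PSExec and WMI commands'; Action = 2 }
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = @{ Name = 'Block persistence through WMI event subscription'; Action = 2 }
}

function Test-DefenderBaseline {
    $pref = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($check in $AvChecks) {
        $value = $pref.($check.Name)
        if (-not (& $check.Pass $value)) {
            $findings.Add("$($check.Name) = '$value'; baseline expects $($check.Expect)")
        }
    }

    # Rebuild rule GUID -> action from the parallel arrays. A rule absent from the
    # arrays is "not configured", which counts as a gap against the baseline.
    $actual  = @{}
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ([string]::IsNullOrEmpty($ids[$i])) { continue }
        $actual[([string]$ids[$i]).ToLowerInvariant()] = [int]$actions[$i]
    }
    foreach ($id in $AsrExpected.Keys) {
        $want = $AsrExpected[$id].Action
        $have = if ($actual.ContainsKey($id)) { $actual[$id] } else { 'not configured' }
        if ("$have" -ne "$want") {
            $findings.Add("ASR '$($AsrExpected[$id].Name)' ($id) is $have; baseline expects $want")
        }
    }
    return $findings
}

$result = @(Test-DefenderBaseline)
if ($result.Count -eq 0) { 'Defender configuration matches the baseline defaults.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Two rules the baseline leaves in Audit (PSExec/WMI process creation and WMI event subscription persistence) are checked for action 2 rather than 1, so a device where an administrator has tightened them to Block is reported as a deviation too; that is intentional, since the point of the check is agreement with the baseline, not a minimum level of protection.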
Device Guard
- Credential Guard
Baseline default: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
Dma Guard
- Device Enumeration Policy
Baseline default: Block all (Most restrictive)
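The device setup class deny list (Administrative Templates above), Credential Guard and the DMA Guard enumeration policy all defend against attacks that need physical or DMA access to the device, and all three leave an on-device trace that can be verified. The following script is an added example, not from the Intune documentation: it reads the registry values the DeviceInstallation, DeviceGuard and DmaGuard policies write, plus the Win32_DeviceGuard WMI class, and reports any departure from the baseline. The function name and the report wording are the example's own.

```powershell
# Added example, not from the Intune documentation: verify the hardware-facing
# baseline settings (setup class deny list, Credential Guard with UEFI lock,
# Kernel DMA Protection enumeration policy). Run elevated on Windows 10/11.

# SBP-2 (IEEE 1394 storage) device setup class, the one GUID the baseline blocks.
$BlockedSetupClass = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'

function Test-HardwareBaseline {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Device installation restrictions. The policy stores the deny list as string
    #    values "1", "2", ... under a DenyDeviceClasses subkey; a DWORD of the same name
    #    at the parent enables it and DenyDeviceClassesRetroactive is the
    #    "also apply to matching devices that are already installed" option.
    $restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $policy = Get-ItemProperty -Path $restrictions -ErrorAction SilentlyContinue
    $denied = @()
    if (Test-Path -Path "$restrictions\DenyDeviceClasses") {
        $denied = @((Get-ItemProperty -Path "$restrictions\DenyDeviceClasses").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { [string]$_.Value })
    }
    if (($null -eq $policy) -or ($policy.DenyDeviceClasses -ne 1) -or ($denied -notcontains $BlockedSetupClass)) {
        $findings.Add("Device installation: setup class $BlockedSetupClass is not denied")
    }
    if ($null -ne $policy -and $policy.DenyDeviceClassesRetroactive -eq 1) {
        $findings.Add('Device installation: retroactive removal is on; baseline sets it to False')
    }

    # 2. Credential Guard. SecurityServicesRunning lists 1 for Credential Guard (2 is HVCI).
    #    LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg -or 1 -notin @($dg.SecurityServicesRunning)) {
        $findings.Add('Credential Guard is not running')
    }
    $lsaCfg = @(foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard',
                                 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA') {
        (Get-ItemProperty -Path $key -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    }) | Where-Object { $null -ne $_ }
    if (1 -notin @($lsaCfg)) {
        $findings.Add("Credential Guard UEFI lock not set (LsaCfgFlags = $(@($lsaCfg) -join ','))")
    }

    # 3. Kernel DMA Protection enumeration policy for devices incompatible with it:
    #    0 = block all, 1 = allow only after sign-in/unlock, 2 = allow all.
    $dma = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection' `
            -Name DeviceEnumerationPolicy -ErrorAction SilentlyContinue).DeviceEnumerationPolicy
    if ($dma -ne 0) {
        $shown = if ($null -eq $dma) { 'not configured' } else { $dma }
        $findings.Add("Kernel DMA device enumeration policy is '$shown'; baseline expects 0 (block all)")
    }
    return $findings
}

$result = @(Test-HardwareBaseline)
if ($result.Count -eq 0) { 'Hardware-facing settings match the baseline defaults.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

The Credential Guard check reads both the running state and the flag, because the two can legitimately disagree: the policy is applied on the next reboot, and with the UEFI lock in place the value cannot be cleared by a later policy alone, so a device that still reports LsaCfgFlags = 1 after the profile is removed is behaving as designed rather than drifting.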
Firewall
Certificate revocation list verification
Baseline default: None
Disable Stateful Ftp
Baseline default: True
Enable Domain Network Firewall
Baseline default: True
Allow Local Ipsec Policy Merge
Baseline default: True
Disable Stealth Mode
Baseline default: False
Disable Inbound Notifications
Baseline default: True
Disable Unicast Responses To Multicast Broadcast
Baseline default: False
Global Ports Allow User Pref Merge
Baseline default: True
Disable Stealth Mode Ipsec Secured Packet Exemption
Baseline default: True
Allow Local Policy Merge
Baseline default: True
Enable Packet Queue
Baseline default: Configured
Value: Disabled
Enable Private Network Firewall
Baseline default: True
Default Inbound Action for Private Profile
Baseline default: Block
Disable Unicast Responses To Multicast Broadcast
Baseline default: False
Disable Stealth Mode
Baseline default: False
Global Ports Allow User Pref Merge
Baseline default: True
Allow Local Ipsec Policy Merge
Baseline default: True
Disable Stealth Mode Ipsec Secured Packet Exemption
Baseline default: True
Disable Inbound Notifications
Baseline default: True
Allow Local Policy Merge
Baseline default: True
Default Outbound Action
Baseline default: Allow
Auth Apps Allow User Pref Merge
Baseline default: True
Enable Public Network Firewall
Baseline default: True
Disable Stealth Mode
Baseline default: False
Default Outbound Action
Baseline default: Allow
Disable Inbound Notifications
Baseline default: True
Disable Stealth Mode Ipsec Secured Packet Exemption
Baseline default: True
Allow Local Policy Merge
Baseline default: True
Auth Apps Allow User Pref Merge
Baseline default: True
Default Inbound Action for Public Profile
Baseline default: Block
Disable Unicast Responses To Multicast Broadcast
Baseline default: False
Global Ports Allow User Pref Merge
Baseline default: True
Allow Local Ipsec Policy Merge
Baseline default: True
Preshared Key Encoding
Baseline default: UTF8
Security association idle time
Baseline default: Configured
Value: 300 (seconds)
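The Firewall settings above can be compared with what the firewall service actually enforces. The following script is an added example, not from the Intune documentation: the comments map each Intune setting to the corresponding Get-NetFirewallProfile or Get-NetFirewallSetting property (the "Disable ..." settings invert to the cmdlet's Allow/Notify properties), and the ActiveStore policy store is queried so the result reflects the merged policy rather than only locally defined settings. The grouping into Domain, Private and Public follows the order of the settings above, where only the Private and Public profiles carry a default inbound and outbound action; the function name is the example's own.

```powershell
# Added example, not from the Intune documentation: compare the effective Windows
# Firewall configuration with the baseline defaults listed above.
# Run elevated on Windows 10/11 (NetSecurity module).

# Global settings (Get-NetFirewallSetting).
$GlobalExpected = @{
    EnableStatefulFtp    = 'False'   # Disable Stateful Ftp: True
    CertValidationLevel  = 'None'    # Certificate revocation list verification: None
    MaxSAIdleTimeSeconds = 300       # Security association idle time: 300 seconds
    KeyEncoding          = 'UTF8'    # Preshared Key Encoding: UTF8
    EnablePacketQueuing  = 'None'    # Enable Packet Queue: Disabled
}

# Settings every profile shares (Get-NetFirewallProfile).
$CommonExpected = @{
    Enabled                         = 'True'   # Enable <Domain|Private|Public> Network Firewall: True
    NotifyOnListen                  = 'False'  # Disable Inbound Notifications: True
    AllowUnicastResponseToMulticast = 'True'   # Disable Unicast Responses To Multicast Broadcast: False
    AllowLocalFirewallRules         = 'True'   # Allow Local Policy Merge: True
    AllowLocalIPsecRules            = 'True'   # Allow Local Ipsec Policy Merge: True
    AllowUserPorts                  = 'True'   # Global Ports Allow User Pref Merge: True
}
# Private and Public additionally fix the default actions and app-rule merge.
$NonDomainExtra = @{
    DefaultInboundAction  = 'Block'   # Default Inbound Action for <Private|Public> Profile: Block
    DefaultOutboundAction = 'Allow'   # Default Outbound Action: Allow
    AllowUserApps         = 'True'    # Auth Apps Allow User Pref Merge: True
}
$ProfileExpected = @{
    Domain  = $CommonExpected
    Private = $CommonExpected + $NonDomainExtra
    Public  = $CommonExpected + $NonDomainExtra
}

function Test-FirewallBaseline {
    $findings = [System.Collections.Generic.List[string]]::new()

    # ActiveStore is the merged result of GPO/CSP and local settings, i.e. what is enforced.
    $settings = Get-NetFirewallSetting -PolicyStore ActiveStore
    foreach ($name in $GlobalExpected.Keys) {
        if ("$($settings.$name)" -ne "$($GlobalExpected[$name])") {
            $findings.Add("Global $name = '$($settings.$name)'; baseline expects $($GlobalExpected[$name])")
        }
    }

    foreach ($profileName in 'Domain', 'Private', 'Public') {
        $fwProfile = Get-NetFirewallProfile -Name $profileName -PolicyStore ActiveStore
        $expected  = $ProfileExpected[$profileName]
        foreach ($name in $expected.Keys) {
            if ("$($fwProfile.$name)" -ne "$($expected[$name])") {
                $findings.Add("$profileName profile $name = '$($fwProfile.$name)'; baseline expects $($expected[$name])")
            }
        }
    }
    return $findings
}

$result = @(Test-FirewallBaseline)
if ($result.Count -eq 0) { 'Firewall configuration matches the baseline defaults.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Because the baseline leaves local policy merge on for every profile, a locally added inbound allow rule does not show up as a profile-level deviation here; auditing the rule set itself (Get-NetFirewallRule with -PolicyStore ActiveStore) is a separate exercise.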
Microsoft Edge
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled
Enable Microsoft Defender SmartScreen DNS requests
Baseline default: Enabled
Enable new SmartScreen library
Baseline default: Enabled
Force Microsoft Defender SmartScreen checks on downloads from trusted sources
Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Attack Surface Reduction Rules
Attack surface reduction rules support merging settings from different policies into a superset of policy for each device. Only settings that aren't in conflict are merged; settings that are in conflict aren't added to the superset of rules. Previously, if two policies included conflicting values for a single setting, both policies were flagged as being in conflict and no settings from either profile were deployed.
Attack surface reduction rule merge behavior is as follows:
- Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
  - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction
  - Endpoint security > Attack surface reduction policy > Attack surface reduction rules
  - Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules
- Settings that don't have conflicts are added to the superset of policy for the device.
- When two or more policies have conflicting values for a setting, that setting isn't added to the combined policy, while the settings that don't conflict are still added to the superset policy that applies to the device.
- Only the configurations for conflicting settings are held back.
To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint documentation.
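The merge rules above can be made concrete with a small simulation. The following function is an added example and not the Intune service's code: it takes the rule values assigned by several constructed sample profiles (named after the three profile types listed above), and separates the rules every profile agrees on from the rules that conflict, which is the behavior the list describes. The rule names are the baseline's; the values the sample profiles assign are illustrative.

```powershell
# Added example, not from the Intune documentation: simulate how attack surface
# reduction rule settings from several profiles merge for one device.

function Merge-AsrRuleSettings {
    param(
        # Each policy: @{ Name = '<profile>'; Rules = @{ '<rule>' = 'Block' | 'Audit' | 'Warn' | 'Off' } }.
        # A rule a policy leaves "Not configured" is simply absent from its Rules table.
        [Parameter(Mandatory)] [hashtable[]] $Policies
    )

    # Collect every value each policy assigns to each rule.
    $valuesByRule = @{}
    foreach ($policy in $Policies) {
        foreach ($rule in $policy.Rules.Keys) {
            if (-not $valuesByRule.ContainsKey($rule)) { $valuesByRule[$rule] = @{} }
            $valuesByRule[$rule][$policy.Name] = $policy.Rules[$rule]
        }
    }

    # A rule with one distinct value across its sources is applied; a rule whose
    # sources disagree is held back on its own, without blocking the rest of either policy.
    $superset  = @{}
    $conflicts = @{}
    foreach ($rule in $valuesByRule.Keys) {
        $distinct = @($valuesByRule[$rule].Values | Sort-Object -Unique)
        if ($distinct.Count -eq 1) { $superset[$rule] = $distinct[0] }
        else                       { $conflicts[$rule] = $valuesByRule[$rule] }
    }
    [pscustomobject]@{ Superset = $superset; Conflicts = $conflicts }
}

# Constructed sample profiles targeting the same device (values are illustrative).
$endpointProtection = @{ Name = 'Endpoint protection profile'; Rules = @{
    'Block all Office applications from creating child processes'      = 'Block'
    'Block process creations originating from PSExec and WMI commands' = 'Block'
} }
$asrPolicy = @{ Name = 'Attack surface reduction policy'; Rules = @{
    'Block credential stealing from the Windows local security authority subsystem' = 'Block'
    'Block untrusted and unsigned processes that run from USB'                      = 'Warn'
} }
$baseline = @{ Name = 'Defender for Endpoint baseline'; Rules = @{
    'Block credential stealing from the Windows local security authority subsystem' = 'Block'
    'Block process creations originating from PSExec and WMI commands'              = 'Audit'
    'Block untrusted and unsigned processes that run from USB'                      = 'Block'
} }

$merged = Merge-AsrRuleSettings -Policies $endpointProtection, $asrPolicy, $baseline

'Applied to the device:'
$merged.Superset.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name): $($_.Value)" }
'Held back (the device reports a conflict for these rules only):'
foreach ($rule in ($merged.Conflicts.Keys | Sort-Object)) {
    $sources = ($merged.Conflicts[$rule].GetEnumerator() | ForEach-Object { "$($_.Name) = $($_.Value)" }) -join '; '
    "  ${rule}: $sources"
}
```

With the sample data, the Office child-process rule and the LSASS rule are applied (the latter because both sources agree on Block), while the PSExec/WMI rule (Block versus Audit) and the USB rule (Warn versus Block) are held back and surface as per-setting conflicts. The practical consequence for the baseline's two Audit-mode rules is that any other policy setting them to Block produces a conflict rather than the stricter value winning.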
Block Office communication apps from creating child processes
Baseline default: Enable
Block Adobe Reader from creating child processes
Baseline default: Enable
Block Office applications from injecting code into other processes
Baseline default: Block
Block Office applications from creating executable content
Baseline default: Block
Block JavaScript or VBScript from launching downloaded executable content
Baseline default: Block
Enable network protection
Baseline default: Enable
Block untrusted and unsigned processes that run from USB
Baseline default: Block
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Baseline default: Enable
Block executable content download from email and webmail clients
Baseline default: Block
Block all Office applications from creating child processes
Baseline default: Block
Block execution of potentially obfuscated scripts (js/vbs/ps)
Baseline default: Block
Block Win32 API calls from Office macro
Baseline default: Block
Application Guard
For more information, see WindowsDefenderApplicationGuard CSP in the Windows documentation.
When you use Microsoft Edge, Microsoft Defender Application Guard protects your environment from sites that aren't trusted by your organization. When users visit sites that aren't listed in your isolated network boundary, the sites open in a Hyper-V virtual browsing session. Trusted sites are defined by a network boundary.
Turn on Application Guard for Edge (Options)
Baseline default: Enabled for Edge
Block external content from non-enterprise approved sites
Baseline default: Yes
Clipboard behavior
Baseline default: Block copy and paste between PC and browser
Windows network isolation policy
Baseline default: Configure
- Network domains
Baseline default: securitycenter.windows.com
BitLocker
Require storage cards to be encrypted (mobile only)
Baseline default: Yes
Note: Support for Windows 10 Mobile and Windows Phone 8.1 ended in August 2020.
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
BitLocker system drive policy
Baseline default: Configure
- Configure encryption method for Operating System drives
Baseline default: Not configured
BitLocker fixed drive policy
Baseline default: Configure
Block write access to fixed data-drives not protected by BitLocker
Baseline default: Yes
This setting is available when BitLocker fixed drive policy is set to Configure.
Configure encryption method for fixed data-drives
Baseline default: AES 128bit XTS
BitLocker removable drive policy
Baseline default: Configure
Configure encryption method for removable data-drives
Baseline default: AES 128bit CBC
Block write access to removable data-drives not protected by BitLocker
Baseline default: Not configured
Standby states when sleeping while on battery
Baseline default: Disabled
Standby states when sleeping while plugged in
Baseline default: Disabled
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
BitLocker system drive policy
Baseline default: Configure
Startup authentication required
Baseline default: Yes
Compat‍ible TPM startup PIN
Baseline default: Allowed
Compatible TPM startup key
Baseline default: Required
Disable BitLocker on devices where TPM is incompatible
Baseline default: Yes
Configure encryption method for Operating System drives
Baseline default: Not configured
BitLocker fixed drive policy
Baseline default: Configure
Block write access to fixed data-drives not protected by BitLocker
Baseline default: Yes
This setting is available when BitLocker fixed drive policy is set to Configure.
Configure encryption method for fixed data-drives
Baseline default: AES 128bit XTS
BitLocker removable drive policy
Baseline default: Configure
Configure encryption method for removable data-drives
Baseline default: AES 128bit CBC
Block write access to removable data-drives not protected by BitLocker
Baseline default: Not configured
BitLocker system drive policy
Baseline default: Configure
Startup authentication required
Baseline default: Yes
Compatible TPM startup PIN
Baseline default: Allowed
Compatible TPM startup key
Baseline default: Required
Disable BitLocker on devices where TPM is incompatible
Baseline default: Yes
Configure encryption method for Operating System drives
Baseline default: Not configured
Standby states when sleeping while on battery
Baseline default: Disabled
Standby states when sleeping while plugged in
Baseline default: Disabled
Enable full disk encryption for OS and fixed data drives
Baseline default: Yes
BitLocker fixed drive policy
Baseline default: Configure
Block write access to fixed data-drives not protected by BitLocker
Baseline default: Yes
This setting is available when BitLocker fixed drive policy is set to Configure.
Configure encryption method for fixed data-drives
Baseline default: AES 128bit XTS
BitLocker removable drive policy
Baseline default: Configure
Configure encryption method for removable data-drives
Baseline default: AES 128bit CBC
Block write access to removable data-drives not protected by BitLocker
Baseline default: Not configured
Browser
Require SmartScreen for Microsoft Edge
Baseline default: Yes
Block malicious site access
Baseline default: Yes
Block unverified file download
Baseline default: Yes
Data Protection
- Block direct memory access
Baseline default: Yes
Device Guard
- Turn on credential guard
Baseline default: Enable with UEFI lock
Device Installation
Hardware device installation by device identifiers
Baseline default: Block hardware device installation
Remove matching hardware devices
Baseline default: Yes
Hardware device identifiers that are blocked
Baseline default: Not configured by default. Manually add one or more device identifiers.
Hardware device installation by setup classes
Baseline default: Block hardware device installation
Remove matching hardware devices
Baseline default: Not configured
Hardware device identifiers that are blocked
Baseline default: Not configured by default. Manually add one or more device identifiers.
Block hardware device installation by setup classes:
Baseline default: Yes
Remove matching hardware devices:
Baseline default: Yes
Block list
Baseline default: Not configured by default. Manually add one or more setup class globally unique identifiers.
DMA Guard
- Enumeration of external devices incompatible with Kernel DMA Protection
Baseline default: Block all
- Enumeration of external devices incompatible with Kernel DMA Protection
Baseline default: Not configured
Endpoint Detection and Response
Sample sharing for all files
Baseline default: Yes
Expedite telemetry reporting frequency
Baseline default: Yes
Firewall
Stateful File Transfer Protocol (FTP)
Baseline default: Disabled
Number of seconds a security association can be idle before it's deleted
Baseline default: 300
Preshared key encoding
Baseline default: UTF8
Certificate revocation list (CRL) verification
Baseline default: Not configured
Packet queuing
Baseline default: Not configured
Firewall profile private
Baseline default: Configure
Inbound connections blocked
Baseline default: Yes
Unicast responses to multicast broadcasts required
Baseline default: Yes
Outbound connections required
Baseline default: Yes
Inbound notifications blocked
Baseline default: Yes
Global port rules from group policy merged
Baseline default: Yes
Firewall enabled
Baseline default: Allowed
Authorized application rules from group policy not merged
Baseline default: Yes
Connection security rules from group policy not merged
Baseline default: Yes
Incoming traffic required
Baseline default: Yes
Policy rules from group policy not merged
Baseline default: Yes
- Stealth mode blocked
Baseline default: Yes
Firewall profile public
Baseline default: Configure
Inbound connections blocked
Baseline default: Yes
Unicast responses to multicast broadcasts required
Baseline default: Yes
Outbound connections required
Baseline default: Yes
Authorized application rules from group policy not merged
Baseline default: Yes
Inbound notifications blocked
Baseline default: Yes
Global port rules from group policy merged
Baseline default: Yes
Firewall enabled
Baseline default: Allowed
Connection security rules from group policy not merged
Baseline default: Yes
Incoming traffic required
Baseline default: Yes
Policy rules from group policy not merged
Baseline default: Yes
- Stealth mode blocked
Baseline default: Yes
Firewall profile domain
Baseline default: Configure
Unicast responses to multicast broadcasts required
Baseline default: Yes
Authorized application rules from group policy not merged
Baseline default: Yes
Inbound notifications blocked
Baseline default: Yes
Global port rules from group policy merged
Baseline default: Yes
Firewall enabled
Baseline default: Allowed
Connection security rules from group policy not merged
Baseline default: Yes
Policy rules from group policy not merged
Baseline default: Yes
- Stealth mode blocked
Baseline default: Yes
Microsoft Defender
Turn on real-time protection
Baseline default: Yes
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 50
Scan all downloaded files and attachments
Baseline default: Yes
Scan type
Baseline default: Quick scan
Defender schedule scan day:
Baseline default: Everyday
Defender scan start time:
Baseline default: Not configured
Defender sample submission consent
Baseline default: Send safe samples automatically
Cloud-delivered protection level
Baseline default: High
Scan removable drives during full scan
Baseline default: Yes
Defender potentially unwanted app action
Baseline default: Block
Turn on cloud-delivered protection
Baseline default: Yes
Turn on real-time protection
Baseline default: Yes
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 50
Scan all downloaded files and attachments
Baseline default: Yes
Scan type
Baseline default: Quick scan
Defender sample submission consent
Baseline default: Send safe samples automatically
Cloud-delivered protection level
Baseline default: High
Scan removable drives during full scan
Baseline default: Yes
Defender potentially unwanted app action
Baseline default: Block
Turn on cloud-delivered protection
Baseline default: Yes
Run daily quick scan at
Baseline default: 2 AM
Scheduled scan start time
Baseline default: 2 AM
Configure low CPU priority for scheduled scans
Baseline default: Yes
Block Office communication apps from creating child processes
Baseline default: Enable
Block Adobe Reader from creating child processes
Baseline default: Enable
Scan incoming email messages
Baseline default: Yes
Turn on real-time protection
Baseline default: Yes
Number of days (0-90) to keep quarantined malware
Baseline default: 0
Defender system scan schedule
Baseline default: User defined
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 50
Scan mapped network drives during a full scan
Baseline default: Yes
Turn on network protection
Baseline default: Yes
Scan all downloaded files and attachments
Baseline default: Yes
Block on access protection
Baseline default: Not configured
Scan browser scripts
Baseline default: Yes
Block user access to Microsoft Defender app
Baseline default: Yes
Maximum allowed CPU usage (0-100 percent) per scan
Baseline default: 50
Scan type
Baseline default: Quick scan
Enter how often (0-24 hours) to check for security intelligence updates
Baseline default: 8
Defender sample submission consent
Baseline default: Send safe samples automatically
Cloud-delivered protection level
Baseline default: Not configured
Scan archive files
Baseline default: Yes
Turn on behavior monitoring
Baseline default: Yes
Scan removable drives during full scan
Baseline default: Yes
Scan network files
Baseline default: Yes
Defender potentially unwanted app action
Baseline default: Block
Turn on cloud-delivered protection
Baseline default: Yes
Block Office applications from injecting code into other processes
Baseline default: Block
Block Office applications from creating executable content
Baseline default: Block
Block JavaScript or VBScript from launching downloaded executable content
Baseline default: Block
Enable network protection
Baseline default: Audit mode
Block untrusted and unsigned processes that run from USB
Baseline default: Block
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Baseline default: Enable
Block executable content download from email and webmail clients
Baseline default: Block
Block all Office applications from creating child processes
Baseline default: Block
Block execution of potentially obfuscated scripts (js/vbs/ps)
Baseline default: Block
Block Win32 API calls from Office macro
Baseline default: Block
Microsoft Defender Security Center
- Block users from editing the Exploit Guard protection interface
Baseline default: Yes
Smart Screen
Block users from ignoring SmartScreen warnings
Baseline default: Yes
Turn on Windows SmartScreen
Baseline default: Yes
Require SmartScreen for Microsoft Edge
Baseline default: Yes
Block malicious site access
Baseline default: Yes
Block unverified file download
Baseline default: Yes
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled
Require apps from store only
Baseline default: Yes
Turn on Windows SmartScreen
Baseline default: Yes
Windows Hello for Business
For more information, see PassportForWork CSP in the Windows documentation.
Block Windows Hello for Business
Baseline default: Disabled
Lowercase letters in PIN
Baseline default: Allowed
Special characters in PIN
Baseline default: Allowed
Uppercase letters in PIN
Baseline default: Allowed