Hardening Microsoft Defender Antivirus

Introduction

In this blog, I walk through key Microsoft Defender Antivirus configurations, why they matter, and how to apply them using Intune or Group Policy. These are the same proven best practices I use in the field with my clients.


Core Protection Components

Defender Antivirus includes several core security features:

  • Cloud Protection
  • Real-time Protection
  • Signature Updates
  • PUA Protection (Potentially Unwanted Applications)
  • Scan Settings
  • Network Protection

Cloud Protection

Cloud protection is essential for identifying new or unknown threats. When local analysis falls short, Defender submits file metadata (and in some cases the file itself) to the Microsoft cloud for further inspection.

When you enable both Cloud Protection and Real-time Protection, you activate BAFS (Block At First Sight).

Cloud Protection Levels:

  • Not Configured
  • Zero Tolerance – Blocks all unknown executables. Best for highly secure environments.
  • High – Balanced protection, suitable for most organizations.
  • High Plus – Includes additional heuristics and deeper inspection.

Recommendation: Set to High Plus or at least High. Never leave unconfigured or disabled.

Supporting Settings:

  • Allow Cloud Protection – Enables the cloud backend for real-time response.
  • Cloud Block Level – Set to the second-highest option for optimal results.
  • Cloud Extended Timeout – Extend default block time (10s) by up to 50s to allow for deeper cloud inspection.

Recommendation: 50 (seconds)


Sample Submission

Controls how Defender handles potentially suspicious files:

  • Send safe samples automatically – Safe, low-risk option
  • Always prompt – User consent required before submission
  • Send all samples automatically – Most aggressive
  • Do not send – Disables BAFS functionality

Recommended setting: Send safe samples automatically.


Real-Time Monitoring & Behavior Protection

Real-Time Monitoring continuously watches for malicious activity and intervenes immediately.

Behavior Monitoring analyzes how applications behave and flags suspicious patterns, helping catch unknown malware based on runtime actions rather than known signatures.

Recommendation: Enable both features for full real-time protection.


Signature Update Interval

Defender AV uses frequent signature updates provided multiple times per day via the Microsoft cloud. These updates ensure the antivirus engine stays current with the latest malware definitions.

Recommendation: Signature Update Interval set to 1 (the interval is expressed in hours)


Scan Settings

Modern Defender setups rely less on scheduled full scans thanks to real-time and cloud-based protections.

Setting                                                   Value
--------------------------------------------------------  ----------------------------------
Allow Archive Scanning                                    Allowed
Allow Behavior Monitoring                                 Allowed
Allow Cloud Protection                                    Allowed
Allow Email Scanning                                      Allowed
Allow scanning of all downloaded files and attachments    Allowed
Allow Realtime Monitoring                                 Allowed
Allow Script Scanning                                     Allowed
Allow User UI Access                                      Not allowed
Avg CPU Load Factor                                       20
Check For Signatures Before Running Scan                  Enabled
Enable Low CPU Priority                                   Enabled
Real Time Scan Direction                                  Monitor all files (bi-directional)
Allow On Access Protection                                Allowed
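The cloud protection, sample submission, real-time protection, signature interval and scan settings above all map to properties of Get-MpPreference. The script below is an added example (not code from the original post) that audits a device against those recommendations and reports drift; it assumes an elevated PowerShell session on a device where Defender AV is active, and the numeric codes are Defender's own (MAPSReporting 2 = Advanced, CloudBlockLevel 4 = High Plus, SubmitSamplesConsent 1 = Send safe samples, RealTimeScanDirection 0 = bi-directional).

```powershell
# Added example: compare effective Defender preferences with the recommended baseline.
$pref = Get-MpPreference

$expected = [ordered]@{
    MAPSReporting                       = 2        # Advanced = cloud protection on
    CloudBlockLevel                     = 4        # High Plus (2 = High, 6 = Zero Tolerance)
    CloudExtendedTimeout                = 50       # extra seconds for cloud inspection
    SubmitSamplesConsent                = 1        # Send safe samples automatically
    DisableBlockAtFirstSeen             = $false   # BAFS stays enabled
    DisableRealtimeMonitoring           = $false
    DisableBehaviorMonitoring           = $false
    SignatureUpdateInterval             = 1        # hours
    DisableArchiveScanning              = $false
    DisableEmailScanning                = $false
    DisableIOAVProtection               = $false   # downloaded files and attachments
    DisableScriptScanning               = $false
    UILockdown                          = $true    # "Allow User UI Access: Not allowed"
    ScanAvgCPULoadFactor                = 20
    CheckForSignaturesBeforeRunningScan = $true
    EnableLowCpuPriority                = $true
    RealTimeScanDirection               = 0        # monitor incoming and outgoing files
}

# Build one row per setting; string comparison keeps $true/1/"1" handling simple.
$report = foreach ($name in $expected.Keys) {
    $actual = $pref.$name          # $null if this platform build lacks the property
    [pscustomobject]@{
        Setting   = $name
        Expected  = $expected[$name]
        Actual    = $actual
        Compliant = ($null -ne $actual -and "$actual" -eq "$($expected[$name])")
    }
}

$report | Format-Table -AutoSize
$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -eq 0) { 'All audited settings match the recommended baseline.' }
else { '{0} setting(s) deviate from the baseline; see the Compliant column.' -f $drift.Count }
```

Get-MpPreference already reflects values pushed by Intune or Group Policy, so a non-compliant row means the policy did not reach the device or was overridden, not merely that the local default differs.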



PUA Protection

Potentially Unwanted Applications (PUAs) can introduce risk without being classified as malware. Examples include CCleaner, toolbar software, and bundled installers.

Recommendation: Enable in audit mode first, evaluate logs, and then enforce in blocking mode.


Network Protection

Essential for defending against malicious or unauthorized web traffic. Works in conjunction with Defender for Endpoint’s network indicators and content filtering.

Requirements for full coverage:

  • Enable in block mode
  • SmartScreen must be enabled (especially for Edge)

Feature                 Edge          3rd-party browsers   Non-browser apps (e.g., PowerShell)
----------------------  ------------  -------------------  -----------------------------------
Web Threat Protection   SmartScreen   NP block mode        NP block mode
Custom Indicators       SmartScreen   NP block mode        NP block mode
Web Content Filtering   SmartScreen   NP block mode        Not supported

For servers, some additional configuration is needed. According to Jeffrey Appel’s MDE series, you should always test the AllowDatagramProcessingOnWinServer setting, as it affects the inspection of UDP traffic on high-load Windows Servers such as Exchange or SQL Server; improper configuration may impact performance under heavy network usage. I never came across this issue.
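As an added example (not from the original post), the script below stages Network Protection on a single device, allows the feature on server SKUs, reports the datagram-processing value the post says to test rather than changing it, and then reads the Defender operational log to verify the mode actually produces events. The `-Mode` parameter is this script's own assumption; event IDs 1125 (audit) and 1126 (block) are Defender's documented Network Protection events. Save it as a .ps1 and run it elevated.

```powershell
# Added example: roll Network Protection from audit to block on one device and verify via the event log.
param([ValidateSet('Audit', 'Block')][string]$Mode = 'Audit')

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

# EnableNetworkProtection: 0 = Disabled, 1 = Block, 2 = Audit
$level = if ($Mode -eq 'Block') { 1 } else { 2 }
Set-MpPreference -EnableNetworkProtection $level
"Network Protection set to {0} mode." -f $Mode

if ($isServer) {
    # Server SKUs need the feature explicitly allowed; UDP inspection is only reported,
    # because the post recommends testing that setting under load before enforcing it.
    Set-MpPreference -AllowNetworkProtectionOnWinServer $true
    $pref = Get-MpPreference
    "Server SKU: AllowDatagramProcessingOnWinServer is currently {0} (test under load before changing)." -f `
        $pref.AllowDatagramProcessingOnWinServer
}

# Verify: 1125 = audit-mode event, 1126 = block-mode event, both in the Defender operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches; treat that as "none"

if (-not $events) {
    'No Network Protection events in the last 7 days; generate traffic to a test URL and re-run.'
} else {
    $events | Group-Object Id | ForEach-Object { '{0} event(s) with ID {1}' -f $_.Count, $_.Name }
    # The message body names the destination that was audited or blocked.
    $events | Select-Object -First 10 TimeCreated, Id, Message | Format-List
}
```

A healthy audit phase shows 1125 events for the destinations you expect; switching to block should turn those into 1126 events without new, unexpected destinations appearing.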


Advanced Configuration

If you use the Endpoint Management Experience you cannot push these additional configurations to servers, because Microsoft has not updated their baseline yet. Therefore you are forced to use, for example, GPO.

For clients you can use the configuration profile.

For GPO, see the settings below.

FileHashComputation

Generates hashes for files to:

  • Improve detection speed
  • Increase accuracy
  • Strengthen behavioral analysis

Centralized Exclusions

Prevent local admins from overriding exclusion policies by enabling:

  • Disable Local Admin Merge – Blocks merging of local and central settings
  • DisableExclusionsLocalAdmin – Prevents exclusion changes via PowerShell or registry

Recommendation: Enabled

OOBE Settings (Intune Only)

When enabled, this setting automatically turns on Real-time Protection and Security Intelligence Updates during OOBE, providing immediate security from the first boot.

Recommendation: Enabled

Quick Scan Exclusions

When enabled, Defender’s quick scan also scans excluded files, so it can detect malicious items that an exclusion may have wrongly allowed.

Recommendation: Enabled
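Because these advanced settings are meant to be enforced centrally (and on servers via GPO), it helps to check whether a value is actually written by policy or merely set locally. The script below is an added example (not from the original post): it reads the Policies hive that Group Policy and Intune write to and compares it with Get-MpPreference. It assumes the policy registry locations written by the corresponding ADMX settings (DisableLocalAdminMerge at the root of the Windows Defender policy key, EnableFileHashComputation under MpEngine) and that the OOBE and quick-scan properties are exposed by Get-MpPreference on this platform build.

```powershell
# Added example: is each advanced setting enforced by policy, set locally only, or not configured?
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = if ($SubKey) { Join-Path $policyRoot $SubKey } else { $policyRoot }
    try { (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$pref  = Get-MpPreference
# PolicySubKey '' = root of the policy key; $null = no policy location checked here (assumption).
$items = @(
    @{ Setting = 'DisableLocalAdminMerge';     PolicySubKey = '';         PreferenceName = $null;                        Expected = 1 }
    @{ Setting = 'EnableFileHashComputation';  PolicySubKey = 'MpEngine'; PreferenceName = 'EnableFileHashComputation';  Expected = 1 }
    @{ Setting = 'OobeEnableRtpAndSigUpdate';  PolicySubKey = $null;      PreferenceName = 'OobeEnableRtpAndSigUpdate';  Expected = 1 }
    @{ Setting = 'QuickScanIncludeExclusions'; PolicySubKey = $null;      PreferenceName = 'QuickScanIncludeExclusions'; Expected = 1 }
)

$report = foreach ($i in $items) {
    $policy = if ($null -ne $i.PolicySubKey) { Get-PolicyValue $i.PolicySubKey $i.Setting } else { $null }
    $local  = if ($i.PreferenceName) { $pref.($i.PreferenceName) } else { $null }
    $state  = if ("$policy" -eq "$($i.Expected)") { 'Enforced by policy' }
              elseif ($null -ne $local -and [int]$local -eq $i.Expected) { 'Set locally only' }
              else { 'Not configured' }
    [pscustomobject]@{
        Setting    = $i.Setting
        PolicyHive = $policy   # $null: nothing written under the Policies key
        Effective  = $local    # what Get-MpPreference reports ($true/1 = enabled)
        State      = $state
    }
}

$report | Format-Table -AutoSize
```

DisableLocalAdminMerge has no Get-MpPreference counterpart, so a non-null PolicyHive value is the only evidence it is in force; a "Set locally only" row is exactly the kind of drift a local admin could undo.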


Final Thoughts

Microsoft Defender Antivirus is a powerful tool, and with these tweaks you can leverage its full potential. I hope this helps.


Source:

Paul Huijbregts, Joe Anich, Justen Graves: Microsoft Defender for Endpoint in Depth: Take any organization’s endpoint security to the next level (ISBN 9781804615461)

Jeffrey Appel: Microsoft Defender for Endpoint series, Define the AV policy baseline, Part 4A
