
Antivirus

Configure Microsoft Defender Antivirus policies through Intune endpoint security. Manage real-time protection, cloud-delivered protection, scan schedules, and exclusions.

Real-Time Protection

Setting                     Recommended
Real-time protection        Enabled
Behavior monitoring         Enabled
Scan all downloads          Enabled
Scan scripts in browsers    Enabled
Network protection          Block mode
PUA protection              Block

Cloud-Delivered Protection

  • Cloud protection level — High, High+, or Zero Tolerance
  • Cloud extended timeout — Up to 60 seconds
  • Block at first sight — Block suspicious files until cloud verdict
  • Sample submission — Send safe samples automatically

Scan Schedules

Quick Scan

Checks common malware locations: running processes, startup locations, system directories. Recommended: Daily.

Full Scan

Scans all files and running programs on all drives, including archive files. Recommended: Weekly during off-hours.

Exclusions

  • File Extensions — Exclude by extension
  • File Paths — Exclude specific files or folders
  • Processes — Exclude processes by name or path

Warning: Minimize exclusions. Each one reduces protection coverage.

Tamper Protection

Prevent unauthorized changes to Defender settings. Blocks disabling real-time protection and cloud protection.

Defender Updates

  • Update interval — Hours between definition checks
  • Update sources — Microsoft Update, WSUS, file share
  • Security intelligence — Automatic (recommended)

Reporting

  • Antivirus agent status per device
  • Detected malware with severity and remediation
  • Out-of-date definitions
  • Devices with protection disabled

Best Practices

  • Enable real-time protection on all devices
  • Use cloud protection at High level
  • Enable tamper protection
  • Schedule daily quick scans and weekly full scans
  • Review and minimize exclusions
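The following audit script is an added example, not part of this product or its API: it reads the local Defender state on a Windows endpoint through the Defender PowerShell module (Get-MpPreference and Get-MpComputerStatus, run in an elevated session) and flags every setting that differs from the recommendations and best practices above. The numeric values for cloud block level, network protection, PUA protection, MAPS reporting and sample submission follow Microsoft's documented enumerations for those preferences.

```powershell
# Added audit script (not part of this product). Compares the local Defender
# configuration against the recommendations on this page. Requires the Defender
# PowerShell module (Get-MpPreference / Get-MpComputerStatus); run elevated.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Setting, [bool]$Ok, $Actual, [string]$Expected) {
    $findings.Add([pscustomobject]@{
        Setting  = $Setting
        Status   = $(if ($Ok) { 'OK' } else { 'REVIEW' })
        Actual   = "$Actual"
        Expected = $Expected
    })
}

# Real-time protection table
Add-Finding 'Real-time protection'     (-not $pref.DisableRealtimeMonitoring) $status.RealTimeProtectionEnabled  'Enabled'
Add-Finding 'Behavior monitoring'      (-not $pref.DisableBehaviorMonitoring) $status.BehaviorMonitorEnabled     'Enabled'
Add-Finding 'Scan all downloads'       (-not $pref.DisableIOAVProtection)     (-not $pref.DisableIOAVProtection) 'Enabled'
Add-Finding 'Scan scripts in browsers' (-not $pref.DisableScriptScanning)     (-not $pref.DisableScriptScanning) 'Enabled'
# EnableNetworkProtection / PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit
Add-Finding 'Network protection'       ($pref.EnableNetworkProtection -eq 1)  $pref.EnableNetworkProtection      '1 (Block)'
Add-Finding 'PUA protection'           ($pref.PUAProtection -eq 1)            $pref.PUAProtection                '1 (Block)'

# Cloud-delivered protection. CloudBlockLevel: 0 Default, 1 Moderate, 2 High, 4 High+, 6 Zero Tolerance
Add-Finding 'Cloud protection level'   ($pref.CloudBlockLevel -ge 2)          $pref.CloudBlockLevel              '2 (High) or above'
# Block at first sight needs MAPS reporting at Advanced (2) and the feature not disabled
Add-Finding 'Block at first sight'     (($pref.MAPSReporting -eq 2) -and -not $pref.DisableBlockAtFirstSeen) "MAPS=$($pref.MAPSReporting)" 'MAPS=2, enabled'
# SubmitSamplesConsent: 0 Always prompt, 1 Send safe samples, 2 Never send, 3 Send all
Add-Finding 'Sample submission'        ($pref.SubmitSamplesConsent -eq 1)     $pref.SubmitSamplesConsent         '1 (Send safe samples)'

# Tamper protection and definition freshness (days since last signature update)
Add-Finding 'Tamper protection'        $status.IsTamperProtected              $status.IsTamperProtected          'True'
Add-Finding 'Signature age (days)'     ($status.AntivirusSignatureAge -le 1)  $status.AntivirusSignatureAge      '<= 1'

# Exclusions: each entry is a coverage gap, so any non-empty list is flagged for review
$exclusions = @($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) |
    Where-Object { $_ }
$exclusionCount = ($exclusions | Measure-Object).Count
Add-Finding 'Exclusions configured'    ($exclusionCount -eq 0)                $exclusionCount                    '0 (or documented)'

$findings | Format-Table -AutoSize
if ($exclusionCount -gt 0) {
    Write-Host 'Exclusions to review:'
    $exclusions | ForEach-Object { Write-Host "  $_" }
}
```

Rows marked REVIEW are the settings to reconcile with the Intune policy; a device that still differs after policy sync is a candidate for the tamper-protection and reporting checks described above.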

API Reference

  • GET /api/devices/security/antivirus/status — Get status
  • GET /api/devices/security/antivirus/detections — List detections
  • POST /api/devices/security/antivirus/policies — Create policy
  • GET /api/devices/security/antivirus/policies/:id/status — Get deployment status