
Defender Policies

Configure Microsoft Defender for Endpoint policies to protect devices from malware, exploits, and advanced threats. Manage antivirus settings, firewall rules, attack surface reduction, and device control across your endpoint fleet.

Note: Defender policies require Microsoft Defender for Endpoint licensing (included in Microsoft 365 E5 or as standalone Plan 1/Plan 2).

Policy Categories

Antivirus

Real-time protection, scan schedules, exclusions, cloud-delivered protection, and remediation actions.

Attack Surface Reduction

ASR rules to block common attack techniques, exploit protection, and controlled folder access.

Firewall

Windows Defender Firewall settings, profiles (Domain, Private, Public), and custom rules.

Endpoint Detection and Response

EDR configuration, sample collection, telemetry settings, and advanced hunting capabilities.

Device Control

USB device restrictions, removable storage control, and Bluetooth policies.

Web Protection

Network protection, SmartScreen settings, and web content filtering.

Antivirus Settings

Real-Time Protection

  • Enable real-time protection — Scan files as they’re accessed
  • Monitor behavior — Detect suspicious process behavior
  • Scan all downloads — Check downloaded files before opening
  • Scan scripts — Inspect PowerShell, VBScript, JavaScript

Cloud Protection

  • Cloud-delivered protection — Use Microsoft cloud for latest definitions
  • Block at first sight — Block unknown files while analyzing
  • Extended cloud check timeout — Wait longer for cloud verdict
  • Sample submission — Auto-submit samples for analysis

Scan Settings

  • Scan type — Quick scan vs full scan schedule
  • Scan day/time — When scheduled scans run
  • CPU limit — Max CPU during scans (50% default)
  • Scan archives — Check inside ZIP, RAR files
  • Scan removable drives — Include USB drives

Attack Surface Reduction Rules

Block common attack techniques used by malware:

Office Application Rules

  • Block Office from creating executable content
  • Block Office from creating child processes
  • Block Office from injecting into processes
  • Block Win32 imports from Office macros

Script Rules

  • Block obfuscated scripts
  • Block JavaScript/VBScript launching executables
  • Block untrusted/unsigned processes from USB

Email Rules

  • Block executable content from email
  • Block execution of potentially obfuscated scripts

Ransomware Protection

  • Use advanced protection against ransomware
  • Block credential stealing from LSASS
  • Block persistence through WMI subscription

Rule Modes

  • Not Configured — Rule disabled
  • Audit — Log but don’t block
  • Block — Prevent action

Firewall Policies

Firewall Profiles

  • Domain — Applied when connected to corporate domain network.
  • Private — Home or trusted networks marked as private.
  • Public — Untrusted networks like coffee shops, airports.

Firewall Rules

  • Inbound and outbound rules
  • Protocol (TCP, UDP, ICMP)
  • Local and remote ports/addresses
  • Action (Allow, Block)
  • Application path filtering

Device Control

Control removable media and peripheral access:

Removable Storage

  • Block all removable storage
  • Read-only access to USB drives
  • Allow specific device IDs only
  • Block by hardware class

Printer Control

  • Block USB printers
  • Allow corporate printers only
  • Audit printer usage

Exclusions

Warning: Use Exclusions Carefully. Exclusions reduce protection. Only add them when necessary for application compatibility. Document why each exclusion exists.

File Exclusions

Exclude specific file paths from scanning. Use for known performance issues with line-of-business (LOB) applications.

Folder Exclusions

Exclude entire directories. Common for database folders, backup locations, and development directories.

Process Exclusions

Exclude files opened by specific processes. Better than folder exclusions for performance-sensitive apps.

Extension Exclusions

Exclude files by extension (.mdf, .log). Use sparingly as malware can use any extension.

Best Practices

  • Enable cloud-delivered protection — Cloud protection provides fastest response to new threats.
  • Use ASR rules in audit first — Test ASR rules in audit mode before enforcing to avoid business impact.
  • Block legacy protocols and features — Disable SMBv1, and disable Office macros where they are not needed.
  • Minimize exclusions — Each exclusion creates a gap in protection. Review and justify each one.
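As an added example (not part of this documentation page or the product's own tooling), the audit-first rollout recommended above, done with the built-in Windows Defender PowerShell cmdlets on an endpoint: the rules are set to Audit, the audit events are summarised to show what would have been blocked, and only then is the mode switched to Block. The rule GUIDs are Microsoft's published ASR rule IDs for three of the rules listed on this page; the event-data field names (`ID`, `Process Name`, `Path`) are assumed from the 1122 event schema and should be checked against a real event on your build.

```powershell
# Added example, not from the documentation page. Run in an elevated session.
# Rule GUIDs: Microsoft's published ASR rule IDs (verify against current docs).
$AsrRules = @{
    'Block Office from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block credential stealing from LSASS'       = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block persistence through WMI subscription' = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
}

function Set-AsrRuleMode {
    # Maps this page's rule modes onto the cmdlet's action names:
    # Not Configured -> Disabled, Audit -> AuditMode, Block -> Enabled.
    param(
        [Parameter(Mandatory)][string[]]$RuleIds,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'AuditMode', 'Enabled')][string]$Mode
    )
    # Ids and Actions are matched index for index. Set-MpPreference replaces
    # the whole list, so the complete desired rule set is passed every time.
    $actions = @($RuleIds | ForEach-Object { $Mode })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrAuditSummary {
    # Event 1122 = rule audited (would have blocked); 1121 = rule blocked.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            # Field names assumed from the 1122 event schema.
            [pscustomobject]@{ RuleId = $data['ID']; Process = $data['Process Name']; Target = $data['Path'] }
        } |
        Group-Object RuleId, Process | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Stage 1: audit, then review what the rules would have blocked.
Set-AsrRuleMode -RuleIds @($AsrRules.Values) -Mode AuditMode
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize

# Stage 2 (after the audit output has been reviewed and legitimate hits handled):
# Set-AsrRuleMode -RuleIds @($AsrRules.Values) -Mode Enabled
```

Each Count/Name row names a rule ID and the process that triggered it; rows dominated by a known business application point to a compatibility issue to resolve (or a narrowly scoped exclusion to document) before switching that rule to Block.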

API Reference

  • GET /api/security/defender-policies — List all Defender policies
  • GET /api/security/defender-policies/antivirus — Get antivirus configuration
  • GET /api/security/defender-policies/asr — Get ASR rules configuration
  • PUT /api/security/defender-policies/:id — Update policy settings
  • GET /api/security/defender-policies/exclusions — List configured exclusions