Managing your Antivirus in Endpoint Manager is now in preview.

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. First up, I am going to be looking at Antivirus capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Microsoft Endpoint Manager now has a new URL, http://endpoint.microsoft.com, replacing http://devicemanagement.microsoft.com.

This new preview feature supports the following scenarios:

Windows 10 and later (Microsoft Defender Antivirus)

Configuration Settings

Cloud Protection

| Setting | Action | Definition |
| --- | --- | --- |
| Turn on cloud-delivered protection | Not configured / Yes / No | When set to Yes, Defender will send information to Microsoft about any problems it finds. If set to Not configured, the client will return to default, which enables the feature but allows the user to disable it. |
| Cloud-delivered protection level | Not configured / High / High plus / Zero tolerance | Specify the level of cloud-delivered protection. Not configured uses the default Microsoft Defender Antivirus blocking level and provides strong detection without increasing the risk of detecting legitimate files. High applies a strong level of detection. High plus uses the High level and applies additional protection measures (may impact client performance). Zero tolerance blocks all unknown executables. While unlikely, setting to High may cause some legitimate files to be detected. We recommend you set this to the default level (Not configured). |
| Defender Cloud Extended Timeout In Seconds | | |

Microsoft Defender Antivirus Exclusions

| Setting | Action | Definition |
| --- | --- | --- |
| Defender Processes To Exclude | | |
| File extensions to exclude from scans and real-time protection | | |
| Defender Files And Folders To Exclude | | |

Real-time protection

| Setting | Action | Definition |
| --- | --- | --- |
| Turn on real-time protection | Not configured / Yes / No | When this setting is set to Yes, real-time monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to client default, which is on, but the user can change it. |
| Enable on access protection | Not configured / Yes / No | Virus protection that's continuously active, as opposed to on demand. |
| Monitoring for incoming and outgoing files | Monitor all files / Only monitor incoming files / Only monitor outgoing files | Configure this setting to determine which NTFS file and program activity is monitored. Monitor all files is the default, but for certain specific scenarios you may want to configure scanning for only incoming or outgoing files (e.g., server scenarios). |
| Turn on behavior monitoring | Not configured / Yes / No | When this setting is set to Yes, behavior monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to client default, which is on, but the user can change it. |
| Turn on network protection | Not configured / Yes / No | When this setting is set to Yes, behavior monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to client default, which is on, but the user can change it. |
| Scan all downloaded files and attachments | Not configured / Yes / No | |
| Scan scripts that are used in Microsoft browsers | Not configured / Yes / No | When this setting is set to Yes, all downloaded files and attachments will be scanned. When set to Not configured, the setting is returned to client default, which is on, but the user can change it. |
| Scan network files | Not configured / Yes / No | When this setting is set to Yes, the Windows Defender Script Scanning functionality will be enforced and the user cannot turn it off. When set to Not configured, the setting is returned to client default, which is to enable script scanning; however, the user can turn it off. |
| Scan emails | Not configured / Yes / No | When set to Yes, e-mail mailbox and mail files such as PST, DBX, MNX, MIME and BINHEX will be scanned. When Not configured, the setting will return to client default of e-mail files not being scanned. |

Remediation

| Setting | Action | Definition |
| --- | --- | --- |
| Number of days (0-90) to keep quarantined malware | | Configure this setting to determine the number of days items should be kept in the quarantine folder before being removed. Leaving this Not configured or setting it to 0 will result in quarantined files never being removed. |
| Submit samples consent | | |
| Action to take on potentially unwanted apps | | Specify the level of protection for potentially unwanted applications (PUAs). Not configured configures the client to default, which is PUA Protection Off. Block turns PUA Protection On, and blocks potentially unwanted applications. Audit allows PUA to detect potentially unwanted applications, but takes no action. |
| Actions for detected threats | Configured / Not configured | Allows you to specify any valid threat severity levels and the corresponding default action to take. Only enforced in Windows 10 for desktop. |

Scan

| Setting | Action | Definition |
| --- | --- | --- |
| Scan archive files | Not configured / Yes / No | When set to Yes, archive files such as ZIP or CAB file scanning will be enforced. When set to Not configured, the setting will be returned to client default, which is to scan archived files; however, the user may disable this. |
| Use low CPU priority for scheduled scans | Not configured / Yes / No | When this setting is set to Yes, scheduled scans will be run with low CPU priority. When set to Not configured, the setting is returned to client default, in which no changes to CPU priority will be made. |
| Disable catch-up full scan | Not configured / Yes / No | When this setting is set to Yes, catch-up scans for full scans will be enforced and the user cannot disable them. When set to Not configured, the setting is returned to client default, which is to enable catch-up scans for full scans; however, the user can turn them off. |
| Disable Catchup Quick Scan | Not configured / Yes / No | When this setting is set to Yes, catch-up scans for quick scans will be enforced and the user cannot disable them. When set to Not configured, the setting is returned to client default, which is to enable catch-up scans for quick scans; however, the user can turn them off. |
| CPU usage limit per scan | | Configure this with a value that represents the maximum CPU percentage allowed for a scan. The default (and recommended) is 50%. |
| Scan mapped network drives during full scan | Not configured / Yes / No | When set to Yes, during a full scan, mapped network drives will be included. When set to Not configured, the client will be returned to default, which is disabling scanning on mapped network drives. |
| Run daily quick scan at | Not configured / Yes / No | Provide a time of day that Windows Defender quick scan should run. This setting is dependent on the scan type selected being 'quick scan'. |
| Scan type | Not configured / Yes / No | Specify the scan type to use for a scheduled scan. |
| Day of week to run a scheduled scan | Not configured / Yes / No | Scheduled day for scan. |
| Time of day to run a scheduled scan | Not configured / Yes / No | Specify the time for scan to run. |

Update

| Setting | Action | Definition |
| --- | --- | --- |
| Enter how often (0-24 hours) to check for security intelligence updates | | Configure this setting to determine how often to check for signatures. A value of 1 means checking every hour, 2 for every two hours and so on. Selecting Do not check will disable signature updates. When set to Not configured, client default of 8 hours is applied. |

User Experience

| Setting | Action | Definition |
| --- | --- | --- |
| Allow user access to Microsoft Defender app | Not configured / Yes / No | When set to No, the Windows Defender User Interface (UI) will be inaccessible and notifications will be suppressed. When set to Not configured, the setting will return to client default, in which UI and notifications will be allowed. |

Once you have selected your required configuration

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create
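
A client-side check that an assigned profile took effect, as an added example (not from the original post or from Microsoft). It reads local Defender state with Get-MpPreference and Get-MpComputerStatus; the mapping from portal setting names to preference properties and the expected values are assumptions constructed for illustration.

```powershell
#Requires -Version 5.1
# Added example: compare local Defender state with what a profile is expected to set.
# Run elevated: without admin rights the exclusion lists are returned as a placeholder string.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Get-MpPreference property -> value expected once the profile applies.
# Constructed values; replace them with the choices made in your own profile.
$expected = [ordered]@{
    DisableRealtimeMonitoring = $false  # Turn on real-time protection = Yes
    DisableBehaviorMonitoring = $false  # Turn on behavior monitoring = Yes
    DisableIOAVProtection     = $false  # Scan all downloaded files and attachments = Yes
    DisableScriptScanning     = $false  # Script scanning left on
    DisableArchiveScanning    = $false  # Scan archive files = Yes
    ScanAvgCPULoadFactor      = 50      # CPU usage limit per scan (percent)
    SignatureUpdateInterval   = 8       # Hours between security intelligence checks
    PUAProtection             = 1       # 0 = off, 1 = block, 2 = audit
}

# One row per setting whose local value differs from the expected one.
$drift = @(foreach ($name in $expected.Keys) {
    $actual = $pref.$name
    if ($actual -ne $expected[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
    }
})

# Exclusions are listed, not compared: every entry should trace back to the profile.
$exclusions = @(foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($item in @($pref.$kind)) {
        if ($item) { [pscustomobject]@{ Kind = $kind; Value = $item } }
    }
})

[pscustomobject]@{
    TamperProtected = $status.IsTamperProtected
    RealTimeEnabled = $status.RealTimeProtectionEnabled
    DriftCount      = $drift.Count
    ExclusionCount  = $exclusions.Count
} | Format-List

$drift      | Format-Table -AutoSize
$exclusions | Format-Table -AutoSize
```

Any exclusion that does not appear in the assigned profile was set by another policy source or locally and is worth tracing.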

Windows 10 and later (Windows Security experience)

Windows Security

| Setting | Action | Definition |
| --- | --- | --- |
| Enable tamper protection to prevent Microsoft Defender being disabled | Not configured / Enable / Disabled | Not configured state is default and will have no impact. Enabled will enable the Tamper Protection restrictions. Disabled will disable the Tamper Protection restrictions. When the Enabled or Disabled state exists on a client, deploying Not configured will have no impact on the setting. To change the state from currently Enabled/Disabled, you must deploy the opposite setting to have effect. |
| Hide the Virus and threat protection area in the Windows Security app | Yes / Not Configured | By setting this to Yes, the virus and threat protection area in the Windows Security app will be hidden from end-users. Also, virus and threat protection related notifications will be suppressed. By setting this to Not configured, the setting will return to client default, which is to allow user access and notifications. |
| Hide the Ransomware data recovery option in the Windows Security app | Yes / Not Configured | By setting this to Yes, the virus and threat protection area in the Windows Security app will be hidden from end-users. Also, virus and threat protection related notifications will be suppressed. By setting this to Not configured, the setting will return to client default, which is to allow user access and notifications. |
| Hide the Account protection area in the Windows Security app | Yes / Not Configured | By setting this to Yes, the Account protection area in the Windows Security app will be hidden from end-users. Also, account protection-related notifications will be suppressed. By setting this to Not configured, the setting will return to client default, which is to allow user access and notifications. |
| Hide the Firewall and network protection area in the Windows Security app | Yes / Not Configured | By setting this to Yes, the firewall and network protection area in the Windows Security app will be hidden from end-users. Also, firewall and network protection-related notifications will be suppressed. By setting this to Not configured, the setting will return to client default, which is to allow user access and notifications. |
| Hide the App and browser control area in the Windows Security app | Yes / Not Configured | By setting this to Yes, the app and browser control area in the Windows Security app will be hidden from end-users. Also, app and browser control-related notifications will be suppressed. By setting this to Not configured, the setting will return to client default, which is to allow user access and notifications. |
| Hide the Device security area in the Windows Security app | Yes / Not Configured | By setting this to Yes, the hardware protection area in the Windows Security app will be hidden from end-users. Also, hardware protection-related notifications will be suppressed. By setting this to Not configured, the setting will return to client default, which is to allow user access and notifications. |
| Hide the Device performance and health area in the Windows Security app | Yes / Not Configured | By setting this to Yes, the device performance and health area in the Windows Security app will be hidden from end-users. Also, device performance and health related notifications will be suppressed. By setting this to Not configured, the setting will return to client default, which is to allow user access and notifications. |
| Hide the Family options area in the Windows Security app | Yes / Not Configured | By setting this to Yes, the family options area in the Windows Security app will be hidden from end-users. Also, family options related notifications will be suppressed. By setting this to Not configured, the setting will return to client default, which is to allow user access and notifications. |
| Windows Security app notifications | Not configured / Block non-critical notifications / Block all notifications | You can control Windows Security app notifications per feature by using the preceding settings. Alternatively, use this setting to block all Windows Security notifications from your users. By setting Not configured, all Windows Security app notifications that are not controlled by another setting will be allowed. By setting Block non-critical notifications, notifications such as scan completions will be blocked. By setting Block all notifications, critical and non-critical notifications will be blocked for all Windows Security features. |
| Hide the Windows Security icon from the notification area | Yes / Not Configured | Setting this to Yes will hide the Windows Security icon from the user's system tray. Not configured will return the client to default, which is to show the icon. For this setting to take effect, the user needs to either sign out/in, or reboot the computer. |
| Disable the Clear TPM option in the Windows Security app | Yes / Not Configured | Setting this to Yes will disable access to the clear TPM button in the Windows Security app. Setting it to Not configured will return the setting to client default, which is to allow access to the button. |
| Prompt users to update TPM firmware if vulnerability is discovered | Yes / Not Configured | Setting this to Yes will allow Windows to prompt end-users when a potential vulnerability is found in their TPM firmware. They will then be encouraged to run firmware updates to resolve the vulnerability. Setting this to Not configured will return the setting to client default, which is to not prompt users. |
| Organization's support contact information | Not configured / Display in app and in notifications / Display only in app / Display only in notifications | Declare where you would like your IT organization information displayed in the Windows Security app and notifications. |

Once you have selected your required configuration

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create

macOS (Antivirus)

Microsoft Defender ATP

| Setting | Action | Definition |
| --- | --- | --- |
| Real-time protection | Not configured / Configured / Disabled | Locates and stops malware from installing or running on your device. You can turn off this setting for a short time before it turns back on automatically. |
| Cloud-delivered protection | Not configured / Configured / Disabled | Provides increased, faster protection with access to the latest protection data in the cloud. Works best with automatic sample submission turned on. |
| Automatic sample submission | Not configured / Configured / Disabled | Sends sample files to Microsoft to help protect device users and your organization from potential threats. |
| Diagnostic data collection | Not configured / Required / Optional | We encourage you to share your diagnostic and usage data with us to help improve Microsoft products and services. |
| Folders excluded from scan | | |
| Files excluded from scan | | |
| File types excluded from scan | | |
| Processes excluded from scan | | |

Once you have selected your required configuration

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create

This completes the list of configurations available in Microsoft Endpoint Manager for Antivirus.

Regards,
The Author – Blogabout.Cloud
