Tenant setup 19 — Defender for Endpoint AV configuration, part 2

A week's pause but we're back. Walking through the rest of the Defender AV settings — exclusions, PUA protection, scan schedule, signature updates, Threat Severity actions, and the network/protocol parsing controls.

📘 Complete tenant-setup cookbook in one PDF
This article is part of the series. Full series + screenshots in one document: download PDF. (PDF is currently in Czech.)

We're returning to Defender for Endpoint AV configuration. Let's go straight into the remaining settings.

Excluded Extensions — file types that are skipped during scans.
Excluded Paths — folders or files specified by path that are skipped.
Excluded Processes — processes whose I/O is not scanned.

PUA Protection — what Defender does with potentially unwanted apps. Audit: warns the user but allows the install. On: blocks it and creates an incident. Goal: keep On; occasionally false positives are an issue.
Real Time Scan Direction — which files are scanned in real time. Not configured isn't ideal; bi-directional is recommended.
Scan Parameter — full scan or quick scan.
Schedule Scan Day / Time — when scheduled scans run.

Signature Update Fallback Order / File Shares Sources — order Defender tries when fetching signature updates. I leave defaults.
Signature Update Interval — hours between signature updates. Set to 24.
Submit Samples Consent — I'm fine with sending safe samples automatically.
Disable Local Admin Merge — prevents local admins from overriding Intune-pushed values.
Allow On Access Protection — real-time file/process behavior monitoring.

The four Threat Severity Default Action settings define what Defender does once a detected threat has been classified into one of the four severity levels.
Allow Network Protection Down Level — networking protection on older Windows 10 builds (1703).
Allow Datagram Processing On Win Server — networking protection on Windows Server.
Disable Dns Over Tcp Parsing / Disable Http Parsing / Disable Ssh Parsing / Disable Tls Parsing — protocol parsing controls. SSH off (we don't run many Linux endpoints); HTTP/DNS/TLS on.

Engine Updates Channel / Platform Updates Channel / Security Intelligence Updates Channel — release channels for engine, platform, and intelligence updates.
Metered Connection Updates — should Defender update on metered connections.
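As an added example (not from the article or from Microsoft), here is a PowerShell check that reads the effective settings on an endpoint with Get-MpPreference and compares them with the values chosen above. The property names and numeric codes are those of the Defender PowerShell module; the expected values are this article's choices and can be adjusted to your own policy.

```powershell
# Added example: compare the effective Defender AV preferences on one endpoint
# with the values the article settles on. Run elevated after the Intune policy
# has applied, to confirm it actually landed (and that nothing overrode it).
$pref = Get-MpPreference

# Expected values, encoded the way Get-MpPreference reports them.
# PUAProtection:         0 = Off, 1 = On (block), 2 = Audit
# RealTimeScanDirection: 0 = bi-directional, 1 = incoming only, 2 = outgoing only
# SubmitSamplesConsent:  0 = always prompt, 1 = send safe samples automatically,
#                        2 = never send, 3 = send all samples automatically
$expected = [ordered]@{
    PUAProtection            = 1
    RealTimeScanDirection    = 0
    SignatureUpdateInterval  = 24
    SubmitSamplesConsent     = 1
    DisableSshParsing        = $true    # the article turns SSH parsing off
    DisableHttpParsing       = $false   # HTTP, DNS-over-TCP and TLS parsing stay on
    DisableDnsOverTcpParsing = $false
    DisableTlsParsing        = $false
}

# Collect every setting whose effective value differs from the intended one.
$drift = foreach ($name in $expected.Keys) {
    $actual = $pref.$name
    if ("$actual" -ne "$($expected[$name])") {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
    }
}

if ($drift) {
    Write-Warning "Effective Defender AV settings differ from the intended policy:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host "All checked Defender AV settings match the intended policy."
}

# Exclusions deserve a separate look: every entry is a scanning blind spot,
# so list them for review instead of only counting them.
[pscustomobject]@{
    Extensions = ($pref.ExclusionExtension -join ', ')
    Paths      = ($pref.ExclusionPath      -join ', ')
    Processes  = ($pref.ExclusionProcess   -join ', ')
} | Format-List
```

Run the same script across a sample of devices after each policy change; a non-empty drift table usually means the policy has not applied yet or a local admin has changed a value where local admin merge is still allowed.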

That should be everything for security in the simple sense — if anything in M365 can be called simple. In the next few articles we'll tackle the great unknown for most: integrating Apple devices with Intune via Apple Business Manager.