
How Do I Enable Antivirus on Intune?

Published in Endpoint Security Management

Enabling antivirus on Intune primarily involves configuring and deploying Microsoft Defender Antivirus settings to your managed devices. Microsoft Defender Antivirus is built into Windows and typically enabled by default, but Intune provides centralized management to ensure consistent and robust protection across your organization.

Enabling and Configuring Microsoft Defender Antivirus Policies in Intune

To effectively "enable" and manage antivirus protection through Intune, you'll work with Microsoft Defender Antivirus policies. These policies allow you to define various settings, from real-time protection and cloud-delivered protection to scan schedules and exclusions.

Creating a New Microsoft Defender Antivirus Policy

If you don't yet have a specific policy configured for antivirus settings, follow these steps to create one:

  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Endpoint security > Antivirus.
  3. Click Create Policy.
  4. For Platform, select Windows and later.
  5. For Profile, select Microsoft Defender Antivirus.
  6. Click Create.
  7. On the Basics tab, provide a descriptive Name (e.g., "Company-Wide Defender Antivirus Policy") and an optional Description, then click Next.
  8. On the Configuration settings tab, expand the various sections (e.g., Real-time Protection, Cloud Protection, Scans, Exclusions) and configure your desired antivirus settings. (See "Key Antivirus Settings to Manage" below for more details.)
  9. Click Next.
  10. On the Scope tags tab, add any relevant scope tags if your organization uses them, then click Next.
  11. On the Assignments tab, choose the user or device groups to whom this policy will apply.
  12. On the Review + create tab, review your settings, and then click Create.

Configuring an Existing Microsoft Defender Antivirus Policy

To modify the settings of an antivirus policy that is already in place, use the following steps:

  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Endpoint security > Antivirus.
  3. Select the Microsoft Defender Antivirus policy you wish to configure from the list.
  4. Under the Manage section, choose Properties.
  5. Next to Configuration settings, choose Edit.
  6. Expand the relevant sections (e.g., Scan, Real-time Protection, Cloud Protection, Exclusions) to review or edit your desired settings.
    • For example, if you want to adjust how and when scans run, expand the Scan section. Here you can configure options such as:
      • Enabling or disabling a scheduled daily quick scan.
      • Setting the exact time for a daily quick scan.
      • Specifying if a quick scan should run after a definition update.
      • Allowing users to initiate on-demand scans.
      • Configuring whether to scan archive files.
    • Ensure that core protection features like Real-time Protection are set to Enabled for continuous monitoring.
  7. After making your changes, click Review + save and then Save to apply them to the policy.

Key Antivirus Settings to Manage

Effective antivirus management involves configuring several critical settings. Here's an overview:

| Setting Category | Description | Practical Insight |
| --- | --- | --- |
| Real-time Protection | Continuously monitors files, processes, and behavior on your devices for malware and other threats. | Absolutely essential for immediate threat detection. Ensure this is always enabled to provide always-on protection. |
| Cloud-delivered Protection | Leverages Microsoft's vast cloud security intelligence to provide near-instant detection and blocking of new and emerging threats (zero-day attacks). | Highly recommended for robust, up-to-date protection. It significantly enhances the speed at which new threats are identified and mitigated. |
| Scans | Defines how and when Microsoft Defender Antivirus performs scans (e.g., quick scans, full scans). You can schedule scans, specify scan types, and configure actions for detected threats. | Regular scheduled scans are vital for catching dormant threats. Quick scans are often sufficient for daily checks, while full scans provide deeper analysis and should be scheduled periodically (e.g., weekly) outside of peak work hours. |
| Exclusions | Allows you to specify files, folders, processes, or file types that Microsoft Defender Antivirus should intentionally not scan. | Use with extreme caution. Exclusions can create security gaps. Only exclude items known to be safe or those that cause legitimate performance issues for critical applications, and always keep exclusions to a minimum. |
| Definition Updates | Ensures that Microsoft Defender Antivirus has the latest signatures and threat intelligence to identify new and evolving malware. | Crucial for maintaining effective protection. Intune can manage the frequency and sources of these updates, ensuring devices always have the most current definitions. |
| Remediation Actions | Configures what action Microsoft Defender Antivirus should take when a threat is detected (e.g., quarantine, remove, allow). | Set default actions to automatically handle threats, reducing the need for manual intervention and speeding up containment. |

Assigning the Antivirus Policy

After configuring the desired settings within your policy, you must assign it to the appropriate user or device groups:

  1. While creating or editing a policy, navigate to the Assignments tab.
  2. Under "Included groups," select the user or device groups (e.g., "All Devices," "HR Department Devices") that should receive these antivirus settings.
  3. You can optionally use "Excluded groups" to prevent the policy from applying to specific groups.
  4. Review your assignments and then click Review + save (or Next if creating a new policy).

Monitoring Antivirus Status

Once policies are deployed, you can monitor their compliance and the overall antivirus status of your devices within the Intune admin center. Navigate to Endpoint security > Antivirus and then check the Device status or User status tabs for an overview of policy application and potential issues. You can also view detailed reports under Reports > Endpoint security to track threat detections and antivirus health.
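
A device-side spot check to complement the portal reports, as an added example that is not part of the original article: it reads the local Defender state with the built-in Get-MpComputerStatus and Get-MpPreference cmdlets and compares it with the settings listed under "Key Antivirus Settings to Manage". The function name Test-DefenderBaseline, the age thresholds, and the broad-exclusion heuristic are assumptions to adapt to your own policy.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on a managed Windows device.
function Test-DefenderBaseline {
    param(
        [int]$MaxSignatureAgeDays = 3,  # assumed tolerance, tune to your policy
        [int]$MaxQuickScanAgeDays = 7   # assumed tolerance, tune to your policy
    )
    $status = Get-MpComputerStatus   # live engine and signature state
    $pref   = Get-MpPreference       # effective configuration, including policy-set values

    # Gather path, extension and process exclusions into one list.
    $exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionExtension) +
                    @($pref.ExclusionProcess) | Where-Object { $_ })

    # Non-elevated sessions (or hidden exclusions) return an "N/A: ..." string
    # instead of the real list, so treat that as "could not verify".
    $hidden = @($exclusions | Where-Object { $_ -like 'N/A:*' })

    # Heuristic (assumption): a bare drive root or any wildcard is a broad exclusion.
    $broad  = @($exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?$' -or $_ -match '\*' })

    [pscustomobject]@{ Setting = 'Defender running mode'
                       Value   = $status.AMRunningMode
                       Ok      = ($status.AMRunningMode -eq 'Normal') }  # Passive = another AV is primary
    [pscustomobject]@{ Setting = 'Real-time protection'
                       Value   = $status.RealTimeProtectionEnabled
                       Ok      = [bool]$status.RealTimeProtectionEnabled }
    [pscustomobject]@{ Setting = 'Cloud-delivered protection (MAPSReporting)'
                       Value   = $pref.MAPSReporting              # 0 = disabled, 1 = basic, 2 = advanced
                       Ok      = ($pref.MAPSReporting -ne 0) }
    [pscustomobject]@{ Setting = 'Signature age (days)'
                       Value   = $status.AntivirusSignatureAge
                       Ok      = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
    [pscustomobject]@{ Setting = 'Quick scan age (days)'
                       Value   = $status.QuickScanAge
                       Ok      = ($status.QuickScanAge -le $MaxQuickScanAgeDays) }
    [pscustomobject]@{ Setting = 'Exclusions'
                       Value   = ($exclusions -join '; ')
                       Ok      = ($hidden.Count -eq 0 -and $broad.Count -eq 0) }
}

# Print every check; rows with Ok = False need a look at policy assignment or conflicts.
Test-DefenderBaseline | Format-Table -AutoSize -Wrap
```

A row with Ok = False on a device that Intune reports as compliant usually points to a policy conflict, a pending sync, or a setting outside the assigned profile, so compare it against the Device status view before changing the policy.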