Defender Antivirus is Microsoft's built-in antivirus, available in Windows 10/11 and Windows Server. You can manage this security component using Group Policies, PowerShell, or the Settings app. Central reporting and monitoring, however, are otherwise provided only through the subscription-based Defender for Endpoint. Alternatively, you can use Intune for this purpose, which is what this post walks through.

Although you can use Microsoft Defender Antivirus as a standalone product, as it comes preinstalled with modern Windows versions, it is more powerful with Microsoft Defender for Endpoint (MDfE), Microsoft's complete cloud-based security platform for protecting your endpoints. It is an umbrella product that includes Microsoft Defender Antivirus as the enterprise endpoint security component.

At least in terms of central administration, you can get many of MDfE's capabilities simply by managing the antivirus engine shipped with Windows through Intune. This applies in particular to remotely enabling Defender features and to monitoring.

Microsoft Defender Antivirus monitoring and reporting

Organizations using Microsoft Defender Antivirus in Windows across the board need an effective way to monitor and report on the solution to secure their endpoints. You can use PowerShell to perform basic status checks using the Get-MpComputerStatus cmdlet. The cmdlet returns information such as the engine and product versions, whether the antimalware service and antispyware protection are enabled, the age of the last full scan, and the status of behavior monitoring.

Running the Get-MpComputerStatus cmdlet to check Microsoft Defender Antivirus

Although you can use PowerShell to query the status of Microsoft Defender Antivirus, it is cumbersome to use across an organization and does not scale to endpoints outside the corporate network.
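To illustrate what the Get-MpComputerStatus route looks like in practice, here is an added example (not from the original article) that fans the cmdlet out over PowerShell Remoting and flags the same conditions the Intune dashboard surfaces: inactive agent, real-time protection off, stale signatures, and a pending or never-run full scan. It assumes WinRM is enabled on the targets, that the caller is a local administrator there, and that the computer names and day thresholds are placeholders for your own.

```powershell
function Get-DefenderHealthReport {
    param(
        [string[]] $ComputerName,           # omit to check only the local machine
        [int] $MaxSignatureAgeDays = 3,     # illustrative thresholds, not Microsoft defaults
        [int] $MaxFullScanAgeDays  = 30
    )
    # Runs on each endpoint. FullScanAge is 4294967295 (uint32 max) when a full
    # scan has never run, so the raw value is kept and interpreted below.
    $probe = {
        $s = Get-MpComputerStatus
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            ServiceEnabled   = $s.AMServiceEnabled
            RealTimeEnabled  = $s.RealTimeProtectionEnabled
            BehaviorMonitor  = $s.BehaviorMonitorEnabled
            SignatureAgeDays = [int64]$s.AntivirusSignatureAge
            FullScanAgeDays  = [int64]$s.FullScanAge
        }
    }
    # Fan out over WinRM when computer names are given (assumes remoting is
    # enabled and the caller is a local admin there); otherwise probe locally.
    $statuses = if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ErrorAction Continue
    } else {
        & $probe
    }
    foreach ($st in $statuses) {
        $findings = [System.Collections.Generic.List[string]]::new()
        if (-not $st.ServiceEnabled)  { $findings.Add('antimalware service disabled') }
        if (-not $st.RealTimeEnabled) { $findings.Add('real-time protection off') }
        if (-not $st.BehaviorMonitor) { $findings.Add('behavior monitoring off') }
        if ($st.SignatureAgeDays -gt $MaxSignatureAgeDays) {
            $findings.Add("signatures $($st.SignatureAgeDays) days old")
        }
        if ($st.FullScanAgeDays -eq 4294967295) {
            $findings.Add('full scan never run')
        } elseif ($st.FullScanAgeDays -gt $MaxFullScanAgeDays) {
            $findings.Add("last full scan $($st.FullScanAgeDays) days ago")
        }
        [pscustomobject]@{
            Computer = $st.Computer
            Healthy  = ($findings.Count -eq 0)
            Findings = ($findings -join '; ')
        }
    }
}

# Placeholder computer names; unreachable hosts produce an error but do not stop the run.
Get-DefenderHealthReport -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
```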

Monitoring using Microsoft Endpoint Manager

For endpoints onboarded into Microsoft Endpoint Manager with Intune, you get rich monitoring and reporting for Microsoft Defender Antivirus. The endpoint security dashboard provides a summary of your device estate and the status of Microsoft Defender Antivirus, including clients with pending operations such as updates, full scan, restarts, manual steps, or offline scan. In addition, you are informed about critical failures, inactive agents, and unknown status.

Endpoint security reporting provided by the Endpoint Manager endpoint security dashboard

In addition to the overall status dashboard, you get dashboards for Unhealthy endpoints and Active malware, allowing IT admins to quickly pinpoint devices with critical security issues. You can also create robust antivirus policies that cover the general configuration of Defender Antivirus, exclusions, and so on.

Create Endpoint security antivirus policies

Intune reporting

Intune also provides reporting capabilities to help generate reports for compliance, SecOps, and other purposes. If you navigate to Microsoft Endpoint Manager admin center > Reports > Microsoft Defender Antivirus, you will see the Summary tab, which displays information similar to the Endpoint Security > Antivirus dashboard shown above.

Intune Microsoft Defender Antivirus summary

If you click the Reports tab, you will see the Antivirus agent status report and the Detected malware report available to run.

  • Antivirus agent status—Shows the agent status of your devices and which devices have real-time or network protection
  • Detected malware—Shows the state of devices and indicates any devices with detected malware; also provides details about the malware

Microsoft Defender Antivirus Reports tab in Intune

Below is the output of running the Antivirus agent status report in Intune.

Antivirus agent status report

You can also run the Detected malware report, which displays any malware detected and the details of the malicious application.

Detected malware report in Microsoft Intune

Both reports offer IT admins visibility into the state of endpoint security, as well as any malware detected in the environment, so the security team can monitor and manage Microsoft Defender in the organization.

Configuring the Microsoft Defender scan engine and other settings

In addition to the dashboards and reports in Intune that provide visibility into Microsoft Defender Antivirus, Intune also lets you control various settings of the antivirus scan engine. Using a configuration profile under endpoint security, admins can configure many aspects of the antivirus engine and its scanning behavior.

Navigate to Endpoint Security > Antivirus and create a new configuration profile. In the Create profile wizard, under Configuration settings, note the various configurable settings:

  • Archive scanning
  • Behavior monitoring
  • Cloud protection
  • Email scanning
  • Intrusion prevention
  • Attachment scanning
  • Potentially unwanted programs
  • Real-time scanning
  • On-access protection

Creating a new antivirus configuration profile in Intune

Here, we are configuring PUA protection, real-time scanning direction, and on-access protection.

Configuring PUA protection, real-time scanning, and many other settings in Microsoft Defender
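Once a profile like the one above has applied, an admin usually wants to confirm that the endpoint's effective settings match it. The following added example (not from the original article) compares the Get-MpPreference values that correspond to each setting listed in the profile against an expected baseline and reports drift; it goes beyond the three settings configured in the screenshot and covers the whole list. The baseline values are illustrative assumptions, and the property names are the cmdlet's own names for those settings (the enum-typed ones are numeric in the cmdlet's output).

```powershell
function Get-DefenderPreferenceDrift {
    param(
        # Expected baseline: illustrative assumption, adjust to match your Intune profile.
        [hashtable] $Expected = @{
            DisableArchiveScanning           = $false  # Archive scanning
            DisableBehaviorMonitoring        = $false  # Behavior monitoring
            MAPSReporting                    = 2       # Cloud protection: 0 = off, 1 = basic, 2 = advanced
            DisableEmailScanning             = $false  # Email scanning
            DisableIntrusionPreventionSystem = $false  # Intrusion prevention
            DisableIOAVProtection            = $false  # Attachment and download scanning
            PUAProtection                    = 1       # 0 = disabled, 1 = enabled, 2 = audit mode
            DisableRealtimeMonitoring        = $false  # Real-time scanning
            RealTimeScanDirection            = 0       # 0 = both, 1 = incoming only, 2 = outgoing only
            DisableOnAccessProtection        = $false  # On-access protection
        }
    )

    # Effective (policy-merged) preferences on this endpoint.
    $actual = Get-MpPreference
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $value = $actual.$name
        # Booleans cast to 0/1 and enums to their numeric value, so one comparison covers both.
        $inPolicy = ([int]$value -eq [int]$Expected[$name])
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value
            InPolicy = $inPolicy
        }
    }
}

# Show only the settings that differ from the baseline.
Get-DefenderPreferenceDrift | Where-Object { -not $_.InPolicy } | Format-Table -AutoSize
```

A setting that Intune has locked via the profile will still report its enforced value here, so a drifted row usually means the profile has not applied to that device yet or the device is not targeted by it.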

Wrapping up

Microsoft Defender Antivirus is a powerful solution built into modern versions of Windows. However, it is a different product from Microsoft Defender for Endpoint; that cloud-based solution includes Defender Antivirus as its endpoint security component.

Although it can operate in a standalone configuration, Microsoft Defender Antivirus is more powerful when combined with the monitoring, reporting, and configuration capabilities you get with Endpoint Manager.

Admins get multiple monitors for agent status, malware, and other metrics, as well as reports they can generate for agent status and detected malware. In addition, you can configure many aspects of the Microsoft Defender Antivirus scan engine settings and behaviors.

© 4sysops 2006 - 2022