Although you can use Microsoft Defender Antivirus as a standalone product, as it comes preinstalled with modern Windows versions, it is more powerful with Microsoft Defender for Endpoint (MDfE), Microsoft's complete cloud-based security platform for protecting your endpoints. It is an umbrella product that includes Microsoft Defender Antivirus as the enterprise endpoint security component.
At least in terms of central administration, you get many of MDfE's capabilities simply by managing the antivirus engine shipped with Windows through Intune. This applies especially to remotely activating Defender features and to monitoring.
Microsoft Defender Antivirus monitoring and reporting
Organizations using Microsoft Defender Antivirus in Windows across the board need an effective way to monitor and report on the solution to secure their endpoints. You can use PowerShell to perform basic status checks using the Get-MpComputerStatus cmdlet. With the cmdlet, you can query various types of information, such as the engine and product version, whether the service and antispyware protection are enabled, the age of the last full scan, or the behavior monitoring status.
Although you can use PowerShell to query the status of Microsoft Defender Antivirus, it may be a bit cumbersome to use across an organization and does not scale when you have endpoints outside of the corporate network.
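The following added example (not code from the original article) wraps Get-MpComputerStatus in a function that runs locally or fans out to remote endpoints over PowerShell remoting, reports unreachable machines instead of skipping them, and flags the properties the paragraph mentions against thresholds. The computer names and the age thresholds are assumptions for the example.

```powershell
# Added example: Defender Antivirus health check built on Get-MpComputerStatus.
# $MaxFullScanAgeDays and $MaxSignatureAgeDays are assumed thresholds, not Microsoft defaults.
function Get-DefenderHealthReport {
    [CmdletBinding()]
    param(
        [string[]] $ComputerName = $env:COMPUTERNAME,
        [int] $MaxFullScanAgeDays = 7,
        [int] $MaxSignatureAgeDays = 2
    )

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $status = Get-MpComputerStatus
            } else {
                # Remote endpoints need WinRM; an endpoint outside the network will throw here
                $status = Invoke-Command -ComputerName $computer -ScriptBlock { Get-MpComputerStatus } -ErrorAction Stop
            }
        } catch {
            # Unreachable endpoints are reported, not silently dropped from the report
            [pscustomobject]@{ ComputerName = $computer; Healthy = $false; Issues = @("Unreachable: $($_.Exception.Message)") }
            continue
        }

        $issues = [System.Collections.Generic.List[string]]::new()
        if (-not $status.AMServiceEnabled)          { $issues.Add('AM service disabled') }
        if (-not $status.AntivirusEnabled)          { $issues.Add('Antivirus disabled') }
        if (-not $status.AntispywareEnabled)        { $issues.Add('Antispyware disabled') }
        if (-not $status.RealTimeProtectionEnabled) { $issues.Add('Real-time protection off') }
        if (-not $status.BehaviorMonitorEnabled)    { $issues.Add('Behavior monitoring off') }
        # Ages are in days; a machine that never ran a full scan reports a very large age and is flagged too
        if ($status.FullScanAge -gt $MaxFullScanAgeDays) { $issues.Add("Full scan age: $($status.FullScanAge) days") }
        if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) { $issues.Add("Signature age: $($status.AntivirusSignatureAge) days") }

        [pscustomobject]@{
            ComputerName     = $computer
            EngineVersion    = $status.AMEngineVersion
            ProductVersion   = $status.AMProductVersion
            SignatureVersion = $status.AntivirusSignatureVersion
            Healthy          = ($issues.Count -eq 0)
            Issues           = $issues.ToArray()
        }
    }
}

# Usage (computer names are placeholders): show only endpoints that need attention
Get-DefenderHealthReport -ComputerName 'PC01', 'PC02' | Where-Object { -not $_.Healthy } | Format-List
```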
Monitoring using Microsoft Endpoint Manager
For endpoints onboarded into Microsoft Endpoint Manager with Intune, you get rich monitoring and reporting for Microsoft Defender Antivirus. The endpoint security dashboard provides a summary of your device estate and the status of Microsoft Defender Antivirus, including clients with pending operations such as updates, full scan, restarts, manual steps, or offline scan. In addition, you are informed about critical failures, inactive agents, and unknown status.
In addition to the overall status dashboard, you get dashboards displaying Unhealthy endpoints and Active malware, allowing IT admins to pinpoint devices with critical security issues quickly. You can also create robust AV policies, allowing you to configure and create settings to cover the general configuration of Defender Antivirus, exclusions, etc.
Intune also provides reporting capabilities to help generate and provide reports for compliance, SecOps, and other purposes. If you navigate to Microsoft Endpoint Manager admin center > Reports > Microsoft Defender Antivirus, you will see the Summary tab displaying similar information as the Endpoint Security > Antivirus dashboard shown above.
If you click the Reports tab, you will see the Antivirus agent status report and the Detected malware report available to run.
- Antivirus agent status—Shows the agent status of your devices and which devices have real-time or network protection
- Detected malware—Shows the state of devices and indicates any devices with detected malware; also provides details about the malware
We see the output from running the Antivirus agent status report in Intune.
You can also run the Detected malware report, which displays any malware detected and the details of the malicious application.
Both reports offer IT admins visibility into the state of endpoint security, as well as any malware detected in the environment, so the security team can monitor and manage Microsoft Defender in the organization.
Configuring the Microsoft Defender scan engine and other settings
In addition to the settings and dashboards in Intune that provide visibility and monitoring of Microsoft Defender Antivirus, Intune also enables controlling various settings with the antivirus scan engine. Using a configuration profile under the endpoint security configuration, admins can configure many aspects of the antivirus engine and scanning behaviors.
Navigate to Endpoint Security > Antivirus and create a new configuration profile. In the Create profile wizard under configure settings, note the various configurable settings:
- Archive scanning
- Behavior monitoring
- Cloud protection
- Email scanning
- Intrusion prevention
- Attachment scanning
- Potentially unwanted programs
- Real-time scanning
- On-access protection
Here, we are configuring PUA protection, real-time scanning direction, and on-access protection.
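To verify on a device that the Intune profile actually landed, the added example below (not code from the original article) reads the effective settings with Get-MpPreference and compares them with the expected state for each option in the list above, including the PUA protection, real-time scan direction, and on-access protection values configured here. The baseline values are assumptions for the example; align them with your own policy.

```powershell
# Added example: compare effective Defender Antivirus settings with an expected baseline.
function Test-DefenderScanBaseline {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference

    # Expected state per setting (assumed baseline for this example).
    # PUAProtection: 0 = disabled, 1 = enabled (block), 2 = audit
    # RealTimeScanDirection: 0 = incoming and outgoing, 1 = incoming only, 2 = outgoing only
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced (cloud protection)
    $baseline = @{
        DisableArchiveScanning           = $false  # Archive scanning on
        DisableBehaviorMonitoring        = $false  # Behavior monitoring on
        MAPSReporting                    = 2       # Cloud protection on
        DisableEmailScanning             = $false  # Email scanning on
        DisableIntrusionPreventionSystem = $false  # Intrusion prevention on
        DisableIOAVProtection            = $false  # Downloaded file/attachment scanning on
        PUAProtection                    = 1       # Potentially unwanted programs blocked
        DisableRealtimeMonitoring        = $false  # Real-time scanning on
        RealTimeScanDirection            = 0       # Scan both directions
        DisableOnAccessProtection        = $false  # On-access protection on
    }

    foreach ($name in ($baseline.Keys | Sort-Object)) {
        $actual = $pref.$name   # dynamic property lookup on the preference object
        [pscustomobject]@{
            Setting   = $name
            Expected  = $baseline[$name]
            Actual    = $actual
            Compliant = ($actual -eq $baseline[$name])
        }
    }
}

# Usage: list only the settings that drift from the baseline
Test-DefenderScanBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A Disable* value of $true where the baseline expects $false usually means a local override, a conflicting policy, or a device that has not yet received the Intune profile.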
Microsoft Defender Antivirus is a powerful solution built into modern versions of Windows. However, it is a different product from Microsoft Defender for Endpoint, the cloud-based solution that includes Defender Antivirus as its endpoint security component.
Although it can operate in a standalone configuration, Microsoft Defender Antivirus is more powerful when combined with the monitoring, reporting, and configuration capabilities you get with Endpoint Manager.
Admins get multiple monitors for agent status, malware, and other metrics, as well as reports they can generate for agent status and detected malware. In addition, you can configure many aspects of Microsoft Defender Antivirus scan engine settings and behaviors.