Forum Discussion

Kiril
Steel Contributor
Apr 01, 2022

Explanation of Endpoint security > Microsoft Defender Antivirus policy > Scan settings

I am trying to configure the Scan settings for devices but am having trouble understanding the wording:

Disable catch-up * scans: "Yes" means they are not disabled and will be conducted after two missed scans, right?

 

Run daily quick scan at, Scan type, Day of week to run a scheduled scan, Time of day to run a scheduled scan: I want to run a daily Quick scan. How can I do that? I have a feeling that those settings will be conflicting and nothing will be scanned.

 

Also: are there any best practices here?

  • I agree the wording (or order or indentation or something) isn't very clear.

     

    First things first: "Disable catch-up [...] scan" will disable the feature if set to "Yes" and enable the feature if set to "No". It's the confusing GPO-settings all over again :).

     

    The next question is a little trickier. See, the "daily quick scan" and "scheduled scan" operate independently of each other.

     

    A daily quick scan is always performed. The "Run daily quick scan at" setting merely allows you to tell Defender AV at what time it should run.

     

    Additionally, you can perform a scheduled scan (which, to add to the confusion, can also be of type "Quick scan"). You should interpret the "Scan type" setting as "Scan type to use for a scheduled scan" (which is, coincidentally, its name in GPO-land).

     

    Little tip: if settings (and their docs) aren't clear, I always try to find the GPO it originated from. Those descriptions are sometimes clearer. Don't be fooled though, as the settings in GPO might be turned around. For example: the "Disable catch-up [...] scan" settings are called "Turn on catch-up [...] scan" in GPO-speak. 
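
A read-back check for the settings discussed in this thread, added here as an example and not written by either poster: it takes the output of `Get-MpPreference` on a managed device and spells out what the inverted "Disable ..." flags and the numeric scan values mean. The function name `Get-DefenderScanSummary` and the sample object are hypothetical and constructed for illustration; the property names and value mappings are those documented for `Get-MpPreference` / `Set-MpPreference`.

```powershell
# Added example: summarize the Defender AV scan settings a device received.
# Get-DefenderScanSummary is a hypothetical helper, not a Microsoft cmdlet.
function Get-DefenderScanSummary {
    param([Parameter(Mandatory)] $Preference)

    # Value mappings as documented for Set-MpPreference.
    $scanTypes = @{ 1 = 'Quick scan'; 2 = 'Full scan' }
    $days = @{ 0 = 'Every day'; 1 = 'Sunday';   2 = 'Monday'; 3 = 'Tuesday'
               4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday'
               8 = 'Never' }

    [pscustomobject]@{
        # "Disable catch-up ..." = True means the catch-up feature is OFF,
        # so the readable value is the negation of the stored flag.
        CatchupQuickScanEnabled = -not $Preference.DisableCatchupQuickScan
        CatchupFullScanEnabled  = -not $Preference.DisableCatchupFullScan
        # "Run daily quick scan at"
        DailyQuickScanTime      = "$($Preference.ScanScheduleQuickScanTime)"
        # "Scan type" applies to the scheduled scan only.
        ScheduledScanType       = $scanTypes[[int]$Preference.ScanParameters]
        ScheduledScanDay        = $days[[int]$Preference.ScanScheduleDay]
        ScheduledScanTime       = "$($Preference.ScanScheduleTime)"
    }
}

# Constructed sample standing in for Get-MpPreference output, so the
# function can be tried on a machine without the Defender module.
$sample = [pscustomobject]@{
    DisableCatchupQuickScan   = $true      # policy set to "Yes"
    DisableCatchupFullScan    = $false     # policy set to "No"
    ScanScheduleQuickScanTime = '12:00:00'
    ScanParameters            = 1
    ScanScheduleDay           = 8
    ScanScheduleTime          = '02:00:00'
}
Get-DefenderScanSummary -Preference $sample

# On a managed device, pass the live settings instead:
# Get-DefenderScanSummary -Preference (Get-MpPreference)
```

Running it after a policy sync shows whether the "Yes"/"No" choices in the Intune profile landed the way they were intended.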
