Forum Discussion

MiSum83's avatar
MiSum83
Brass Contributor
Nov 15, 2022

Intune + Defender - Configure Quick and Full scan

Hello experts,   I'm starting with Intune... been playing with it for few weeks already and want to start deploying some policies to my testing devices.   These days, I'm struggling to find out h...
antivirus scans
defender
Intune
Greg_Brown's avatar
Greg_Brown
Copper Contributor
Nov 10, 2023

VladanOEI 

This one was definitely confusing as hell. I ended up just testing it all myself to see how it behaved.

The following settings relate to a single scan type of your choosing:
"Scan Parameter" Choose Quick or Full
"Schedule Scan Day" Choose Day
Schedule  Scan Time" Choose Time

The following is it's own daily quick scan:
"Schedule Quick Scan Time" Pick the time of day that your daily quick scan will run. 

If you want a quick scan only once a week, and a Full scan once a week as well, you'll need to apply TWO separate policies and use the following three settings in each policy:
"Scan Parameter" Choose Quick or Full
"Schedule Scan Day" Choose Day
Schedule  Scan Time" Choose Time

This will give you a quick scan that only runs once a week in one policy, and a full scan that only runs once a week in the other policy. 

I understand this is dumb. But in saying that, the quick scans are not even noticable across my servers. I would advise just running a quick scan daily, and then a scheduled full scan once a week within a single policy. 

I hope this makes as much sense as possible on a subject that seems engineered to be confusing. 


VladanOEI's avatar
VladanOEI
Copper Contributor
Nov 10, 2023
We did exactly what you suggested but it doesn't work 😞
We made 2 rules.
First rule:
"Scan Parameter" : Quick
"Schedule Scan Day" : Thru
Schedule Scan Time" 9 AM
Second rule:
"Scan Parameter" : Full
"Schedule Scan Day" : Fri
Schedule Scan Time" 9 AM

and Intune Antivirus did not run any of the configured tasks.

Microsoft never knew how to make simple things work properly. They are able to build "towers and cities", something that others cannot, and then they "fall" on such simple things like this.
  • Bas_de_Bruijn's avatar
    Bas_de_Bruijn
    Copper Contributor
    Mar 01, 2024

    VladanOEI I walked into the same situation and solved it the following way.

    It's either a QuickScan(Default) or a FullScan config in Intune. You can not configure them both.

    I chose to configure a QuickScan(Default) with these settings.

    Scantype: Quickscan

    Schedule Scanday: Every day (Default)

    Schedule Scan Time: 720

     

    I created a powershell script to create a scheduled task in Windows 10 to do a Full scan every Wednesday at 12:00 PM

     

    # Define task name and command
    $taskName = "Microsoft Defender Full Scan"
    $command = "powershell.exe -ExecutionPolicy Bypass -Command Start-MpScan -ScanType FullScan"

    # Create a trigger for Wednesday at 12:00 PM
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At 12pm

    # Create action to run the command
    $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $command

    # Register the scheduled task
    Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action -Description "Runs a full antivirus scan using Microsoft Defender" -RunLevel Highest -Force

     

     

     

    • WiingreenMorten's avatar
      WiingreenMorten
      Copper Contributor
      Mar 21, 2024
      @bas_de_Bruijn
      Is it not possible to schedule a Quick Scan in One policy and a full scan in a different Policy?
      • Bas_de_Bruijn's avatar
        Bas_de_Bruijn
        Copper Contributor
        Mar 22, 2024

        WiingreenMorten Configuration Profiles pointing to the same object on Windows 10 towards Microsoft Defender results in errors and conflicts reporting in Intune. I solved it in my situation the following way. In both Profiles I configured a QuickScan(Default) Everyday 12:00PM (720) And deployed the PowerShell script I posted earlier through platform scripts in Intune that creates a scheduled task that runs a powershell command to start the desired Full Scan Every Wednesday at 12:00PM.

    • Bas_de_Bruijn's avatar
      Bas_de_Bruijn
      Copper Contributor
      Mar 06, 2024

      Bas_de_Bruijn MiSum83 I created a Powershell script for Intune distribution towards Windows 10 machines. as wel.

       

      # Start transcript for logging
      Start-Transcript -Path "C:\Temp\Microsoft_Defender_TaskSc.txt" -Append

      # Set up variables for the full scan schedule
      $FullScanTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At 12pm
      $FullScanAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-Command "& { Start-MpScan -ScanType FullScan }"'
      $FullScanSettings = @{
      TaskName = 'Windows Defender Full Scan'
      Trigger = $FullScanTrigger
      Action = $FullScanAction
      Principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount
      }

      # Create the full scan scheduled task
      Register-ScheduledTask @FullScanSettings

      # Output redirection for errors
      $ErrorActionPreference = "Stop"
      $LogFile = "C:\Temp\Defender_Error_Log.txt"

      # Try block to catch errors
      try {
      # Your script code here
      }
      catch {
      # Write error to log file
      $_.Exception.Message | Out-File -FilePath $LogFile -Append
      }

      # Stop transcript
      Stop-Transcript

      • Bas_de_Bruijn's avatar
        Bas_de_Bruijn
        Copper Contributor
        Mar 30, 2024
        VladanOEI MiSum83 WiingreenMorten
        I was just reading through the script I posted here and still missed 2 lines. Here is the updated script with lines that starts the Transcript loggin. Copy Paste save as ps1 file and upload to PlatformScript in Intune and Deploy accordingly.

        # Start transcript for logging
        Start-Transcript -Path "C:\Temp\Microsoft_Defender_TaskSc.txt" -Append

        # Set up variables for the full scan schedule
        $FullScanTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At 12pm
        $FullScanAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-Command "& { Start-MpScan -ScanType FullScan }"'
        $FullScanSettings = @{
        TaskName = 'Windows Defender Full Scan'
        Trigger = $FullScanTrigger
        Action = $FullScanAction
        Principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount
        }

        # Create the full scan scheduled task
        Register-ScheduledTask @FullScanSettings

        # Output redirection for errors
        $ErrorActionPreference = "Stop"
        $LogFile = "C:\Temp\Defender_Error_Log.txt"

        # Try block to catch errors
        try {
        # Your script code here
        }
        catch {
        # Write error to log file
        $_.Exception.Message | Out-File -FilePath $LogFile -Append
        }

        # Stop transcript
        Stop-Transcript

Resources