Forum Discussion
Defender ATP and Defender Antivirus
We are looking to replace our current AV provider (CrowdStrike) with Defender ATP on our workstations. Currently all of our workstations have Windows 10 and have been onboarded into ATP with CrowdStrike still installed. My understanding is that when we remove CrowdStrike, Windows Defender Antivirus will then go into active mode as opposed to the passive mode that it is currently in. Is that correct?
As far as configuring Defender Antivirus settings, we are currently using SCCM, so we would configure that by making an Anti-Malware policy?
Thank you.
2 Replies
- kp_3up_u (Copper Contributor)
You are on the right track. I am also working on a similar project (my AV is not CrowdStrike) and after reading all the documentation available online, you have to use SCCM/Intune or both to enable Defender ATP. My Defender is running in passive mode but it still picks up some files and sends them to the cloud (if you have cloud protection on) to verify.
In SCCM, you need a Defender ATP onboarding policy to register the endpoint to the Defender tenant (onboard) and an anti-malware policy to enable AV features.
I am also looking at enabling a Defender Exploit Guard policy to enable ASR rules, network protection/web protection.
So far the issue is managing multiple portals/places:
1. SCCM
2. Intune
3. securitycenter.windows.com
4. security.microsoft.com (to look at ASR rules)
- David Caddick (Iron Contributor)
kp_3up_u Just wondering if you might be able to help - I'm trying to find out what "Defender AV" exclusion rules are needed to enable Defender AV in passive mode when being used alongside another 3rd party AV tool?