Explanation of Endpoint security > Microsoft Defender Antivirus policy > Scan settings

I am trying to configure the Scan settings for devices but am having trouble understanding the wording:

 

Disable catch-up * scans: "Yes" means they are not disabled and will be conducted after two missed scans, right?

Run daily quick scan at, Scan type, Day of week to run a scheduled scan, Time of day to run a scheduled scan: I want to run a daily Quick scan. How can I do that? I have a feeling that those settings will be conflicting and nothing will be scanned.

Also: are there any best practices here?

1 Reply

I agree the wording (or order or indentation or something) isn't very clear.

First things first: "Disable catch-up [...] scan" will disable the feature if set to "Yes" and enable the feature if set to "No". It's the confusing GPO-settings all over again :).

The next question is a little trickier. See, the "daily quick scan" and "scheduled scan" operate independently of each other.

A daily quick scan is always performed. The "Run daily quick scan at" setting merely allows you to tell Defender AV at what time it should run.

Additionally, you can perform a scheduled scan (which, to add to the confusion, can also be of type "Quick scan"). You should interpret the "Scan type" setting as "Scan type to use for a scheduled scan" (which is, coincidentally, its name in GPO-land).

Little tip: if settings (and their docs) aren't clear, I always try to find the GPO it originated from. Those descriptions are sometimes clearer. Don't be fooled though, as the settings in GPO might be turned around. For example: the "Disable catch-up [...] scan" settings are called "Turn on catch-up [...] scan" in GPO-speak.
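To check what these policy settings resolve to on a device, the following PowerShell function decodes the scan-related fields of `Get-MpPreference` output into plain wording, including the inverted "Disable catch-up" flags. It is an added example, not part of the original thread; the function name `Convert-ScanPreference` and the sample values are constructed for illustration.

```powershell
# Added example: translate the scan-related Defender AV preferences into
# plain wording. Convert-ScanPreference is a hypothetical helper name.
function Convert-ScanPreference {
    param([Parameter(Mandatory, ValueFromPipeline)] $Pref)
    process {
        # ScanScheduleDay: 0 = every day, 1..7 = Sunday..Saturday, 8 = never
        $days  = 'Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
                 'Thursday', 'Friday', 'Saturday', 'Never'
        # ScanParameters: scan type used for the *scheduled* scan only
        $types = @{ 1 = 'Quick scan'; 2 = 'Full scan' }

        [pscustomobject]@{
            # "Disable ..." = True means the catch-up scan is OFF
            CatchupQuickScanEnabled = -not $Pref.DisableCatchupQuickScan
            CatchupFullScanEnabled  = -not $Pref.DisableCatchupFullScan
            # "Run daily quick scan at"
            DailyQuickScanTime      = "$($Pref.ScanScheduleQuickScanTime)"
            # "Scan type", "Day of week ...", "Time of day ..." belong together
            ScheduledScanType       = $types[[int]$Pref.ScanParameters]
            ScheduledScanDay        = $days[[int]$Pref.ScanScheduleDay]
            ScheduledScanTime       = "$($Pref.ScanScheduleTime)"
        }
    }
}

# Constructed sample input with the same property names Get-MpPreference returns.
$sample = [pscustomobject]@{
    DisableCatchupQuickScan   = $false
    DisableCatchupFullScan    = $true
    ScanScheduleQuickScanTime = '12:00:00'
    ScanParameters            = 2
    ScanScheduleDay           = 4
    ScanScheduleTime          = '02:00:00'
}
$sample | Convert-ScanPreference | Format-List

# On a managed device, decode the live configuration instead:
# Get-MpPreference | Convert-ScanPreference | Format-List
```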