Windows Defender AntiVirus with Intune

Hello 
Windows Defender Antivirus is enabled with an Intune (co-managed deployment) Antivirus policy. Our organization normally had Symantec and did not use Defender.
 
However, the below is showing in Virus and Threat Protection.

[Screenshot: AhmedSHMK_0-1717147878144.png]
[Screenshot: AhmedSHMK_1-1717147878144.png]

Basic settings are used in the policy:

Allow Archive Scanning: Allowed. Scans the archive files.
Allow Behavior Monitoring: Allowed. Turns on real-time behavior monitoring.
Allow Cloud Protection: Allowed. Turns on Cloud Protection.
Allow Email Scanning: Not allowed. Turns off email scanning.
Allow Full Scan On Mapped Network Drives: Not allowed. Disables scanning on mapped network drives.
Allow Full Scan Removable Drive Scanning: Allowed. Scans removable drives.
Allow scanning of all downloaded files and attachments: Allowed.
Allow Realtime Monitoring: Allowed. Turns on and runs the real-time monitoring service.
Allow Scanning Network Files: Not allowed. Turns off scanning of network files.
Allow Script Scanning: Allowed.
Allow User UI Access: Allowed. Lets users access UI.
Avg CPU Load Factor: 50
Check For Signatures Before Running Scan: Enabled
Cloud Block Level: High
Cloud Extended Timeout: 50
Days To Retain Cleaned Malware: 0
Disable Catchup Full Scan: Disabled
Disable Catchup Quick Scan: Disabled
Enable Low CPU Priority: Disabled
Enable Network Protection: Enabled (block mode)
PUA Protection: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
Real Time Scan Direction: Monitor all files (bi-directional).
Scan Parameter: Quick scan
Schedule Quick Scan Time: 720
Schedule Scan Day: Monday
Signature Update Interval: 4
Submit Samples Consent: Send safe samples automatically.
 
5 Replies
Scheduled scans do not work in passive mode. Also, MS does not support using this feature in Enterprise environments. https://learn.microsoft.com/en-us/defender-endpoint/limited-periodic-scanning-microsoft-defender-ant...

@rahuljindal-MVP Quick scan, I can see, is already working in passive mode. That is not really my question. My question is that Defender AV does not show as enabled in security providers in Virus and threat protection.

 

From PowerShell:

Get-MpComputerStatus | fl *abled*

AMServiceEnabled : True
AntispywareEnabled : True
AntivirusEnabled : True
BehaviorMonitorEnabled : True
IoavProtectionEnabled : False
NISEnabled : False
OnAccessProtectionEnabled : False
RealTimeProtectionEnabled : True

===========

Get-MpComputerStatus | fl *scan*

FullScanAge : 4294967295
FullScanEndTime :
FullScanOverdue : False
FullScanRequired : False
FullScanSignatureVersion :
FullScanStartTime :
LastFullScanSource : 0
LastQuickScanSource : 2
QuickScanAge : 0
QuickScanEndTime : 5/31/2024 12:43:13 PM
QuickScanOverdue : False
QuickScanSignatureVersion : 1.411.383.0
QuickScanStartTime : 5/31/2024 12:33:52 PM
RealTimeScanDirection : 0

“However the below is showing in Virus and Threat Protection.” - There was no question. I had to interpret what you might want to ask and the screenshot highlighted periodic scanning.

“My question is that Defender AV does not show enabled in security providers in Virus and threat protection.” - Are your devices onboarded on to Defender for Endpoint or are you just managing Defender AV?
Yes, I realized. Sorry for that. I don't think pictures can be added here for some reason. Generally speaking, Defender AV works with Intune, passive mode, and does not show in security providers, likely since Symantec AV is in place and is taking the action. I assume once Symantec is removed, Defender AV will be in active mode? Or maybe something else will be needed.
Yes, when the non-MS security solution is removed, Defender AV will switch to active mode.
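
The `*abled*` flags posted above do not state the running mode directly. The following is an added example, not code from any poster in this thread, that reads `AMRunningMode` from `Get-MpComputerStatus` and lists the antivirus products registered with Windows Security Center, so the passive-to-active switch can be confirmed after the third-party product is removed. The function name `Get-DefenderModeReport` is hypothetical, and matching "Defender" in the provider display name is an assumption used to separate third-party products.

```powershell
# Added example: summarize the Defender AV running mode and registered AV providers.
# Get-DefenderModeReport is a hypothetical helper name, not a built-in cmdlet.
function Get-DefenderModeReport {
    [CmdletBinding()]
    param()

    # AMRunningMode is a property of the Get-MpComputerStatus output.
    $status = Get-MpComputerStatus -ErrorAction Stop

    # root/SecurityCenter2 exists on Windows client editions, not on Windows Server,
    # so a failed query yields an empty provider list instead of an error.
    $providers = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue)

    # Assumption: any provider whose display name lacks "Defender" is third-party.
    $thirdParty = @($providers | Where-Object { $_.displayName -notmatch 'Defender' })

    $summary = switch ($status.AMRunningMode) {
        'Normal'           { 'Active: Defender AV is the primary antivirus.' }
        'Passive Mode'     { 'Passive: another antivirus is primary.' }
        'SxS Passive Mode' { 'Passive (side by side): limited periodic scanning next to another antivirus.' }
        'EDR Block Mode'   { 'Passive, with EDR in block mode.' }
        default            { "Unrecognized mode: $($status.AMRunningMode)" }
    }

    [pscustomobject]@{
        AMRunningMode             = $status.AMRunningMode
        Summary                   = $summary
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        OnAccessProtectionEnabled = $status.OnAccessProtectionEnabled
        RegisteredProviders       = ($providers.displayName -join ', ')
        ThirdPartyProviders       = ($thirdParty.displayName -join ', ')
    }
}

Get-DefenderModeReport | Format-List
```

Run it before and after uninstalling the third-party product: `ThirdPartyProviders` should become empty and `AMRunningMode` should read `Normal` once Defender AV is active.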