Windows Defender Management

Let's say a company wanted to make full use of defender and get rid of its anti virus software.

Do you advise against getting rid of antivirus in favor of defender? Is there a trial on the horizon, because Antivirus companies feel you are stealing their business?

Is there a management application for file signatures, updates, threat evaluation etc.? ... so one can manage thousands of hosts using defender?

8 Replies
Hey Christian, there are a few options for management, including SCCM & Intune - see here for some more info https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-...

There are several methods of managing Windows Defender in the enterprise, depending on the technologies you have currently and what you plan to invest in.

This 4 minute article summarizes it all: Deploy, manage, and report on Windows Defender Antivirus https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-...

For example, with Group Policies, you have no method of reporting, but if you had WSUS you could at least manage the updates.

If you want full control, it's a toss between Intune and SCCM.


If you have both SCCM (1702) and GPOs, which would you recommend to manage the Windows Defender policies?

Deployment monitoring and reporting live in SCCM and Intune, and then if you have E5 there is also detailed data in the Advanced Threat Protection portal.

It may depend also on your org structure. If you have all clients in ConfigManager, I would go with CM. You have also RBAC, so you can assign the WD task to a separate team and you have all the reporting in CM. So one tool that handles all.

SCCM, purely because of the reporting it would offer. Group Policies have no reporting built in for this, specifically.

Hi Michael,

Great question, here's my take as a product manager on the Windows Defender team:

We don't force or necessarily recommend one over the other.

That said, with SCCM you get a few nice benefits:

1. We only surface the important, common config knobs, so it makes for an easier config experience. You don't need to go into the weeds of obscure seldom-used settings like in GPO.
2. If you already use SCCM for your other management/IT tasks, it's great to do everything in one place.
3. SCCM also has a dashboard, reporting & compliance over antivirus data, so it's not just deploy/configure and forget.
4. And of course, SCCM also does deployment, so in the case of Windows 7/8, you would want to use it to actually deploy the SCEP ("System Center Endpoint Protection") agent. This isn't needed for Windows 10. Also SCCM has licenses for AV for Linux and Mac (though basic, and with no reporting).

Bottom line - I'd start with SCCM (or Intune btw), and if you find yourself needing some of the uncommon GP settings, use GPO/PowerShell/WMI for them.

Amitai
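
Added example, not part of the thread and not Microsoft's code: where settings are pushed by Group Policy and there is no built-in reporting, querying each host's Defender status over PowerShell/CIM gives a basic compliance report. The host names and the three-day signature threshold are assumptions; the script relies on the `Get-MpComputerStatus` cmdlet from the Defender module and on WinRM access to the targets.

```powershell
# Added example: host names and the age threshold are placeholders/assumptions.
function Get-DefenderComplianceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$MaxSignatureAgeDays = 3   # assumed policy threshold
    )
    foreach ($name in $ComputerName) {
        $session = $null
        try {
            # Get-MpComputerStatus is CIM-based, so it can run against a remote session
            $session = New-CimSession -ComputerName $name -ErrorAction Stop
            $s = Get-MpComputerStatus -CimSession $session -ErrorAction Stop

            $issues = @()
            if (-not $s.AMServiceEnabled)          { $issues += 'Antimalware service disabled' }
            if (-not $s.AntivirusEnabled)          { $issues += 'Antivirus disabled' }
            if (-not $s.RealTimeProtectionEnabled) { $issues += 'Real-time protection off' }
            if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
                $issues += "Signatures $($s.AntivirusSignatureAge) days old"
            }

            [pscustomobject]@{
                ComputerName     = $name
                Reachable        = $true
                SignatureVersion = $s.AntivirusSignatureVersion
                SignatureUpdated = $s.AntivirusSignatureLastUpdated
                Compliant        = ($issues.Count -eq 0)
                Issues           = $issues -join '; '
            }
        } catch {
            # An unreachable host is reported as non-compliant, never silently dropped
            [pscustomobject]@{
                ComputerName     = $name
                Reachable        = $false
                SignatureVersion = $null
                SignatureUpdated = $null
                Compliant        = $false
                Issues           = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Constructed host names; non-compliant hosts sort to the top
Get-DefenderComplianceReport -ComputerName 'HOST01.example.test', 'HOST02.example.test' |
    Sort-Object Compliant | Format-Table -AutoSize
```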


Thanks...this has just confirmed our thinking and we are currently in the process of moving from GPO to SCCM policy.