Creating Defender Policies with GPOs


Zehadi Alam

Introduction


UGA IT units that are not leveraging Microsoft Intune to manage Defender policies can utilize group policy to do so. To onboard devices to Defender for Endpoint using group policy, see the following article: Defender Onboarding using Group Policy. This article provides guidance on locating and configuring Defender settings in the group policy management console that are suitable for enterprise environments. The goal of this article is to offer a foundational starting point for setting up these configurations, rather than providing an exhaustive guide.

Sample Defender Settings & Configuration


Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus

  • Configure detection for potentially unwanted applications -> Enabled -> Block

Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS

  • Join Microsoft MAPS -> Enabled -> Advanced MAPS
  • Send file samples when further analysis is required -> Enabled -> Send safe samples

Note: The settings above turn on cloud-delivered protection.

Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection

  • Turn on behavior monitoring -> Enabled
  • Scan all downloaded files and attachments -> Enabled
  • Monitor file and program activity on your computer -> Enabled
  • Turn on process scanning whenever real-time protection is enabled -> Enabled
  • Turn on script scanning -> Enabled

Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan

  • Check for the latest virus and spyware security intelligence before running a scheduled scan -> Enabled
  • Scan archive files -> Enabled
  • Turn on email scanning -> Enabled
  • Scan packed executables -> Enabled
  • Scan removable drives -> Enabled
  • Scan network files -> Enabled

Sample Attack Surface Reduction Rules & Configuration


Attack surface reduction rules further enhance an organization's security posture by minimizing the avenues that malicious actors can exploit. These can be configured under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.

  • Configure Attack Surface Reduction rules -> Enabled -> Set the state for each ASR rule -> Show

When configured with group policy, attack surface reduction rules must be specified by the setting's GUID and a numerical value corresponding to the state of the setting. The following is a table of sample settings and their GUIDs:

Rule Name                                                                      GUID
Use advanced protection against ransomware                                     c1db55ab-c21a-4637-bb3f-a12568109d35
Block execution of potentially obfuscated scripts                              5beb7efe-fd9a-4556-801d-275e5ffc04cc
Block Win32 API calls from Office macros                                       92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Block Office communication application from creating child processes          26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes                               7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block credential stealing from the Windows local security authority subsystem  9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

For a complete list of attack surface reduction rules and their GUIDs, see the ASR rule to GUID matrix in Microsoft's documentation.

Settings have four states: Disable, Block, Audit, Warn. These correspond to 0, 1, 2, and 6, respectively.
Note: Block means the same thing as "enable" in the context of setting the state of the rule.
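The following verification script is an added example for this article, not part of the original page or of Microsoft's tooling. After the GPO has applied (gpupdate), it compares the ASR rule states Defender reports through Get-MpPreference against the Block state the table above calls for, and then lists the raw values the GPO wrote under the Exploit Guard ASR policy key, which is where the "Show Contents" entries end up.

```powershell
# Added verification script (not part of the original article). Run from an elevated
# PowerShell session on an onboarded, domain-joined device after gpupdate /force.

# Expected states keyed by rule GUID, taken from the table above (1 = Block).
$ExpectedRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 1  # Use advanced protection against ransomware
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 1  # Block execution of potentially obfuscated scripts
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 1  # Block Win32 API calls from Office macros
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 1  # Block Office communication app child processes
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 1  # Block Adobe Reader child processes
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 1  # Block credential stealing from LSASS
}

# Numeric states as they are typed into the GPO "Show Contents" window.
$StateNames = @{ 0 = 'Disable'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-AsrRuleState {
    param([hashtable]$Expected)

    $pref = Get-MpPreference
    # Defender reports two parallel arrays: the i-th ID pairs with the i-th action value.
    $actual = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToLower()
        $actual[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }

    foreach ($guid in $Expected.Keys) {
        $want = $Expected[$guid]
        $have = if ($actual.ContainsKey($guid)) { $actual[$guid] } else { $null }
        $haveName = if ($null -eq $have) { 'Not configured' } else { $StateNames[$have] }
        [pscustomobject]@{
            RuleGuid = $guid
            Expected = $StateNames[$want]
            Actual   = $haveName
            Match    = ($have -eq $want)
        }
    }
}

Test-AsrRuleState -Expected $ExpectedRules | Format-Table -AutoSize

# Group Policy stores each rule as a REG_SZ value (name = GUID, data = state) under this
# key, so values here confirm the state came from the GPO rather than a local change.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
if (Test-Path $PolicyKey) {
    Get-ItemProperty -Path $PolicyKey | Select-Object -Property * -ExcludeProperty PS*
} else {
    Write-Warning "No ASR rule values under $PolicyKey; check the GPO link and run gpupdate /force."
}
```

Any row with Match set to False (or Actual reading "Not configured") means the device is not yet receiving the intended rule state and the GPO scope, link or replication should be checked before relying on the rule.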

To configure the above settings as enabled, the Show Contents window will reflect the following:

Settings Availability


Certain settings cannot be managed using GPOs due to their unavailability. For example, Tamper protection can only be managed using Intune, Configuration Manager, or the Defender Portal. UGA InfoSec has already enabled Tamper protection in the Defender Portal, which applies at the tenant level.

Devices onboarded to Defender for Endpoint should show the Tamper protection setting as follows in the Windows Security app under Virus & threat protection > Manage settings.
