Windows-Setup/Group Policies Objects/Default Domain Policy/Microsoft Defender Antivirus.md

# Microsoft Defender Antivirus

**MAPS and features dependent on it disabled using this policy. It is quite invasive so I will only enable it for certain OUs.**

`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`

## MAPS

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
- Join Microsoft MAPS -> Enabled -> Disabled

## Controlled Folder Access

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`

- Configure Controlled folder access -> Enabled -> Block

## Attack Surface Reduction

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack surface reduction`

- Configure Attack Surface Reduction rules -> Add all rules from the [GUID Matrix](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix) except `01443614-cd74-433a-b99e-2ecdc07bfc25`. Set their value to 1.

Rationale: `01443614-cd74-433a-b99e-2ecdc07bfc25` depends on Microsoft Cloud Protection (MAPS). The only place where I use MAPS is my gaming machine, and it needs to be able to run not-so-reputable programs anyways.

## MpEngine

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`

- Enable file hash computation feature -> Enabled

## Quarantine

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Quarantine`

- Configure local settings override for the removal of items from Quarantine folder -> Enabled
- Configure removal of items from Quarantine folder -> 1 day

## Scan

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan`

- Scan for the latest virus and spyware security intelligence before running a scheduled scan -> Enabled
- Turn on catch-up quick scan -> Enabled

## Security Intelligence Updates

- Check for the latest virus and spyware security intelligence on startup -> Enabled
Update policies Signed-off-by: Tommy <contact@tommytran.io> 2023-12-30 23:54:28 -05:00			`# Microsoft Defender Antivirus`

Redo SmartScreen/MAPS setup Signed-off-by: Tommy <contact@tommytran.io> 2024-01-07 03:30:05 -05:00			`MAPS and features dependent on it disabled using this policy. It is quite invasive so I will only enable it for certain OUs.`
Update Defender policies Signed-off-by: Tommy <contact@tommytran.io> 2024-01-04 08:40:19 -05:00
Fix policy path to match AD Signed-off-by: Tommy <contact@tommytran.io> 2024-01-06 06:43:40 -05:00			`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
Update policies Signed-off-by: Tommy <contact@tommytran.io> 2023-12-30 23:54:28 -05:00
Move MAPS Signed-off-by: Tommy <contact@tommytran.io> 2023-12-31 00:40:58 -05:00			`## MAPS`

			`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
Redo SmartScreen/MAPS setup Signed-off-by: Tommy <contact@tommytran.io> 2024-01-07 03:30:05 -05:00			`- Join Microsoft MAPS -> Enabled -> Disabled`
Update Defender policies Signed-off-by: Tommy <contact@tommytran.io> 2024-01-04 08:40:19 -05:00
			`## Controlled Folder Access`

			`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`
Move MAPS Signed-off-by: Tommy <contact@tommytran.io> 2023-12-31 00:40:58 -05:00
Update Defender policies Signed-off-by: Tommy <contact@tommytran.io> 2024-01-04 08:40:19 -05:00			`- Configure Controlled folder access -> Enabled -> Block`
Update policies Signed-off-by: Tommy <contact@tommytran.io> 2023-12-30 23:54:28 -05:00
Add ASR rules Signed-off-by: Tommy <contact@tommytran.io> 2024-04-26 03:06:19 -04:00			`## Attack Surface Reduction`

			`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack surface reduction`

			- Configure Attack Surface Reduction rules -> Add all rules from the [GUID Matrix](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix) except `01443614-cd74-433a-b99e-2ecdc07bfc25`. Set their value to 1.

			Rationale: `01443614-cd74-433a-b99e-2ecdc07bfc25` depends on Microsoft Cloud Protection (MAPS). The only place where I use MAPS is my gaming machine, and it needs to be able to run not-so-reputable programs anyways.

Update Defender policies Signed-off-by: Tommy <contact@tommytran.io> 2024-01-04 08:40:19 -05:00			`## MpEngine`
Update policies Signed-off-by: Tommy <contact@tommytran.io> 2023-12-30 23:54:28 -05:00
Update Defender policies Signed-off-by: Tommy <contact@tommytran.io> 2024-01-04 08:40:19 -05:00			`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`

			`- Enable file hash computation feature -> Enabled`

			`## Quarantine`

			`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Quarantine`

			`- Configure local settings override for the removal of items from Quarantine folder -> Enabled`
			`- Configure removal of items from Quarantine folder -> 1 day`

			`## Scan`

			`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan`

			`- Scan for the latest virus and spyware security intelligence before running a scheduled scan -> Enabled`
			`- Turn on catch-up quick scan -> Enabled`

			`## Security Intelligence Updates`
Update policies Signed-off-by: Tommy <contact@tommytran.io> 2023-12-30 23:54:28 -05:00
Update Defender policies Signed-off-by: Tommy <contact@tommytran.io> 2024-01-04 08:40:19 -05:00			`- Check for the latest virus and spyware security intelligence on startup -> Enabled`