Windows Defender (now branded Microsoft Defender Antivirus; this article keeps the Windows Defender name throughout) is the built-in antivirus and threat protection suite on Windows 10 and 11.
Mobile Guardian supports managing Windows Defender policy on enrolled devices through a dashboard-based approach using Windows MDM Settings, and through Intune configuration profiles for administrators who need more granular control.
Both methods push settings through Microsoft Intune to enrolled devices.
What You Will Learn
- How Windows Defender policy maps to Profiles in Mobile Guardian
- How to configure Defender settings using the dashboard (Windows MDM Settings)
- How to configure Defender using the Intune Settings Catalog for advanced control
- How to verify Defender status on enrolled devices
Prerequisites
- Windows 10/11 Pro or higher
- Devices enrolled in Mobile Guardian via Microsoft Intune (see Windows OS Onboarding: Part 1)
- Admin access to the Mobile Guardian Dashboard
- Admin access to Microsoft Intune (for advanced configuration)
How Windows Defender Policy Fits Into Mobile Guardian Profiles
Windows Defender configuration in Mobile Guardian is applied at the profile level, not per-device. Defender policy is defined once and pushed to all Windows devices assigned to that profile.
Recommended profile structure for Defender:
| Profile Type | Use Case |
| Baseline Profile | Apply a standard Defender policy to all enrolled Windows devices: real-time protection on, cloud protection enabled, scheduled scans active |
| Conditional Profile | Apply stricter Defender settings to a defined group (e.g. devices used off-site or on untrusted networks) based on tags or device ownership |
Note: All devices will have a baseline profile applied. Use a conditional profile when Defender settings need to differ from the school-wide default.
Method 1: Dashboard-Based Configuration (Windows MDM Settings)
This method uses the built-in Windows MDM settings in the Mobile Guardian dashboard. It covers the most common Defender settings and is the recommended starting point for most schools.
Step 1: Access Windows MDM Settings
- Navigate to Settings in the left-hand menu
- Select Windows MDM Settings
Step 2: Configure Windows Defender Settings
Under the Security or Windows Defender section, configure the following:
Real-Time Protection
| Setting | Options | Recommendation |
| Real-time protection | Enabled / Disabled | Enabled (always on) |
| Cloud-delivered protection | Enabled / Disabled | Enabled for faster threat identification |
| Automatic sample submission | Enabled / Disabled | Enabled for school-managed devices |
| Behaviour monitoring | Enabled / Disabled | Enabled to detect suspicious activity |
| On-access protection | Enabled / Disabled | Enabled to scan files when opened |
Scan Settings
| Setting | Options | Recommendation |
| Scan type | Quick scan / Full scan | Quick scan for daily scheduled scans |
| Scheduled scan day | Every day / Specific day | Every day for student devices |
| Scheduled scan time | Time of day | Outside teaching hours (e.g. 12:00 or during lunch break) |
| Scan removable drives | Enabled / Disabled | Enabled if students use USB drives |
Exclusions
| Setting | Description |
| Excluded file extensions | File types to skip during scans (e.g. .iso, .vhdx) |
| Excluded paths | Folders to skip (e.g. paths used by development or lab software) |
| Excluded processes | Processes to skip (e.g. specific education software that triggers false positives) |
Important: Only add an exclusion when a known false positive is occurring with trusted software, and scope it as narrowly as possible: a specific file or process rather than a whole folder, and never a user-writable location (a profile, Downloads or temp folder) or a whole drive, because anything dropped into an excluded path is never scanned. A process exclusion skips every file that process opens, not just the process itself, so excluding a script host or shell leaves everything it touches unscanned. Each exclusion reduces the protection surface. Document any exclusions added and review them periodically.
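To review what is actually excluded on a device, and to catch the abusable entries the note above warns about, the following PowerShell is an added example (not Mobile Guardian's or Microsoft's code). It reads the effective exclusions with Get-MpPreference, which needs an elevated session; the lists of user-writable folders, code-carrying extensions and high-risk process names are this example's own assumptions, not a Microsoft list.

```powershell
# Added example: audit the Defender exclusions in effect on this device and
# flag entries an attacker could abuse. Run in an elevated PowerShell session
# (exclusions are hidden from non-admin sessions on current builds).
# The "risky" heuristics below are this example's own assumptions.

function Get-RiskyDefenderExclusions {
    param(
        # Defaults to the live preferences; pass any object with the same
        # ExclusionPath / ExclusionExtension / ExclusionProcess members to review offline.
        $Preference = (Get-MpPreference)
    )

    # Locations a standard user (or malware running as one) can write to.
    $userWritable = @('C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\', 'C:\Temp\')
    # File types that carry code: excluding them by extension stops payloads being scanned.
    $codeExtensions = @('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.hta', '.scr', '.com', '.msi')
    # A process exclusion skips every file the named process opens, not the binary itself,
    # so excluding a shell or script host leaves everything it touches unscanned.
    $hostProcesses = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                       'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'explorer.exe', 'svchost.exe')

    $findings = @()

    foreach ($path in @($Preference.ExclusionPath)) {
        if (-not $path) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$path)
        if ($expanded -match '^[A-Za-z]:\\?$') {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = 'Whole drive excluded' }
        }
        elseif ($userWritable | Where-Object { $expanded.StartsWith($_, 'OrdinalIgnoreCase') }) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = 'User-writable location: files dropped here are never scanned' }
        }
        if ($expanded.Contains('*')) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = 'Wildcard path: may match more than intended' }
        }
    }

    foreach ($ext in @($Preference.ExclusionExtension)) {
        if (-not $ext) { continue }
        $norm = '.' + ([string]$ext).TrimStart('.').ToLowerInvariant()   # accept "iso" and ".iso"
        if ($codeExtensions -contains $norm) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext; Reason = 'Executable/script type excluded from scanning' }
        }
    }

    foreach ($proc in @($Preference.ExclusionProcess)) {
        if (-not $proc) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$proc)
        $name = [IO.Path]::GetFileName($expanded)
        $dir  = [IO.Path]::GetDirectoryName($expanded)
        if ($hostProcesses -contains $name) {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'Shell/script host: every file it opens goes unscanned' }
        }
        if (-not $dir) {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'Name-only exclusion: applies to any binary with this name from any path' }
        }
        elseif ($userWritable | Where-Object { $dir.StartsWith($_.TrimEnd('\'), 'OrdinalIgnoreCase') }) {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'Process lives in a user-writable folder and can be replaced' }
        }
    }

    return $findings
}

# Usage: an empty result means no exclusion matched the heuristics above.
Get-RiskyDefenderExclusions | Format-Table -AutoSize
```

Run this after any exclusion change and keep the output with the exclusion record the note above asks for; an entry that trips the user-writable or script-host rule is usually better replaced by excluding the single file that caused the false positive.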
Step 3: Configure Firewall Settings
If firewall settings are available under Windows MDM Settings:
| Setting | Options | Recommendation |
| Enable firewall | Enabled / Disabled | Enabled (all profiles: Domain, Private, Public) |
| Block inbound connections | Enabled / Disabled | Enabled for Public profile |
| Stealth mode | Enabled / Disabled | Enabled to prevent the device from responding to unsolicited traffic |
Step 4: Save and Apply
- Click Save Changes at the bottom of the Windows MDM Settings page
- The policy will be pushed to enrolled devices on their next Intune sync (typically within 15 minutes). To apply it immediately, trigger a sync from the device (Settings > Accounts > Access work or school > select the account > Info > Sync) or from the device's page in the Intune admin centre (Sync)
Method 2: Intune Settings Catalog (Advanced Configuration)
This method provides access to the full range of Windows Defender CSP settings through the Intune Settings Catalog. Use this when you need settings not exposed in the MG dashboard, or when deploying standardised security baselines across multiple tenants.
Step 1: Create a New Configuration Profile
Sign in to the Microsoft Intune Admin Centre and navigate to:
- Devices
- Manage Devices (drop-down)
- Configuration
- Create > New Policy
On the Create Profile window:
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Click Create
Step 2: Complete the Basics
- Name: Enter a descriptive name (e.g. Mobile Guardian Windows Defender Policy)
- Description: Optional but recommended
- Click Next
Step 3: Add Defender Settings
Click Add settings and search for the following categories in the Settings picker:
Defender (Antivirus)
Search for Defender and add:
| Setting | Recommended Value |
| Allow Realtime Monitoring | Allow |
| Allow Behavior Monitoring | Allow |
| Allow Cloud Protection | Allow |
| Allow On Access Protection | Allow |
| Allow Scanning All Downloaded Files And Attachments | Allow |
| Cloud Block Level | High |
| Cloud Extended Timeout | 50 (seconds) |
| Submit Samples Consent | Send safe samples automatically |
| Schedule Scan Day | Every day |
| Schedule Scan Time | 720 (minutes after midnight, i.e. 12:00) |
| Scan Parameter | Quick scan |
| Allow Scanning Network Files | Not allowed (to avoid performance impact on shared drives) |
| PUA Protection | PUA Protection on |
Firewall
Search for Firewall and add:
| Setting | Recommended Value |
| Enable Firewall (Domain Profile) | True |
| Enable Firewall (Private Profile) | True |
| Enable Firewall (Public Profile) | True |
| Default Inbound Action (Public Profile) | Block |
| Disable Stealth Mode | False (stealth mode on) |
Click the X to close the Settings picker once all settings are added. Configure each setting to the values above.
Click Next.
Step 4: Skip Scope Tags
Click Next on the Scope Tags tab. No changes required.
Step 5: Assign to a Group
Under the Included groups section:
- Click Add groups
- Select the Azure AD group corresponding to your student or staff devices
- Click Next
Step 6: Review and Create
Review your settings and click Create. The policy will sync to enrolled devices within approximately 15 minutes of the next Intune check-in; use Sync on the device's page in the Intune admin centre to force an immediate check-in.
Step 7: Link Back to Mobile Guardian Profiles
Once the Intune policy is deployed:
- Navigate to Profiles in the Mobile Guardian left-hand menu
- Select the Baseline Profile (for school-wide enforcement) or the relevant Conditional Profile
- Under the What section of the profile, select restrictions
- Confirm that Windows device settings are active for the assigned group
- The Intune policy will apply automatically to any device enrolled in the matching Azure AD group
Verifying Defender Status
From the Mobile Guardian Dashboard
- Navigate to Devices in the left-hand menu
- Select All Devices and locate the Windows device
- Click the eye icon to open the Device Information view
- Confirm the device is enrolled and active
Note: The Mobile Guardian dashboard confirms device enrolment status, not the state of individual Intune policies. Use Microsoft Intune to verify that Defender policy has been applied successfully.
From the Device Directly
On the Windows device:
- Open Windows Security (search for “Windows Security” in the Start menu)
- Select Virus & threat protection
- Confirm:
- “Real-time protection is on”
- “Cloud-delivered protection is on”
- The last scan date and next scheduled scan time are shown
- Select Firewall & network protection to confirm firewall is active on all profiles
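The Windows Security screens confirm the headline switches; the scheduled-scan, cloud, PUA and firewall values configured above are only visible through the Defender and firewall cmdlets. The following PowerShell is an added example (not Mobile Guardian's or Microsoft's code) that compares the device's effective state with the baseline this article recommends. Run it in an elevated session on the device; the numeric expectations are the codes Get-MpPreference reports for the recommended values and are listed in the comments.

```powershell
# Added example: compare this device's effective Defender and firewall state
# with the baseline recommended in this article. Run elevated on the device.
# Expected codes as reported by Get-MpPreference: MAPSReporting 2 = Advanced,
# SubmitSamplesConsent 1 = send safe samples, CloudBlockLevel 2 = High,
# PUAProtection 1 = on, ScanScheduleDay 0 = every day, ScanParameters 1 = quick scan.

function Test-DefenderBaseline {
    param(
        $Status   = (Get-MpComputerStatus),
        $Pref     = (Get-MpPreference),
        $Profiles = (Get-NetFirewallProfile)
    )

    $checks = @(
        @{ Name = 'AM service running';         Actual = $Status.AMServiceEnabled;          Expected = $true },
        @{ Name = 'Antivirus enabled';          Actual = $Status.AntivirusEnabled;          Expected = $true },
        @{ Name = 'Real-time protection';       Actual = $Status.RealTimeProtectionEnabled; Expected = $true },
        @{ Name = 'Behaviour monitoring';       Actual = $Status.BehaviorMonitorEnabled;    Expected = $true },
        @{ Name = 'On-access protection';       Actual = $Status.OnAccessProtectionEnabled; Expected = $true },
        @{ Name = 'Quick scan within last day'; Actual = ($Status.QuickScanAge -le 1);      Expected = $true },
        @{ Name = 'Cloud protection (MAPS)';    Actual = [int]$Pref.MAPSReporting;          Expected = 2 },
        @{ Name = 'Sample submission consent';  Actual = [int]$Pref.SubmitSamplesConsent;   Expected = 1 },
        @{ Name = 'Cloud block level';          Actual = [int]$Pref.CloudBlockLevel;        Expected = 2 },
        @{ Name = 'Cloud extended timeout (s)'; Actual = [int]$Pref.CloudExtendedTimeout;   Expected = 50 },
        @{ Name = 'PUA protection';             Actual = [int]$Pref.PUAProtection;          Expected = 1 },
        @{ Name = 'Scheduled scan day';         Actual = [int]$Pref.ScanScheduleDay;        Expected = 0 },
        @{ Name = 'Scheduled scan type';        Actual = [int]$Pref.ScanParameters;         Expected = 1 },
        @{ Name = 'Scheduled scan time';        Actual = [string]$Pref.ScanScheduleTime;    Expected = '12:00:00' },
        @{ Name = 'Removable drives scanned';   Actual = (-not $Pref.DisableRemovableDriveScanning); Expected = $true },
        @{ Name = 'Network files scanned';      Actual = (-not $Pref.DisableScanningNetworkFiles);   Expected = $false }
    )

    # Firewall: on for every profile, inbound blocked by default on Public.
    foreach ($p in $Profiles) {
        $checks += @{ Name = "Firewall enabled ($($p.Name))"; Actual = [string]$p.Enabled; Expected = 'True' }
    }
    $public = $Profiles | Where-Object { $_.Name -eq 'Public' }
    if ($public) {
        $checks += @{ Name = 'Public default inbound action'; Actual = [string]$public.DefaultInboundAction; Expected = 'Block' }
    }

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $c.Actual
            Pass     = ($c.Actual -eq $c.Expected)
        }
    }
}

# Usage: print the full comparison, then a one-line summary of drift.
$report = Test-DefenderBaseline
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
"$($failed.Count) setting(s) differ from the baseline"
```

Stealth mode is not exposed by Get-NetFirewallProfile, so it is not checked here; a row that fails after the policy reports Succeeded in Intune usually points at a Group Policy or third-party product overriding the MDM value (see Troubleshooting).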
From Microsoft Intune
Per-policy view:
- Navigate to Devices > Configuration in the Intune Admin Centre
- Select the Defender policy profile you created
- Select Device and user check-in status
- Confirm the device shows a state of Succeeded
Per-device view:
- Navigate to Devices > All Devices
- Select the device
- Under Monitor, select Configuration
- Locate the Defender policy profile and confirm the state shows Succeeded
Troubleshooting
| Issue | Likely Cause | Resolution |
| Real-time protection showing as off on device | Policy not assigned to the correct Azure AD group, or a conflicting Group Policy is overriding Intune | Check group assignment in Intune; check for local or domain GPOs overriding Defender settings. By default Group Policy wins over MDM when both configure the same setting, unless the ControlPolicyConflict/MDMWinsOverGP policy is enabled in Intune |
| Scheduled scan not running | Device is powered off or in sleep at the configured scan time | Adjust the scan schedule to align with device usage hours, or enable “Start the scheduled scan only when computer is on but not in use” |
| Legitimate software being blocked | Defender flagging a false positive | Add the specific file or process (not its whole folder) to the exclusions list in Windows MDM Settings or via Intune; report the false positive to Microsoft so the exclusion can be removed once the detection is corrected |
| Defender policy showing as Not Applicable | Device running Windows Home edition | Windows Home does not support MDM Defender policy. Requires Pro or higher |
| Cloud protection not functioning | Device cannot reach Microsoft cloud endpoints | Ensure the following URLs are not blocked by your network firewall or proxy: *.wdcp.microsoft.com, *.wd.microsoft.com, *.smartscreen.microsoft.com. Test from the device with "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection, which reports whether the MAPS (cloud protection) service is reachable |
| Firewall settings not applying | A third-party firewall is registered with Windows Security Center | When a third-party firewall registers as the active firewall, Windows Defender Firewall is typically turned off for that role, so the Intune firewall settings are written but not in effect. Remove or disable the third-party firewall if Windows Defender Firewall is the intended control; otherwise configure the equivalent rules in that product |
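The table above lists causes; the following PowerShell is an added example (not Mobile Guardian's or Microsoft's code) that collects the evidence for each of them from the device in one pass: the edition, the Defender values Intune has written, any Group Policy values that would override them, registered third-party firewalls, and the MAPS connectivity test. Run it elevated. The registry paths are the MDM PolicyManager and Group Policy locations Defender uses, and the sync task name is the one the enrollment client creates; verify both on your build before relying on the output.

```powershell
# Added example: gather the facts behind the troubleshooting table from the
# device itself. Run in an elevated PowerShell session.

function Get-RegistryValues([string]$Path) {
    # Flatten a key and its subkeys into Key/Setting/Value rows; empty if absent.
    if (-not (Test-Path $Path)) { return @() }
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Key = $k.Name; Setting = $name; Value = $k.GetValue($name) }
        }
    }
}

function Get-DefenderPolicyDiagnostics {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Values Intune has delivered through the Defender CSP (empty if the policy never arrived).
    $mdmPolicy = Get-RegistryValues 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'

    # Group Policy values; by default these win over MDM for the same setting
    # unless ControlPolicyConflict/MDMWinsOverGP is enabled.
    $gpoOverrides = Get-RegistryValues 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

    # Third-party firewalls registered with Windows Security Center.
    $thirdPartyFw = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName FirewallProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState

    # MpCmdRun lives in the newest Platform folder on updated devices, else under Program Files.
    # (Lexical sort of the version-named folders is an assumption that holds for normal version strings.)
    $platform = Get-ChildItem "$env:ProgramData\Microsoft\Windows Defender\Platform" -Directory -ErrorAction SilentlyContinue |
        Sort-Object Name -Descending | Select-Object -First 1
    $mpCmdRun = if ($platform) { Join-Path $platform.FullName 'MpCmdRun.exe' }
                else { Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe' }
    $maps = if (Test-Path $mpCmdRun) { (& $mpCmdRun -ValidateMapsConnection 2>&1) -join "`n" }
            else { 'MpCmdRun.exe not found' }

    [pscustomobject]@{
        Edition                   = $os.Caption
        EditionSupportsDefenderCsp = ($os.Caption -notmatch 'Home')
        MdmDefenderPolicy         = @($mdmPolicy)
        GroupPolicyOverrides      = @($gpoOverrides)
        ThirdPartyFirewalls       = @($thirdPartyFw)
        MapsConnectivity          = $maps
    }
}

function Start-IntuneSync {
    # The MDM check-in task the enrollment client creates; starting it forces an immediate sync.
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                       $_.TaskName -eq 'Schedule #3 created by enrollment client' }
    if ($task) { $task | Start-ScheduledTask; return $true }
    return $false
}

# Usage
$d = Get-DefenderPolicyDiagnostics
"Edition: $($d.Edition) (Defender CSP supported: $($d.EditionSupportsDefenderCsp))"
"Intune-delivered Defender values:";      $d.MdmDefenderPolicy    | Format-Table -AutoSize
"Group Policy overrides (win by default):"; $d.GroupPolicyOverrides | Format-Table -AutoSize
"Third-party firewalls:";                 $d.ThirdPartyFirewalls  | Format-Table -AutoSize
"MAPS connectivity:";                     $d.MapsConnectivity
if (-not (Start-IntuneSync)) { 'Enrollment sync task not found; sync from Settings > Accounts > Access work or school instead' }
```

An empty MdmDefenderPolicy with a Succeeded state in Intune means the device has not checked in since the policy was assigned, so force the sync first; a populated GroupPolicyOverrides list with the same setting names explains a value that stays wrong even though Intune reports success.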
Thanks for reading!