Microsoft Endpoint Manager – Creating a MDAV Policy

This is John Barbare and I am a Sr Premier Field Engineer at Microsoft focusing on all things in the Cybersecurity space. In this tutorial I will walk you through the steps of creating a Microsoft Defender (MDAV) policy for your Windows Operating Systems. This is a two part series which will cover  a MDAV policy and Attack Surface Reduction rule policy to your endpoints. So be on the lookout for more to come.

If you are wondering what is Microsoft Endpoint Manager (MEM), then let me provide a brief overview of the cloud solution platform that unifies several technologies. It is not a new license. The services are licensed according to their individual license's terms. For more information, see the product licensing terms.

If you currently use Configuration Manager, you also get Microsoft Intune to co-manage your Windows devices. For other platforms, such as iOS/iPadOS and Android, then you will need a separate Intune license. In most scenarios, Microsoft 365 may be the best option, as it gives you Endpoint Manager, and Office 365. For more information, see Microsoft 365. The below picture indicates a brief overview and more information can be found here.

About Microsoft Endpoint ManagerAbout Microsoft Endpoint Manager

Creating a new MDAV Policy
The first item we want to do is make sure that all the devices we want to push the new MDAV policy are showing up inside MEM amin center. This paper assumes you have enrolled all the devices for your preferred method and we are checking to make sure the devices are shown before creating or pushing out a new policy.

Navigate to the Microsoft Endpoint Manager and login with your credentials at

Login ScreenLogin Screen

Once logged in you will arrive at the home page.

Home page of Microsoft Endpoint ManagerHome page of Microsoft Endpoint Manager

Select “Devices” and then “All devices” to make sure the device you will be applying the new MDAV Policy has been synced.

Selecting the All Devices TabSelecting the All Devices Tab

Next, we will select the “Endpoint Security” tab which is under the “Device” tab.

Endpoint Security TabEndpoint Security Tab

This will bring you into the main policy dashboard to create the new WDAV policy. First you will select “” under the “Manage” tab. Select “create policy” at the top, and then a window will open to pick the operating system “Platform” and “Profile”. For
“Platform”, select Windows 10 and later and for “Profile”, select Microsoft Defender and click “Create” at the bottom.

Creating the WDAV PolicyCreating the WDAV Policy

This will bring you to the creation of the profile for WDAV. Name the profile in the “basics” tab and then provide a brief description and click next.

Creating the ProfileCreating the Profile

The next tab, “Configuration settings” is where you will configure the policy according to your company's .

Configuring the WDAV ProfileConfiguring the WDAV Profile

In the past, I have always recommended to my clients to reference MEM Baselines, Microsoft Security Baselines, and the Microsoft Security Configuration Framework. Below is shown with the settings inside MEM on the left and on the right is the Microsoft security baselines for Windows 10 1909 for a comparison.

Microsoft Security Baseline ComparisonMicrosoft Security Baseline Comparison

Microsoft recommends that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. For example, there are over 3,000 settings for Windows 10 1909. Of those 3,000 settings, only some of those are security related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you have done that, you still need to determine what values each of these settings should be.

In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Microsoft security settings to help mitigate these threats. To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed.

Some of my clients use both Microsoft security baselines and internal baselines. These include Federal, DoD, and other benchmarks like the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIGs) and the Center for Internet Security (CIS) Benchmarks.

When you are finished inputting and selecting the configurations for your settings in the drop-down arrows, select next.

Completing the WDAV SettingsCompleting the WDAV Settings

In the next window you will select any scope tags you have assigned for any of your devices and click next.

Selecting Scope TagsSelecting Scope Tags

When you create or update a profile, you can add scope tags and applicability rules to the profile.

Scope tags are a terrific way to filter profiles to specific groups. Some would include scope tags such as The_Citadel-Bulldogs IT Team, JohnBarbare_ITDepartment, or Test-OU. Use RBAC and scope tags for distributed IT which has more information.

On Windows 10 devices, you can add applicability rules so the profile only applies to a specific OS version or a specific Windows edition. Applicability rules has more information.

Next, we will have the option to assign the policy to select groups, all users, all devices, or all users and devices. Here we are targeting just a select group and will pick the IT Group for this new policy. Selecting the groups to include and IT Group will target the devices inside the group and then click select and then click next. This is the equivalent to applying a policy to an organizational unit in Objects.

Targeting the Assignments for the WDAV PolicyTargeting the Assignments for the WDAV Policy

Many users ask when to use user groups and when to use device groups. The answer depends on your goal. Here is some guidance to get you started.

Device groups

If you want to apply settings on a device, regardless of who is signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user.
Device groups are useful for managing devices that do not have a dedicated user. For example, you have devices that print tickets, scan inventory, are shared by shift workers, are assigned to a specific warehouse, and so on. Put these devices in a devices group, and assign your profiles to this devices group.

User groups

Profile settings applied to user groups always go with the user, and go with the user when signed in to their many devices. It is normal for users to have many devices, such as a Surface Pro for work, and a personal iOS/iPadOS device. And, it is normal for a person to access email and other organization resources from these devices.

For example: You want to put a Help Desk icon for all users on all their devices. In this scenario, put these users in a users group, and assign your Help Desk icon profile to this users group.

To summarize, use device groups when you do not care who is signed in on the device, or if anyone is signed in. You want your settings to always be on the device. Use user groups when you want your settings and rules to always go with the user, whatever device they use.

Now let's head over to finishing the newly created profile on the Create profile page. You will see all the settings for your new policy, and you can confirm before selecting create.

Summary of the new WDAV PolicySummary of the new WDAV Policy

The next page will bring you to the summary page where you can view the new WDAV policy you just created.

Viewing the newly created WDAV PolicyViewing the newly created WDAV Policy

When you select the policy name that you have created, you will be redirected to the overview page which will display more detailed information. When you select a tile from this view, MEM displays additional details for that profile if they are available. In this case, it applied my new WDAV policy to all devices I targeted successfully.

Viewing the newly applied WDAV Policy to the targeting machinesViewing the newly applied WDAV Policy to the targeting machines


Thanks for taking the time to read this article and I hope you had fun reading create a MDAV policy using the new MEM console. The next blog I will show you setup and configure Attack Surface Reduction in MEM.  Hope to see you in the next blog and always protect your endpoints!

Hope to see you in my next blog and always protect your endpoints!  

Thanks for reading and have a great Cybersecurity day!  

Follow my Microsoft Security Blogs:  and also on LinkedIn.  


This article was originally published by Microsoft's Secure Blog. You can find the original article here.