This is John Barbare and I am a Sr Premier Field Engineer at Microsoft focusing on all things in the Cybersecurity space. In this tutorial I will walk you through the steps of creating a Windows Defender Antivirus (WDAV) policy for your Windows Operating Systems. This is a two part series which will cover a WDAV policy and Attack Surface Reduction rule policy to your endpoints. So be on the lookout for more to come.
If you are wondering what is Microsoft Endpoint Manager (MEM), then let me provide a brief overview of the cloud solution platform that unifies several technologies. It is not a new license. The services are licensed according to their individual license’s terms. For more information, see the product licensing terms.
If you currently use Configuration Manager, you also get Microsoft Intune to co-manage your Windows devices. For other platforms, such as iOS/iPadOS and Android, then you will need a separate Intune license. In most scenarios, Microsoft 365 may be the best option, as it gives you Endpoint Manager, and Office 365. For more information, see Microsoft 365. The below picture indicates a brief overview and more information can be found here.
Creating a new WDAV Policy
The first item we want to do is make sure that all the devices we want to push the new WDAV policy are showing up inside MEM amin center. This paper assumes you have enrolled all the devices for your preferred method and we are checking to make sure the devices are shown before creating or pushing out a new policy.
Navigate to the Microsoft Endpoint Manager admin center and login with your credentials at https://endpoint.microsoft.com.
Once logged in you will arrive at the home page.
Select “Devices” and then “All devices” to make sure the device you will be applying the new WDAV Policy has been synced.
Next, we will select the “Endpoint Security” tab which is under the “Device” tab.
This will bring you into the main policy dashboard to create the new WDAV policy. First you will select “Antivirus” under the “Manage” tab. Select “create policy” at the top, and then a window will open to pick the operating system “Platform” and “Profile”. For
“Platform”, select Windows 10 and later and for “Profile”, select Microsoft Defender Antivirus and click “Create” at the bottom.
This will bring you to the creation of the profile for WDAV. Name the profile in the “basics” tab and then provide a brief description and click next.
The next tab, “Configuration settings” is where you will configure the policy according to your company’s best practices.
In the past, I have always recommended to my clients to reference MEM Baselines, Microsoft Security Baselines, and the Microsoft Security Configuration Framework. Below is shown with the settings inside MEM on the left and on the right is the Microsoft security baselines for Windows 10 1909 for a comparison.
Microsoft recommends that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. For example, there are over 3,000 Group Policy settings for Windows 10 1909. Of those 3,000 settings, only some of those are security related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you have done that, you still need to determine what values each of these settings should be.
In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Microsoft security settings to help mitigate these threats. To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed.
Some of my clients use both Microsoft security baselines and internal baselines. These include Federal, DoD, and other benchmarks like the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIGs) and the Center for Internet Security (CIS) Benchmarks.
When you are finished inputting and selecting the configurations for your settings in the drop-down arrows, select next.
In the next window you will select any scope tags you have assigned for any of your devices and click next.
When you create or update a profile, you can add scope tags and applicability rules to the profile.
Scope tags are a terrific way to filter profiles to specific groups. Some would include scope tags such as The_Citadel-Bulldogs IT Team, JohnBarbare_ITDepartment, or Test-OU. Use RBAC and scope tags for distributed IT which has more information.
On Windows 10 devices, you can add applicability rules so the profile only applies to a specific OS version or a specific Windows edition. Applicability rules has more information.
Next, we will have the option to assign the policy to select groups, all users, all devices, or all users and devices. Here we are targeting just a select group and will pick the IT Group for this new policy. Selecting the groups to include and IT Group will target the devices inside the group and then click select and then click next. This is the equivalent to applying a policy to an organizational unit in Group Policy Objects.
Many users ask when to use user groups and when to use device groups. The answer depends on your goal. Here is some guidance to get you started.
If you want to apply settings on a device, regardless of who is signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user.
Device groups are useful for managing devices that do not have a dedicated user. For example, you have devices that print tickets, scan inventory, are shared by shift workers, are assigned to a specific warehouse, and so on. Put these devices in a devices group, and assign your profiles to this devices group.
Profile settings applied to user groups always go with the user, and go with the user when signed in to their many devices. It is normal for users to have many devices, such as a Surface Pro for work, and a personal iOS/iPadOS device. And, it is normal for a person to access email and other organization resources from these devices.
For example: You want to put a Help Desk icon for all users on all their devices. In this scenario, put these users in a users group, and assign your Help Desk icon profile to this users group.
To summarize, use device groups when you do not care who is signed in on the device, or if anyone is signed in. You want your settings to always be on the device. Use user groups when you want your settings and rules to always go with the user, whatever device they use.
Now let’s head over to finishing the newly created profile on the Create profile page. You will see all the settings for your new policy, and you can confirm before selecting create.
The next page will bring you to the summary page where you can view the new WDAV policy you just created.
When you select the policy name that you have created, you will be redirected to the overview page which will display more detailed information. When you select a tile from this view, MEM displays additional details for that profile if they are available. In this case, it applied my new WDAV policy to all devices I targeted successfully.
Thanks for taking the time to read this article and I hope you had fun reading how to create a WDAV policy using the new MEM console. The next blog I will show you how to setup and configure Attack Surface Reduction in MEM. Hope to see you in the next blog and always protect your endpoints!
Thanks for reading and have a great Cybersecurity day!