It is time for part 4 of the ultimate Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on the initial Defender for Endpoint onboarding. Now it is time for the initial configuration of the additional components that are part of Defender for Endpoint; one of the main components is Defender Antivirus, also known as next-generation protection.
NOTE: The blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are available in P2.
Have a specific question or content idea about Defender for Endpoint? Use the contact submission form and share your post ideas.
Introduction
Defender for Endpoint contains lots of features that are part of MDE or AV policies, which in turn are part of the Defender AV/ NGAV solution. After the initial deployment of Defender for Endpoint, additional configuration is required for the recommended protection. A common mistake is organizations onboarding servers via Defender for Cloud without any additional configuration for Defender AV, or environments where devices are only onboarded without Cloud Protection/ Network Protection and other critical features configured.
Microsoft Defender Antivirus is Microsoft Defender for Endpoint's 'next-generation protection component' that combines machine learning, big data analysis, threat research, and Microsoft's cloud infrastructure to protect devices more in-depth with additional layers based on behavior, heuristics, and real-time protection.
In comparison with other vendors (CrowdStrike, Symantec, etc.) MDE integrates into the kernel of the Windows system. For many OS versions Defender AV is part of the OS and deeply integrated into the kernel to provide additional protections. Defender relies on built-in Windows Registry items for its settings, which can be delivered with multiple tools.
What are the additional configurations?
Next to the configuration in the Defender for Endpoint portal (security.microsoft.com), there are additional configurations available related to Defender for Endpoint.
Next-generation protection/ Defender AV
- Cloud protection
- Real-time protection
- Block at first sight
- Signature update settings
- Scan settings
- Additional AV configuration
Attack surface reduction
- Attack Surface Reduction (ASR) Rules
- Controlled folder access
- Device control
- Exploit protection
- Network protection
- Web protection
- Ransomware protection
- Application control
- HW-based isolation
Additional Defender protections
- Windows Defender Credential Guard
- Microsoft Defender SmartScreen
- Windows Defender Firewall
As you can see, there is quite a list of additional features that can be configured. Defender AV/ next-generation protection and attack surface reduction increase the protection factor and collect additional events for MDE.
Why Defender Antivirus/ next-generation protection?
Defender AV/ next-generation protection is critical for Defender for Endpoint and protects against new modern threats/ fileless threats. Next-generation protection contains multiple levels of protection based on machine learning, big data analysis, in-depth research, and multiple methods of cloud protection and enables multiple features which can be used in Defender for Endpoint. (Image source: Microsoft)

The antivirus uses both client-side and cloud machine learning (ML) models. With the help of these two model types, artificial intelligence enables in-depth protection. The first layer of the machine learning part of Defender AV is a lightweight ML model built into Defender Antivirus which runs locally on the computer. Many of these models are specialized for file types commonly abused by malware authors (JavaScript, Visual Basic Script, Office macros, and portable executable files).
Recommended read: some historic background (older Microsoft post) on the artificial intelligence concept behind Defender. Microsoft has improved a lot since the publication of that blog, but it gives some idea of how Microsoft created the artificial intelligence layer.
Cloud protection
- Metadata-based machine learning
- Reputation machine learning
- File classification machine learning
- Detonation-based machine learning
- Smart rules
Client protection
- Heuristics
- Emulation
- Client-side machine learning
- Behavior monitoring
- AMSI integration
- Memory scanning
- Network monitoring
More detailed information: View the ninja show Episode 5 where Microsoft employees explain Next-generation protection more in detail.
What is cloud protection?
Cloud-delivered protection combines client learning models with cloud-based learning. Important to know: the following critical features and capabilities depend on cloud protection:
- Checking against metadata in the cloud
- Cloud protection and sample submission
- Tamper Protection (Enabled from service settings)
- Block at first sight
- Emergency signature updates
- EDR in block mode
- Attack surface reduction rules
- Block executable files from running unless they meet a prevalence, age, or trusted list criteria
- Use advanced protection against ransomware
- Block untrusted programs from running from removable drives
Defender part of the system?
Recent versions of Windows 10/11 and Windows Server ship with Microsoft Defender Antivirus built in. Previously Server 2012R2 was only supported with SCEP; the new unified agent supports Windows Server 2012R2 and enables similar features in comparison with other versions.
OS | Antivirus built-in? | Unified agent required? |
---|---|---|
Windows 10 | ✅ | |
Windows 11 | ✅ | |
Windows Server 2008R2 | ❌ | Only SCEP is available |
Windows Server 2012R2 | ❌ | ✅ |
Windows Server 2016 (1) | ✅ | ✅ |
Windows Server 2019 | ✅ | |
Windows Server 2022 | ✅ | |
(1) Defender Antivirus is part of Server 2016. The built-in version is based on an older version. For enabling the latest features it is required to install the new unified agent. For the unified agent, the built-in AV must be enabled and updated. More information: Install the new unified Microsoft Defender for Endpoint agent on Server 2012R2 and 2016
Passive or Active
To use the full feature set of Microsoft Defender for Endpoint and gain more visibility into the complete threat landscape, it is recommended to use Microsoft Defender Antivirus as the main and only antivirus solution. The power starts when Defender Antivirus is combined with the Defender for Endpoint capabilities. For AV migrations the different modes can be enabled to easily replace the already installed AV solution without a gap in protection. For example, when migrating from non-Microsoft protection solutions:
- Prepare environment (network/ proxy/ access)
- Enable Microsoft Defender Antivirus in passive mode
- Configure policy and settings
- Onboard Defender for Endpoint in passive mode
- Update/ validate Defender
- Remove non-Microsoft protection and remove the passive key
- Reboot
More information: Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint | Microsoft Learn
The following AV modes are available:
- Active mode
- Passive mode
- EDR in block mode
- Disabled
Recommended: Use Defender AV in active mode in combination with Defender for Endpoint. When there is no 3rd party AV solution, NEVER use passive mode or disabled mode for Defender AV; this leaves the system unstable and unprotected. When using Defender AV in combination with a 3rd party AV solution, configure EDR in block mode for additional protection. Important: Never disable capabilities such as real-time protection and cloud-delivered protection when using passive mode or EDR in block mode.
# | Active mode | Passive mode | EDR Block mode | Disabled |
---|---|---|---|---|
Protection | | | | |
Detection information | ✅ | ❌ | ❌ | ❌ |
File scanning | ✅ | ✅ Limited | ✅ | ❌ |
Threat remediation | ✅ | ❌ | ✅ | ❌ |
Alert detection in MDE | ✅ | ❌ | ✅ | ❌ |
Cloud-delivered protection | ✅ | ❌ | ❌ | ❌ |
Network protection | ✅ | ❌ | ❌ | ❌ |
Attack Surface Reduction | ✅ | ❌ | ❌ | ❌ |
Real-time protection | ✅ | ❌ | ❌ | ❌ |
Updating | | | | |
Antimalware (security intelligence) updates | ✅ | ✅ | ✅ | ❌ |
Product (platform) updates | ✅ | ✅ | ✅ | ❌ |
More information: How Microsoft Defender Antivirus affects Defender for Endpoint functionality
On Windows 10/11, Defender AV is automatically switched to passive mode or EDR in block mode based on the installed AV solution. On Windows Server 2019 and higher, and on Windows Server 2012R2/2016 with the unified agent, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. On Windows Server, passive mode must be configured manually with the following registry value when using Defender for Endpoint. NOTE: Defender for Endpoint onboarding is required.
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1
More information: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions
What is EDR in block mode?
EDR in block mode makes it possible to remediate threats that are detected post-breach. With EDR in block mode, additional protection is added when MDAV is not the primary antivirus product.
When the primary agent misses artifacts, Defender for Endpoint (EDR) can use Defender Antivirus to remediate them by taking post-breach actions. EDR in block mode works when the primary antivirus solution missed something, or during post-breach detections.
For using EDR in block mode the following is important:
- Cloud-delivered protection agent
- Antivirus platform version must be up to date
- Antivirus engine version must be up to date
- Unified agent for Server 2012R2 and 2016
- EDR in block mode enabled in service settings (See Part 2)
More information: Endpoint detection and response (EDR) in block mode
Validate Defender AV mode
The Defender Antivirus mode and installed versions can be validated with the PowerShell command Get-MpComputerStatus: AMRunningMode contains the AV mode and AMProductVersion contains the platform (product) version.
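The check above, worked out as an added example (not code from the original post): it reports the AV mode, platform/engine/signature versions and the ForceDefenderPassiveMode value from the registry path given earlier, and warns when the state deviates from the recommendations in this post (passive/disabled without a forced passive key, real-time or cloud protection switched off by policy in passive/EDR block mode). The 7-day signature age threshold is an assumption of the example.

```powershell
# Added example, not code from the original post: report the Defender AV
# mode, versions and the settings this post says must stay enabled, and warn
# when the state deviates from the recommendations. Run elevated on a device
# onboarded to Defender for Endpoint.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Registry value the post uses to force passive mode on Windows Server
$atpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$forcedPassive = (Get-ItemProperty -Path $atpKey -Name 'ForceDefenderPassiveMode' `
                  -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

[pscustomobject]@{
    AMRunningMode            = $status.AMRunningMode              # Normal (active), Passive Mode, EDR Block Mode, SxS Passive Mode
    AMProductVersion         = $status.AMProductVersion           # platform version (KB4052623)
    AMEngineVersion          = $status.AMEngineVersion
    SignatureVersion         = $status.AntivirusSignatureVersion  # security intelligence (KB2267602)
    SignatureLastUpdated     = $status.AntivirusSignatureLastUpdated
    RealTimeProtectionPolicy = -not $pref.DisableRealtimeMonitoring
    CloudProtection          = $pref.MAPSReporting                # 0 = off, 1 = basic, 2 = advanced
    TamperProtected          = $status.IsTamperProtected
    ForceDefenderPassiveMode = $forcedPassive                     # $null when the value is not set
} | Format-List

# Checks derived from the recommendations in this post
$warnings = @()
if ($status.AMRunningMode -ne 'Normal' -and -not $forcedPassive) {
    $warnings += "AV mode is '$($status.AMRunningMode)': only expected when a 3rd party AV is installed."
}
if ($status.AMRunningMode -in 'Passive Mode', 'EDR Block Mode') {
    if ($pref.DisableRealtimeMonitoring) { $warnings += 'Real-time protection is disabled by policy in passive/EDR block mode.' }
    if ($pref.MAPSReporting -eq 0)       { $warnings += 'Cloud-delivered protection (MAPS) is disabled in passive/EDR block mode.' }
}
# Assumed staleness threshold of 7 days; not a value from the post
if (((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays -gt 7) {
    $warnings += 'Security intelligence (KB2267602) is older than 7 days.'
}
if ($warnings) { $warnings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'Defender AV state matches the recommendations in this post.' }
```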

Daily/ Monthly Updates
Defender for Endpoint/ Defender AV needs to be kept up to date. The following updates are important (more information on the signature updates follows in the next part of this series):
Update | KB | Description |
---|---|---|
Update for Defender antimalware platform (AmProductVersion) | KB4052623 | It is critical to make sure Defender platform is updated with the latest version, for getting latest technology and features |
Security Intelligence updates | KB2267602 | Defender AV requires Security Intelligence Updates/ Signature updates |
Update for EDR sensor (2012R2/ 2016) | KB5005292 | This update includes updates and fixes to the EDR sensor that is used by MDE for 2012R2/ 2016 |
How to manage Defender AV and additional configurations?
The question I keep getting is "How to manage Defender AV and additional configuration?". Defender for Endpoint can be deployed with multiple management systems and techniques; currently the following are the most common methods:
- Microsoft Intune
- Microsoft Configuration Manager
- Security Management for Microsoft Defender for Endpoint
- Group Policy
- PowerShell
- Desired State Configuration (DSC)
Microsoft Intune
Microsoft Intune is the most common and modern method for managing Defender for Endpoint and Defender Antivirus. Intune integrates perfectly with Defender for Endpoint and can be used for additional compliance controls. In Intune there are multiple ways available to manage the same setting; let's summarize the available options:
- Device Configuration profiles ( Templates/ ADMX/ Setting catalog)
- Security Baselines
- Endpoint Security profiles
Important: The Endpoint Security profiles are the profiles that most frequently receive support for new features. Always use the Endpoint Security profiles. Endpoint security profiles are supported for MDM and MicrosoftSense (Security Management) and are based on the latest schema and settings.
Location Endpoint Security policies: Endpoint.microsoft.com -> Endpoint security.

Security Baselines or Security profiles
Security baselines are pre-configured groups of settings and default values that are recommended by the Microsoft security teams. A baseline is a template that consists of multiple profiles. They are created based on best practices and recommendations, and for organizations they are a good starting point to quickly secure devices and apply all settings which are needed for Defender for Endpoint.

Avoid conflicts. Based on experience, there is a difference between the channel used for Endpoint Security profiles and the one used for Security Baselines. Avoid conflicts from multiple profiles with the same setting or with different values (ASR gives some issues when the same setting is used in baselines and in Endpoint security profiles).
Personally, I use the security baselines for the hardening/ additional settings and remove all Defender AV-related settings, which can easily be created with Endpoint security policies. I find it easier to manage multiple policies, and it gives some extra options to include and exclude policies for specific groups.
The latest ASR rules are not part of the security baselines, and support for MDE management is not yet added. Don't forget to use the settings that are part of the Windows 10 security baseline for hardening and for reducing the TVM recommendations in MDE.

For this baseline; I remove the Bitlocker, Firewall, Microsoft Defender, and SmartScreen settings and create separate policies in Intune.
Important: Avoid conflicts and always test/ review each setting that is part of the Security baseline. It can easily block functions.
Microsoft Configuration Manager
When using Microsoft Configuration Manager, previously known as SCCM, there are multiple ways to manage AV settings. Ideally, workstations are part of Intune for applying the configuration. When that is not possible there are a couple of options for managing endpoints:
- Use co-management and manage with Intune (workstations)
- Use tenant-attach and manage with Intune (server)
- Use endpoint protection Role in SCCM (server)
The downside of tenant-attach and the endpoint protection role in Microsoft Configuration Manager is that not all settings are available built-in. Ideally, use co-management and manage the workstations via the more modern method.
Important: The endpoint protection role and client settings are needed for managing AV settings. Without the role and client settings, the AV settings are not deployed to the system. Good to know: not all settings are available via the built-in SCCM policies; the latest ASR rules are not available, and the same applies to some more advanced settings for performance optimization/ audit collection.
More information: Endpoint Protection
Group Policy
Group Policy can be used for managing all additional settings in Defender. When using GPO my personal preference is always to use separate profiles for exclusions and for the AV configuration. Avoid deploying exclusions if they are not necessary.
Important: Before starting with Group Policy, always use the latest available ADMX template for Windows 10/11 and Windows Server.
More information: Use Group Policy settings to configure and manage Microsoft Defender Antivirus
PowerShell / DSC
It is not recommended, but PowerShell can be used if there are no other options for managing Defender configurations. For environments with machines hosted in Azure where Security Management is not an option, management with Desired State Configuration can be used. All policies can be packaged in DSC configuration files to keep track of changes and always push the same configuration.
Security Management for Microsoft Defender for Endpoint
Security Management for Microsoft Defender for Endpoint is the new method for managing security settings for devices and servers that are not enrolled yet in Intune. With the new feature, it is possible to deploy configurations from Intune directly to MDE onboarded devices without the need to completely onboard devices in Intune.
Microsoft recently released the new V2 version of Security settings management. The new version improves the capabilities and removes the Azure AD join prerequisite. Another improvement is the support for macOS and Linux.
New situation
Now the good news; Microsoft has listened and collected all the feedback and improved the flow with new improvements. I have been involved from the start of the development; after many feedback sessions and preview releases, the new solution is way more flexible and future-proof.
What has changed? With the new solution, Microsoft changed the management capabilities and launched a new simplified device onboarding. The full Azure AD join requirement is no longer needed; devices can now be managed without joining them to Azure AD. So there are no longer changes needed in Azure AD Connect/ sync rules, and no complexity across domains when one single MDE instance and Azure AD are used.
The new solution is not only supported for Windows 10/11/ Windows Server. Microsoft expanded the scope to macOS and Linux devices, all without the need to join Azure AD or Intune via the normal flow. So now we are finally able to manage Defender for Endpoint via Microsoft 365 Defender for macOS, Windows and Linux. Sounds cool, right? Let's dive further into the new solution.
In general with the new feature Microsoft released the following capabilities:
- Simplified device onboarding (Removal of Azure Active Directory hybrid join)
- Native security settings management in Defender for Endpoint
- Create policies directly from Microsoft 365 Defender portal
- Visibility in Microsoft 365 Defender portal in all settings
- Policies synced automatically between Microsoft 365 Defender and Intune
- Applied policies visible via device page
For Windows the following flow is used:

For macOS and Linux the following flow is used:

Which profile is needed in Intune?
For configuring Defender for Endpoint using the new management option, use the Endpoint security profiles part of Intune – Endpoint Security.

Currently, not all security settings are supported for the new feature. The below configurations are currently supported:
- Antivirus policies
- Firewall policies
- Firewall rule policies
- Endpoint detection and response policies
- Attack Surface Reduction Rules
Sync timings
When the device is successfully enrolled and managed by MDE it will take some time before the first initial sync is applied. The cadence (of 10 minutes) starts immediately when the enrollment succeeds; the first policy sync is after about 10 minutes. After the first policy sync, the policies are synced with Microsoft Intune on a 90-minute interval.
Hopefully, in the future, Microsoft supports more options for the policy sync. It would be great if it were possible to sync the policy in bulk (device group) or force a complete policy sync via the policy (emergency changes).
With the Policy Sync button on the MDE device page it is possible to enforce a policy refresh and receive the new policies (immediately, in the worst case within 5 to 10 minutes). The policy sync button is available via the device page:

Simplified sync flow timings:

This topic is a large one with multiple decisions, so it is explained more in-depth in the following blog: Manage Defender for Endpoint for Windows, macOS, and Linux via Security settings management
Do we need Firewall policies for MDE?
Another common question: do we need to enable Firewall policies for MDE? The answer is yes. Many organizations don't realize the importance of Windows Firewall in combination with Defender for Endpoint.
NOTE: Enabling additional auditing events can increase the collected volume of events. When connected with a SIEM/ Sentinel or another data warehouse, it is good to check the extra data and cost. Enabling both success and failure auditing generates even more events and data.
Microsoft Defender for Endpoint supports different layers of network reporting and insights based on network traffic including native network detection and events in the DeviceNetworkEvents table.
It is important to make sure Windows Firewall is enabled for all zones (profiles) and that the following audit events are enabled:
Intune:

PowerShell:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
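The two steps above combined into one script, as an added example (not code from the original post): it enables the firewall for all three profiles, turns on failure auditing for both Filtering Platform subcategories as the post recommends, and then reads the state back so the result can be verified before the DeviceNetworkEvents data is relied on.

```powershell
# Added example, not code from the original post: enable Windows Firewall for
# all profiles and turn on the two Filtering Platform audit subcategories
# (failure auditing only, as in the post), then verify both. Run elevated.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Subcategory names are localized; on non-English Windows use the GUIDs
# shown by: auditpol /list /subcategory:* /v
$subcategories = 'Filtering Platform Packet Drop', 'Filtering Platform Connection'
foreach ($sub in $subcategories) {
    # Success auditing is intentionally left off: it adds event volume and SIEM cost
    auditpol /set /subcategory:"$sub" /failure:enable | Out-Null
}

# Verify: every profile should report Enabled = True
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

# Verify: auditpol shows 'Failure' for both subcategories
foreach ($sub in $subcategories) {
    auditpol /get /subcategory:"$sub"
}
```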
What do we have after enabling and integrating the correct events?
After enabling the Firewall profiles and additional events, the following data is monitored:
- Remote IP
- Remote Port
- Local Port
- Local IP
- Computer Name
- Process across inbound and outbound connections
Conclusion
Part 4 of the Microsoft Defender for Endpoint series is completed, focused on the explanation of the additional configuration in Defender AV. In the next part, 4A, more information will be shared about the policies and best practices for the optional configuration, with the answer to: do we need local admin merge, PUA protection, MAPS reporting, scheduled scans, and more enabled?
Searching for specific Defender for Endpoint information? Use the contact submission form and share your post ideas, or contact me using LinkedIn or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.
View previous part – Microsoft Defender for Endpoint series – Onboard using MECM/ GPO – Part3D
View next part – Define the AV policy baseline – Part4A
Sources
Microsoft: Defender Ninja Show
Microsoft: Overview of next-generation protection
Looking forward to 4a. Thank you!
Part 4A and 4B are published. See; https://jeffreyappel.nl/tag/mde-series/
So if we want to use MDE Security for our servers (Server 2019 and 2022), we need to sync the OU where the servers are to Azure AD?
Correct; via AD Connect, domain joined machines need to be synced.
See; https://jeffreyappel.nl/managing-microsoft-defender-for-endpoint-with-the-new-security-management-feature-in-mem/ for more detailed information scoped on Active Directory joined devices.
Attack Surface Reduction is not supported with MDE Security; do you know if network protection and web control indicators via the Defender portal still work on the endpoint/ server?
Hi! Thanks!
I’ve some devices with the “Other” status for “Defender Antivirus Mode”. It’s in the “Device Health Status” on the Security Console.
Devices never had other third party AV.
After some weeks, the status stays in Other.
Other devices are well onboarded and Active with the same policy.
Do you know what it is, please, and how to remediate this?
Thanks 😉
When will you post the full implementation of MDE using a proxy?
Do you mean the configuration of MDE using one of the proxy methods?
How do you accomplish this: "For this baseline; I remove the Bitlocker, Firewall, Microsoft Defender, and SmartScreen settings and create separate policies in Intune." Do you create all new configuration profiles that replicate the baselines without those settings? Or do you leave everything not configured in the security baseline?
Hi,
Thanks for this great series!
What is the solution for managing DC’s and Server Core? You would still onboard them but never tag them with MDE-Management and just manage exclusions, etc. another way, is that right? What are the options for managing these? Any other best practices around these ‘MDE Attach’ unsupported Servers?
– Group Policy
– PowerShell Script
– Azure Arc (not sure how this works but we do use this as an MMA replacement)
– SCCM – Co-Mgmt / Tenant Attach then create AV policy for configmgr like this: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-manage-microsoft-defender-on-windows-server-via-intune/ba-p/3713195
Thanks
When possible I prefer to use the GPO for server core/ DCs. Not a huge fan of PowerShell custom scripting since the policy can be overruled.
Hopefully in the future MDE-Management is supporting DCs and Server Core.
Thank you!
Looks like they’ve just made a change. Server Core is supported on Server 2022 (but still not on Server 2019). Domain Controllers are supported now also (but in preview)
Hi Jeffrey,
Thank you for the detailed articles. Please share your thoughts; my question is related to Windows Defender updates (SIU, AV engine and platform updates).
In my case, automatic Windows updates are disabled through GPO for Windows client machines. I understand that Microsoft Defender updates are also part of Windows updates. Provided my Windows client machines already have the required internet connectivity, can the Windows client machines automatically fetch the Defender updates as per the applied Intune settings, which take the Defender updates from the update location "Microsoft Update"?
Or, for these types of cases, do the below two patches always have to be deployed through third-party patching solutions to Windows client machines to keep the Defender platform, AV engine and SIU up to date?
Hi,
You mentioned – Security Management for Microsoft Defender for Endpoint can be used to manage on-prem Servers and Desktops policies in one place without hybrid aad join. How do you assign the policy?
Do we still need co-management sccm for desktops and do we need azure arc for servers?
Co-Management or SCCM/ Azure Arc is not needed.
This blog gives all the details in-depth.
https://jeffreyappel.nl/manage-mde-for-windows-macos-and-linux-via-security-settings-management/
Hi,
Are Intune Device Configuration profiles supported by Security Settings Management devices or only Endpoint Security profiles?
I noticed that configuration profiles aren’t visible in the Defender Portal.
Hi Jeffrey,
Great article. I was reading the documentation from Microsoft but I always have the feeling it's missing some (key) parts or it's not as clear. This article helped a lot, especially the drawing and explanation.
Thanks