Complete Guide to Creating Antivirus Policies in Microsoft Intune (2025)

In-Depth Guide: Designing and Deploying Antivirus Policies in Microsoft Intune

A robust antivirus policy balances strong protection with minimal disruption. Microsoft Intune’s Endpoint Security framework lets you craft central policies for Microsoft Defender Antivirus across Windows 10/11 and Server devices—whether managed directly via MDM or through Configuration Manager tenant attach. This guide walks through planning, policy design, deployment, and ongoing management for enterprise-grade antivirus coverage.

1. Planning Your Antivirus Strategy

Before creating policies, define your protection goals and deployment approach:

  • Risk Assessment: Identify high-risk systems (e.g., finance, R&D) and standard workstations. Decide if they need stricter or relaxed scan schedules.
  • Deployment Rings: Organize devices into rings—evaluation (test lab), pilot (representative users), and broad rollout. This phased method catches issues early and reduces support load.
  • Operational Windows: Determine off-peak hours for full scans. Align with maintenance schedules to avoid performance conflicts.
  • Compliance Requirements: Map policy settings to regulatory standards (e.g., PCI DSS, HIPAA) that dictate malware protection levels and reporting needs.

Document these parameters before building the policy to ensure clarity and consistency.

2. Core Policy Configuration Areas

Antivirus policies cover five main areas, each with detailed options to fine-tune behavior:

2.1 Real-Time Protection

Real-time scanning intercepts threats as they execute or load. Key settings:

  • File and Process Scanning: Enable scanning of all file types and running processes.
  • Behavior Monitoring: Turn on behavioral analysis to catch new or obfuscated malware that signature scans miss.
  • Script and Macro Scanning: Inspect PowerShell, JavaScript, VBScript, and Office macros to block script-based attacks.
  • Network Files and Removable Drives: Scan shared network locations and USB devices to prevent lateral movement.

2.2 Cloud-Delivered Protection

Leveraging Microsoft’s threat intelligence in real time:

  • Cloud Protection Toggle: Activate real-time lookups of unknown files.
  • Block Level Settings: Set aggressiveness (low, medium, high) to balance false positives vs. risk tolerance.
  • MAPS Participation: Enroll in Microsoft Active Protection Service to share anonymous telemetry for improved global detection.

2.3 Scheduled Scan Behavior

Define when and how Defender performs deeper scans:

  • Full Scan Frequency: Weekly or daily scans, ideally during off-hours.
  • Quick Scan Triggers: At sign-in or on schedule to catch emerging threats at launch.
  • Archive and Email Attachment Scanning: Unpack and scan ZIP, RAR, and common email file types.
  • Resource Throttling: Limit CPU use (e.g., 20–50%) and set maximum archive depth to reduce scan time.

2.4 Exclusions and Overrides

Prevent performance or compatibility issues by excluding safe items:

  • File and Folder Paths: Exclude application directories (e.g., database data folders).
  • Process Names: Skip scanning of trusted services (e.g., backup or antivirus management agents).
  • File Extensions: Omit large or non-executable types (.iso, .bak).
  • Policy Merge (Tenant Attach): Combine exclusions from Intune and Configuration Manager without conflicts.

2.5 User Experience Controls

Choose how much user visibility and control is permitted:

  • UI Access: Decide if end users can open the Defender dashboard or view alerts.
  • Notification Suppression: Hide non-critical pop-ups to reduce helpdesk calls.
  • Tamper Protection: Prevent users or local admins from disabling protections or altering settings.

3. Building the Antivirus Policy in Intune

Follow these steps to translate your design into an Intune policy:

  1. In Microsoft Intune Admin Center, select Endpoint Security → Antivirus → Create Policy.
  2. Choose Platform (Windows 10/11 or Windows Server) and Profile (Microsoft Defender Antivirus).
  3. Name the policy (e.g., “Corp Antivirus – Pilot”) and document its purpose and scope.
  4. Configure each section:
    1. Under Real-Time Protection, enable file, script, and network scanning.
    2. In Cloud Protection, turn on cloud-delivered protection, set block level to Medium, and join MAPS.
    3. For Scan Settings, schedule full scans weekly at 2:00 AM, quick scans at logon, and limit CPU to 30%.
    4. Add exclusions for known safe paths and processes.
    5. Under User Experience, disable UI access, suppress notifications, and enable tamper protection.
  5. Assign the policy to your evaluation ring group.
  6. Review settings and create the policy.
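Once an evaluation-ring device has checked in, it is worth confirming on the endpoint itself that the settings chosen in step 4 actually took effect rather than trusting the portal status alone. The PowerShell script below is an added example, not code from the guide or from Microsoft; it reads the effective configuration with the built-in Get-MpPreference and Get-MpComputerStatus cmdlets and compares it with the baseline above (weekly full scan at 2:00 AM, 30% CPU, cloud protection and MAPS on, UI locked down, tamper protection on). The numeric encodings assumed for MAPSReporting, CloudBlockLevel, ScanParameters and ScanScheduleDay, and the one-day signature-age threshold, are assumptions to verify against your own devices; the "quick scan at logon" setting has no property checked here.

```powershell
# Added example (not from the guide): compare a device's effective Defender settings with the
# baseline designed in section 3. Read-only; run in an elevated PowerShell session on a
# Windows 10/11 device after it has received the policy.

function Test-DefenderPolicyBaseline {
    [CmdletBinding()]
    param(
        [int]      $ExpectedCpuLoad      = 30,                    # step 4: limit CPU to 30%
        [TimeSpan] $ExpectedFullScanTime = [TimeSpan]'02:00:00',  # step 4: full scans at 2:00 AM
        [int]      $MaxSignatureAgeDays  = 1                      # health threshold (assumption)
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Every check is recorded the same way so the result can be filtered or exported.
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Setting, $Observed, [bool]$Pass) {
        $checks.Add([pscustomobject]@{ Setting = $Setting; Observed = $Observed; Pass = $Pass })
    }

    # 2.1 Real-time protection
    Add-Check 'Real-time protection enabled'     $status.RealTimeProtectionEnabled          ($status.RealTimeProtectionEnabled -eq $true)
    Add-Check 'Behavior monitoring enabled'      $status.BehaviorMonitorEnabled             ($status.BehaviorMonitorEnabled -eq $true)
    Add-Check 'Script scanning enabled'          (-not $pref.DisableScriptScanning)         (-not $pref.DisableScriptScanning)
    Add-Check 'Network file scanning enabled'    (-not $pref.DisableScanningNetworkFiles)   (-not $pref.DisableScanningNetworkFiles)
    Add-Check 'Removable drive scanning enabled' (-not $pref.DisableRemovableDriveScanning) (-not $pref.DisableRemovableDriveScanning)

    # 2.2 Cloud-delivered protection. Assumed encodings: MAPSReporting 0 = off, 1 = basic, 2 = advanced;
    # CloudBlockLevel 0 = engine default, so a policy that raises the block level leaves it non-zero.
    Add-Check 'MAPS reporting on'                $pref.MAPSReporting   ($pref.MAPSReporting -ne 0)
    Add-Check 'Cloud block level above default'  $pref.CloudBlockLevel ($pref.CloudBlockLevel -ne 0)

    # 2.3 Scheduled scans. Assumed encodings: ScanParameters 2 = full scan;
    # ScanScheduleDay 1..7 = one weekday (0 = every day, 8 = never).
    Add-Check 'Scheduled scan type is full'      $pref.ScanParameters       ($pref.ScanParameters -eq 2)
    Add-Check 'Full scan runs weekly'            $pref.ScanScheduleDay      ($pref.ScanScheduleDay -ge 1 -and $pref.ScanScheduleDay -le 7)
    Add-Check 'Full scan time'                   $pref.ScanScheduleTime     ($pref.ScanScheduleTime -eq $ExpectedFullScanTime)
    Add-Check 'Average CPU load factor'          $pref.ScanAvgCPULoadFactor ($pref.ScanAvgCPULoadFactor -eq $ExpectedCpuLoad)
    Add-Check 'Archive scanning enabled'         (-not $pref.DisableArchiveScanning) (-not $pref.DisableArchiveScanning)
    Add-Check 'Email scanning enabled'           (-not $pref.DisableEmailScanning)   (-not $pref.DisableEmailScanning)

    # 2.5 User experience
    Add-Check 'UI lockdown (no end-user UI)'     $pref.UILockdown          ($pref.UILockdown -eq $true)
    Add-Check 'Tamper protection'                $status.IsTamperProtected ($status.IsTamperProtected -eq $true)

    # Engine health: stale signatures usually mean the device is not reaching update sources.
    Add-Check 'Signature age (days)'             $status.AntivirusSignatureAge ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)

    return $checks
}

$results = Test-DefenderPolicyBaseline
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) deviate from the baseline; review the assignment before widening the ring." -f $failed.Count)
}
```

Run it on a handful of evaluation-ring devices and keep the table with the ring's sign-off; a setting that reads correctly in the portal but fails here typically points at a conflicting Configuration Manager or Group Policy setting rather than at Intune itself.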

4. Phased Deployment and Validation

After creating the policy:

  • Evaluation Ring: Monitor CPU impact, false positives, and support tickets for a small lab group. Adjust exclusions or scan schedules as needed.
  • Pilot Ring: Expand to 5–10% of endpoints across various departments. Validate that cloud protection and MAPS reporting work without network issues.
  • Broad Rollout: Once pilot results are satisfactory, assign the policy to all remaining device groups.

Use Intune’s Device Status and Reports to track policy application success and remediation actions.

5. Monitoring, Reporting, and Continuous Improvement

Antivirus is not “set and forget.” Ongoing tasks include:

  • Threat Reports: In Endpoint Security → Antivirus → Reports, review active malware detections, agent health, and scan coverage.
  • Alerting: Configure email or Teams notifications for high-severity detections.
  • Exclusion Audits: Quarterly review of exclusion lists to ensure they remain necessary and safe.
  • Policy Updates: Adjust block levels or scan frequencies based on emerging threats or performance data.
  • Integration Checks: For tenant attach, confirm Configuration Manager collections receive the same policy settings without override.
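The exclusion guidance in section 2.4 and the quarterly exclusion audit above both come down to the same question: does any entry on the list cover a location, file type or process that untrusted code could use? The PowerShell script below is an added example, not code from the guide or from Microsoft. It reads the live exclusion lists through Get-MpPreference (or an object you pass in, so an exported list can be reviewed offline) and flags whole drives, user-writable folders, executable extensions and general-purpose host processes. The pattern lists are a constructed starting point, not a complete or authoritative catalogue.

```powershell
# Added example (not from the guide): audit Defender exclusions and flag entries broad enough to
# undermine the policy. Read-only. The patterns are a constructed starting list; extend them for
# your environment.

function Get-RiskyDefenderExclusion {
    [CmdletBinding()]
    param(
        # Defaults to the device's live configuration. Pass any object with ExclusionPath,
        # ExclusionExtension and ExclusionProcess properties to audit an exported list instead.
        $Preference = (Get-MpPreference)
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Type, [string]$Value, [string]$Reason) {
        $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value; Reason = $Reason })
    }

    # Path exclusions: a whole volume or share, or anything a standard user can write to, is too broad.
    $broadPathPatterns = @(
        @{ Pattern = '^[A-Za-z]:\\?$';                                  Reason = 'excludes an entire drive' }
        @{ Pattern = '^\\\\[^\\]+\\[^\\]+\\?$';                         Reason = 'excludes an entire network share' }
        @{ Pattern = '(?i)\\Users\\[^\\]+\\?$';                         Reason = 'excludes a whole user profile' }
        @{ Pattern = '(?i)\\(Downloads|Desktop|AppData|Temp)\\?$';      Reason = 'user-writable location' }
        @{ Pattern = '(?i)^[A-Za-z]:\\(ProgramData|Windows\\Temp)\\?$'; Reason = 'world-writable system folder' }
    )
    foreach ($path in @($Preference.ExclusionPath)) {
        if (-not $path) { continue }
        foreach ($rule in $broadPathPatterns) {
            if ($path -match $rule.Pattern) { Add-Finding 'Path' $path $rule.Reason; break }
        }
        if ($path -match '\*') { Add-Finding 'Path' $path 'wildcard path; confirm it cannot match user-controlled locations' }
    }

    # Extension exclusions apply to every path, so executable and script types should never appear.
    $executableExtensions = 'exe','dll','sys','ps1','psm1','vbs','js','jse','wsf','bat','cmd','scr','com','msi','hta'
    foreach ($ext in @($Preference.ExclusionExtension)) {
        if (-not $ext) { continue }
        if ($executableExtensions -contains $ext.TrimStart('.').ToLowerInvariant()) {
            Add-Finding 'Extension' $ext 'executable or script type excluded for all paths'
        }
    }

    # Process exclusions skip files opened by that process, so excluding a general-purpose host
    # (shell, script engine, service host) removes scanning for everything run through it.
    $genericHosts = 'powershell','pwsh','cmd','wscript','cscript','mshta','rundll32','regsvr32','explorer','svchost','msiexec'
    foreach ($proc in @($Preference.ExclusionProcess)) {
        if (-not $proc) { continue }
        $name = [IO.Path]::GetFileNameWithoutExtension($proc).ToLowerInvariant()
        if ($genericHosts -contains $name) { Add-Finding 'Process' $proc 'general-purpose host process excluded' }
        if (-not [IO.Path]::IsPathRooted($proc)) {
            Add-Finding 'Process' $proc 'unqualified name; any binary with this name is excluded wherever it runs'
        }
    }

    return $findings
}

# Constructed sample to show the output shape. Call Get-RiskyDefenderExclusion with no argument
# to audit the local device instead.
$sample = [pscustomobject]@{
    ExclusionPath      = @('D:\SQLData', 'C:\Users\alice\Downloads', 'C:\')
    ExclusionExtension = @('.bak', '.iso', '.exe')
    ExclusionProcess   = @('C:\Program Files\Backup\agent.exe', 'powershell.exe')
}
Get-RiskyDefenderExclusion -Preference $sample | Format-Table -AutoSize
```

With the constructed sample, the database folder and the backup agent pass while the Downloads folder, the bare drive, the .exe extension and the unqualified PowerShell process are each reported with a reason. For the quarterly audit, run it against every device group that carries its own exclusion set and attach the findings to the review; for tenant attach, run it on a device from each Configuration Manager collection as well, since the merged list is what the engine actually enforces.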

6. Troubleshooting Common Issues

  • Policy Not Applying: Verify device enrollment status and group assignments. Check that devices check in with MDM regularly.
  • High CPU During Scans: Lower CPU throttle, reduce archive depth, or reschedule full scans to less busy times.
  • False Positives: Identify affected files/processes and add targeted exclusions.
  • Cloud Protection Errors: Ensure devices can reach Microsoft’s cloud endpoints and have correct time synchronization.
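Each of the four cases above is diagnosed from evidence that already exists on the device. The PowerShell script below is an added example, not code from the guide or from Microsoft; it gathers that evidence in one pass: recent MDM enrollment-client errors and Defender configuration-change events for "policy not applying", the throttling settings and last scan times for "high CPU", detection and action events for "false positives", and Microsoft's built-in MAPS connectivity test plus the clock state for "cloud protection errors". The log names, the MpCmdRun.exe location and the event IDs (1116 detection, 1117 action taken, 5007 configuration change) are the documented Windows 10/11 and Defender values as far as I know them; treat them as assumptions to confirm on your build.

```powershell
# Added example (not from the guide): collect the evidence for the four troubleshooting cases from
# one device. Read-only; run in an elevated PowerShell session. Log names, event IDs and the
# MpCmdRun.exe path are assumed to match the documented Windows 10/11 defaults.

function Get-DefenderTriageReport {
    [CmdletBinding()]
    param([int]$LookbackDays = 7)

    $since  = (Get-Date).AddDays(-$LookbackDays)
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $report = [ordered]@{}

    # --- Policy not applying: errors from the MDM enrollment client and Defender config changes ---
    $mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $report.MdmErrors = @(Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object -First 10 TimeCreated, Id, Message)
    # Event 5007 is written for every Defender configuration change; none after a policy change
    # usually means the settings never reached the device.
    $defLog = 'Microsoft-Windows-Windows Defender/Operational'
    $report.ConfigChanges = @(Get-WinEvent -FilterHashtable @{ LogName = $defLog; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object -First 10 TimeCreated, Message)

    # --- High CPU during scans: the settings that govern throttling and when the last scan ran ---
    $report.ScanThrottling = [pscustomobject]@{
        AvgCpuLoadFactor  = $pref.ScanAvgCPULoadFactor
        ScanOnlyIfIdle    = $pref.ScanOnlyIfIdleEnabled
        ScheduledScanTime = $pref.ScanScheduleTime
        LastFullScanStart = $status.FullScanStartTime
        LastFullScanEnd   = $status.FullScanEndTime
    }

    # --- False positives: detections (1116) and actions taken (1117) in the window ---
    $report.Detections = @(Get-WinEvent -FilterHashtable @{ LogName = $defLog; Id = @(1116, 1117); StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object -First 20 TimeCreated, Id, Message)

    # --- Cloud protection errors: built-in MAPS connectivity test and clock state ---
    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $report.MapsValidation = if (Test-Path $mpCmdRun) {
        (& $mpCmdRun -ValidateMapsConnection 2>&1 | Out-String).Trim()
    } else {
        'MpCmdRun.exe not found at the expected path'
    }
    $report.TimeSync = (w32tm /query /status 2>&1 | Out-String).Trim()

    # Engine health summary, useful context for every case above.
    $report.EngineHealth = [pscustomobject]@{
        AMServiceEnabled   = $status.AMServiceEnabled
        AMRunningMode      = $status.AMRunningMode
        SignatureAgeDays   = $status.AntivirusSignatureAge
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
    }

    return [pscustomobject]$report
}

$triage = Get-DefenderTriageReport
$triage.EngineHealth
$triage.ScanThrottling
"MAPS: " + $triage.MapsValidation
"Time: " + $triage.TimeSync
$triage.MdmErrors     | Format-Table -AutoSize
$triage.ConfigChanges | Format-Table -Wrap
$triage.Detections    | Format-Table -Wrap
```

Pipe the returned object to Export-Clixml or ConvertTo-Json when collecting from several devices so the evidence can be compared side by side; a MAPS validation failure on one site with a healthy clock and no MDM errors, for example, points at network egress rather than at the policy.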

By methodically planning, configuring detailed settings, validating in phased rings, and monitoring outcomes, you’ll deploy Microsoft Defender Antivirus policies that deliver strong protection without compromising system performance or user productivity. Continuous review and adjustment ensure your antivirus posture evolves alongside your organization’s needs and the threat landscape.
