Windows Defender Advanced Configuration
Windows Defender has evolved into a comprehensive security platform, Microsoft Defender Antivirus, providing enterprise-grade protection integrated deeply with the Windows operating system. Understanding advanced configuration options enables administrators to maximize protection while minimizing performance impact and false positives.
Configure Windows Defender through Group Policy for centralized management across domain environments. Key policy settings reside under Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus. Enable cloud-delivered protection for real-time threat intelligence:
# Send detailed telemetry to the Microsoft Active Protection Service (cloud protection)
Set-MpPreference -MAPSReporting Advanced
# Submit samples automatically; SendAllSamples also uploads documents that may contain personal data, so prefer SendSafeSamples where that matters
Set-MpPreference -SubmitSamplesConsent SendAllSamples
# Raise the cloud blocking threshold (High treats more unknown files as suspicious)
Set-MpPreference -CloudBlockLevel High
# Wait up to 50 extra seconds (the maximum) for a cloud verdict before releasing a file
Set-MpPreference -CloudExtendedTimeout 50
Exploit protection applies mitigation techniques that block common exploitation methods. Configure exploit protection through the Windows Security app or PowerShell:
# Apply system-wide default mitigations (every process inherits these unless overridden)
# The heap mitigation is named TerminateOnError, not HeapTerminate
Set-ProcessMitigation -System -Enable DEP,SEHOP,TerminateOnError
# Per-application mitigations; the low-integrity image-load mitigation is named BlockLowLabelImageLoads
Set-ProcessMitigation -Name "chrome.exe" -Enable BlockRemoteImageLoads,BlockLowLabelImageLoads
# Export the current configuration to XML, then import it on other machines
Get-ProcessMitigation -RegistryConfigFilePath exploit-protection-settings.xml
Set-ProcessMitigation -PolicyFilePath exploit-protection-settings.xml
Controlled folder access prevents unauthorized applications from modifying protected folders, defending against ransomware. Enable and configure protected folders:
# Turn on controlled folder access (use AuditMode first to see what would be blocked)
Set-MpPreference -EnableControlledFolderAccess Enabled
# Protect an additional folder beyond the default user libraries
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\CriticalData"
# Allow a trusted application to write to protected folders
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\TrustedApp\app.exe"
Monitor blocked attempts through event logs and adjust allowed applications as needed.
Attack surface reduction (ASR) rules block behaviors commonly associated with malware. Enable ASR rules progressively, starting in audit mode:
# Put every ASR rule currently configured on this host into audit mode.
# Get-MpPreference only returns rule IDs that are already configured; to cover
# every rule, replace $rules with the full rule GUID list from Microsoft's ASR reference.
$rules = @(Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids)
foreach ($rule in $rules) {
    # Add-MpPreference updates the action of a rule ID that is already present
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule -AttackSurfaceReductionRules_Actions AuditMode
}
# Enable specific rules in block mode after testing
# BE9BA2D9-... is "Block executable content from email client and webmail"
Add-MpPreference -AttackSurfaceReductionRules_Ids "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" -AttackSurfaceReductionRules_Actions Enabled
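The audit-first rollout above, as an added example that is not part of the original page: a script that tallies ASR audit events per rule and per triggering process, then lists which audit-mode rules have been quiet long enough to move to block mode. The event IDs and message fields it parses, and the -Days, -MaxHits and -Apply parameters, are assumptions of this example.

```powershell
# Added example, not from the original page: review ASR audit telemetry before
# promoting rules from AuditMode to block mode. Assumes the Defender operational
# log is readable and that event 1122 (ASR rule audited) carries the rule GUID
# after "ID:" and the process after "Process Name:" in its message text.
param(
    [int]$Days = 14,        # review window
    [int]$MaxHits = 0,      # rules with more audit hits than this stay in audit mode
    [switch]$Apply          # without -Apply the script only reports
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122                      # 1121 = blocked, 1122 = audited
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# Tally hits per rule GUID, then per process that triggered the rule.
$hits = @{}
foreach ($e in $events) {
    if ($e.Message -notmatch 'ID:\s*([0-9A-Fa-f-]{36})') { continue }
    $ruleId = $Matches[1].ToUpper()
    $proc = if ($e.Message -match 'Process Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '<unknown>' }
    if (-not $hits.ContainsKey($ruleId)) { $hits[$ruleId] = @{} }
    $hits[$ruleId][$proc] = [int]$hits[$ruleId][$proc] + 1   # a missing key casts to 0
}

# Walk the configured rules; in the Actions array 1 = Block, 2 = AuditMode, 6 = Warn.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($actions[$i] -ne 2) { continue }
    $id    = $ids[$i].ToUpper()
    $count = 0
    if ($hits.ContainsKey($id)) { $count = ($hits[$id].Values | Measure-Object -Sum).Sum }
    if ($count -le $MaxHits) {
        Write-Host "$id : $count audit hits in $Days days, ready for block mode"
        if ($Apply) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
        }
    } else {
        Write-Host "$id : $count audit hits, keep in audit mode; top processes:"
        $hits[$id].GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 5 |
            ForEach-Object { Write-Host ("    {0,5}  {1}" -f $_.Value, $_.Key) }
    }
}
```

Run it without -Apply first and review the listed processes; a legitimate line-of-business application that shows up repeatedly needs an ASR exclusion or a fix before the rule is promoted.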