To use these settings, the co-management workload slider for Endpoint Protection must be set to Intune. Profile: Microsoft Defender Antivirus exclusions - Manage policy settings for only Antivirus exclusions. With this policy, you can manage settings for the Microsoft Defender Antivirus configuration service providers (CSPs) that define Antivirus exclusions. These CSPs for antivirus exclusions are also managed by the Microsoft Defender Antivirus policy, which includes identical settings for exclusions.
Settings from both policy types (Antivirus and Antivirus exclusions) are subject to policy merge, and together create a superset of exclusions for applicable devices and users.
Profile: Windows Security experience - Manage the Windows Security app settings that end users can view in the Microsoft Defender Security center and the notifications they receive. The Windows security app is used by a number of Windows security features to provide notifications about the health and security of the machine. Security app notifications include firewalls, antivirus products, Windows Defender SmartScreen, and others. The settings in this profile apply to devices that are enrolled to Endpoint Manager with Intune or Microsoft Defender for Endpoint.
The settings in this profile apply to devices that are enrolled to Endpoint Manager with Microsoft Defender for Endpoint. Manage Antivirus settings for Configuration Manager devices when you use tenant attach. Some Antivirus policy settings support policy merge.
Policy merge helps avoid conflicts when multiple policies apply to the same devices and configure the same setting. Intune evaluates the settings that policy merge supports, for each user or device as taken from all applicable policies. Those settings are then merged into a single superset of policy. For example, you create three separate antivirus policies that define different antivirus file path exclusions. Eventually, all three policies are assigned to the same user.
Because the Microsoft Defender file path exclusion CSP supports policy merge, Intune evaluates and combines the file exclusions from all applicable policies for the user. Where settings conflict instead of merging, the result can be that the user or device receives no policy for that setting at all. Antivirus policy reports display status details about your endpoint security Antivirus policies and device status.
These reports are available in the Endpoint security node of the Microsoft Endpoint Manager admin center. To view the reports, in the Microsoft Endpoint Manager admin center , go to Endpoint security and select Antivirus. Successful implementation of these recommendations depends upon your antivirus vendor and your security team. Consult them to get more specific recommendations. This article contains antivirus exclusions.
It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to various security threats. However, the following guidelines typically represent the best trade-off between security and performance. Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the tradeoffs between security and performance.
Citrix also recommends that organizations engage their antivirus and security teams to review the following guidelines before proceeding with any type of production deployment. Agent software that is installed on every provisioned virtual machine usually needs to register with a central site for management, status reporting, and other activities.
For registration to be successful, each agent needs to be uniquely identifiable. With machines provisioned from a single image using technologies such as Provisioning Services (PVS) or Machine Creation Services (MCS), it is important to understand how each agent is identified, and whether any instructions are required for virtualized environments.
Some vendors use dynamic information such as the MAC address or computer name for machine identification. Others use the more traditional approach of a random string generated during installation.
To prevent conflicting registrations, each machine needs to generate a unique identifier. Registration in non-persistent environments is often done using a startup script that automatically restores machine identification data from a persistent location.
In more dynamic environments, it is also important to understand how de-provisioning of machines behaves: whether cleanup is a manual operation or is performed automatically. Some vendors offer integration with hypervisors or even delivery controllers, where machines can be automatically created or deleted as they are provisioned.
If registration requires more steps for environments with single-image management, include these steps in your image sealing instructions, preferably as a fully automated script. Timely, consistently updated signatures are one of the most important aspects of endpoint security solutions.
Most vendors use locally cached, incrementally updated signatures that are stored on each of the protected devices. With non-persistent machines, it is important to understand how signatures are updated and where they are stored. This enables you to understand and minimize the window of opportunity for malware to infect the machine.
Especially in a situation in which updates are not incremental and can reach significant size, you might consider a deployment in which persistent storage is attached to each of the non-persistent machines to keep the update cache intact between resets and image updates. Using this approach, the window of opportunity and the performance impact of a definitions update is minimized.
Aside from signature updates for each of the provisioned machines, it is also important to define a strategy for updating the master image. Automating this process is recommended, as is updating the master image regularly with the latest signatures. This is especially important for incremental updates, where the goal is to minimize the amount of traffic required for each virtual machine. Another approach to managing signature updates in virtualized environments is to replace decentralized signatures entirely with a centralized scanning engine.
While this is primarily done to minimize the performance impact of an antivirus, it has the side benefit of centralizing signature updates as well. Recommendation: Ask your security vendor how signatures are updated in your antivirus. What is the expected size and frequency, and are updates incremental?
Are there any recommendations for non-persistent environments? An antivirus, especially if improperly configured, can have a negative impact on scalability and overall user experience. It is, therefore, important to understand the performance impact to determine what is causing it and how it can be minimized. Available performance optimization strategies and approaches are different for various antivirus vendors and implementations.
One of the most common and effective approaches is to provide centralized offloading antivirus scanning capabilities. Rather than each machine being responsible for scanning often identical samples, scanning is centralized and performed only once.
This approach is optimized for virtualized environments; however, make sure you understand its impact on high availability. Offloading scans to a dedicated appliance can be highly effective in virtualized environments. Another approach is based on pre-scanning the read-only portions of the disks, performed on the master images before provisioning. It is important to understand how this affects the window of opportunity (for example, what if a disk already contains infected files but signatures for them are not available during the pre-scan phase?).
Often, a good compromise is to combine optimized real-time scans with scheduled full scans of the system. The most common scan optimization is to focus only on the differences between virtual machines.
If you want to check the state of Microsoft Defender Antivirus on your device, you can use one of several methods, such as the Windows Security app or Windows PowerShell. To use the Windows Security app: on your Windows device, select the Start menu, begin typing Security, then open the Windows Security app in the results. To use PowerShell: select the Start menu, begin typing PowerShell, then open Windows PowerShell in the results. Passive mode is only available for devices that are onboarded to Microsoft Defender for Endpoint and that meet certain requirements.
To learn more, see Requirements for Microsoft Defender Antivirus to run in passive mode. Microsoft releases regular updates to help ensure that your devices have the latest technology to protect against new malware and attack techniques.
To learn more, see Manage Microsoft Defender Antivirus updates and apply baselines.
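The PowerShell check described above, together with the exclusion audit that the policy-merge and attack-surface passages call for, as an added example that is not part of the original documentation. It assumes a Windows device with the Defender PowerShell module present and an elevated session; the three-day signature age threshold is a constructed value.

```powershell
# Added example (not from the documentation above): audit the local Defender
# Antivirus state the text describes: running mode, signature freshness and the
# effective exclusion set. Assumes Windows with the Defender module available;
# run from an elevated PowerShell session.

$maxSignatureAgeDays = 3   # constructed threshold; adjust to your own standard

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Active vs. passive mode: passive mode only applies to devices onboarded to
# Microsoft Defender for Endpoint that meet the documented requirements.
[pscustomobject]@{
    RunningMode          = $status.AMRunningMode
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    TamperProtected      = $status.IsTamperProtected
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
} | Format-List

# Stale signatures widen the window of opportunity; pull an update if too old.
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    Write-Warning "Signatures are $($status.AntivirusSignatureAge) days old; triggering an update."
    Update-MpSignature
}

# Exclusions increase the attack surface, so list the effective set. On an
# Intune-managed device this is the merged superset of every applicable
# Antivirus and Antivirus-exclusions policy.
$exclusions = @(
    $prefs.ExclusionPath      | ForEach-Object { [pscustomobject]@{ Type = 'Path';      Value = $_ } }
    $prefs.ExclusionExtension | ForEach-Object { [pscustomobject]@{ Type = 'Extension'; Value = $_ } }
    $prefs.ExclusionProcess   | ForEach-Object { [pscustomobject]@{ Type = 'Process';   Value = $_ } }
)

if ($exclusions.Count -eq 0) {
    Write-Output 'No antivirus exclusions are visible on this device.'
} else {
    $exclusions | Sort-Object Type, Value | Format-Table -AutoSize
}
```

On a managed device the exclusion list can appear empty even when policy defines exclusions, because Defender can be configured to hide exclusions from local administrators; in that case compare against the Intune Antivirus policy reports instead.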