This Library Item is available for Windows devices
The Microsoft Defender Library Item lets you configure and enforce settings for Microsoft Defender on Windows devices. This profile helps you manage antivirus, antispyware, and threat protection policies, along with configuration options for scanning, monitoring, network protection, updates, and exclusions. This ensures consistent endpoint protection across your organization.
For detailed information on functionality, settings, and deployment considerations, see Microsoft’s official Microsoft Defender for Endpoint documentation.

Create a Microsoft Defender Profile Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1. Navigate to Library

Navigate to the Library and select Add Library Item.

2. Select Microsoft Defender

Search for and select Microsoft Defender.

3. Configure the Library Item

Give the Library Item a Name.

4. Assign to Blueprints

Assign it to one or more Blueprints.

Settings

The following settings are available for Microsoft Defender.
  • Allow archive scanning: Scans for malicious software and unwanted software in archive files such as .ZIP or .CAB.
  • Allow behavior monitoring: Enables behavior monitoring.
  • Allow cloud protection: Joins Microsoft MAPS to send information about malicious or potentially unwanted software.
  • Allow email scanning: Enables e-mail scanning to parse mailboxes and attachments.
  • Allow full scan on mapped network drives: Enables scanning of mapped network drives.
  • Allow full scan on removable drive scanning: Controls whether removable drives (e.g., USB) are included in scans.
  • Allow intrusion prevention system: Allow or disallow Intrusion Prevention functionality.
  • Allow IO AV protection: Enables scanning for all downloaded files and attachments.
  • Allow on access protection: Enables monitoring for file and program activity.
  • Allow realtime monitoring: Allow or disallow Defender real-time monitoring functionality.
  • Allow scanning network files: Allow scanning of network files.
  • Allow script scanning: Allow or disallow Defender script scanning functionality.
  • Allow user UI access: Controls whether the Defender UI is visible to users.
  • Attack surface reduction only exclusions: Exclude files and paths from Attack Surface Reduction (ASR) rules.
  • Configure Average CPU load factor: Configure maximum CPU utilization during a scan.
  • Check for signatures before running scan: Manage whether a check for new security intelligence occurs before running scans.
  • Specify days to retain cleaned malware: Define the number of days items remain in Quarantine before removal.
  • Disable catchup full scan: Configure catch-up scans for missed scheduled full scans.
  • Disable catchup quick scan: Configure catch-up scans for missed scheduled quick scans.
  • Enable controlled folder access: Enable or disable controlled folder access for untrusted applications.
  • Enable low CPU priority: Enable low CPU priority for scheduled scans.
  • Enable network protection: Enable or disable Exploit Guard network protection.
  • Excluded extensions: Specify file extensions to ignore during a scan. One extension per line.
  • Excluded paths: Specify file paths to ignore during a scan. One directory path per line.
  • Excluded processes: Specify processes to ignore during a scan. One process per line.
  • PUA protection: Enable or disable detection for potentially unwanted applications.
  • Scan parameter: Specify the scan type for scheduled scans.
  • Schedule quick scan time: Specify the time of day to perform a daily quick scan.
  • Schedule scan day: Specify the day(s) of the week for scheduled scans.
  • Schedule scan time: Specify the time of day for scheduled scans.
  • Threat severity default action (Low, Medium, High, Severe): Customize which automatic remediation action will be taken for each threat alert level.
  • Engine updates channel: Specify when devices receive Defender engine updates.
  • Platform updates channel: Specify when devices receive Defender platform updates.
  • Security intelligence updates channel: Specify when devices receive security intelligence updates.
  • Security intelligence update day: Specify the day of the week for security intelligence updates.
  • Security intelligence update time: Specify the time of day for security intelligence updates.
  • Signature update file shares sources: Configure UNC file share sources for security intelligence updates.
  • Signature update interval: Specify the interval in hours for security intelligence updates.
  • Allow metered connection updates: Allow managed devices to update through metered connections.
  • Archive max depth: Specify maximum folder depth to extract from archive files.
  • Archive max size: Specify maximum archive file size to scan.
  • CPU throttling: Apply CPU usage limits to scans.
  • Days until aggressive catchup quick scan: Configure how many days can pass before an aggressive catch-up scan is triggered.
  • Disable cache maintenance: Configure whether cache maintenance is performed.
  • Disable core ECS integration: Turn off ECS integration for Defender core service.
  • Disable core service telemetry: Stop Defender core service telemetry collection.
  • Disable CPU throttle on idle scans: Configure whether CPU is throttled for idle-time scans.
  • Disable gradual release: Disable staged rollout of Defender updates.
  • Disable local admin merge: Prevent local admins from overriding policy with preference settings.
  • Enable file hash computation: Enable or disable computation of file hashes for scanned files.
  • Enable performance mode: Configure Defender performance mode.
  • Excluded IP addresses for wdnisdrv packet inspection: Exclude IP addresses from packet inspection. One IP per line.
  • Hide exclusions from local users: Control whether exclusions are visible to local users.
  • Intel TDT integration level: Configure Intel TDT integration level.
  • OOBE: Enable RTP and signature updates: Configure whether real-time protection and updates are enabled during Out of Box Experience.
  • Passive remediation: Configure automatic remediation for Sense scans.
  • Scan excluded files and directories during quick scans: Configure whether excluded items are included in quick scans.
  • Randomize schedule task times: Randomize the start time of scheduled scans by 0–23 hours.
  • Scan only if idle: Run scheduled scans only if the system is idle.
  • Enable Device Control: Control the Device Control feature.
  • Allow network protection down level: Configure whether network protection can be set on down-level Windows.
  • Allow switch to async inspection: Configure whether to use asynchronous inspection.
  • Disable UDP processing for Network Protection: Disable UDP inspection.
  • Disable DNS over TCP parsing: Disable DNS over TCP parsing.
  • Disable DNS parsing: Disable DNS parsing.
  • Disable FTP parsing: Disable FTP parsing.
  • Disable HTTP parsing: Disable HTTP parsing.
  • Disable inbound connection filtering: Disable inbound connection filtering.
  • Disable network protection performance telemetry: Disable network protection telemetry.
  • Disable QUIC parsing: Disable QUIC parsing.
  • Disable RDP parsing: Disable RDP parsing.
  • Disable SMTP parsing: Disable SMTP parsing.
  • Disable SSH parsing: Disable SSH parsing.
  • Disable TLS parsing: Disable TLS parsing.
  • Convert warn to block: Configure whether network protection blocks traffic instead of displaying a warning.
  • Enable UDP receive offload: Enable UDP receive offload.
  • Enable UDP segmentation offload: Enable UDP segmentation offload.
  • Network Protection reputation mode: Set reputation mode engine for Network Protection.
  • Brute Force protection mode: Detect and block brute-force attempts to forcibly sign in and initiate sessions.
  • Remote encryption protection mode: Detect and block attempts to replace local files with encrypted versions from another device.
  • Allow datagram processing on Windows server: Control Datagram inspection on Windows Server.
  • Allow network protection on Windows server: Configure whether Network Protection can be set on Windows Server.
  • Real time scan direction: Configure monitoring for incoming and outgoing files on servers.

Deployment Notes

  • Review exclusions carefully to avoid reducing security coverage. Review information on how to configure exclusions in the Microsoft Defender documentation.
  • Coordinate Defender policy settings with any third-party endpoint protection to prevent conflicts.
  • Test configurations in a pilot group before broad deployment.
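
One way to carry out the exclusion review on a pilot device, as an added example (not Iru or Microsoft code): the function flags excluded paths, extensions and processes that are broad enough to warrant a second look. The function name `Test-DefenderExclusion` and its heuristics are assumptions of this example; `Get-MpPreference` and its `ExclusionPath`, `ExclusionExtension` and `ExclusionProcess` properties come from the Defender PowerShell module.

```powershell
# Added example: flag Defender exclusions broad enough to deserve a second look.
# The heuristics are this example's assumptions, not Microsoft or Iru rules.
function Test-DefenderExclusion {
    param([string[]]$Path = @(), [string[]]$Extension = @(), [string[]]$Process = @())

    # Extensions that carry executable or script content.
    $riskyExt  = 'exe','dll','sys','ps1','bat','cmd','vbs','js','msi','scr'
    # Script hosts and loaders: excluding them exempts whatever they open.
    $riskyProc = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe',
                 'cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe'

    foreach ($p in $Path) {
        $reason = switch -Regex ($p) {
            '^[A-Za-z]:\\?$' { 'whole drive excluded'; break }
            '[*?]'           { 'wildcard in path'; break }
            '\\(Temp|Downloads|AppData)(\\|$)' { 'user-writable location'; break }
            '%(TEMP|TMP|APPDATA|LOCALAPPDATA|USERPROFILE)%' { 'user-writable location'; break }
        }
        if ($reason) { [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = $reason } }
    }
    foreach ($e in $Extension) {
        # Normalise ".ps1", "*.ps1" and "ps1" to the same form before comparing.
        if ($riskyExt -contains ($e -replace '^[*.]+', '')) {
            [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'executable or script type' }
        }
    }
    foreach ($x in $Process) {
        # Compare on the image name so full paths and bare names both match.
        if ($riskyProc -contains ($x -split '[\\/]')[-1]) {
            [pscustomobject]@{ Type = 'Process'; Value = $x; Reason = 'script host or loader' }
        }
    }
}

# Constructed sample values so the block runs anywhere. On a pilot device, from an
# elevated session, feed the effective policy instead:
#   $pref = Get-MpPreference
#   Test-DefenderExclusion -Path $pref.ExclusionPath `
#       -Extension $pref.ExclusionExtension -Process $pref.ExclusionProcess
Test-DefenderExclusion `
    -Path 'C:\', 'C:\Users\*\AppData\Local\Temp', 'D:\BuildCache\objects' `
    -Extension '.log', 'ps1' `
    -Process 'C:\Tools\backup-agent.exe', 'wscript.exe' |
    Format-Table -AutoSize
```

Run it elevated on the pilot device, since the Hide exclusions from local users setting above controls whether non-administrators can see the exclusion lists.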