Windows Defender Protection

Why this risk matters

Windows Defender is Microsoft's built-in endpoint protection platform, and on most managed Windows fleets it is the primary defence against malware and ransomware. When real-time protection is disabled, tamper protection is off, or cloud-delivered protection is not configured, malicious code can execute on endpoints without triggering any detection.

Ransomware operators and commodity malware loaders routinely attempt to disable or degrade Defender as a first step after gaining a foothold. Without tamper protection enforced via Intune, a compromised user or local admin can turn Defender off silently, leaving the entire device unprotected while appearing healthy in basic inventory tools.

Defender's cloud-delivered protection and automatic sample submission significantly reduce the time between a new threat appearing in the wild and detection on your endpoints. Organisations that leave these features off are relying solely on local signature updates, which can lag by hours or days on a fast-moving threat.

What happens if this is abused

When Defender protection is degraded or disabled, attackers can:

  • Execute malware and ransomware payloads without triggering any endpoint detection or response alert.
  • Deploy credential harvesting tools (Mimikatz, LaZagne) that would normally be caught by real-time protection or behaviour monitoring.
  • Persist on endpoints for extended periods while security teams see a clean Defender status in dashboards, because tamper protection is not preventing local changes.
  • Move laterally across the network using tools and techniques Defender would otherwise block (e.g. LSASS memory reads, pass-the-hash, malicious PowerShell execution).

The combination of disabled real-time protection and no cloud-delivered protection creates a window where novel malware variants can run undetected until signature databases catch up, which for fast-moving ransomware campaigns can be too late.

When this is expected or acceptable

Checks to perform before taking action

Safe remediation steps

Deploy and enforce Windows Defender protection settings via Intune Endpoint Security:

  1. Audit current state — in Intune, navigate to Reports → Endpoint Security → Microsoft Defender Antivirus. Review devices where real-time protection or cloud protection is reporting as off or not configured.
  2. Create an Antivirus policy — in Endpoint Security → Antivirus, create a new policy for Windows 10/11. Set: Real-time protection = Enabled, Cloud-delivered protection = Enabled (High), Automatic sample submission = Enabled, PUA protection = Block.
  3. Enable tamper protection — in the same policy or via a separate Security Baseline, set Tamper Protection = Enabled. This prevents local changes to Defender settings even by local admins.
  4. Target a pilot group first — assign the policy to a test group of 10–20 devices. Monitor for 48 hours. Check for any line-of-business applications flagged as PUA or blocked by real-time protection.
  5. Create exclusions where needed — if legitimate software is flagged, add path or process exclusions in a targeted way. Avoid broad folder exclusions (e.g. C:\ or C:\Program Files) as these are commonly abused by attackers.
  6. Roll out to all managed devices — once the pilot is clean, assign the policy to your full device groups. Monitor the Antivirus report for compliance drift.
  7. Create a compliance policy — in Intune Compliance, add a condition requiring real-time protection to be enabled. Devices that fail this condition are marked non-compliant, so Conditional Access policies can restrict their access until Defender is restored.
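
The Intune reports in step 1 show the policy state that devices report back; a local check on an individual endpoint is useful during the pilot in step 4 and when investigating a device that drifts after step 6. The following PowerShell script is an added example and is not part of the original page or of any Microsoft tooling. It reads the built-in Defender cmdlets (Get-MpComputerStatus and Get-MpPreference) and reports any setting that diverges from the policy values described above, and it flags path exclusions that match the broad roots step 5 warns against. The three-day signature-age threshold and the list of roots treated as too broad are this example's own assumptions.

```powershell
# Added example (not from the original page): local Defender posture check.
# Run in an elevated PowerShell session on a Windows 10/11 device.

function Test-BroadExclusion {
    param([string]$Path)
    # Exclusion roots treated as "too broad" for this example (assumption; extend to taste).
    $broadRoots = @('C:\', 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows', 'C:\Users')
    $normalised = $Path.TrimEnd('\')
    foreach ($root in $broadRoots) {
        if ($normalised -ieq $root.TrimEnd('\')) { return $true }
    }
    # Any bare drive letter or drive root (e.g. D:\) is also too broad.
    return ($Path -match '^[A-Za-z]:\\?$')
}

function Get-DefenderPostureFindings {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    if (-not $status.AMServiceEnabled)          { $findings += 'Defender antimalware service is not running' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
    if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behaviour monitoring is OFF' }
    if (-not $status.IsTamperProtected)         { $findings += 'Tamper protection is OFF' }
    # Signature age threshold of 3 days is an assumption for this example.
    if ($status.AntivirusSignatureAge -gt 3)    { $findings += "Signatures are $($status.AntivirusSignatureAge) days old" }

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced. Cloud-delivered protection needs 1 or 2.
    if ($pref.MAPSReporting -eq 0)              { $findings += 'Cloud-delivered protection (MAPS) is disabled' }
    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all samples.
    if ($pref.SubmitSamplesConsent -in 0, 2)    { $findings += 'Automatic sample submission is not enabled' }
    # PUAProtection: 0 = Disabled, 1 = Block, 2 = Audit mode.
    if ($pref.PUAProtection -ne 1)              { $findings += 'PUA protection is not set to Block' }
    # CloudBlockLevel: 0 = Default, 2 = High, 4 = High+, 6 = Zero tolerance.
    if ($pref.CloudBlockLevel -lt 2)            { $findings += 'Cloud block level is below High' }

    # Flag exclusions that cover whole drives or the main Program Files / Windows trees.
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and (Test-BroadExclusion $p)) { $findings += "Overly broad path exclusion: $p" }
    }
    return $findings
}

$findings = Get-DefenderPostureFindings
if ($findings.Count -eq 0) {
    Write-Output 'Defender posture matches the enforced policy.'
} else {
    Write-Output 'Defender posture findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A device that reports clean in the Intune Antivirus report but produces findings here is the drift case the compliance policy in step 7 is meant to catch; a device that lists broad exclusions is the case step 5 is meant to avoid, and each such exclusion should be replaced with a specific path or process entry.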

Supporting documentation

Related risks and follow-on checks
