Windows Defender Protection

Why this risk matters

Windows Defender is Microsoft's built-in endpoint protection platform, and on most managed Windows fleets it is the primary defence against malware and ransomware. When real-time protection is disabled, tamper protection is off, or cloud-delivered protection is not configured, malicious code can execute on endpoints without triggering any detection.

Ransomware operators and commodity malware loaders routinely attempt to disable or degrade Defender as a first step after gaining a foothold. Without tamper protection enforced via Intune, a compromised user or local admin can turn Defender off silently, leaving the entire device unprotected while appearing healthy in basic inventory tools.

Defender's cloud-delivered protection and automatic sample submission significantly reduce the time between a new threat appearing in the wild and detection on your endpoints. Organisations that leave these features off are relying solely on local signature updates, which can lag by hours or days on a fast-moving threat.

What happens if this is abused

When Defender protection is degraded or disabled, attackers can:

  • Execute malware and ransomware payloads without triggering any endpoint detection or response alert.
  • Deploy credential harvesting tools (Mimikatz, LaZagne) that would normally be caught by real-time protection or behaviour monitoring.
  • Persist on endpoints for extended periods while security teams see a clean Defender status in dashboards, because tamper protection is not preventing local changes.
  • Move laterally across the network using tools and techniques Defender would otherwise block (e.g. LSASS memory reads, pass-the-hash, malicious PowerShell execution).

The combination of disabled real-time protection and no cloud-delivered protection creates a window where novel malware variants can run undetected until signature databases catch up, which for fast-moving ransomware campaigns can be too late.

When this is expected or acceptable

Degraded or disabled Defender protection is only acceptable in a small number of documented configurations.

  • If a third-party EDR platform is deployed (e.g., CrowdStrike Falcon, SentinelOne), Windows Defender may be intentionally placed in passive mode. This is expected behaviour — passive mode means Defender defers real-time scanning to the third-party tool while continuing to provide some protection. Confirm the third-party agent is active and reporting before closing this finding.
  • Specific Defender exclusions for known enterprise applications (backup agents, database processes, developer build tools) may be legitimate. These should be documented, scoped narrowly to specific paths or processes, and reviewed regularly. Broad exclusions covering entire drives or parent process trees are not acceptable.
  • Tamper protection being temporarily disabled is only acceptable in very narrow scenarios where a management workflow requires it. It should be re-enabled immediately after the operation completes. Any extended period of disabled tamper protection should be treated as a high-priority finding.

Checks to perform before taking action

Before modifying Defender configuration or escalating:

  • Is a third-party EDR agent deployed on this device? Check Intune or your security console for CrowdStrike, SentinelOne, or another approved alternative. If deployed and active, confirm it is reporting detections before concluding that Defender passive mode is a risk.
  • Which Defender components are affected? Real-time protection, cloud-delivered protection, tamper protection, and network protection each have different remediation paths. Identify exactly which are disabled or degraded.
  • Are there existing documented exclusions? Review Defender exclusions applied via Intune policy for this device or its group. Flag exclusions that are excessively broad (full drive paths, parent processes, temp directories).
  • Is tamper protection disabled? If so, identify when it was disabled and by what process. Unauthorised tamper protection disablement may indicate an active compromise and should be treated as an incident, not a routine configuration fix.
  • Are there any existing Defender alerts or incidents on this device? Check Microsoft Defender for Endpoint or the Microsoft 365 Defender portal before modifying protection settings.

Safe remediation steps

Deploy and enforce Windows Defender protection settings via Intune Endpoint Security:

  1. Audit current state — in Intune, navigate to Reports → Endpoint Security → Microsoft Defender Antivirus. Review devices where real-time protection or cloud protection is reporting as off or not configured.
  2. Create an Antivirus policy — in Endpoint Security → Antivirus, create a new policy for Windows 10/11. Set: Real-time protection = Enabled, Cloud-delivered protection = Enabled (High), Automatic sample submission = Enabled, PUA protection = Block.
  3. Enable tamper protection — in the same policy or via a separate Security Baseline, set Tamper Protection = Enabled. This prevents local changes to Defender settings even by local admins.
  4. Target a pilot group first — assign the policy to a test group of 10–20 devices. Monitor for 48 hours. Check for any line-of-business applications flagged as PUA or blocked by real-time protection.
  5. Create exclusions where needed — if legitimate software is flagged, add path or process exclusions in a targeted way. Avoid broad folder exclusions (e.g. C:\ or C:\Program Files) as these are commonly abused by attackers.
  6. Roll out to all managed devices — once the pilot is clean, assign the policy to your full device groups. Monitor the Antivirus report for compliance drift.
  7. Create a compliance policy — in Intune Compliance, add a condition requiring real-time protection to be enabled. Mark non-compliant devices as non-compliant for Conditional Access purposes.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Windows Defender — Ensures Windows devices are actively protected against malware and endpoint threats with up-to-date defenses.
  • Windows Defender Antivirus Configuration — Keeps Windows devices continuously protected against malware, ransomware, and network-based threats with automatic threat removal.
  • Windows Defender Antivirus Additional Configuration — Strengthens Defender Antivirus on Windows with additional protection settings and admin-only exclusion controls.
  • Windows Defender Antivirus Security Experience — Manages the Windows Security app experience with tamper protection and controlled notification settings.

Supporting documentation

Microsoft: Configure Microsoft Defender Antivirus using Microsoft Intune - https://learn.microsoft.com/en-us/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus

Microsoft: Microsoft Defender Antivirus compatibility with other security products - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-compatibility

Microsoft: Protect security settings with tamper protection - https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection

Related risks and follow-on checks

After reviewing Windows Defender protection status, also check these related risk areas:

Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.