Merge pull request #3352 from YongRhee-MSFT/docs-editor/mde-security-settings-manageme-1743615967

Ruchika-mittal01 · web-flow · commit 71af62ef21b4 · 2025-04-03T02:26:07.000+05:30
Update mde-security-settings-management.md
diff --git a/defender-endpoint/mde-security-settings-management.md b/defender-endpoint/mde-security-settings-management.md
@@ -8,7 +8,7 @@ manager: deniseb
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.topic: how-to
-ms.date: 02/18/2025
+ms.date: 04/02/2025
 ms.collection: 
 - m365-security
 - tier2
@@ -35,14 +35,14 @@ ms.custom:
 - macOS
 - Linux
 
-Use the Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus security policies on devices. 
+This article describes how to manage Microsoft Defender Antivirus security policies on devices with Defender for Endpoint Security Settings Management (in the [Microsoft Defender portal](https://security.microsoft.com)). 
 
-### Prerequisites:
+### Prerequisites
 
 Review the prerequisites [here](/mem/intune/protect/mde-security-integration). 
 
 > [!NOTE]
-> The **Endpoint Security Policies** page in  the Microsoft Defender portal is available only for [users with the Security Administrator role assigned](assign-portal-access.md). Any other user role, such as Security Reader, can't access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in the scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and the Microsoft Defender portal.
+> The **Endpoint Security Policies** page in the Microsoft Defender portal is available only for [users with the Security Administrator role assigned](assign-portal-access.md). Any other user role, such as Security Reader, can't access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in the scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and the Microsoft Defender portal.
 
 As a security administrator, you can configure different Microsoft Defender Antivirus security policy settings in the [Microsoft Defender portal](https://security.microsoft.com).
 
@@ -67,7 +67,7 @@ The following list provides a brief description of each endpoint security policy
 
 ## Create an endpoint security policy
 
-1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) using at least a Security Administrator role.
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) using an account with at least the Security Administrator role assigned.
 
 2. Select **Endpoints** > **Configuration management** > **Endpoint security policies** and then select **Create new Policy**. 
 
@@ -130,13 +130,14 @@ During an investigation, you can also view the **Security policies** tab in the
 |Allow On Access Protection|Allowed|
 |PUA Protection|PUA Protection on|
 
-For more information, see:
+For more information, see the following articles:
+
 - [Advanced technologies at the core of Microsoft Defender Antivirus](/defender-endpoint/adv-tech-of-mdav)
 - [Enable and configure Microsoft Defender Antivirus always-on protection](/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
 - [Behavior monitoring in Microsoft Defender Antivirus](/defender-endpoint/behavior-monitor)
 - [Detect and block potentially unwanted applications](/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
 
-1. **Cloud protection features**:
+**Cloud protection features**:
 
 |Description|Setting|
 |---|---|
@@ -168,19 +169,18 @@ For more information, see [Configure Microsoft Defender Antivirus scanning optio
 |Description|Setting|
 |---|---|
 |Signature Update Interval|Configured, 4|
-|Signature Update Fallback Order|InternalDefinitionUpdateServer |
-|MicrosoftUpdateServer | MMPC|
+|Signature Update Fallback Order| MicrosoftUpdateServer <br/> InternalDefinitionUpdateServer <br/> MMPC|
 |Signature Update File Shares Sources | Not configured|
 |Metered Connection Updates | Not allowed (default)|
 |Security Intelligence Updates Channel | Not configured|
 
 > [!NOTE]
-> Where:
-> 'InternalDefinitionUpdateServer' is WSUS with Microsoft Defender Antivirus updates allowed.
-> 'MicrosoftUpdateServer' is Microsoft Update (formerly Windows Update).
-> 'MMPC' is Microsoft Defender security intelligence center (WDSI formerly Microsoft Malware Protection Center) https://www.microsoft.com/en-us/wdsi/definitions.
+> `InternalDefinitionUpdateServer` is WSUS with Microsoft Defender Antivirus updates allowed.
+> `MicrosoftUpdateServer` is Microsoft Update (formerly Windows Update).
+> `MMPC` is Microsoft Defender security intelligence center (WDSI formerly Microsoft Malware Protection Center) https://www.microsoft.com/en-us/wdsi/definitions.
+
+For more information, see the following articles:
 
-For more information, see:
 - [Microsoft Defender Antivirus security intelligence and product updates](/defender-endpoint/microsoft-defender-antivirus-updates)
 - [Update channels for security intelligence updates](/defender-endpoint/manage-gradual-rollout)
 
@@ -238,7 +238,8 @@ For more information, see [Manage the gradual rollout process for Microsoft Defe
 > In this example, a quick scan runs for Windows clients on Wednesday's at 5:00 PM. (1020).
 > And for Windows Servers, on Saturday's at 1:00 AM. (60)
 
-For more information, see:
+For more information, see the following articles:
+
 - [Configure scheduled quick or full Microsoft Defender Antivirus scans](/defender-endpoint/schedule-antivirus-scans)
 - [Microsoft Defender Antivirus full scan considerations and best practices](/defender-endpoint/mdav-scan-best-practices)
 
@@ -250,31 +251,26 @@ For more information, see:
 |Remediation action for Severe threats|Quarantine|
 |Remediation action for Low severity threats|Quarantine|
 |Remediation action for Moderate severity threats|Quarantine|
-
-|Description|Setting|
-|---|---|
 |Days To Retain Cleaned Malware|Configured, 60|
-|Allow User UI Access|Allowed.  Let users access UI.|
+|Allow User UI Access|Allowed. Let users access UI.|
 
 For more information, see [Configure remediation for Microsoft Defender Antivirus detections](/defender-endpoint/configure-remediation-microsoft-defender-antivirus).
 
 **Antivirus exclusions:**
 
 ***Local administrator merge behavior***:
 
-Disable local administrator AV settings such as exclusions, and set the policies from the Microsoft Defender for Endpoint Security Settings Management as described in the following table:
+Disable local administrator antivirus settings, such as exclusions, and set the policies using Defender for Endpoint Security Settings Management, as described in the following table:
 
 |Description|Setting|
 |---|---|
 |Disable Local Admin Merge|Disable Local Admin Merge|
-
-|Description|Setting|
-|---|---|
 |Excluded Extensions | Add as needed for working around false positives (FPs) and/or troubleshooting high cpu utilizations in MsMpEng.exe |
 |Excluded Paths | Add as needed for working around false positives (FPs) and/or troubleshooting high cpu utilizations in MsMpEng.exe |
 |Excluded Processes | Add as needed for working around false positives (FPs) and/or troubleshooting high cpu utilizations in MsMpEng.exe|
 
-For more information, see:
+For more information, see the following articles:
+
 - [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus)
 - [Configure custom exclusions for Microsoft Defender Antivirus](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)
 
@@ -303,22 +299,32 @@ For more information, see [Microsoft Defender Core service overview](/defender-e
 For more information, see [Use network protection to help prevent connections to malicious or suspicious sites](/defender-endpoint/network-protection).
 
 1. When you're done configuring settings, select **Next**.
+
 2. On the **Assignments** tab, select **Device Group** or **User Group** or **All devices** or **All Users**.
+
 3. Select **Next**.
+
 4. On the **Review + create** tab, review your policy settings, and then select **Save**.
 
 ### Attack Surface Reduction rules
 
 To enable Attack Surface Reduction (ASR) rules using the endpoint security policies, perform the following steps:
 
 1. Sign in to [Microsoft Defender XDR](https://sip.security.microsoft.com/).
-1. Go to **Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy**.
-1. Select **Windows 10, Windows 11, and Windows Server** from the **Select Platform** drop-down list.
-1. Select **Attack Surface Reduction Rules** from the **Select Template** drop-down list.
-1. Select **Create policy**.
-1. On the **Basics** page, enter a name and description for the profile; then, choose **Next**.
-1. On the **Configuration settings** page, expand the groups of settings and configure the settings that you want to manage with this profile.
-1. Set the policies based on the following recommended settings:
+
+2. Go to **Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy**.
+
+3. Select **Windows 10, Windows 11, and Windows Server** from the **Select Platform** drop-down list.
+
+4. Select **Attack Surface Reduction Rules** from the **Select Template** drop-down list.
+
+5. Select **Create policy**.
+
+6. On the **Basics** page, enter a name and description for the profile; then, choose **Next**.
+
+7. On the **Configuration settings** page, expand the groups of settings and configure the settings that you want to manage with this profile.
+
+8. Set the policies based on the following recommended settings:
 
    |Description|Setting|
    |---|---|
@@ -343,41 +349,53 @@ To enable Attack Surface Reduction (ASR) rules using the endpoint security polic
    |[PREVIEW] Block rebooting machine in Safe Mode|Block|
    |Enable Controlled Folder Access|Enabled|
 
-> [!TIP]
-> Any of the rules might block behavior you find acceptable in your organization. In these cases, add the per-rule exclusions named "Attack Surface Reduction Only Exclusions." Additionally, change the rule from **Enabled** to **Audit** to prevent unwanted blocks.
+   > [!TIP]
+   > Any of the rules might block behavior you find acceptable in your organization. In these cases, add the per-rule exclusions named "Attack Surface Reduction Only Exclusions." Additionally, change the rule from **Enabled** to **Audit** to prevent unwanted blocks.
+
+   For more information, see [Attack surface reduction rules deployment overview](/defender-endpoint/attack-surface-reduction-rules-deployment).
 
-For more information, see [Attack surface reduction rules deployment overview](/defender-endpoint/attack-surface-reduction-rules-deployment).
+9. Select **Next**.
 
-1. Select **Next**.
-1. On the **Assignments** tab, select **Device Group** or **User Group** or **All devices** or **All Users**.
-1. Select **Next**.
-1. On the **Review + create** tab, review your policy settings, and then select **Save**.
+10. On the **Assignments** tab, select **Device Group** or **User Group** or **All devices** or **All Users**.
+
+11. Select **Next**.
+
+12. On the **Review + create** tab, review your policy settings, and then select **Save**.
 
 
 #### Enable Tamper Protection
 
 1. Sign in to [Microsoft Defender XDR](https://sip.security.microsoft.com/).
-1. Go to **Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy**.
-1. Select **Windows 10, Windows 11, and Windows Server** from the **Select Platform** drop-down list.
-1. Select **Security Experience** from the **Select Template** drop-down list.
-1. Select **Create policy**. The **Create a new policy** page appears.
-1. On the **Basics** page, enter a name and description for the profile in the **Name** and **Description** fields, respectively.
-1. Select **Next**.
-1. On the **Configuration settings** page, expand the groups of settings.
-1. From these groups, select the settings that you want to manage with this profile.
-1. Set the policies for the chosen groups of settings by configuring them as described in the following table:
+
+2. Go to **Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy**.
+
+3. Select **Windows 10, Windows 11, and Windows Server** from the **Select Platform** drop-down list.
+
+4. Select **Security Experience** from the **Select Template** drop-down list.
+
+5. Select **Create policy**. The **Create a new policy** page appears.
+
+6. On the **Basics** page, enter a name and description for the profile in the **Name** and **Description** fields, respectively.
+
+7. Select **Next**.
+
+8. On the **Configuration settings** page, expand the groups of settings.
+
+9. From these groups, select the settings that you want to manage with this profile.
+
+10. Set the policies for the chosen groups of settings by configuring them as described in the following table:
 
    |Description| Setting|
    | -------- | -------- |
    | TamperProtection (Device) | On|
 
-For more information, see [Protect security settings with tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection).
+   For more information, see [Protect security settings with tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection).
 
 #### Check the Cloud Protection network connectivity
 
 It's important to check that the Cloud Protection network connectivity is working during your penetration testing.
 
-CMD (Run as admin)
+Open Command Prompt as an administrator, and then run the following command: 
 
 ```powershell
 cd "C:\Program Files\Windows Defender"
@@ -388,29 +406,29 @@ For more information, see [Use the cmdline tool to validate cloud-delivered prot
 
 #### Check the platform update version
 
-The latest "Platform Update" version Production channel (GA) is available in [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623+update).
+The latest Platform Update version Production channel (GA) is available in [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623+update).
 
-To check which "Platform Update" version you have installed, run the following command in PowerShell using the privileges of an administrator:
+To check which Platform Update version you have installed, run the following command in PowerShell using the privileges of an administrator:
 
 ```powershell
 Get-MPComputerStatus | Format-Table AMProductVersion
 ```
 
 #### Check the Security Intelligence Update version
 
-The latest "Security Intelligence Update" version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/defenderupdates).
+The latest Security Intelligence Update version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/defenderupdates).
 
-To check which "Security Intelligence Update" version you have installed, run the following command in PowerShell using the privileges of an administrator:
+To check which Security Intelligence Update version you have installed, run the following command in PowerShell using the privileges of an administrator:
 
 ```powershell
 Get-MPComputerStatus | Format-Table AntivirusSignatureVersion
 ```
 
 #### Check the Engine Update version
 
-The latest scan "engine update" version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/defenderupdates).
+The latest scan engine update version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/defenderupdates).
 
-To check which "Engine Update" version you have installed, run the following command in PowerShell using the privileges of an administrator:
+To check which Engine Update version you have installed, run the following command in PowerShell as an administrator:
 
 ```powershell
 Get-MPComputerStatus | Format-Table AMEngineVersion
@@ -420,27 +438,20 @@ If you find that your settings aren't taking effect, you might have a conflict.
 
 #### For False Negatives (FNs) submissions
 
-To information on how to make False Negatives (FNs) submissions, see:
+To report False Negatives (FNs), see the following articles:
 
 - [Submit files in Microsoft Defender for Endpoint](admin-submissions-mde.md) if you have Microsoft XDR, Microsoft Defender for Endpoint P2/P1, or Microsoft Defender for Business.
 - [Submit files for analysis](/unified-secops-platform/submission-guide) if you have Microsoft Defender Antivirus.
+
 ## **See also**
 
 - [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings)
-
 - [Troubleshoot Microsoft Defender Antivirus Security intelligence not getting updated](/defender-endpoint/troubleshoot-security-intelligence-not-updated)
-
 - [Troubleshooting Security Intelligence Updates from Microsoft Update source](/defender-endpoint/security-intelligence-update-tshoot)
-
 - [Troubleshoot attack surface reduction rules](/defender-endpoint/troubleshoot-asr)
-
 - [Troubleshoot network protection](/defender-endpoint/troubleshoot-np)
-
 - [Troubleshoot problems with tamper protection](/defender-endpoint/troubleshoot-problems-with-tamper-protection)
-
 - [Troubleshoot performance issues related to real-time protection](/defender-endpoint/troubleshoot-performance-issues)
-
 - [Run the client analyzer on Windows](/defender-endpoint/run-analyzer-windows)
-
 - [Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus)
-  
+
