How to enable Microsoft Defender settings for Windows PC?

Microsoft Defender is the anti-malware component built into Windows that protects devices from malware and other threats. Hexnode UEM lets administrators configure a range of Microsoft Defender settings on devices enrolled in the portal. With Hexnode’s Threat Management feature for Microsoft Defender, users can work on their devices without fear of viruses, spyware, malware, or other threats.

Windows Defender Security Center (WDSC)

For Windows 10 (v1703+) and later, the Windows Defender settings are managed through the Windows Defender Security Center (WDSC). WDSC is a built-in Universal Windows Platform (UWP) app that brings together a suite of security features providing ongoing, real-time protection for Windows devices.

Note:

  • For Windows 10 (v1809+) and later, Windows Defender Security Center has been renamed Windows Security.

Configure Windows Defender Security Center settings using Hexnode MDM

Microsoft Defender Application Guard

With Hexnode, you can also configure Microsoft Defender Application Guard settings for Windows 10/11 devices. Application Guard is a security feature that protects devices from web-based attacks by enforcing browser isolation: if a user tries to open a site that the organization has not marked as trusted, Microsoft Defender Application Guard opens it in an isolated browsing session. Because the untrusted site runs in that isolated container rather than on the host, an attacker who compromises the browsing session cannot reach your enterprise data.

Notes:

  • Microsoft Defender Application Guard is supported on Windows 10 (v1709+) and later.
  • It works on Internet Explorer and Microsoft Edge.

Enable Microsoft Defender settings using Hexnode UEM

Hexnode UEM allows you to configure settings for both Microsoft Defender Application Guard and Windows Defender Security Center. To enable real-time protection of Windows devices against malware with Microsoft Defender, follow the steps below:

  1. Navigate to the Policies tab on your Hexnode UEM portal.
  2. Create a new policy by clicking the New Policy button, or select an existing policy.
  3. Go to Windows > Threat Management > Microsoft Defender > Configure. Configure the settings below according to your requirements.
  4. Microsoft Defender Application Guard Settings

    Microsoft Defender Application Guard
    Supported on: Windows 10 (v1709+)/Windows 11
    Enable this option to turn on Windows Defender Application Guard in Enterprise Mode. If enabled, Microsoft Edge or Internet Explorer will open untrusted sites only in an isolated browser container separated from the host OS. This feature prevents malicious attackers from stealing your enterprise data.

    Clipboard behavior
    Specify the direction in which content can be copied and pasted. The available options include:
    1. Completely turn off the clipboard functionality for the Application Guard: Users cannot copy and paste content between their PC and the browser.
    2. Turn On clipboard operation from an isolated session to the host: Users can copy and paste content only from the browser to their PC.
    3. Turn On clipboard operation from the host to an isolated session: Users can copy and paste content only from their PC to the browser.
    4. Turn On clipboard operation in both the directions: Users can copy and paste content between their PC and the browser in both directions.

    Warning:
    • Hexnode UEM doesn’t recommend copying content from Microsoft Edge into Application Guard, as it can create security risks.

    Clipboard settings
    Supported on: Windows 10 (v1709+)/Windows 11
    Defines the type of content that users can copy and paste between the host OS and the Application Guard environment. The available settings include:
    1. Allow copying texts: Users can copy text only.
    2. Allow copying images: Users can copy images only.
    3. Allow copying texts and images: Users can copy both text and images.

    Print behavior
    Configure this setting to decide which print types are allowed while in Application Guard. You can disable all print functionality or allow any combination of XPS, PDF, Local, and Network printing.
    1. PDF: Allows users to print as PDF and save the resulting file on the host.
    2. XPS: Allows users to print as XPS and save the resulting file on the host.
    3. Local Printers: Enables printing to local printers.
    4. Network Printers: Enables printing to existing network printers.

    Block non-enterprise content
    Specify whether to allow network traffic from Internet Explorer/Microsoft Edge to non-enterprise sites.

    Data persistence
    Enable this option to allow Application Guard to save user-downloaded files, cookies, favorites, and more, for use in future sessions. If this option is left unchecked, all user data within the Application Guard container is reset on machine restart or user log-off.

    Virtual GPU
    Supported on: Windows 10 (v1803+)/Windows 11
    Enable this setting to allow Application Guard to use the virtual GPU for improved PC performance and battery life. If disabled, Application Guard uses the CPU to render graphics and does not interact with any third-party graphics drivers or hardware.

    Save files to host
    Specify whether users can save files downloaded in Edge inside the container to the host operating system.

    Certificate Thumbprints
    Supported on: Windows 10 (v1809+)/Windows 11
    Enter your certificate thumbprints to share root certificates with the Windows Defender Application Guard container. Certificates whose thumbprint matches one of those specified are transferred into the container. You can enter multiple certificate thumbprints separated by commas.

    Access Camera and Microphone
    Supported on: Windows 10 (v1809+)/Windows 11
    Choose whether applications inside Windows Defender Application Guard are able to access the camera and microphone on the user’s device.

    Windows Defender Security Center

    Enable account protection UI
    Specify whether users can see the Account protection area in Windows Defender Security Center.
    Supported on: Windows 10 (v1803+)/Windows 11

    Enable app and browser protection UI
    Specify whether users can see the App and browser protection area in Windows Defender Security Center.
    Supported on: Windows 10 (v1709+)/Windows 11

    Disallow exploit protection override
    (Available only when the option ‘Enable app and browser protection UI’ is enabled)
    Enable this option to prevent users from customizing the Exploit protection settings in Windows Defender Security Center.
    Supported on: Windows 10 (v1709+)/Windows 11

    Enable Device security UI
    Specify whether users can see the Device security area in Windows Defender Security Center.
    Supported on: Windows 10 (v1803+)/Windows 11

    Disable TPM Firmware update warning
    (Available only if the option ‘Enable Device security UI’ is enabled)
    If left unchecked, users will see a recommendation to update their TPM firmware when Windows Defender Security Center detects vulnerable firmware.
    Supported on: Windows 10 (v1809+)/Windows 11

    Show the Security processor (TPM) troubleshooting area
    (Available only if the option ‘Enable Device security UI’ is enabled)
    Enable this option to show the Security processor troubleshooting area in Windows Defender Security Center (Windows Security).
    Supported on: Windows 10 (v1803+)/Windows 11

    Disable Clear TPM button
    (Available only if the options ‘Enable Device security UI’ and ‘Show the Security processor (TPM) troubleshooting area’ are enabled)
    Specify whether to restrict users from using the Clear TPM button available under Device security > Security processor details > Security processor troubleshooting.
    Supported on: Windows 10 (v1809+)/Windows 11

    Hide the Secure boot area
    (Available only if the option ‘Enable Device security UI’ is enabled)
    Enable this option to hide the Secure boot area in Windows Defender Security Center.
    Supported on: Windows 10 (v1803+)/Windows 11

    Notifications
    This setting specifies how Windows Defender Security Center displays notifications to users. The available options include:
    • Display all notifications
    • Display only critical notifications
    • Disable all notifications
    Supported on: Windows 10 (v1709+)/Windows 11

    Enable family UI
    Specify whether users can see the Family options area in Windows Defender Security Center.
    Supported on: Windows 10 (v1709+)/Windows 11

    Enable health UI
    Specify whether users can see the Device performance and health area in Windows Defender Security Center.
    Supported on: Windows 10 (v1709+)/Windows 11

    Enable network UI
    Specify whether users can see the Firewall and network protection area in Windows Defender Security Center.
    Supported on: Windows 10 (v1709+)/Windows 11

    Enable virus UI
    Specify whether users can see the Virus and threat protection area in Windows Defender Security Center. If this option is disabled, ‘Display all notifications’ chosen under ‘Notifications’ has no effect.
    Supported on: Windows 10 (v1709+)/Windows 11

    Hide the Ransomware data recovery area
    (Available only if the option ‘Enable virus UI’ is enabled)
    Enable this option to hide the Ransomware data recovery area in Windows Defender Security Center.
    Supported on: Windows 10 (v1803+)/Windows 11

    Enable customized toasts
    Check this option to display your contact information and company name in notifications. If you disable this option, or do not provide your Company name and at least one contact detail (Phone number/Skype ID, Email address, Help portal URL), Windows Defender Security Center displays its default notification text.
    Supported on: Windows 10 (v1709+)/Windows 11

    Enable in-app customization
    Check this option to display your contact information and company name in a contact card flyout notification in Windows Defender Security Center. If you disable this option, or do not provide your Company name and at least one contact detail (Phone number/Skype ID, Email address, Help portal URL), Windows Defender Security Center does not display the contact card flyout notification.
    Supported on: Windows 10 (v1709+)/Windows 11

    Company name
    Enter the company name that is displayed to users. The options ‘Enable customized toasts’ and ‘Enable in-app customization’ require this field in order to display the contact information.
    Note: Devices will not display the contact options if:
    • The Company name is not provided.
    • The option ‘Enable customized toasts’ or ‘Enable in-app customization’ is unchecked.
    Supported on: Windows 10 (v1709+)/Windows 11

    Email address
    Specify the email address that is displayed to users. Email actions are generally initiated using the default mail app.
    Note: Devices will not display the contact options if:
    • An Email address is not provided.
    • The option ‘Enable customized toasts’ or ‘Enable in-app customization’ is unchecked.
    Supported on: Windows 10 (v1709+)/Windows 11

    Phone number/Skype ID
    Specify the phone number or Skype ID that is displayed to users. Calls are generally initiated using the Skype app.
    Note: Devices will not display the contact options if:
    • A Phone number/Skype ID is not provided.
    • The option ‘Enable customized toasts’ or ‘Enable in-app customization’ is unchecked.
    Supported on: Windows 10 (v1709+)/Windows 11

    Help portal URL
    Specify the help portal URL that is displayed to users. The default browser is used to load the help portal URL. It must start with https://, http://, or ftp://.
    Note: Devices will not display the contact options if:
    • The Help portal URL is not provided.
    • The option ‘Enable customized toasts’ or ‘Enable in-app customization’ is unchecked.
    Supported on: Windows 10 (v1709+)/Windows 11

    Hide Windows Security notification area control
    Enable this setting to hide the Windows Security notification area control.
    Note: For this setting to take effect, the user has to sign out and sign back in, or restart the computer.
    Supported on: Windows 10 (v1809+)/Windows 11

  5. Next, navigate to Policy Targets to associate the policy with the target devices.
  6. Select the required Devices/Device Groups/Users/User Groups/Domains with which the policy is to be associated.
  7. Click Save.
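After the policy is saved and pushed, an administrator usually wants to confirm that the settings actually landed on the device rather than trusting the portal status. The PowerShell script below is an added example, not part of the Hexnode article or product. It reads the Application Guard feature state and the Defender real-time protection status through documented cmdlets, and then reads the policy values the options above produce. It assumes (this is not stated on the page) that the values are readable under the ADMX-backed registry paths used by Group Policy and MDM, HKLM\SOFTWARE\Policies\Microsoft\AppHVSI and HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center, and that the clipboard and printing values use the numeric encodings given in the comments; verify those value names against the Microsoft policy reference for your build before relying on the output. Run it in an elevated PowerShell session on the enrolled device.

```powershell
# Added verification script; not part of the Hexnode article or product.
# Assumption: policy values land under the ADMX-backed registry paths below
# and use the numeric encodings noted in the comments.

$agKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
$wdscKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # An absent value means "not configured", which is not the same as 0.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Show($label, $value) {
    '{0,-46}: {1}' -f $label, $(if ($null -eq $value) { 'not configured' } else { $value })
}

# ---- Defender engine and Application Guard feature -------------------------
Show 'Real-time protection enabled' (Get-MpComputerStatus).RealTimeProtectionEnabled
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
Show 'Application Guard optional feature' $feature.State
Show 'Application Guard mode (AllowAppHVSI_ProviderSet)' (Get-PolicyValue $agKey 'AllowAppHVSI_ProviderSet')

# ---- Clipboard: direction and content type ---------------------------------
# Assumed encoding, in the same order as the article's option lists.
$clipboardDirection = @{ 0='Clipboard off'; 1='Isolated session -> host only'; 2='Host -> isolated session only'; 3='Both directions' }
$clipboardContent   = @{ 1='Text only'; 2='Images only'; 3='Text and images' }
$dir = Get-PolicyValue $agKey 'AppHVSIClipboardSettings'
$typ = Get-PolicyValue $agKey 'AppHVSIClipboardFileType'
Show 'Clipboard behavior' $(if ($null -ne $dir) { $clipboardDirection[[int]$dir] })
Show 'Clipboard content'  $(if ($null -ne $typ) { $clipboardContent[[int]$typ] })

# ---- Print behavior is a bitmask: one bit per checkbox in the portal -------
$printBits = [ordered]@{ 1='XPS'; 2='PDF'; 4='Local printers'; 8='Network printers' }
$print = Get-PolicyValue $agKey 'AppHVSIPrintingSettings'
if ($null -ne $print) {
    $allowed = @($printBits.GetEnumerator() | Where-Object { [int]$print -band $_.Key } | ForEach-Object { $_.Value })
    Show 'Print behavior' $(if ($allowed.Count) { $allowed -join ', ' } else { 'All printing disabled' })
} else { Show 'Print behavior' $null }

# ---- Remaining on/off Application Guard switches ---------------------------
foreach ($name in 'BlockNonEnterpriseContent','AllowPersistence','AllowVirtualGPU','SaveFilesToHost','AllowCameraMicrophoneRedirection') {
    Show $name (Get-PolicyValue $agKey $name)
}
Show 'CertificateThumbprints' (Get-PolicyValue $agKey 'CertificateThumbprints')

# ---- Windows Defender Security Center (Windows Security) -------------------
# Each UI area carries a UILockdown value; 1 hides the area, which corresponds
# to the matching "Enable ... UI" option being unchecked in the portal.
foreach ($area in 'Account protection','App and Browser protection','Device security','Family options',
                  'Device performance and health','Firewall and network protection','Virus and threat protection') {
    $lock = Get-PolicyValue "$wdscKey\$area" 'UILockdown'
    Show "$area area" $(if ($null -ne $lock) { if ([int]$lock -eq 1) { 'hidden' } else { 'visible' } })
}
Show 'DisallowExploitProtectionOverride' (Get-PolicyValue "$wdscKey\App and Browser protection" 'DisallowExploitProtectionOverride')
Show 'DisableNotifications'              (Get-PolicyValue "$wdscKey\Notifications" 'DisableNotifications')
Show 'DisableEnhancedNotifications'      (Get-PolicyValue "$wdscKey\Notifications" 'DisableEnhancedNotifications')
Show 'HideSystray (notification area control)' (Get-PolicyValue "$wdscKey\Systray" 'HideSystray')

# ---- Contact card: apply the article's rule for when contact options show --
# Requires a company name, at least one contact method, and at least one of
# the two customization flags; the URL must use https://, http:// or ftp://.
$cust    = "$wdscKey\Enterprise Customization"
$company = Get-PolicyValue $cust 'CompanyName'
$email   = Get-PolicyValue $cust 'Email'
$phone   = Get-PolicyValue $cust 'Phone'
$url     = Get-PolicyValue $cust 'URL'
$toasts  = Get-PolicyValue $cust 'EnableCustomizedToasts'
$inApp   = Get-PolicyValue $cust 'EnableInAppCustomization'

$problems = @()
if ([string]::IsNullOrWhiteSpace($company))       { $problems += 'Company name is empty' }
if (-not ($email -or $phone -or $url))            { $problems += 'No contact method (Email/Phone/URL) is set' }
if (-not (($toasts -eq 1) -or ($inApp -eq 1)))    { $problems += 'Neither customized toasts nor in-app customization is enabled' }
if ($url -and $url -notmatch '^(https?|ftp)://')  { $problems += "Help portal URL '$url' does not start with https://, http:// or ftp://" }

if ($problems.Count) {
    "Contact card will NOT be shown:`n - " + ($problems -join "`n - ")
} else {
    'Contact card configuration is complete'
}
```

The script treats a missing registry value as "not configured" rather than as 0, because the Hexnode options map to tri-state policies (enabled, disabled, or not set) and a silent default would hide a policy that never reached the device. If every line reports "not configured" while the portal shows the policy as applied, check policy targeting and device sync before changing any individual setting.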