Manage Windows Defender, of Windows 10, via OMA-DM

A couple of weeks ago I did a blog post about the different management options for Windows 8.1. In that specific post I already mentioned OMA-DM as a very valid method to manage Windows 8.1 and Windows 10 devices. To refresh the memories, OMA Device Management (OMA-DM) is an open management standard designed for mobile devices. The nice thing is that OMA-DM is also fully utilized in Windows 10, even the desktop version. That means that OMA-DM can be used to fully manage specific parts of a Windows 10 device.

In this post I’ll show how OMA-DM can be used to fully manage Windows Defender in Windows 10. For Windows 10 it’s possible to manage all the settings available for Windows Defender. This includes everything, from managing exclusions until blocking the access to the user interface. Managing Windows Defender can be very useful for Windows 10 devices connecting to the work resources. Also, this level of management can be useful for both personal and company owned devices.

Disclaimer: This blog post is based on a technical preview build of Windows 10 (build 10122). The configurations described in this post might change in future releases. I’ll update this post, if needed, with the next release.

Configuration

Now let’s have a look at the configuration. Actually it doesn’t differ a lot from the configurations required for managing settings on Windows Phone 8.1, but I’ll go through the required configurations anyway. I’ll go through the required configurations for both, Microsoft Intune standalone and Microsoft Intune hybrid.

Microsoft Intune standalone

The first configuration steps are for Microsoft Intune standalone. I’ll go through the high-level steps for creating the required policies and the required deployment. It shows the creation of a single OMA-URI setting, which can be used to (not) allow real-time monitoring. The creation of the other OMA-URI settings is similar and can be created by repeating step 2. A complete list of available settings can be found later in this post.

Step Configuration
1 Windows10DefenderBaseline_Conditions_The first step is to create a new Windows Custom Policy (Windows 10 and Windows 10 Mobile). Simply provide a valid name for the new configuration policy and it’s all ready for adding OMA-URI settings.
2 AllowRealtimeMonitoring_SettingThe second step is to add OMA-URI settings. This can be done by clicking the Add button and simply providing the required information. In this example I’ll create an OMA-URI setting for allowing real-time monitoring.
Setting name: Allow Realtime Monitoring
Setting description: Allows or disallows Defender’s Realtime Monitoring functionality.
Data type: Integer
OMA-URI (case sensitive): ./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
Value: 1
3 Windows10DefenderBaseline_Deployment_The third step is to create a deployment for the configuration policy. The nice thing is that this is simply the last step after providing the right configurations. Simply click the Save Policy button, click Yes and select a group.

Microsoft Intune hybrid

The last configuration steps are for Microsoft Intune hybrid. I’ll go through the high-level steps for creating the required configuration items, the required configuration baseline and the required deployment. It shows the creation of a single configuration item, that’s used for a single OMA-URI setting, which can be used to (not) allow real-time monitoring. The creation of the other configuration items is similar and can be created be repeating step 1 and 2. A complete list of available settings can be found later in this post.

Step Configuration
1 AllowRealtimeMonitoring_GeneralThe first step is to create a Configuration Item that contains the OMA URI setting. Personally, I prefer to use a configuration item per setting. In this example I’ll create an OMA-URI setting for allowing real-time monitoring.
Name: Allow Realtime Monitoring
Description: Allows or disallows Defender’s Realtime Monitoring functionality.
Setting type: OMA URI
Data type: Integer
OMA-URI (case sensitive): ./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
2 AllowRealtimeMonitoring_RuleThe second step is to add a Compliance Rule for the OMA-URI setting. In this example I’ll also create an compliance rule for allowing real-time monitoring.
Name: Rule for Allow Realtime Monitoring
Description: The following list shows the supported values:
•0 – Not allowed.
•1 (default) – Allowed.
This setting must comply with the following rule: Allow Realtime Monitoring Equals 1
Select Remediate noncompliant rules when supported.
3 Windows10DefenderBaseline_ConditionsThe third step is to create a Configuration Baseline for the created configuration items. Simply provide a valid name and use Add > Configuration Item to add the created configuration items.
4 Windows10DefenderBaseline_DeploymentThe fourth step is to create a deployment for the configuration baseline. Make sure that the configuration has Remediate noncompliant rules when supported and Allow remediation outside maintenance window selected. Also, don’t forget to add a compliance evaluation schedule, but only use every 1 hours for testing purposes.

Result

There is nothing better than looking at the results, especially with something relatively new. Below are two screenshots of the settings of Windows Defender. The first screenshot is before applying the OMA-URI settings and the second screenshot is after applying the configured OMA-URI settings. It shows that every configured setting can also not be changed anymore (besides the configuration of the exceptions). The best thing is that once the Windows 10 device is un-enrolled, the before-state will be applicable again.

Before After
10222_DefenderBefore 10222_DefenderResult

Windows Defender Settings

There are more than 30(!) settings available that can be configured via OMA-URI and are specifically targeted on Windows Defender. All of these settings are configurable via the path of ./Vendor/MSFT/Policy/Config/Defender/<PolicyName>. The following table shows the available policies including the supported and valid values. Many of these values are also available in the documentation, but I’ve noticed that many of the Allowed/ Not allowed values are switched.

PolicyName Values
AllowCloudProtection
To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AVGCPULoadFactor
Represents the average CPU load factor for the scan (in percent).
Valid values (Integer): 0–100.
DaysToRetainCleanedMalware
Time period (in days) that quarantine items will be stored on the system.
Valid values (Integer): 0–90.
AllowArchiveScanning
Allows or disallows scanning of archives.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowBehaviorMonitoring
Allows or disallows Defender’s Behavior Monitoring functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowEmailScanning
Allows or disallows scanning of email.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowFullScanOnMappedNetworkDrives
Allows or disallows a full scan of mapped network drives.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowFullScanRemovableDriveScanning
Allows or disallows a full scan of removable drives.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowIntrusionPreventionSystem
Allows or disallows Defender’s Intrusion Prevention functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowIOAVProtection
Allows or disallows Defender’s IOAVP Protection functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowOnAccessProtection
Allows or disallows Defender’s On Access Protection functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowRealtimeMonitoring
Allows or disallows Defender’s Realtime Monitoring functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowScanningNetworkFiles
Allows or disallows a scanning of network files.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowScriptScanning
Allows or disallows Defender’s Script Scanning functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowUserUIAccess
Allows or disallows user access to the Defender UI. If disallowed, all Defender notifications will also be suppressed.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
ExcludedExtensions
Allows an administrator to specify a list of file type extensions to ignore during a scan.
Each file type in the list must be separated by | (String). For example, zip|exe.
ExcludedPaths
Allows an administrator to specify a list of directory paths to ignore during a scan.
Each path in the list must be separated by | (String). For example, C:\Data|C:\Temp.
ExcludedProcesses
Allows an administrator to specify a list of files opened by processes to ignore during a scan.
Each file type must be separated by a | (String). For example, C:\Program Files\7-Zip\7zG.exe|C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe.
RealTimeScanDirection
Controls which sets of files should be monitored.
Supported values (Integer):

  • 0 (default) – Monitor all files (bi-directional).
  • 1 – Monitor incoming files.
  • 2 – Monitor outgoing files.
ScanParameter
Selects whether to perform a quick scan or full scan.
Supported values (Integer):

  • 1 (default) – Quick scan;
  • 2 – Full scan.
ScheduleQuickScanTime
Selects the time of day (in minutes) that the Defender quick scan should run.
Valid values (Integer): 0–1380
ScheduleScanDay
Selects the day that the Defender scan should run.
Supported values (Integer):

  • 0 (default) – Every day;
  • 1 – Monday;
  • 2 – Tuesday
  • 3 – Wednesday;
  • 4 – Thursday;
  • 5 – Friday;
  • 6 – Saturday;
  • 7 – Sunday;
  • 8 – No scheduled scan
ScheduleScanTime
Selects the time of day (in minutes) that the Defender scan should run.
Valid values: 0–1380 (Integer).
SignatureUpdateInterval
Specifies the interval (in hours) that will be used to check for signatures.
Valid values: 0–24 (Integer).
SubmitSamplesConsent
Checks for the user consent level in Defender to send data. If the required consent has already been granted, Defender submits them.
Supported values (Integer):

  • 0 – Always prompt;
  • 1 (default) – Send safe samples automatically;
  • 2 – Never send;
  • 3 – Send all samples automatically.

More information

For more information about all the possible configuration policies in Windows 10, see the Policy Configuration Service Provider documentation: https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962%28v=vs.85%29.aspx

4 thoughts on “Manage Windows Defender, of Windows 10, via OMA-DM

  1. Hi,
    thank you for this guide.
    Is Microsoft Intune Endpoint Protection going to be replaced by Windows Defender in the Windows 10 Final Edition?

Leave a Comment