Antivirus
Evaluating Windows Defender Antivirus with ConfigMgr
A standard in today's threat landscape is not to rely on antivirus alone; other endpoint security mechanisms should be in place to mitigate threats. However, having a solid AV is still beneficial. In the past year, Windows Defender Antivirus (WDAV) in Windows 10 and Server 2016 has made great strides in providing next-generation antivirus protection. More and more organizations are beginning to realize this and are considering using it to displace their age-old, costly platforms.
If you're in the same position and are wondering how you might approach an evaluation of WDAV, consider the following high-level steps as I envision them. First and foremost, however, Microsoft has also published prescriptive guidance for evaluating WDAV outside of ConfigMgr, including a downloadable PDF. I recommend reviewing that information in its entirety before taking action. It is also highly advised that you watch the recent session from Ignite 2017 – Next-Gen AV: Windows Defender Antivirus unleashed – BRK3063.
- Upgrade ConfigMgr to the current branch model to support the latest Windows 10 releases (note: please first ensure that you're licensed for ConfigMgr current branch!)
- Review and pre-determine the desired WDAV settings, such as:
  - Network bandwidth settings to override any BITS restrictions. Note that BITS settings defined in these client settings override other client settings only if given a higher priority, and they affect all BITS transfers on the client, not just WDAV.
  - Auto-uninstall of other AV products
  - Real-time protection exclusions (ConfigMgr has templates available as well)
  - WDAV-specific capabilities available in Windows 10 1703, such as:
    - Cloud protection options
    - Potentially unwanted programs
    - WDAV offline scanning
    - End-user interactions with the WDAV interface
    - End-user notifications
- Follow the 5 steps outlined for setup of ConfigMgr for WDAV management, which include instructions for both server and clients, but do not cover common tasks such as using collections, reporting, or setup of RBAC:
  https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-configure
- Additional ConfigMgr server/client setup considerations:
  - Set up RBAC for ConfigMgr to provide separate administration for WDAV and SCEP:
    https://docs.microsoft.com/en-us/sccm/core/understand/fundamentals-of-role-based-administration
  - Set up separate collections for testing on non-production systems
- Optional: deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment:
  https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus
To test the WDAV deployment and functionality:
- Assign the WDAV ConfigMgr client policy to the collection
- Ensure the policy is delivered and has the appropriate priority to take effect
- Verify the prior AV is uninstalled and WDAV becomes active
- Monitor the user experience; one potential risk is that uninstalling the prior AV may require a Windows restart to unload its components from memory
- Perform AV protection tests as desired using the WDAV testground (hosted by Microsoft) as well as other standard testing by your security personnel
- Review alerts in the ConfigMgr console and reports
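As an added example (my own, not code from the original post or from Microsoft's documentation), here is a PowerShell check to run on a pilot collection member after the policy lands: it confirms WDAV is the active engine, that the cloud protection and PUA settings match what was pre-determined, that no other AV product is still registered with Security Center, and whether a reboot is pending. It assumes the Defender PowerShell module cmdlets, the root/SecurityCenter2 WMI namespace (present on client SKUs, not on Windows Server), and threshold values that are my assumptions for a pilot.

```powershell
# Added example, not from the original post. Assumes the Defender module cmdlets and, on
# client SKUs only, the root/SecurityCenter2 namespace; thresholds below are pilot assumptions.
function Test-WdavPilotState {
    param(
        [int]$MaxSignatureAgeDays = 2,    # assumption: tolerate two days of definition lag
        [int]$ExpectedMapsReporting = 2,  # 2 = Advanced MAPS (cloud protection)
        [int]$ExpectedPuaProtection = 1   # 1 = block potentially unwanted applications
    )
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. WDAV must be the active engine: service up, AV on, real-time on, definitions fresh.
    if (-not $status.AMServiceEnabled)          { $findings.Add('AM service is not running') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Definitions are $($status.AntivirusSignatureAge) days old")
    }

    # 2. The Windows 10 1703 settings the evaluation pre-determines: cloud protection and PUA.
    if ($pref.MAPSReporting -ne $ExpectedMapsReporting) { $findings.Add("MAPSReporting=$($pref.MAPSReporting)") }
    if ($pref.PUAProtection -ne $ExpectedPuaProtection) { $findings.Add("PUAProtection=$($pref.PUAProtection)") }

    # 3. Prior AV should be gone: any Security Center AV registration other than Defender is a leftover.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Where-Object { $_.displayName -notlike 'Windows Defender*' } |
            ForEach-Object { $findings.Add("Other AV still registered: $($_.displayName)") }
    } catch { $findings.Add('SecurityCenter2 namespace unavailable (normal on Windows Server)') }

    # 4. A pending reboot means the old AV's drivers or services may still be loaded in memory.
    $rebootMarkers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if (($rebootMarkers | Where-Object { Test-Path $_ }) -or $sm.PendingFileRenameOperations) {
        $findings.Add('Reboot pending; prior AV components may still be loaded')
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Ready = ($findings.Count -eq 0); Findings = $findings }
}

# Run on a pilot collection member; Ready = True means every check above passed.
Test-WdavPilotState | Format-List
```

Run it from an elevated session on each test machine and compare the Findings against the client settings you assigned; any mismatch points at policy priority or a setting that has not yet applied.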
Note: to learn more about security defense in depth, see some of these recent sessions.
- Microsoft Ignite 2017 – Enhance your security posture on Windows 10 – BRK3069
  https://www.youtube.com/watch?v=TKascj5vi38
- Learn how the Windows 10 Enterprise security defense stack, Windows Defender and Advanced Threat Protection provide a "protect way to go" by attending this webcast (November 2016)
  https://info.microsoft.com/ME-MSFT-WBNR-FY17-11Nov-06-Windows10SecurityDefenseStack-268987_Registration.html
- WDAV monitoring with Windows Analytics Update Compliance
  https://blogs.technet.microsoft.com/windowsitpro/2017/08/10/new-demo-windows-analytics-update-compliance