This article is a reference for the settings that are available in the Microsoft Defender for Endpoint security baseline for Microsoft Intune.
About this reference article
Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.
The details that display in this article are based on the baseline version you select at the top of the article. For each version, this article displays:
- A list of each setting with its configuration as found in the default instance of that baseline version.
- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a setting's use.
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:
- Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see:
Microsoft Defender for Endpoint baseline version 24H1
Microsoft Defender for Endpoint baseline for December 2020 - version 6
Microsoft Defender for Endpoint baseline for September 2020 - version 5
Microsoft Defender for Endpoint baseline for April 2020 - version 4
Microsoft Defender for Endpoint baseline for March 2020 - version 3
The Microsoft Defender for Endpoint baseline is available when your environment meets the prerequisites for using Microsoft Defender for Endpoint.
This baseline is optimized for physical devices and isn't recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive sessions on virtualized environments. For more information, see Increase compliance to the Microsoft Defender for Endpoint security baseline in the Windows documentation.
Administrative Templates
System > Device Installation > Device Installation Restrictions
Prevent installation of devices using drivers that match these device setup classes Baseline default: Enabled Learn more
Prevented Classes Baseline default: d48179be-ec20-11d1-b6b8-00c04fa372a7
Also apply to matching devices that are already installed. Baseline default: False
Windows Components > BitLocker Drive Encryption
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) Baseline default: Enabled Learn more
Important
On October 14, 2025, Windows 10 is reaching end of support and will stop receiving quality and feature updates. After October 14, 2025, Windows 10 becomes an "allowed" version in Intune. Devices running this version can still enroll in Intune and use eligible features, but functionality won't be guaranteed and can vary.
Select the encryption method for removable data drives: Baseline default: AES-CBC 128-bit (default)
Select the encryption method for operating system drives: Baseline default: XTS-AES 128-bit (default)
Select the encryption method for fixed data drives: Baseline default: XTS-AES 128-bit (default)
Windows Components > BitLocker Drive Encryption > Fixed Data Drives
Choose how BitLocker-protected fixed drives can be recovered Baseline default: Enabled Learn more
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives Baseline default: True
Allow data recovery agent Baseline default: True
Configure storage of BitLocker recovery information to AD DS Baseline default: Backup recovery passwords and key packages
Value: Allow 256-bit recovery key
Save BitLocker recovery information to AD DS for fixed data drives Baseline default: True
Omit recovery options from the BitLocker setup wizard Baseline default: True
Configure user storage of BitLocker recovery information: Baseline default: Allow 48-digit recovery password
Deny write access to fixed drives not protected by BitLocker Baseline default: Enabled Learn more
Enforce drive encryption type on fixed data drives Baseline default: Enabled Learn more
- Select the encryption type: (Device) Baseline default: Used Space Only encryption
Windows Components > BitLocker Drive Encryption > Operating System Drives
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. Baseline default: Disabled Learn more
Allow enhanced PINs for startup Baseline default: Disabled Learn more
Choose how BitLocker-protected operating system drives can be recovered Baseline default: Enabled Learn more
Omit recovery options from the BitLocker setup wizard Baseline default: True
Allow data recovery agent Baseline default: True
Value: Allow 256-bit recovery key
Configure storage of BitLocker recovery information to AD DS: Baseline default: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives Baseline default: True
Save BitLocker recovery information to AD DS for operating system drives Baseline default: True
Configure user storage of BitLocker recovery information: Baseline default: Allow 48-digit recovery password
Enable use of BitLocker authentication requiring preboot keyboard input on slates Baseline default: Enabled Learn more
Enforce drive encryption type on operating system drive Baseline default: Enabled Learn more
- Select the encryption type: (Device) Baseline default: Used Space Only encryption
Require additional authentication at startup Baseline default: Enabled Learn more
Configure TPM startup key and PIN: Baseline default: Do not allow startup key and PIN with TPM
Configure TPM startup: Baseline default: Allow TPM
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) Baseline default: False
Configure TPM startup PIN: Baseline default: Allow startup PIN with TPM
Configure TPM startup key: Baseline default: Do not allow startup key with TPM
Windows Components > BitLocker Drive Encryption > Removable Data Drives
Control use of BitLocker on removable drives Baseline default: Enabled Learn more
Allow users to apply BitLocker protection on removable data drives (Device) Baseline default: True
Enforce drive encryption type on removable data drives Baseline default: Enabled Learn more
- Select the encryption type: (Device) Baseline default: Used Space Only encryption
Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) Baseline default: False
Deny write access to removable drives not protected by BitLocker Baseline default: Enabled Learn more
- Do not allow write access to devices configured in another organization Baseline default: False
Windows Components > File Explorer
Configure Windows Defender SmartScreen Baseline default: Enabled Learn more
- Pick one of the following settings: (Device) Baseline default: Warn and prevent bypass
Windows Components > Internet Explorer
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet Baseline default: Enabled Learn more
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User) Baseline default: Enabled Learn more
Prevent managing SmartScreen Filter Baseline default: Enabled Learn more
- Select SmartScreen Filter mode Baseline default: On
BitLocker
Allow Warning For Other Disk Encryption Baseline default: Enabled Learn more
Configure Recovery Password Rotation Baseline default: Refresh on for both Azure AD-joined and hybrid-joined devices Learn more
Require Device Encryption Baseline default: Enabled Learn more
Defender
Allow Archive Scanning Baseline default: Allowed. Scans the archive files. Learn more
Allow Behavior Monitoring Baseline default: Allowed. Turns on real-time behavior monitoring. Learn more
Allow Cloud Protection Baseline default: Allowed. Turns on Cloud Protection. Learn more
Allow Email Scanning Baseline default: Allowed. Turns on email scanning. Learn more
Allow Full Scan Removable Drive Scanning Baseline default: Allowed. Scans removable drives. Learn more
Allow On Access Protection Baseline default: Allowed. Learn more
Allow Realtime Monitoring Baseline default: Allowed. Turns on and runs the real-time monitoring service. Learn more
Allow Scanning Network Files Baseline default: Allowed. Scans network files. Learn more
Allow scanning of all downloaded files and attachments Baseline default: Allowed. Learn more
Allow Script Scanning Baseline default: Allowed. Learn more
Allow User UI Access Baseline default: Allowed. Lets users access UI. Learn more
Block execution of potentially obfuscated scripts Baseline default: Block Learn more
Block Win32 API calls from Office macros Baseline default: Block Learn more
Block executable files from running unless they meet a prevalence, age, or trusted list criterion Baseline default: Block Learn more
Block Office communication application from creating child processes Baseline default: Block Learn more
Block all Office applications from creating child processes Baseline default: Block Learn more
Block Adobe Reader from creating child processes Baseline default: Block Learn more
Block credential stealing from the Windows local security authority subsystem Baseline default: Block Learn more
Block JavaScript or VBScript from launching downloaded executable content Baseline default: Block Learn more
Block Webshell creation for Servers Baseline default: Block Learn more
Block untrusted and unsigned processes that run from USB Baseline default: Block Learn more
Block persistence through WMI event subscription Baseline default: Audit Learn more
[PREVIEW] Block use of copied or impersonated system tools Baseline default: Block Learn more
Block abuse of exploited vulnerable signed drivers (Device) Baseline default: Block Learn more
Block process creations originating from PSExec and WMI commands Baseline default: Audit Learn more
Block Office applications from creating executable content Baseline default: Block Learn more
Block Office applications from injecting code into other processes Baseline default: Block Learn more
[PREVIEW] Block rebooting machine in Safe Mode Baseline default: Block Learn more
Use advanced protection against ransomware Baseline default: Block Learn more
Block executable content from email client and webmail Baseline default: Block Learn more
Check For Signatures Before Running Scan Baseline default: Enabled Learn more
Cloud Block Level Baseline default: High Learn more
Cloud Extended Timeout Baseline default: Configured Value: 50 Learn more
Disable Local Admin Merge Baseline default: Enable Local Admin Merge Learn more
Enable Network Protection Baseline default: Enabled (block mode) Learn more
Hide Exclusions From Local Admins Baseline default: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. Learn more
Hide Exclusions From Local Users Baseline default: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell. Learn more
Oobe Enable Rtp And Sig Update Baseline default: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. Learn more
PUA Protection Baseline default: PUA Protection on. Detected items are blocked. They will show in history along with other threats. Learn more
Real Time Scan Direction Baseline default: Monitor all files (bi-directional). Learn more
Scan Parameter Baseline default: Quick scan Learn more
Schedule Quick Scan Time Baseline default: Configured Value: 120 Learn more
Schedule Scan Day Baseline default: Every day Learn more
Schedule Scan Time Baseline default: Configured Value: 120 Learn more
Signature Update Interval Baseline default: Configured Value: 4 Learn more
Submit Samples Consent Baseline default: Send all samples automatically. Learn more
Device Guard
- Credential Guard Baseline default: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. Learn more
Dma Guard
- Device Enumeration Policy Baseline default: Block all (Most restrictive) Learn more
Firewall
Certificate revocation list verification Baseline default: None Learn more
Disable Stateful Ftp Baseline default: True Learn more
Enable Domain Network Firewall Baseline default: True Learn more
Allow Local Ipsec Policy Merge Baseline default: True Learn more
Disable Stealth Mode Baseline default: False Learn more
Disable Inbound Notifications Baseline default: True Learn more
Disable Unicast Responses To Multicast Broadcast Baseline default: False Learn more
Global Ports Allow User Pref Merge Baseline default: True Learn more
Disable Stealth Mode Ipsec Secured Packet Exemption Baseline default: True Learn more
Allow Local Policy Merge Baseline default: True Learn more
Enable Packet Queue Baseline default: Configured Value: Disabled Learn more
Enable Private Network Firewall Baseline default: True Learn more
Default Inbound Action for Private Profile Baseline default: Block Learn more
Disable Unicast Responses To Multicast Broadcast Baseline default: False Learn more
Disable Stealth Mode Baseline default: False Learn more
Global Ports Allow User Pref Merge Baseline default: True Learn more
Allow Local Ipsec Policy Merge Baseline default: True Learn more
Disable Stealth Mode Ipsec Secured Packet Exemption Baseline default: True Learn more
Disable Inbound Notifications Baseline default: True Learn more
Allow Local Policy Merge Baseline default: True Learn more
Default Outbound Action Baseline default: Allow Learn more
Auth Apps Allow User Pref Merge Baseline default: True Learn more
Enable Public Network Firewall Baseline default: True Learn more
Disable Stealth Mode Baseline default: False Learn more
Default Outbound Action Baseline default: Allow Learn more
Disable Inbound Notifications Baseline default: True Learn more
Disable Stealth Mode Ipsec Secured Packet Exemption Baseline default: True Learn more
Allow Local Policy Merge Baseline default: True Learn more
Auth Apps Allow User Pref Merge Baseline default: True Learn more
Default Inbound Action for Public Profile Baseline default: Block Learn more
Disable Unicast Responses To Multicast Broadcast Baseline default: False Learn more
Global Ports Allow User Pref Merge Baseline default: True Learn more
Allow Local Ipsec Policy Merge Baseline default: True Learn more
Preshared Key Encoding Baseline default: UTF8 Learn more
Security association idle time Baseline default: Configured Value: 300 Learn more
Microsoft Edge
Configure Microsoft Defender SmartScreen Baseline default: Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps Baseline default: Enabled
Enable Microsoft Defender SmartScreen DNS requests Baseline default: Enabled
Enable new SmartScreen library Baseline default: Enabled
Force Microsoft Defender SmartScreen checks on downloads from trusted sources Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads Baseline default: Enabled
Attack Surface Reduction Rules
Attack surface reduction rules support merging settings from different policies to create a superset of policy for each device. Only the settings that aren't in conflict are merged. Settings that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed.
Attack surface reduction rule merge behavior is as follows:
- Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
- Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction
- Endpoint security > Attack surface reduction policy > Attack surface reduction rules
- Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules.
- Settings that don't have conflicts are added to a superset of policy for the device.
- When two or more policies have conflicting settings, the conflicting settings aren't added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device.
- Only the configurations for conflicting settings are held back.
To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint documentation.
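The merge behavior described above, as an added example that is not Intune's own code: a small Python model that computes the per-device superset and holds back only the conflicting settings. The policy contents are constructed sample data (the rule names are taken from this page, the states are illustrative), and legacy_merge models the earlier all-or-nothing behavior the passage mentions.

```python
"""Model of the attack surface reduction (ASR) rule merge behavior.

Constructed example, not Intune's own code. Each policy is a dict mapping an
ASR rule name to the state it configures; a rule a policy leaves
"Not configured" is simply absent from that policy's dict (assumption).
"""
from collections import defaultdict

# Constructed sample policies for one device. Rule names come from the
# baseline reference on this page; the Block/Audit states are illustrative.
ENDPOINT_PROTECTION = {
    "Block all Office applications from creating child processes": "Block",
    "Block persistence through WMI event subscription": "Audit",
    "Block Win32 API calls from Office macro": "Block",
}
ASR_POLICY = {
    "Block all Office applications from creating child processes": "Block",
    # Same rule, different value: conflicts with ENDPOINT_PROTECTION.
    "Block persistence through WMI event subscription": "Block",
    "Block untrusted and unsigned processes that run from USB": "Block",
}
MDE_BASELINE = {
    "Block Win32 API calls from Office macro": "Block",
    "Block execution of potentially obfuscated scripts (js/vbs/ps)": "Block",
    "Block credential stealing from the Windows local security authority "
    "subsystem (lsass.exe)": "Block",
}

POLICIES = {
    "Endpoint protection profile": ENDPOINT_PROTECTION,
    "Attack surface reduction policy": ASR_POLICY,
    "Microsoft Defender for Endpoint baseline": MDE_BASELINE,
}


def collect(policies):
    """Group the configured value of every rule by the policy that set it."""
    configured = defaultdict(dict)  # rule -> {policy name: state}
    for policy_name, settings in policies.items():
        for rule, state in settings.items():
            configured[rule][policy_name] = state
    return configured


def merge_asr_rules(policies):
    """Current behavior: return (superset, conflicts).

    superset  - rule -> state for every rule configured in only one policy or
                configured to the same value in every policy that sets it.
    conflicts - rule -> {policy name: state} for rules configured to different
                values; only these settings are held back from the device.
    """
    superset, conflicts = {}, {}
    for rule, by_policy in collect(policies).items():
        if len(set(by_policy.values())) == 1:
            superset[rule] = next(iter(by_policy.values()))
        else:
            conflicts[rule] = dict(by_policy)
    return superset, conflicts


def legacy_merge(policies):
    """Earlier behavior: a policy involved in any conflict is flagged and none
    of its settings deploy; only policies free of conflicts are applied."""
    _, conflicts = merge_asr_rules(policies)
    flagged = {name for by_policy in conflicts.values() for name in by_policy}
    deployed = {}
    for policy_name, settings in policies.items():
        if policy_name not in flagged:
            deployed.update(settings)
    return deployed, flagged


if __name__ == "__main__":
    superset, conflicts = merge_asr_rules(POLICIES)
    print("Applied to device:")
    for rule, state in sorted(superset.items()):
        print(f"  {state:<6} {rule}")
    print("Held back (conflicting):")
    for rule, by_policy in conflicts.items():
        print(f"  {rule}: {by_policy}")
    deployed, flagged = legacy_merge(POLICIES)
    print(f"Legacy behavior would have dropped: {sorted(flagged)}")
```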
Block Office communication apps from creating child processes Baseline default: Enable Learn more
Block Adobe Reader from creating child processes Baseline default: Enable Learn more
Block Office applications from injecting code into other processes Baseline default: Block Learn more
Block Office applications from creating executable content Baseline default: Block Learn more
Block JavaScript or VBScript from launching downloaded executable content Baseline default: Block Learn more
Enable network protection Baseline default: Enable Learn more
Block untrusted and unsigned processes that run from USB Baseline default: Block Learn more
Block credential stealing from the Windows local security authority subsystem (lsass.exe) Baseline default: Enable Learn more
Block executable content download from email and webmail clients Baseline default: Block Learn more
Block all Office applications from creating child processes Baseline default: Block Learn more
Block execution of potentially obfuscated scripts (js/vbs/ps) Baseline default: Block Learn more
Block Win32 API calls from Office macro Baseline default: Block Learn more
Application Guard
For more information, see WindowsDefenderApplicationGuard CSP in the Windows documentation.
When you use Microsoft Edge, Microsoft Defender Application Guard protects your environment from sites that aren't trusted by your organization. When users visit sites that aren't listed in your isolated network boundary, the sites open in a Hyper-V virtual browsing session. Trusted sites are defined by a network boundary.
Turn on Application Guard for Edge (Options) Baseline default: Enabled for Edge Learn more
Block external content from non-enterprise approved sites Baseline default: Yes Learn more
Clipboard behavior Baseline default: Block copy and paste between PC and browser Learn more
Windows network isolation policy Baseline default: Configure Learn more
- Network domains Baseline default: securitycenter.windows.com
BitLocker
Require storage cards to be encrypted (mobile only) Baseline default: Yes Learn more
Note
Support for Windows 10 Mobile and Windows Phone 8.1 ended in August of 2020.
Enable full disk encryption for OS and fixed data drives Baseline default: Yes Learn more
BitLocker system drive policy Baseline default: Configure Learn more
- Configure encryption method for Operating System drives Baseline default: Not configured Learn more
BitLocker fixed drive policy Baseline default: Configure Learn more
Block write access to fixed data-drives not protected by BitLocker Baseline default: Yes Learn more This setting is available when BitLocker fixed drive policy is set to Configure.
Configure encryption method for fixed data-drives Baseline default: AES 128bit XTS Learn more
BitLocker removable drive policy Baseline default: Configure Learn more
Configure encryption method for removable data-drives Baseline default: AES 128bit CBC Learn more
Block write access to removable data-drives not protected by BitLocker Baseline default: Not configured Learn more
Standby states when sleeping while on battery Baseline default: Disabled Learn more
Standby states when sleeping while plugged in Baseline default: Disabled Learn more
Enable full disk encryption for OS and fixed data drives Baseline default: Yes Learn more
BitLocker system drive policy Baseline default: Configure Learn more
Startup authentication required Baseline default: Yes Learn more
Compatible TPM startup PIN Baseline default: Allowed Learn more
Compatible TPM startup key Baseline default: Required Learn more
Disable BitLocker on devices where TPM is incompatible Baseline default: Yes Learn more
Configure encryption method for Operating System drives Baseline default: Not configured Learn more
BitLocker fixed drive policy Baseline default: Configure Learn more
Block write access to fixed data-drives not protected by BitLocker Baseline default: Yes Learn more This setting is available when BitLocker fixed drive policy is set to Configure.
Configure encryption method for fixed data-drives Baseline default: AES 128bit XTS Learn more
BitLocker removable drive policy Baseline default: Configure Learn more
Configure encryption method for removable data-drives Baseline default: AES 128bit CBC Learn more
Block write access to removable data-drives not protected by BitLocker Baseline default: Not configured Learn more
BitLocker system drive policy Baseline default: Configure Learn more
Startup authentication required Baseline default: Yes Learn more
Compatible TPM startup PIN Baseline default: Allowed Learn more
Compatible TPM startup key Baseline default: Required Learn more
Disable BitLocker on devices where TPM is incompatible Baseline default: Yes Learn more
Configure encryption method for Operating System drives Baseline default: Not configured Learn more
Standby states when sleeping while on battery Baseline default: Disabled Learn more
Standby states when sleeping while plugged in Baseline default: Disabled Learn more
Enable full disk encryption for OS and fixed data drives Baseline default: Yes Learn more
BitLocker fixed drive policy Baseline default: Configure Learn more
Block write access to fixed data-drives not protected by BitLocker Baseline default: Yes Learn more This setting is available when BitLocker fixed drive policy is set to Configure.
Configure encryption method for fixed data-drives Baseline default: AES 128bit XTS Learn more
BitLocker removable drive policy Baseline default: Configure Learn more
Configure encryption method for removable data-drives Baseline default: AES 128bit CBC Learn more
Block write access to removable data-drives not protected by BitLocker Baseline default: Not configured Learn more
Browser
Require SmartScreen for Microsoft Edge Baseline default: Yes Learn more
Block malicious site access Baseline default: Yes Learn more
Block unverified file download Baseline default: Yes Learn more
Data Protection
- Block direct memory access Baseline default: Yes Learn more
Device Guard
- Turn on credential guard Baseline default: Enable with UEFI lock Learn more
Device Installation
Hardware device installation by device identifiers Baseline default: Block hardware device installation Learn more
Remove matching hardware devices Baseline default: Yes
Hardware device identifiers that are blocked Baseline default: Not configured by default. Manually add one or more device identifiers.
Hardware device installation by setup classes Baseline default: Block hardware device installation Learn more
Remove matching hardware devices Baseline default: Not configured
Hardware device identifiers that are blocked Baseline default: Not configured by default. Manually add one or more device identifiers.
Block hardware device installation by setup classes: Baseline default: Yes Learn more
Remove matching hardware devices: Baseline default: Yes
Block list Baseline default: Not configured by default. Manually add one or more setup class globally unique identifiers.
DMA Guard
- Enumeration of external devices incompatible with Kernel DMA Protection Baseline default: Block all Learn more
- Enumeration of external devices incompatible with Kernel DMA Protection Baseline default: Not configured Learn more
Endpoint Detection and Response
Sample sharing for all files Baseline default: Yes Learn more
Expedite telemetry reporting frequency Baseline default: Yes Learn more
Firewall
Stateful File Transfer Protocol (FTP) Baseline default: Disabled Learn more
Number of seconds a security association can be idle before it's deleted Baseline default: 300 Learn more
Preshared key encoding Baseline default: UTF8 Learn more
Certificate revocation list (CRL) verification Baseline default: Not configured Learn more
Packet queuing Baseline default: Not configured Learn more
Firewall profile private Baseline default: Configure Learn more
Inbound connections blocked Baseline default: Yes Learn more
Unicast responses to multicast broadcasts required Baseline default: Yes Learn more
Outbound connections required Baseline default: Yes Learn more
Inbound notifications blocked Baseline default: Yes Learn more
Global port rules from group policy merged Baseline default: Yes Learn more
Firewall enabled Baseline default: Allowed Learn more
Authorized application rules from group policy not merged Baseline default: Yes Learn more
Connection security rules from group policy not merged Baseline default: Yes Learn more
Incoming traffic required Baseline default: Yes Learn more
Policy rules from group policy not merged Baseline default: Yes Learn more
- Stealth mode blocked Baseline default: Yes Learn more
Firewall profile public Baseline default: Configure Learn more
Inbound connections blocked Baseline default: Yes Learn more
Unicast responses to multicast broadcasts required Baseline default: Yes Learn more
Outbound connections required Baseline default: Yes Learn more
Authorized application rules from group policy not merged Baseline default: Yes Learn more
Inbound notifications blocked Baseline default: Yes Learn more
Global port rules from group policy merged Baseline default: Yes Learn more
Firewall enabled Baseline default: Allowed Learn more
Connection security rules from group policy not merged Baseline default: Yes Learn more
Incoming traffic required Baseline default: Yes Learn more
Policy rules from group policy not merged Baseline default: Yes Learn more
- Stealth mode blocked Baseline default: Yes Learn more
Firewall profile ___domain Baseline default: Configure Learn more
Unicast responses to multicast broadcasts required Baseline default: Yes Learn more
Authorized application rules from group policy not merged Baseline default: Yes Learn more
Inbound notifications blocked Baseline default: Yes Learn more
Global port rules from group policy merged Baseline default: Yes Learn more
Firewall enabled Baseline default: Allowed Learn more
Connection security rules from group policy not merged Baseline default: Yes Learn more
Policy rules from group policy not merged Baseline default: Yes Learn more
- Stealth mode blocked Baseline default: Yes Learn more
Microsoft Defender
Turn on real-time protection Baseline default: Yes Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout Baseline default: 50 Learn more
Scan all downloaded files and attachments Baseline default: Yes Learn more
Scan type Baseline default: Quick scan Learn more
Defender schedule scan day: Baseline default: Everyday
Defender scan start time: Baseline default: Not configured
Defender sample submission consent Baseline default: Send safe samples automatically Learn more
Cloud-delivered protection level Baseline default: High Learn more
Scan removable drives during full scan Baseline default: Yes Learn more
Defender potentially unwanted app action Baseline default: Block Learn more
Turn on cloud-delivered protection Baseline default: Yes Learn more
Turn on real-time protection Baseline default: Yes Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout Baseline default: 50 Learn more
Scan all downloaded files and attachments Baseline default: Yes Learn more
Scan type Baseline default: Quick scan Learn more
Defender sample submission consent Baseline default: Send safe samples automatically Learn more
Cloud-delivered protection level Baseline default: High Learn more
Scan removable drives during full scan Baseline default: Yes Learn more
Defender potentially unwanted app action Baseline default: Block Learn more
Turn on cloud-delivered protection Baseline default: Yes Learn more
Run daily quick scan at Baseline default: 2 AM Learn more
Scheduled scan start time Baseline default: 2 AM
Configure low CPU priority for scheduled scans Baseline default: Yes Learn more
Block Office communication apps from creating child processes Baseline default: Enable Learn more
Block Adobe Reader from creating child processes Baseline default: Enable Learn more
Scan incoming email messages Baseline default: Yes Learn more
Turn on real-time protection Baseline default: Yes Learn more
Number of days (0-90) to keep quarantined malware Baseline default: 0 Learn more
Defender system scan schedule Baseline default: User defined Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout Baseline default: 50 Learn more
Scan mapped network drives during a full scan Baseline default: Yes Learn more
Turn on network protection Baseline default: Yes Learn more
Scan all downloaded files and attachments Baseline default: Yes Learn more
Block on access protection Baseline default: Not configured Learn more
Scan browser scripts Baseline default: Yes Learn more
Block user access to Microsoft Defender app Baseline default: Yes Learn more
Maximum allowed CPU usage (0-100 percent) per scan Baseline default: 50 Learn more
Scan type Baseline default: Quick scan Learn more
Enter how often (0-24 hours) to check for security intelligence updates Baseline default: 8 Learn more
Defender sample submission consent Baseline default: Send safe samples automatically Learn more
Cloud-delivered protection level Baseline default: Not configured Learn more
Scan archive files Baseline default: Yes Learn more
Turn on behavior monitoring Baseline default: Yes Learn more
Scan removable drives during full scan Baseline default: Yes Learn more
Scan network files Baseline default: Yes Learn more
Defender potentially unwanted app action Baseline default: Block Learn more
Turn on cloud-delivered protection Baseline default: Yes Learn more
Block Office applications from injecting code into other processes Baseline default: Block Learn more
Block Office applications from creating executable content Baseline default: Block Learn more
Block JavaScript or VBScript from launching downloaded executable content Baseline default: Block Learn more
Enable network protection Baseline default: Audit mode Learn more
Block untrusted and unsigned processes that run from USB Baseline default: Block Learn more
Block credential stealing from the Windows local security authority subsystem (lsass.exe) Baseline default: Enable Learn more
Block executable content download from email and webmail clients Baseline default: Block Learn more
Block all Office applications from creating child processes Baseline default: Block Learn more
Block execution of potentially obfuscated scripts (js/vbs/ps) Baseline default: Block Learn more
Block Win32 API calls from Office macro Baseline default: Block Learn more
Run daily quick scan at Baseline default: 2 AM Learn more
Scheduled scan start time Baseline default: 2 AM
Configure low CPU priority for scheduled scans Baseline default: Yes Learn more
Block Office communication apps from creating child processes Baseline default: Enable Learn more
Block Adobe Reader from creating child processes Baseline default: Enable Learn more
Scan incoming email messages Baseline default: Yes Learn more
Turn on real-time protection Baseline default: Yes Learn more
Number of days (0-90) to keep quarantined malware Baseline default: 0 Learn more
Defender system scan schedule Baseline default: User defined Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout Baseline default: 50 Learn more
Scan mapped network drives during a full scan Baseline default: Yes Learn more
Turn on network protection Baseline default: Yes Learn more
Scan all downloaded files and attachments Baseline default: Yes Learn more
Block on access protection Baseline default: Not configured Learn more
Scan browser scripts Baseline default: Yes Learn more
Block user access to Microsoft Defender app Baseline default: Yes Learn more
Maximum allowed CPU usage (0-100 percent) per scan Baseline default: 50 Learn more
Scan type Baseline default: Quick scan Learn more
Enter how often (0-24 hours) to check for security intelligence updates Baseline default: 8 Learn more
Defender sample submission consent Baseline default: Send safe samples automatically Learn more
Cloud-delivered protection level Baseline default: Not configured Learn more
Scan archive files Baseline default: Yes Learn more
Turn on behavior monitoring Baseline default: Yes Learn more
Scan removable drives during full scan Baseline default: Yes Learn more
Scan network files Baseline default: Yes Learn more
Defender potentially unwanted app action Baseline default: Block Learn more
Turn on cloud-delivered protection Baseline default: Yes Learn more
Block Office applications from injecting code into other processes Baseline default: Block Learn more
Block Office applications from creating executable content Baseline default: Block Learn more
Block JavaScript or VBScript from launching downloaded executable content Baseline default: Block Learn more
Enable network protection Baseline default: Audit mode Learn more
Block untrusted and unsigned processes that run from USB Baseline default: Block Learn more
Block credential stealing from the Windows local security authority subsystem (lsass.exe) Baseline default: Enable Learn more
Block executable content download from email and webmail clients Baseline default: Block Learn more
Block all Office applications from creating child processes Baseline default: Block Learn more
Block execution of potentially obfuscated scripts (js/vbs/ps) Baseline default: Block Learn more
Block Win32 API calls from Office macro Baseline default: Block Learn more
Microsoft Defender Security Center
- Block users from editing the Exploit Guard protection interface Baseline default: Yes Learn more
Smart Screen
Block users from ignoring SmartScreen warnings Baseline default: Yes Learn more
Turn on Windows SmartScreen Baseline default: Yes Learn more
Require SmartScreen for Microsoft Edge Baseline default: Yes Learn more
Block malicious site access Baseline default: Yes Learn more
Block unverified file download Baseline default: Yes Learn more
Configure Microsoft Defender SmartScreen Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads Baseline default: Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps Baseline default: Enabled
Require apps from store only Baseline default: Yes
Turn on Windows SmartScreen Baseline default: Yes Learn more
Windows Hello for Business
For more information, see PassportForWork CSP in the Windows documentation.
Block Windows Hello for Business Baseline default: Disabled
Lowercase letters in PIN Baseline default: Allowed
Special characters in PIN Baseline default: Allowed
Uppercase letters in PIN Baseline default: Allowed