NetLock RMM Docs
III — How-To Guides

Configure Windows Defender via policy

Turn on Microsoft Defender, add an exclusion, and schedule a scan — all from a policy.


Microsoft Defender Antivirus settings for managed Windows devices live inside a policy, under the Windows tab. This guide shows the shape of a minimal Defender setup: enable the feature, add one exclusion, and schedule a weekly scan. The Defender surface is much broader than these three steps — see Chapter 6.6 for the full reference including every scanner toggle, all eight notification categories, and the complete exclusion-type list.

Microsoft Defender Antivirus Configuration sub-tab

Before you start

  • A policy already exists (see Guide H.4).
  • An automation already routes the policy to at least one Windows device, or you will add one after saving.
  • Required permission: policies_enabled and the role flag that gates policy editing in your deployment.

Steps

Enable Defender on the policy

  1. Open Policies from the navigation.
  2. On Manage Policies, click Manage on the policy you want to edit.
  3. Open the Windows tab, then Microsoft Defender Antivirus, then Configuration.
  4. Tick the master Enabled checkbox at the top of the panel. Without this, none of the settings below are applied to devices.

Add an exclusion

  1. In the Configuration sub-tab, scroll to the Exclusions section.
  2. Click Add to open the Add Exclusion dialog.
  3. Pick a Type — one of File, Directory, File Type (extension), or Process.
  4. Enter the Exclusion value for that type (for example a directory path like C:\Program Files\VendorApp).
  5. Add an optional Description so future admins know why the exclusion exists.
  6. Save. The new entry appears in the Exclusions table.

Schedule a weekly scan

  1. Still on the Configuration sub-tab, scroll to the Scan Jobs section.
  2. Click Add to open the Add Scan Job dialog.
  3. Fill in:
    • Enabled — on.
    • Name and Description — for example Weekly full scan.
    • Schedule Type — pick a day-of-week schedule.
    • Day toggles — tick one day (for example Sunday).
    • Time — pick an off-hours time.
    • Scan Mode — pick the mode that fits (quick versus full).
    • Set the CPU Usage % cap and the Scan on Battery, Network Drives, Removable Disks, and Update Signatures toggles to your preference.
  4. Save. The scan-job row appears in the table.
  5. Use the Add Scan Job Directory dialog from inside the scan-job editor to add the directory list the scan covers. Most deployments want the full system drive.

Save and let the automation route it

Save the policy. Devices that receive this policy through an automation apply the Defender configuration on their next sync. If no automation routes the policy yet, create one — see Guide H.4 stage 2.

Verify it worked

  • On the policy's detail view, the Windows → Microsoft Defender Antivirus → Configuration sub-tab shows the Enabled checkbox ticked, the exclusion in the table, and the scan job in the schedule table.
  • In Events, filter by a targeted device and look for entries reflecting the Defender configuration push.
  • Locally on the device, Windows Security shows Defender active, the new exclusion listed under Virus & threat protection settings → Exclusions, and a scheduled task entry corresponding to the scan job.
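The local checks above can be scripted. The following is an added verification script, not part of NetLock RMM or its documentation; it assumes the example exclusion path and scan-job name from this guide, and since the name of the scheduled task the policy creates is not documented here, it matches the task by a wildcard on the job name.

```powershell
# Added verification script (not NetLock RMM code). Run in an elevated PowerShell
# on a device that has received the policy. Assumed values: the guide's example
# exclusion path and scan-job name; the scheduled-task name is matched by wildcard.
param(
    [string]$ExpectedExclusion = 'C:\Program Files\VendorApp',
    [string]$ScanJobName       = 'Weekly full scan'
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$ok     = $true

# 1. Defender is actually running (the master Enabled checkbox took effect).
if (-not ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)) {
    Write-Warning 'Defender antivirus or real-time protection is not enabled.'
    $ok = $false
}

# 2. The policy's exclusion is present. Paths are compared case-insensitively
#    (PowerShell -contains on strings) with any trailing backslash trimmed.
$want = $ExpectedExclusion.TrimEnd('\')
$have = @($pref.ExclusionPath | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })
if ($have -notcontains $want) {
    Write-Warning "Exclusion '$ExpectedExclusion' not found. Current: $($have -join '; ')"
    $ok = $false
}
# Surface exclusions broader than a single directory: a drive-root exclusion
# silently removes everything under it from scanning.
$have | Where-Object { $_ -match '^[A-Za-z]:$' } |
    ForEach-Object { Write-Warning "Drive-root exclusion present: $_" }

# 3. A scheduled task corresponding to the scan job exists, is enabled, and
#    has a next run time (i.e. the day/time trigger parsed correctly).
$task = Get-ScheduledTask |
    Where-Object { $_.TaskName -like "*$ScanJobName*" } |
    Select-Object -First 1
if (-not $task) {
    Write-Warning "No scheduled task matching '*$ScanJobName*' was found."
    $ok = $false
} else {
    $info = $task | Get-ScheduledTaskInfo
    if ($task.State -eq 'Disabled' -or -not $info.NextRunTime) {
        Write-Warning "Task '$($task.TaskName)' is disabled or has no next run time."
        $ok = $false
    }
}

if ($ok) { "Defender policy verified on $env:COMPUTERNAME" } else { exit 1 }
```

A non-zero exit code makes the script usable as a post-sync check from a remote shell or another scheduled job.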

Troubleshooting

  • No Defender changes on the device. Confirm the device is assigned the right policy (Devices → <device> → detail view → Assigned policy). If the field says no_assigned_policy_found, create or fix an automation.
  • Scan never runs. Open the scan job in the policy and confirm Enabled is on, the day toggle matches the intended day, and the scheduled time has not already passed for this week.
  • Exclusion is ignored. Defender exclusions are case-sensitive on some paths. Re-check the value in the exclusion row against the actual path on the device.