🎯 Purpose
✅ Establish a strong baseline antivirus posture for all Windows devices under the Initial Baseline Protection (IBP) program
✅ Meet Essential Eight – Malware Protection requirements
✅ Ensure consistent, cloud‑assisted, real‑time threat detection with no local weakening
➡️ This policy defines the minimum enterprise‑grade antivirus standard for all Windows endpoints.
👥 Who is affected
✅ Devices: All Windows 10 / 11 devices
🚫 Exclusions: None
➡️ Every Windows device receives the same Defender Antivirus baseline.
🛡️ What protection is enforced
✅ Microsoft Defender Antivirus enabled
✅ Real‑time, on‑access malware scanning
✅ Behaviour monitoring for fileless and script‑based attacks
✅ Cloud‑assisted detection and blocking
✅ Potentially Unwanted Application (PUA) protection
✅ Email, network, removable media, and archive scanning
➡️ All common malware delivery paths are covered.
🔐 How protection is enforced
✅ Real‑time monitoring enabled (scan on read and write)
✅ High cloud protection level with extended cloud timeout
✅ Automatic sample submission for unknown threats
✅ Explicit default actions for all threat severities
✅ Local admin override blocked (local administrator settings are not merged with the managed policy, so locally configured Defender settings cannot override it)
➡️ Users and local administrators cannot weaken antivirus protection.
⚙️ Performance & user impact
✅ CPU usage throttled to maintain performance
✅ Low‑CPU priority scanning enabled
✅ Scheduled quick scans with catch‑up scanning if missed
➡️ Strong protection with minimal user disruption.
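The two sections above list the settings the baseline enforces, but the page gives no way to confirm that a device actually received them. The PowerShell below is an added example (not IBP, Intune or Microsoft code) that reads the effective Defender state on a device with the real `Get-MpPreference` and `Get-MpComputerStatus` cmdlets and compares it to the baseline as written. The property names are the genuine cmdlet properties; the pass thresholds (`MinCloudTimeoutSeconds`, `MaxCpuLoadFactor`), the numeric encodings quoted from the `Set-MpPreference` documentation, and the extra tamper-protection check (which the page does not list, but which is what makes "local admin override blocked" hold against an admin running `Set-MpPreference`) are assumptions labelled as such in the comments.

```powershell
# Added example: read-only audit of a Windows 10/11 device against the IBP
# Defender Antivirus baseline described in the policy text. Property names are
# the real Get-MpPreference / Get-MpComputerStatus properties; expected values
# and thresholds are assumptions taken from the policy wording, not from an
# exported Intune profile. Run in an elevated PowerShell session.

function Test-IbpDefenderBaseline {
    [CmdletBinding()]
    param(
        # Assumed: what counts as an "extended" cloud timeout (seconds, max 50).
        [int]$MinCloudTimeoutSeconds = 20,
        # Assumed: what counts as "throttled" scan CPU (Intune default is 50).
        [int]$MaxCpuLoadFactor = 50
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $results = [System.Collections.Generic.List[object]]::new()

    function Add-Check ([string]$Control, [string]$Expected, $Actual, [bool]$Pass) {
        $results.Add([pscustomobject]@{ Control = $Control; Expected = $Expected; Actual = $Actual; Pass = $Pass })
    }

    # --- What protection is enforced ---
    Add-Check 'Defender AV service'        'Enabled'  $status.AMServiceEnabled          $status.AMServiceEnabled
    Add-Check 'Antivirus enabled'          'True'     $status.AntivirusEnabled          $status.AntivirusEnabled
    Add-Check 'Real-time protection'       'True'     $status.RealTimeProtectionEnabled ($status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring)
    # RealTimeScanDirection: 0 = both (read and write), 1 = incoming only, 2 = outgoing only
    Add-Check 'Scan on read and write'     '0 (both)' $pref.RealTimeScanDirection       ($pref.RealTimeScanDirection -eq 0)
    Add-Check 'Behaviour monitoring'       'True'     $status.BehaviorMonitorEnabled    $status.BehaviorMonitorEnabled
    Add-Check 'Script scanning'            'Enabled'  (-not $pref.DisableScriptScanning) (-not $pref.DisableScriptScanning)
    Add-Check 'Downloads/attachments (IOAV)' 'True'   $status.IoavProtectionEnabled     $status.IoavProtectionEnabled
    # PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit
    Add-Check 'PUA protection'             '1 (Block)' $pref.PUAProtection              ($pref.PUAProtection -eq 1)
    Add-Check 'Email scanning'             'Enabled'  (-not $pref.DisableEmailScanning)           (-not $pref.DisableEmailScanning)
    Add-Check 'Network file scanning'      'Enabled'  (-not $pref.DisableScanningNetworkFiles)    (-not $pref.DisableScanningNetworkFiles)
    Add-Check 'Removable media scanning'   'Enabled'  (-not $pref.DisableRemovableDriveScanning)  (-not $pref.DisableRemovableDriveScanning)
    Add-Check 'Archive scanning'           'Enabled'  (-not $pref.DisableArchiveScanning)         (-not $pref.DisableArchiveScanning)

    # --- How protection is enforced ---
    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (cloud-delivered protection)
    Add-Check 'Cloud protection (MAPS)'    '2 (Advanced)' $pref.MAPSReporting          ($pref.MAPSReporting -eq 2)
    # CloudBlockLevel: 0 = Default, 1 = Moderate, 2 = High, 4 = High+, 6 = Zero tolerance
    Add-Check 'Cloud block level'          '>= 2 (High)'  $pref.CloudBlockLevel        ($pref.CloudBlockLevel -ge 2)
    Add-Check 'Cloud extended timeout'     ">= $MinCloudTimeoutSeconds s" $pref.CloudExtendedTimeout ($pref.CloudExtendedTimeout -ge $MinCloudTimeoutSeconds)
    Add-Check 'Block at first sight'       'Enabled'  (-not $pref.DisableBlockAtFirstSeen) (-not $pref.DisableBlockAtFirstSeen)
    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples, 2 = Never, 3 = Send all
    Add-Check 'Automatic sample submission' '1 or 3'  $pref.SubmitSamplesConsent       ($pref.SubmitSamplesConsent -in 1, 3)

    # *ThreatDefaultAction encoding per Set-MpPreference docs (assumed here):
    # Clean=1 Quarantine=2 Remove=3 Allow=6 UserDefined=8 NoAction=9 Block=10.
    # "Explicit" means set, and not Allow / NoAction.
    $weakActions = @(0, 6, 9)
    foreach ($sev in 'Low', 'Moderate', 'High', 'Severe', 'Unknown') {
        $action = $pref."${sev}ThreatDefaultAction"
        Add-Check "Default action: $sev" 'Not 0/Allow/NoAction' $action ($action -notin $weakActions)
    }

    # Local admin merge disabled = managed settings win over local ones.
    Add-Check 'Local admin merge disabled' 'True'     $pref.DisableLocalAdminMerge     ($pref.DisableLocalAdminMerge -eq $true)
    # Assumption: not listed in the policy text, but without tamper protection a
    # local admin can still change these settings via Set-MpPreference.
    Add-Check 'Tamper protection (assumed)' 'True'    $status.IsTamperProtected        $status.IsTamperProtected

    # --- Performance & user impact ---
    Add-Check 'Scan CPU load factor'       "1-$MaxCpuLoadFactor" $pref.ScanAvgCPULoadFactor (($pref.ScanAvgCPULoadFactor -ge 1) -and ($pref.ScanAvgCPULoadFactor -le $MaxCpuLoadFactor))
    Add-Check 'Low CPU priority scanning'  'True'     $pref.EnableLowCpuPriority       ($pref.EnableLowCpuPriority -eq $true)
    Add-Check 'Catch-up quick scan'        'Enabled'  (-not $pref.DisableCatchupQuickScan) (-not $pref.DisableCatchupQuickScan)

    return $results
}

# Usage: print the table, then exit non-zero when any control fails so the
# script can double as an Intune remediation "detection" script.
$report = Test-IbpDefenderBaseline
$report | Format-Table Control, Expected, Actual, Pass -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Output ("NON-COMPLIANT: " + ($failed.Control -join ', '))
    exit 1
}
Write-Output 'COMPLIANT'
exit 0
```

`Get-MpPreference` reports the effective merged configuration, so a failing row either means the Intune profile has not applied yet (check the device's policy sync and the profile assignment in the admin centre) or that a local setting is winning because `DisableLocalAdminMerge` is not set. The exit-code convention (0 compliant, 1 non-compliant) is the one Intune remediation detection scripts use, so the same script can drive an automatic remediation or simply be run ad hoc during an IBP uplift review.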
🚫 What this policy does NOT enforce
🚫 Firewall configuration
🚫 Attack Surface Reduction (ASR) rules
🚫 Device compliance decisions
🚫 Conditional Access enforcement
➡️ These controls are handled by separate IBP security baselines.
🟢 Policy status
✅ Assigned to all devices
✅ Actively enforcing
✅ Managed via Intune (MDM) and Microsoft Defender for Endpoint
📘 Essential Eight Alignment
✅ Malware Protection – Essential Eight
✅ Real‑time antivirus enabled
✅ Cloud‑based detection enabled
✅ Automatic updates and remediation enforced
ℹ️ Advanced threat protection and attack surface reduction are addressed in higher maturity baselines
📘 Practical Interpretation (Executive‑Friendly)
This Defender Antivirus policy ensures that:
✅ Every Windows device
✅ Is protected by Microsoft Defender Antivirus
✅ With real‑time, cloud‑assisted malware detection
✅ And no ability for users or admins to disable or weaken protection
This establishes a consistent, enterprise‑grade antivirus baseline aligned to Essential Eight expectations and provides a stable foundation for uplift into higher maturity security controls.

