Microsoft Defender Antivirus: Catch(up) me if you can!
Update: Microsoft confirmed this behavior and will correct this in the next Microsoft Intune update release, most probably the March update 2003.
If you are using Microsoft Defender Antivirus and managing your Windows 10 clients via co-management (Microsoft Endpoint Configuration Manager (MECM) or Microsoft Endpoint Manager (MEM), this blog might be interesting for you.
During an end-to-end multi-platform migration (including Windows 10, macOS, Windows Servers and Linux) of a 3rd party AV solution to Microsoft Defender (ATP) we noticed some striking behavior.
The real catch
During acceptance tests we noticed the catch-up scans didn’t occur for both quick- and full scans on Windows 10 clients.
Based on the Microsoft Endpoint Manager UI and provided outline, Not configured implies a catch-up scan is enabled. If you set Block catch-up scan will be turned off. However, in practice this appeared to be the exact opposite. A block results in a $False which effectively enables the catch-up scan, which is confusing and might lead to unintentional configuration(s)
The default OS configuration/behavior, catch-up scans for both quick- or full scans are turned off.
Catch-up scan explained
This policy setting allows you to configure catch-up scans for scheduled scans (quick- or full scan). A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
This setting may conflict with the Time to perform a daily quick scan setting. Some recommendations:
- If you want to schedule a daily quick scan, and a weekly full scan,
- Configure the Time to perform a daily quick scan setting.
- Configure the Type of system scan to perform to do a full scan.
- If you only want one quick scan daily (no full scan), then use either setting: Time to perform a daily quick scan or Type of system scan to perform. For example, to run a quick scan every Tuesday at 6 AM, configure the Type of system scan to perform setting.
- Don’t configure the Time to perform a daily quick scan setting simultaneously with the Type of system scan to perform set to Quick scan. These settings may conflict, and a scan may not run.
- In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
Please revise your Microsoft Defender Antivirus configuration as part of the device restriction policy in Microsoft Endpoint Manager, this to ensure the intended configuration of Microsoft Defender have actually been applied.
NOTE: the Microsoft Endpoint Manager (aka Microsoft Intune) product team has been informed of this UI glitch and toke note of it. They have been advised to update the UI according the effective configuration (Enable/Not Configured). A side note to this is that I would expect Microsoft Defender Antivirus configuration as part of the Endpoint configuration policy instead of the device restriction policy.
Furthermore I also want to give the credits to my colleague Siebren Mossel for catching the UI glitch.
Leave a Reply