Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. Suspicious and malicious activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as autostart extensibility points, or ASEPs), and other changes to the file system or file structure. Always-on protection is an important part of your antivirus protection and should be enabled.
Note
Tamper protection helps keep always-on protection and other security settings from being changed. As a result, when tamper protection is enabled, any changes made to tamper-protected settings are ignored. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state. If a file that contains a threat is placed in an Azure file share, it's not remediated when placed. A user has to open the file for it to be detected by real-time protection.
Prerequisites
Supported operating systems
The following operating systems support always-on protection:
- Windows
Manage antivirus settings with Microsoft Intune
You can use Intune to configure antivirus policies, and then apply those policies across devices in your organization. Antivirus policies help security admins focus on managing the discrete group of antivirus settings for managed devices. Each antivirus policy includes several profiles. Each profile contains only the settings that are relevant for Microsoft Defender Antivirus for macOS and Windows devices, or for the user experience in the Windows Security app on Windows devices. For more information, see Antivirus policy for endpoint security in Intune.
To create a new policy and manage antivirus settings with Intune, see Create an endpoint security policy (opens in a new tab in the Intune documentation). When creating a new policy for Windows, choose the following options:
- Policy type: Antivirus
- Platform: Windows 10, Windows 11, and Windows Server
- Profile: Microsoft Defender Antivirus
- Basics: Type a name and description for your policy.
- Configuration settings: Expand Defender and select the settings you want to use for your policy. To get help with your settings, refer to Policy CSP - Defender.
- Scope tags: Choose Select scope tags to open the Select tags pane to assign scope tags to the profile.
- Assignments: Select the groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles.
When creating a new policy for macOS, choose the following options:
- Platform: macOS
- Profile: Antivirus
- Basics: Type a name and description for your policy. On the
- Configuration settings: Select the settings you want to use for your policy. To get help with your settings, refer to Set preferences for Microsoft Defender for Endpoint on macOS.
- Scope tags: Choose Select scope tags to open the Select tags pane to assign scope tags to the profile
- Assignments: Select the groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles
To edit an existing policy for Windows devices, see Modify existing policies (opens in a new tab in the Intune documentation). Select your policy, expand Defender, and edit settings for your policy. To get help with your settings, refer to Policy CSP - Defender.
To edit an existing policy for macOS devices, select your policy, select Properties, and choose Edit next to Configuration settings. Edit the policy settings under Microsoft Defender for Endpoint. To get help with your settings, refer to Set preferences for Microsoft Defender for Endpoint on macOS.
Are you using Group Policy?
Important
We recommend using Microsoft Intune to manage Microsoft Defender Antivirus settings for your organization. With Intune, you can control where tamper protection is enabled (or disabled) through policies. You can also protect Microsoft Defender Antivirus exclusions. For more information, see Protect Microsoft Defender Antivirus exclusions from tampering.
You can use Group Policy to manage some Microsoft Defender Antivirus settings. If tamper protection is enabled in your organization, any changes made to tamper-protected settings are ignored. You can't turn off tamper protection by using Group Policy.
If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. After troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
You can use Local Group Policy Editor to enable and configure Microsoft Defender Antivirus always-on protection settings.
Enable and configure always-on protection using Group Policy
This procedure applies to Windows 10 and Windows 11 devices.
Use the following steps to enable and configure always-on protection using Local Group Policy Editor:
Open Local Group Policy Editor, as follows:
In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
Configure the Microsoft Defender Antivirus antimalware service policy setting.
In the Microsoft Defender Antivirus details pane on right, double-click Allow antimalware service to start up with normal priority, and set it to Enabled.
Then select OK.
Configure the Microsoft Defender Antivirus real-time protection policy settings, as follows:
In the Microsoft Defender Antivirus details pane, double-click Real-time Protection. Or, from the Microsoft Defender Antivirus tree on left pane, select Real-time Protection.
In the Real-time Protection details pane on right, double-click the policy setting as specified in Real-time protection policy settings.
Configure the setting as appropriate, and select OK.
Repeat the previous steps for each setting in the table.
Configure the Microsoft Defender Antivirus scanning policy setting, as follows:
From the Microsoft Defender Antivirus tree on left pane, select Scan.
In the Scan details pane on right, double-click Turn on heuristics, and set it to Enabled.
Select OK.
Close Local Group Policy Editor.
Real-time protection policy settings
For the most current settings, get the latest ADMX files in the Group Policy Central Store. See How to create and manage the Central Store for Group Policy Administrative Templates in Windows and download the latest files.
Disable real-time protection in Group Policy
Warning
Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended. In addition, if tamper protection is enabled, you cannot turn it off by using Group Policy. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
Open Local Group Policy Editor.
In your Windows 10 or Windows 11 taskbar search box, type
gpedit.Under Best match, select Edit group policy to launch Local Group Policy Editor.
In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.
In the Real-time Protection details pane on right, double-click Turn off real-time protection.
In the Turn off real-time protection setting window, set the option to Enabled.
select OK.
Close Local Group Policy Editor.
See also
Related content
- Configure behavioral, heuristic, and real-time protection
- Microsoft Defender Antivirus in Windows 10
Other platforms
If you're looking for antivirus-related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features