Microsoft Defender Antivirus
Written by Kali Patrick
Updated at November 11th, 2024
Table of Contents
Syncro provides integrations with several antivirus providers to help you protect your customers' assets. Microsoft's Defender Antivirus (formerly Windows Defender) is one of them.
You can take full control of Microsoft's Defender Antivirus on your Windows endpoints and keep your customers protected by remotely monitoring and remediating threat detections directly through Syncro.
With Syncro's Managed Microsoft Defender Antivirus integration, you'll get:
- Time-saving, centralized management of Microsoft’s built-in Defender Antivirus,
- Scan schedules, protection settings, exclusions, and more, which you can set in your Syncro policies,
- The ability to initiate remote scans with a single click,
- Timely notifications and remediations for threat detections, and
- An affordable, managed antivirus solution that helps you negotiate better contracts with your customers and pursue new revenue opportunities.
See the Features That Syncro's Integration Supports for more details.
Note: Syncro's Managed Microsoft Defender Antivirus has a small monthly cost per workstation, which you'll see during the set up process.
System Requirements
Syncro's Managed Windows Defender has the following operating system requirements:
- Windows 10+
- Windows Server 2016+
- Managed Defender Antivirus Version Requirements
Syncro's integration is developed for the free, built-in Microsoft Defender Antivirus for the operating systems listed above. However, our integration can also manage a limited set of core functions for the following versions:
- Defender for Endpoint
- Defender for Business
To avoid conflicts between Syncro's integration and the versions described above, adjust your Syncro Managed Windows Defender policy settings to mirror your configurations in Microsoft Defender Antivirus for Endpoint or Microsoft Defender Antivirus for Business.
Activate Managed Windows Defender
To use Managed Windows Defender in your Syncro policies, follow these steps:
- Navigate to Admin > Integration - App Center, and select click the Managed Windows Defender tile:
Tip: Click the Security link or enter criteria in the Search App Center bar at the top to narrow the list of tiles. - Check the “Enable Managed Windows Defender” box, then click Save:
Managed Windows Defender is now available for use as an antivirus in your Syncro policies. - From a new policy or an existing asset policy, click the Antivirus section on the left side, then select “Windows Defender” from the “Add an Antivirus” dropdown menu:
Note: The Syncro integration can't remotely activate Microsoft Defender Antivirus if it has previously been manually deactivated (due to the “Tamper Detection” setting). This means you'll see a warning prompt:
If Microsoft Defender Antivirus was manually deactivated on the endpoint previously, then you must reactivate Defender in Windows to activate Syncro's managed integration. If Microsoft Defender Antivirus was automatically disabled by another antivirus at install, it should automatically reactivate when the other antivirus is removed.
- While Syncro pre-populates the majority of the Microsoft Defender Antivirus settings with recommended defaults, you can adjust these however you’d like using the following policy settings sections:
- Interface: Optionally, suppress the ability for your end-customer to access the Microsoft Defender Antivirus UI and Microsoft Defender Antivirus notifications on your managed endpoints.
- Protection: While the majority of protection settings are enforced when Microsoft Defender Antivirus is active, you can optionally manage Defender’s Cloud Protection and Automatic Sample Submission behavior.
- Quick Scan Schedule: Specify the recurring Quick Scan schedule for your endpoints inheriting this policy. Choose from Every Day, or a specific day of the week.
- Scan Behavior: Fine-tune your device scans.
- Scan Exclusions: Specify one or more scan exclusions by File, Folder, File Type, or Process.
- Signatures & Updates: Fine-tune the update interval (in hours) and catch up behavior (in days) of signature definitions.
- Advanced: Set the quarantine purge frequency (in days) and manage NIS definition settings.
- Click Save Policy.
NOTE: To stop Syncro from managing Windows Defender on your assets, simply remove the Windows Defender Antivirus item from the appropriate policy.
View Defender Information on Assets
In the Overview Subtab
Any assets inheriting a policy where the Defender antivirus has been activated reflect the status in the “Overview” section on the Asset's Details Page "Overview" subtab:
In the Antivirus Subtab
In the "Antivirus" subtab for an asset, you'll find information about Windows Defender’s protection status, including any threat detections present on the system:
-
Protection Status: A high-level overview of the protection status of Defender Antivirus on the endpoint. A green-check shield indicates the setting is active; an orange icon indicates that the module is disabled. If a protection module is ever disabled, Syncro generates an RMM alert to notify you and your team.
-
Manual Scans: Here you can initiate manual Quick or Full Scans for the asset. For each manual scan run, Syncro logs the five (5) most recent scans in the table. For more scan history, Syncro conditionally displays a link to the asset audit report so you can view the full manual scan history. If a manual scan fails for any reason, Syncro generates an RMM alert to notify you and your team.
Tip: In addition to running scans manually per-asset, you can run manual scans in bulk for any assets that have Managed Windows Defender activated. Select one or more assets on the Assets tab/module, then click the Bulk Actions button and choose “Run Windows Defender Scan”:
Choose the Scan Type from the pop-up that appears, then click Scan:
-
Threat Detections: Syncro logs all threat detections for the device in this section. Click the More (triple-dot) icon and select “View Details” to open the Threat Details pop-up and learn more about the detection:
Note: If a detected threat is shown here, Syncro also generates an RMM alert so you and your team stay notified and can remediate. - Signatures: Displays the signature version and age of the Anti-malware, Anti-spyware, and Network Inspection signature engines
- Exclusions: Displays the exclusions currently specified in Microsoft Defender Antivirus. This includes any exclusions set in your Syncro policies, as well as any managed outside of Syncro directly on the asset.
Using a Saved Asset Search
To help determine which assets have Syncro's Managed Microsoft Defender Antivirus active in their policies, you can also use the “Missing Managed Windows Defender” or “Has Managed Windows Defender” criteria in any Saved Asset Search.
Features That Syncro's Integration Supports
| Feature | Supported? |
|---|---|
| Remote Activation |
No—Because of the "Tamper Protection" setting, Microsoft Defender Antivirus cannot be remotely activated or deactivated with Syncro's Managed Microsoft Defender.
|
| Scheduled Quick Scans | Yes |
| Scheduled Full Scans | No—Per Microsoft’s recommended best practices, full scan schedules are not supported in this integration. More information available here. |
| Manual Quick and Full Scans | Yes |
| Bulk Quick and Full Scans | Yes |
| Signature Update Schedule | Yes |
| Bulk AV Scans | Yes |
| Scan Exclusions | Yes |
| Asset Saved Search | Yes |
| Protection Engine Management | Partial—Because of the "Tamper Protection" setting in Microsoft Defender Antivirus, only the cloud protection engine and automatic sample submission can be managed in Syncro's integration. You must manually manage all other protection modules. |
| RMM Alerts |
Yes—Syncro generates RMM Alerts for the following events when Managed Defender is active:
|
| Automated Remediation | Yes—Use the “Trigger Category” Condition of “Windows Defender AV Detection” in any new or existing automated remediations. See also Automated Remediations Reference. |
