Worklet: Windows Defender Remote Work - RTM, Removable Drives, and other scan configurations

Its important that Windows devices are abiding by endpoint protection schemes now that so many more people are working remotely. It can also be hard to enforce standards around removable devices.

That’s why we use the following to ensure the proper configurations are in place for Windows Defender (see comments for details on each item):

#To enable real-time monitoring:
Set-MpPreference -DisableRealtimeMonitoring $false

#Making sure to catch removable USB drives as scan-able:
Set-MpPreference -DisableRemovableDriveScanning $false

#Making sure that email scanning (attachments) is enabled
Set-MpPreference -DisableEmailScanning $false

#Disable the scan of network files, which can cause issues remotely
Set-MpPreference -DisableScanningNetworkFiles $false

#Making sure to scan scripts as well
Set-MpPreference -DisableScriptScanning $false

#Make it so that before a scan runs Defender checks for new/the latest threat signatures
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true

Feel free to comment out the ones you don’t want for your threat model :slight_smile:

2 Likes