Don’t change the threat actions in anti-virus policy

We’re running a course in Defender XDR and the students were surprised to learn that you should not change the threat actions in your anti-virus policy. They should be left at non-configured. Here’s why.

In creating your custom policy, you'll eventually reach the section that asks you to configure what you would like Defender to do with the various threats it might encounter.

For each of these, you have several choices.

  • Clean
  • Quarantine
  • Remove
  • Allow
  • User defined
  • Block

But I'm going to ask you to not make a choice and leave these as Not configured. When you leave them not configured, the action is governed by what the detection mechanism defines. These rules are applied in this order.

  1. Default behavior: Defender falls back to its built-in default actions for that threat severity level.
  2. Local device settings: Any local settings configured on the device itself will take precedence.
  3. Signature-defined action: The action specified in the threat signature itself may be used to determine the response.
  4. Automatic remediation: By default, Defender will automatically take action on detected threats after a short delay (approximately 5 seconds) if no other configuration prevents this.
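Because local device settings take precedence (step 2 above), a policy that is Not configured in the portal can still be overridden by an explicit action set on the device. As an added example that is not part of the original post, the following PowerShell audit reads the local Defender preferences and lists every severity level, and every per-threat-ID override, where an explicit action has been set; it assumes the Defender cmdlets Get-MpPreference and Remove-MpPreference and the numeric action codes as documented for Set-MpPreference.

```powershell
# Added example, not code from the original post. Assumes the Defender
# PowerShell cmdlets and these ThreatAction codes (per Set-MpPreference docs):
# 0 = not configured, 1 Remove, 2 Clean, 3 Quarantine, 6 Allow,
# 8 UserDefined, 9 NoAction, 10 Block. Run from an elevated prompt.
$ActionNames = @{
    0 = 'NotConfigured'; 1 = 'Remove'; 2 = 'Clean'; 3 = 'Quarantine'
    6 = 'Allow'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block'
}

# One Get-MpPreference property per threat severity level
$SeverityProperties = 'LowThreatDefaultAction', 'ModerateThreatDefaultAction',
                      'HighThreatDefaultAction', 'SevereThreatDefaultAction',
                      'UnknownThreatDefaultAction'

function Get-ExplicitThreatActions {
    # Returns one object per explicit action found; -Reset clears them so the
    # signature-defined action governs again.
    param([switch]$Reset)

    $pref = Get-MpPreference

    foreach ($prop in $SeverityProperties) {
        $code = [int]$pref.$prop
        if ($code -eq 0) { continue }          # not configured: nothing to report

        $name = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] }
                else { "Unknown($code)" }
        [pscustomobject]@{ Setting = $prop; Threat = '*'; Action = $name; Code = $code }

        if ($Reset) {
            # Remove-MpPreference takes the setting name as a switch; splat it
            $clear = @{ $prop = $true }
            Remove-MpPreference @clear
        }
    }

    # Per-threat-ID overrides are stored as two parallel arrays
    $ids = @($pref.ThreatIDDefaultAction_Ids)
    $acts = @($pref.ThreatIDDefaultAction_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$acts[$i]
        $name = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] }
                else { "Unknown($code)" }
        [pscustomobject]@{ Setting = 'ThreatIDDefaultAction'; Threat = $ids[$i]
                           Action = $name; Code = $code }
    }
}

# Audit only; add -Reset to clear every explicit action that was found
Get-ExplicitThreatActions | Format-Table -AutoSize
```

An empty result means every severity level is left to the detection-defined action, which is the state this post recommends.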

If you have specified a default action, it takes precedence over the recommended action contained in the detection mechanism. Essentially, you are saying that you know better than Microsoft's security teams, today and every day going forward, how to handle a threat that Microsoft Defender detects.

All we do is support IT professionals. Help for IT Pros, M365 admin News, Security community, Mentor-led Mastermind groups, MSP training and more. https://www.thirdtier.net
