Windows Defender Configuration for Cyber Essentials

Every few weeks someone asks me whether they need to buy antivirus software for Cyber Essentials. The answer is no. Windows Defender, which Microsoft now calls Microsoft Defender Antivirus, has been included in Windows since version 8 and it meets every requirement in the Malware Protection control. I have certified over 800 organisations and never once failed someone for using Defender instead of a paid product. The assessor checks that it is turned on, updating, and scanning. That is the whole test.
What actually causes failures is not the absence of paid antivirus. It is Defender being misconfigured, accidentally disabled, or out of date. Here is what goes wrong and how to fix it.
What I check during a CE assessment
The Malware Protection control boils down to four things:
Anti-malware software must be installed and running. On Windows, Defender satisfies both conditions simultaneously because it is part of the OS.
Real-time protection must be active and working. This means Defender scans files as they are opened, downloaded, or executed. If real-time protection has been switched off, files can arrive on the machine without being checked, and that is a failure.
Signature definitions must be current and recently updated. Microsoft publishes new malware signatures multiple times a day. If your machine's definitions are a week old because Windows Update is broken, the assessor will flag it. I check the signature date on sampled machines during CE Plus, and anything older than 48 hours gets a question.
Automatic scanning of downloads and email attachments must be enabled. This is the IOAV (Internet On-Access Virus) protection setting. It is enabled by default, but it can be disabled through Group Policy or PowerShell, and some organisations have done exactly that during troubleshooting and never turned it back on.
Checking the current state
Open PowerShell as Administrator and run:
Get-MpComputerStatus | Select RealTimeProtectionEnabled, AntivirusSignatureLastUpdated, AMServiceEnabled, BehaviorMonitorEnabled
Four values: the three Boolean ones should all be True, and the signature date should be within the last 24 hours. If any of them are wrong, fix them using the commands below. If RealTimeProtectionEnabled shows False, treat it as urgent because that machine is completely unprotected.
Getting the configuration right
Enabling the settings that matter
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableScriptScanning $false
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
The MAPS (Microsoft Active Protection Service) setting enables cloud-delivered protection, which gives Defender access to Microsoft's threat intelligence in real time. It is not strictly required for CE, but there is no good reason to leave it off.
Signature update schedule
Set-MpPreference -SignatureUpdateInterval 4
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
This checks for new definitions every four hours and always updates before running a scheduled scan. The default interval is 8 hours, which is fine for CE, but 4 gives you better coverage with no noticeable performance impact.
Forcing an immediate update
Update-MpSignature
Run this if the signature date is stale. It pulls the latest definitions from Microsoft immediately.
Group Policy deployment for domain environments
If you are managing more than a handful of machines, use Group Policy to enforce Defender settings consistently:
- Open Group Policy Management and create or edit a GPO linked to your workstation and server OUs
- Go to Computer Configuration then Administrative Templates then Windows Components then Microsoft Defender Antivirus
- Set "Turn off Microsoft Defender Antivirus" to Disabled (this prevents anything from switching Defender off)
- Under Real-Time Protection, enable: behaviour monitoring, scan all downloaded files and attachments, and monitor file and program activity
- Under MAPS, set "Join Microsoft MAPS" to Advanced MAPS
- Under Signature Updates, set the update interval to 4 hours
Group Policy is the right approach for any domain environment because it prevents individual users or applications from disabling protection. Without it, a user who finds Defender annoying during a large file transfer can switch real-time protection off and forget to turn it back on. I see this during assessments more than I would like.
Tamper Protection
Tamper Protection stops malware (or users) from disabling Defender through the registry, PowerShell, or Group Policy. It is on by default in Windows 10 and 11, but worth verifying:
Open Windows Security, click Virus and threat protection, then Manage settings under the Virus and threat protection settings section. Confirm that the Tamper Protection toggle is On.
When Tamper Protection is enabled, the only way to change Defender settings is through the Windows Security app or Microsoft Endpoint Manager. This is exactly the behaviour you want. Ransomware frequently tries to disable antivirus as its first action, and Tamper Protection blocks that.
One thing to be aware of: Tamper Protection can interfere with Group Policy deployment of Defender settings in some configurations. If you find that GPO changes are not applying to Defender, check whether Tamper Protection is overriding them. Microsoft's documentation covers the interaction between the two, and the short version is that Tamper Protection takes precedence.
The problems I keep finding
Defender disabled by a trial antivirus. Someone installed a 30-day trial of Norton or McAfee, the trial expired, and Defender stayed dormant because the third-party product was technically still installed. Uninstalling the trial product usually reactivates Defender, but not always. Check with Get-MpComputerStatus after removing any third-party antivirus.
Definitions that are weeks old. Windows Update is paused, broken, or blocked by a firewall rule, and Defender's signatures stopped updating with it. The machine shows Defender as "active" but the definitions are from three weeks ago. During CE Plus, I check the signature date. If it is more than a few days old, that is a finding.
Real-time protection switched off for troubleshooting. A developer disables it to run a build tool that Defender flags as suspicious, and never re-enables it. Without Group Policy enforcement, nobody knows until the assessment.
Exclusions that are too broad. Some IT teams add entire drive letters or large directory trees to the exclusion list to fix performance issues. An exclusion for C:\ effectively disables scanning for the entire system drive. Exclusions should be narrow and documented: a specific application path, or a specific file type for a known false positive.
Running Windows without security updates. Defender's effectiveness depends on getting regular signature updates, and the OS itself needs to be a supported version. Windows 10 versions before 22H2 are approaching or past end of support. Windows 8.1 and earlier are already unsupported. An out-of-support OS fails the Secure Configuration control regardless of Defender's status.
What to document for the assessment
For each Windows machine in scope, the assessor wants to see:
- Defender is installed and the service is running
- Real-time protection is enabled and actively scanning
- Definitions were updated within the last 24 hours
- The configuration is enforced via Group Policy in domain environments
- Any exclusions are documented with business justifications
A screenshot of Get-MpComputerStatus showing everything enabled and current definitions is the standard evidence for CE Plus. For basic CE, you answer the malware protection questions on the self-assessment questionnaire, but you should still have the evidence ready in case the assessor asks for clarification.
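The following script is an added example, not part of the original post: it evaluates the state checks from "Checking the current state", flags the over-broad exclusions described under "The problems I keep finding", lists any lingering third-party antivirus registrations, and writes the Get-MpComputerStatus evidence file the assessor expects. The 24-hour signature threshold, the exclusion-depth rule and the output path are this script's own assumptions. Run it in an elevated PowerShell session.

```powershell
# Added example (not the post's own script): Cyber Essentials readiness check for Microsoft Defender.
# Assumptions: 24h signature-age threshold; a path with two or fewer segments counts as "broad".
$status   = Get-MpComputerStatus
$prefs    = Get-MpPreference
$findings = @()

# 1. Anti-malware service installed and running
if (-not $status.AMServiceEnabled) { $findings += 'AMServiceEnabled is False (Defender service not running)' }

# 2. Real-time protection and behaviour monitoring active
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF (urgent: machine unprotected)' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behaviour monitoring is OFF' }

# 3. Signatures current (24h is this script's threshold; 48h draws a question at CE Plus)
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt 24) { $findings += ('Signatures are {0:N0} hours old' -f $sigAge.TotalHours) }

# 4. Downloads/attachments (IOAV) and script scanning enabled
if ($prefs.DisableIOAVProtection) { $findings += 'IOAV (download/attachment scanning) is disabled' }
if ($prefs.DisableScriptScanning) { $findings += 'Script scanning is disabled' }

# Tamper Protection should be on so nothing can switch the above off
if (-not $status.IsTamperProtected) { $findings += 'Tamper Protection is OFF' }

# Exclusions: a drive root or a top-level folder is too broad and needs narrowing or a written justification
foreach ($p in $prefs.ExclusionPath) {
    if ($p -match '^[A-Za-z]:\\?$' -or ($p -split '\\').Count -le 2) { $findings += "Broad exclusion path: $p" }
}
foreach ($e in $prefs.ExclusionExtension) { $findings += "Extension exclusion (needs justification): $e" }

# Third-party products still registered with Security Center (e.g. an expired trial keeping Defender dormant)
$otherAv = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.displayName -notmatch 'Defender' }
foreach ($av in $otherAv) { $findings += "Third-party antivirus registered: $($av.displayName)" }

# Verdict
if ($findings.Count -eq 0) { 'PASS: Defender meets the Malware Protection checks on this machine' }
else { 'FAIL:'; $findings | ForEach-Object { " - $_" } }

# Evidence file for the assessor (one per machine, named after the host)
$evidence = Join-Path $env:USERPROFILE "Desktop\defender-status-$env:COMPUTERNAME.txt"
$status | Select-Object RealTimeProtectionEnabled, AntivirusSignatureLastUpdated, AMServiceEnabled,
    BehaviorMonitorEnabled, IsTamperProtected, AntivirusSignatureVersion | Out-File $evidence
"Evidence written to $evidence"
```

Any FAIL line maps directly to one of the Set-MpPreference commands earlier in the post or to an exclusion that needs narrowing and documenting.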
If you are spending money on third-party antivirus purely for Cyber Essentials compliance, stop. Defender does the job on its own. Spend the money on something that actually improves your security posture.