Windows Defender Configuration for Cyber Essentials

Every few weeks someone asks me whether they need to buy antivirus software for Cyber Essentials. The answer is no. Windows Defender, which Microsoft now calls Microsoft Defender Antivirus, has been included in Windows since version 8 and it meets every requirement in the Malware Protection control. I have certified over 800 organisations and never once failed someone for using Defender instead of a paid product. The assessor checks that it is turned on, updating, and scanning. That is the whole test.
What actually causes failures is not the absence of a paid product. It is Defender being misconfigured, accidentally disabled, or out of date. Here is what goes wrong and how to fix it.
What I check during a CE assessment
The Malware Protection control boils down to four things:
Anti-malware software must be installed and running. On Windows, Defender satisfies both conditions simultaneously because it is part of the OS.
Real-time protection must be active and working. This means Defender scans files as they are opened, downloaded, or executed. If real-time protection has been switched off, files can arrive on the machine without being checked, and that is a failure.
Signature definitions must also be current and recently updated. Microsoft publishes new malware signatures multiple times a day. If your machine's definitions are a week old because Windows Update is broken, the assessor will flag it. I check the signature date on sampled machines during CE Plus, and anything older than 48 hours gets a question.
Automatic scanning of downloads and email attachments must be enabled. This is the IOAV (Internet On-Access Virus) protection setting. It is enabled by default, but it can be disabled through Group Policy or PowerShell, and some organisations have done exactly that during troubleshooting and never turned it back on.
Checking the current state
Open PowerShell as Administrator and run:
Get-MpComputerStatus | Select RealTimeProtectionEnabled, AntivirusSignatureLastUpdated, AMServiceEnabled, BehaviorMonitorEnabled
Four values: the three flags should all be True, and the signature date should be within the last 24 hours. If any of them is wrong, fix it with the commands below. If RealTimeProtectionEnabled shows False, treat it as urgent, because that machine is completely unprotected.
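The one-liner above is what to run on a sampled machine. The script below is an added example, not from the article, that turns the same four checks into a pass/fail verdict with a findings list, so it can be run on every in-scope machine and the output kept as evidence. It reads Get-MpComputerStatus and Get-MpPreference only; the AMRunningMode and IsTamperProtected properties exist on current Windows 10 and 11 builds and are skipped if a machine does not report them. The 24-hour signature threshold is a parameter.

```powershell
# Added example (not from the article): evaluate one machine against the four
# Malware Protection checks and return a findings list. Assumes the Defender
# PowerShell module is present (Windows 10/11 or Server with Defender installed).
function Test-DefenderCEReadiness {
    [CmdletBinding()]
    param(
        # Maximum accepted age of the signature definitions, in hours.
        [int]$MaxSignatureAgeHours = 24
    )

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Anti-malware installed and running
    if (-not $status.AMServiceEnabled) { $findings.Add('Defender AM service is not enabled') }
    if (-not $status.AntivirusEnabled) { $findings.Add('Antivirus engine reports disabled') }
    # AMRunningMode is reported on current builds; 'Passive Mode' usually means a
    # third-party product has registered itself as the primary antivirus.
    $mode = $status.AMRunningMode
    if ($null -ne $mode -and $mode -ne 'Normal') {
        $findings.Add("Defender running mode is '$mode', not 'Normal'")
    }

    # 2. Real-time protection
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('URGENT: real-time protection is OFF') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behaviour monitoring is OFF') }

    # 3. Definitions current
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($age.TotalHours -gt $MaxSignatureAgeHours) {
        $findings.Add(('Signatures are {0:N1} hours old (version {1})' -f $age.TotalHours, $status.AntivirusSignatureVersion))
    }

    # 4. Downloads and attachments scanned (IOAV), plus script scanning
    if ($pref.DisableIOAVProtection) { $findings.Add('IOAV (download/attachment scanning) is disabled') }
    if ($pref.DisableScriptScanning) { $findings.Add('Script scanning is disabled') }

    # Tamper Protection is not one of the four checks but is worth recording with them.
    $tp = $status.IsTamperProtected
    if ($null -ne $tp -and -not $tp) { $findings.Add('Tamper Protection is OFF') }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Checked           = Get-Date
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureAgeHours = [math]::Round($age.TotalHours, 1)
        RunningMode       = $mode
        Pass              = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Run on the local machine and print a one-line verdict plus any findings.
$result = Test-DefenderCEReadiness
if ($result.Pass) {
    Write-Host "$($result.ComputerName): PASS (signatures $($result.SignatureAgeHours)h old, mode $($result.RunningMode))"
} else {
    Write-Host "$($result.ComputerName): FAIL"
    $result.Findings | ForEach-Object { Write-Host "  - $_" }
}
```

Piping the returned object to Export-Csv from each sampled machine gives a single sheet to hand to the assessor; the Findings column tells you which of the fixes below each machine needs.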
Getting the configuration right
Enabling the settings that matter
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableScriptScanning $false
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
The MAPS (Microsoft Active Protection Service) setting enables cloud-delivered protection, which gives Defender access to Microsoft's threat intelligence in real time. It is not strictly required for CE, but there is no good reason to leave it off.
Signature update schedule
Set-MpPreference -SignatureUpdateInterval 4
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
This checks for new definitions every four hours and always updates before running a scheduled scan. The default interval is 8 hours, which is fine for CE, but 4 gives you better coverage with no noticeable performance impact.
Forcing an immediate update
Update-MpSignature
Run this if the signature date is stale. It pulls the latest definitions from Microsoft immediately.
Group Policy deployment for domain environments
If you are managing more than a handful of machines, use Group Policy to enforce Defender settings consistently:
- Open Group Policy Management and create or edit a GPO linked to your workstation and server OUs
- Go to Computer Configuration then Administrative Templates then Windows Components then Microsoft Defender Antivirus
- Set "Turn off Microsoft Defender Antivirus" to Disabled (this prevents anything from switching Defender off)
- Under Real-Time Protection, enable: behaviour monitoring, scan all downloaded files and attachments, and monitor file and program activity
- Under MAPS, set "Join Microsoft MAPS" to Advanced MAPS
- Under Signature Updates, set the update interval to 4 hours
Group Policy is the right approach for any domain environment because it prevents individual users or applications from disabling protection. Without it, a user who finds Defender annoying during a large file transfer can switch real-time protection off and forget to turn it back on. I see this during assessments more than I would like.
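Once the GPO is linked, the way to confirm it has actually landed on a sampled machine is to read the policy registry keys it writes. The script below is an added example, not from the article; it checks the standard Defender policy locations under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender for the values the settings listed above produce. The mapping of each GPO setting to a value name is the usual one for these templates, and the expected data (0 for "Disabled" on the off switches, 2 for Advanced MAPS, 4 for the update interval) matches the configuration recommended above.

```powershell
# Added example (not from the article): verify that the Defender GPO settings
# have been applied to this machine by reading the policy registry keys.
# Run after `gpupdate /force` on a domain-joined workstation.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Each entry: policy key, value name, expected data, and the GPO setting it represents.
$expected = @(
    @{ Key = $base;                        Name = 'DisableAntiSpyware';        Value = 0; Meaning = '"Turn off Microsoft Defender Antivirus" = Disabled' }
    @{ Key = "$base\Real-Time Protection"; Name = 'DisableRealtimeMonitoring'; Value = 0; Meaning = 'Real-time monitoring on' }
    @{ Key = "$base\Real-Time Protection"; Name = 'DisableBehaviorMonitoring'; Value = 0; Meaning = 'Behaviour monitoring on' }
    @{ Key = "$base\Real-Time Protection"; Name = 'DisableIOAVProtection';     Value = 0; Meaning = 'Scan all downloaded files and attachments' }
    @{ Key = "$base\Real-Time Protection"; Name = 'DisableOnAccessProtection'; Value = 0; Meaning = 'Monitor file and program activity' }
    @{ Key = "$base\Spynet";               Name = 'SpynetReporting';           Value = 2; Meaning = 'Join Microsoft MAPS = Advanced MAPS' }
    @{ Key = "$base\Signature Updates";    Name = 'SignatureUpdateInterval';   Value = 4; Meaning = 'Signature update interval = 4 hours' }
)

function Test-DefenderPolicyEnforcement {
    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path -Path $e.Key) {
            # -ErrorAction SilentlyContinue: a missing value simply leaves $actual as $null
            $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        $display = '<not set by policy>'
        if ($null -ne $actual) { $display = $actual }
        [pscustomobject]@{
            Setting  = $e.Meaning
            Path     = "$($e.Key)\$($e.Name)"
            Expected = $e.Value
            Actual   = $display
            Enforced = ($null -ne $actual -and [int]$actual -eq $e.Value)
        }
    }
}

$report = Test-DefenderPolicyEnforcement
$report | Format-Table Setting, Expected, Actual, Enforced -AutoSize
if ($report | Where-Object { -not $_.Enforced }) {
    Write-Warning 'One or more Defender settings are not enforced by Group Policy on this machine.'
}
```

A value that shows as "not set by policy" means the GPO is either not linked to that machine's OU or has not refreshed yet; a value that is present but does not match what Get-MpPreference reports is the Tamper Protection interaction described in the next section.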
Tamper Protection
Tamper Protection stops malware (or users) from disabling Defender through the registry, PowerShell, or Group Policy. It is on by default in Windows 10 and 11, but worth verifying:
Open Windows Security, click Virus and threat protection, then Manage settings under the Virus and threat protection settings section. Confirm that the Tamper Protection toggle is On.
When Tamper Protection is enabled, the only way to change Defender settings is through the Windows Security app or Microsoft Endpoint Manager. This is exactly the behaviour you want. Ransomware frequently tries to disable antivirus as its first action, and Tamper Protection blocks that.
One thing to be aware of: Tamper Protection can interfere with Group Policy deployment of Defender settings in some configurations. If you find that GPO changes are not applying to Defender, check whether Tamper Protection is overriding them. Microsoft's documentation covers the interaction between the two, and the short version is that Tamper Protection takes precedence.
The problems I keep finding
Defender disabled by a trial antivirus. Someone installed a 30-day trial of Norton or McAfee, the trial expired, and Defender stayed dormant because the third-party product was technically still installed. Uninstalling the trial product usually reactivates Defender, but not always. Check with Get-MpComputerStatus after removing any third-party antivirus.
Definitions that are weeks old. Windows Update is paused, broken, or blocked by a firewall rule, and Defender's signatures stopped updating with it. The machine shows Defender as "active" but the definitions are from three weeks ago. During CE Plus, I check the signature date. If it is more than a few days old, that is a finding.
Real-time protection switched off for troubleshooting. A developer disables it to run a build tool that Defender flags as suspicious, and never re-enables it. Without Group Policy enforcement, nobody knows until the assessment.
Exclusions that are too broad. Some IT teams add entire drive letters or large directory trees to the exclusion list to fix performance issues. An exclusion for C:\ effectively disables scanning for the entire system drive. Exclusions should be narrow and documented: a specific application path, or a specific file type for a known false positive.
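Spotting a C:\ exclusion by eye is easy; spotting a wildcard or a top-level folder in a list of forty entries is not. The function below is an added example, not from the article, that reads the path, extension and process exclusions from Get-MpPreference and flags the kinds of entries that are too broad to justify. The heuristics (drive roots, top-level Windows folders, wildcards, UNC shares, executable and script file types, common system or script-host processes) are this example's own rules of thumb, not a Cyber Essentials list. The -Path, -Extension and -Process parameters let you review a list exported from another machine, and the constructed sample at the end shows the output offline.

```powershell
# Added example (not from the article): find Defender exclusions that are too
# broad to be defensible. With no parameters it reads the live exclusion list
# from Get-MpPreference; with parameters it reviews the list you pass in.
function Find-BroadDefenderExclusion {
    [CmdletBinding()]
    param(
        [string[]]$Path,
        [string[]]$Extension,
        [string[]]$Process
    )
    if ($PSBoundParameters.Count -eq 0) {
        $pref      = Get-MpPreference
        $Path      = $pref.ExclusionPath
        $Extension = $pref.ExclusionExtension
        $Process   = $pref.ExclusionProcess
    }

    # Top-level folders whose exclusion removes protection from most of the system.
    $broadFolders = @('Users', 'Windows', 'Program Files', 'Program Files (x86)', 'ProgramData')
    # File types that carry code; excluding them by extension blinds Defender to malware.
    $riskyExt  = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'jse', 'wsf', 'scr', 'com', 'msi', 'hta')
    # Processes that malware commonly runs under; a process exclusion skips what they touch.
    $riskyProc = @('explorer.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                   'cscript.exe', 'rundll32.exe', 'svchost.exe')

    foreach ($p in $Path) {
        $reason = $null
        if     ($p -match '^[A-Za-z]:\\?$') { $reason = 'Entire drive excluded' }
        elseif ($p -match '^[A-Za-z]:\\([^\\]+)\\?$' -and $broadFolders -contains $Matches[1]) {
            $reason = 'Top-level system folder excluded'
        }
        elseif ($p -match '[\*\?]') { $reason = 'Wildcard exclusion' }
        elseif ($p -match '^\\\\')  { $reason = 'UNC share excluded' }
        if ($reason) { [pscustomobject]@{ Type = 'Path'; Exclusion = $p; Reason = $reason } }
    }
    foreach ($e in $Extension) {
        if ($riskyExt -contains $e.TrimStart('.').ToLower()) {
            [pscustomobject]@{ Type = 'Extension'; Exclusion = $e; Reason = 'Executable or script type excluded' }
        }
    }
    foreach ($pr in $Process) {
        $leaf = [System.IO.Path]::GetFileName($pr).ToLower()
        if ($riskyProc -contains $leaf -or $pr -match '[\*\?]') {
            [pscustomobject]@{ Type = 'Process'; Exclusion = $pr; Reason = 'System or script-host process excluded' }
        }
    }
}

# Constructed sample list for an offline dry run (not taken from a real machine).
Find-BroadDefenderExclusion `
    -Path      'C:\', 'D:\Builds\Cache', 'C:\Users', 'C:\Program Files\Vendor\App\data.db' `
    -Extension '.exe', '.log' `
    -Process   'C:\Windows\explorer.exe', 'C:\Program Files\Vendor\App\vendor.exe' |
    Format-Table -AutoSize

# Live review of this machine:
# Find-BroadDefenderExclusion | Format-Table -AutoSize
```

On the constructed sample it flags the drive root, the Users folder, the .exe extension and explorer.exe, and leaves the narrow build-cache and vendor-specific entries alone, which is the shape of list you want to be able to show the assessor with a justification next to each remaining line.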
Running Windows without security updates. Defender's effectiveness depends on getting regular signature updates, and the OS itself needs to be a supported version. Windows 10 versions before 22H2 are approaching or past end of support. Windows 8.1 and earlier are already unsupported. An out-of-support OS fails the Secure Configuration control regardless of Defender's status.
What to document for the assessment
For each Windows machine in scope, the assessor wants to see:
- Defender is installed and the service is running
- Real-time protection is enabled and actively scanning
- Definitions were updated within the last 24 hours
- The configuration is enforced via Group Policy in domain environments
- Any exclusions are documented with business justifications
A screenshot of Get-MpComputerStatus showing everything enabled and current definitions is the standard evidence for CE Plus. For basic CE, you answer the malware protection questions on the self-assessment questionnaire, but you should still have the evidence ready in case the assessor asks for clarification.
If you are spending money on third-party antivirus purely for Cyber Essentials compliance, stop. Defender does the job on its own. Spend the money on something that actually improves your security posture.
Need help getting your Windows Defender configuration ready for assessment? Get in touch or request a quote to discuss your setup.