If you are using Microsoft Defender Antivirus and managing your Windows 10 clients via co-management (Microsoft Endpoint Configuration Manager (MECM) or Microsoft Endpoint Manager (MEM)), this blog might be interesting for you.

The catch-up scan block results in the opposite configuration the UI implies.

During an end-to-end multi-platform migration (including Windows 10, macOS, Windows Servers and Linux) of a 3rd party AV solution to Microsoft Defender (ATP) we noticed some striking behavior.

The real catch

During acceptance tests we noticed that catch-up scans did not occur for either quick or full scans on Windows 10 clients.

Based on the Microsoft Endpoint Manager UI and the provided outline, Not configured implies a catch-up scan is enabled, and setting Block means the catch-up scan will be turned off. In practice this turned out to be the exact opposite: a Block results in a $False, which effectively enables the catch-up scan. This is confusing and might lead to unintentional configurations.

The effective catch-up scan configuration on a Windows 10 client.

The default OS configuration/behavior: catch-up scans for both quick and full scans are turned off.

Catch-up scan value as part of the device restriction policy export.
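To see what actually landed on a client rather than what the MEM UI implies, the effective state can be read with Get-MpPreference. This is an added example, not code from the original post; it assumes the built-in Defender PowerShell module on Windows 10 and uses its real DisableCatchupQuickScan / DisableCatchupFullScan properties, whose meaning is inverted ($False = catch-up scan enabled).

```powershell
# Added example: report the effective catch-up scan state on a Windows 10 client
# and compare it with the intended configuration, so a policy that landed the
# "wrong way round" (as described above) is flagged instead of silently accepted.
# Assumes Get-MpPreference (Defender module, present on Windows 10). Run locally.

function Get-CatchupScanState {
    [CmdletBinding()]
    param(
        # Intended state, so a mismatch caused by the UI glitch shows up as $false below.
        [bool]$ExpectQuickCatchup = $true,
        [bool]$ExpectFullCatchup  = $true
    )

    $pref = Get-MpPreference

    # Disable* = $False means the catch-up scan is ENABLED, hence the negation.
    $quickEnabled = -not $pref.DisableCatchupQuickScan
    $fullEnabled  = -not $pref.DisableCatchupFullScan

    # Without a scheduled scan there is nothing to catch up on (ScanScheduleDay 8 = Never).
    $scheduleConfigured = ($pref.ScanScheduleDay -ne 8)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        ScanScheduleDay        = $pref.ScanScheduleDay   # 0 = every day, 1-7 = weekday, 8 = never
        ScanParameters         = $pref.ScanParameters    # 1 = quick scan, 2 = full scan
        ScheduleConfigured     = $scheduleConfigured
        DisableCatchupQuickScan = $pref.DisableCatchupQuickScan
        DisableCatchupFullScan  = $pref.DisableCatchupFullScan
        QuickCatchupEnabled    = $quickEnabled
        FullCatchupEnabled     = $fullEnabled
        QuickMatchesIntent     = ($quickEnabled -eq $ExpectQuickCatchup)
        FullMatchesIntent      = ($fullEnabled  -eq $ExpectFullCatchup)
    }
}

# A $false in either *MatchesIntent field means the device restriction policy
# did not produce the configuration you intended.
Get-CatchupScanState -ExpectQuickCatchup $true -ExpectFullCatchup $true | Format-List
```

The same object is convenient to collect fleet-wide (for example via a Proactive Remediation or a remote session) and filter on the two *MatchesIntent fields.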

Catch-up scan explained

This policy setting allows you to configure catch-up scans for scheduled scans (quick- or full scan). A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

If you enable this setting, catch-up scans for scheduled scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.

If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.

Common practice

This setting may conflict with the Time to perform a daily quick scan setting. Some recommendations:

  • If you want to schedule a daily quick scan, and a weekly full scan,
  1. Configure the Time to perform a daily quick scan setting.
  2. Configure the Type of system scan to perform to do a full scan.
  • If you only want one quick scan daily (no full scan), then use either setting: Time to perform a daily quick scan or Type of system scan to perform. For example, to run a quick scan every Tuesday at 6 AM, configure the Type of system scan to perform setting.
  • Don’t configure the Time to perform a daily quick scan setting simultaneously with the Type of system scan to perform set to Quick scan. These settings may conflict, and a scan may not run.
  • In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.

Conclusion

Please revise your Microsoft Defender Antivirus configuration in the device restriction policy in Microsoft Endpoint Manager to ensure the intended Microsoft Defender configuration has actually been applied.

The ‘right’ configuration to enable catch-up scans for both quick and full scans.

NOTE: the Microsoft Endpoint Manager (aka Microsoft Intune) product team has been informed of this UI glitch and took note of it. They have been advised to update the UI according to the effective configuration (Enable/Not Configured). A side note to this is that I would expect the Microsoft Defender Antivirus configuration to be part of the Endpoint configuration policy instead of the device restriction policy.

Furthermore, I also want to give credit to my colleague Siebren Mossel for catching the UI glitch.

Ronny works as principal consultant for InSpark, the #1 Dutch Microsoft Partner specialized in Datacenter & Apps, Modern Workplace, Data/AI, Security & Managed Services. As principal consultant Ronny is a member of the Technology Board, which is responsible for technology innovation, strategy & vision of InSpark. Ronny’s primary focus is on Microsoft 365 (Identity, Modern Workplace, Security & Threat protection). He’s responsible for a great team of highly skilled consultants helping customers to accelerate by innovation. In his role as Microsoft Most Valuable Professional (MVP) he’s working closely with various Microsoft product groups to provide (customer) feedback, product improvements and, most important, his contribution to the community by sharing knowledge & experience. His presence at various international (community) events like Tech Summit, Expertslive Europe, TechDays & various user group meetings is dedicated to meeting people & again sharing knowledge.
