Implement an Antivirus Policy

Languages and Utilities Used

  • PowerShell

Environments Used

  • Windows 2019 (admin account)
  • Active Directory domain controller

Lab Description

In this lab, I will implement an antivirus policy. An antivirus policy determines which controls will be used to combat viruses and malware. It sets rules for which settings users can adjust from the default antivirus settings and whether controls are required on each device.

A basic antivirus policy may look something like this:

  1. Approved 3rd-party antivirus/antimalware solutions are allowed, but only in addition to the use of Microsoft Defender.
  2. Settings for the virus protection software must not be altered in a manner that will reduce the software's effectiveness.
  3. Virus protection software must not be disabled or bypassed.
  4. End users are aware of the security policies enforced on their workstations.

This lab will use Windows Defender Antivirus (also known as Windows Security) to implement an antivirus policy. Windows Defender Antivirus is a full-scale anti-malware software solution that can protect computers and devices from viruses, spyware, trojans, bots and many other types of malware.

Directions

Log into your machine as the administrator. From the Windows Start icon, click on the Settings button.

Type Virus in the Search field, then select Virus & threat protection.

This will open the Virus & threat protection settings page. Click the Manage settings link.

Scroll down to the Tamper Protection settings and click the button to turn on tamper protection. This prevents others from making adjustments to virus and threat protection settings.

If a user attempts to turn off Real-time, Cloud-delivered, and Tamper Protection, they will be unable to do so. We (the administrator) have set up a policy that prevents any changes to these settings. Local management only allows administrators to change settings for that particular workstation. These changes will not be implemented across the entire organization. Using Active Directory makes it easy to change settings once and have those changes deployed to several computers automatically. The next steps will show how to use the Group Policy Management Console to manage Windows Defender settings centrally from the domain controller.


Log in to the Windows Server account. From the taskbar, click the Windows Start icon, then click the Server Manager button to open the Server Manager application.

From the Server Manager menu bar, select Tools > Group Policy Management

Locate the Group Policy Management Console in the left pane. From here, navigate to Domains > Group Policy Objects > Default Domain Policy to open the Default Domain Policy.

Right-click Default Domain Policy and select Edit to open the Group Policy Management Editor.

Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer > Windows Defender Antivirus > Real-time protection to open the Real-time protection settings.

In the right pane, locate and double-click Turn off real-time protection.

In the Properties dialog box, click the Disabled radio button, then click OK.

We will use Windows PowerShell to immediately update changes for all of the Group Policies. From the taskbar, click the Windows PowerShell icon. At the PowerShell prompt, type gpupdate /force, then press Enter.
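
To confirm that the policy reached a machine after gpupdate /force, the following added example (not part of the original lab) compares the registry value written by the "Turn off real-time protection" policy with the state Defender itself reports. The function name Test-DefenderPolicy is hypothetical, and the registry path is assumed to be the standard Defender policy location; run it in an elevated PowerShell session.

```powershell
# Added example: verify the antivirus policy from this lab on the local machine.
function Test-DefenderPolicy {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Value written by the "Turn off real-time protection" policy.
    #    Assumption: choosing Disabled in the editor writes DisableRealtimeMonitoring = 0.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $policy = Get-ItemProperty -Path $policyKey -Name DisableRealtimeMonitoring `
                               -ErrorAction SilentlyContinue
    if ($null -eq $policy) {
        $findings.Add('Policy value not present: the GPO has not applied to this machine')
    } elseif ($policy.DisableRealtimeMonitoring -ne 0) {
        $findings.Add('Policy value is non-zero: real-time protection is turned off by policy')
    }

    # 2. Effective protection state as reported by Defender.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled)          { $findings.Add('Defender Antivirus is not enabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }

    # One object per machine so results can be collected and compared.
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtection   = $status.IsTamperProtected
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
        Compliant          = ($findings.Count -eq 0)
        Findings           = ($findings -join '; ')
    }
}

Test-DefenderPolicy | Format-List

# List the GPOs applied to the computer; Default Domain Policy should appear.
gpresult /r /scope computer
```

A machine that shows the policy value missing but real-time protection on is protected only by its local setting, which a local administrator can still change.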

