In some cases you will need to configure Defender for Endpoint without the cloud support of Intune. This guide will help you get a local GPO in place.

Prerequisites

Start by creating a GPO and check whether it contains Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Microsoft Defender Antivirus.

If you have this folder you can skip the rest of this prerequisites part. If you do not see it, follow the steps below.

When you use GPOs in an Active Directory you probably have a central store set up. This means that you will need to copy the configuration and language files to your SYSVOL folder. You can find a guide here, and also the latest ADMX files.

https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store

Download the newest templates. If you support different OS languages, make sure that you have an ADML file for each language.

The important files for us to copy to the central store are windowsdefender.admx and windowsdefender.adml.

Create GPO

When you start the configuration I recommend that you apply each GPO to a security group from the beginning. This means that you can

  • Control which clients are affected and make a controlled rollout
  • Use different settings for clients and servers
  • Configure in audit mode before changing to block mode

Open Group Policy Management and create a new policy under Group Policy Objects.

In my case I call it MDE-Standard-Policy+ASR+PUA.

Now you create an AD group that matches this policy according to your naming convention. Double-click the GPO, select Delegation and click Advanced in the bottom right corner. Remove Authenticated Users to make sure this policy will not be applied to all objects. The next step is to add the security group you just created and make sure you give it the permissions Read and Apply Group Policy.

Now you can adjust the policy and link it to any OU that contains your intended targets. Then you just add the clients to the security group to apply the settings. And of course, create different GPOs for, for example, Exchange Servers, SQL Servers and similar servers that need a special Defender configuration.

Don’t forget to configure your settings in the GPO.
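The same GPO, group and security filtering steps scripted with the GroupPolicy and ActiveDirectory RSAT modules, as an added example that is not part of the original guide. The group name and the OU distinguished names are assumptions; replace them with your own naming convention and directory layout.

```powershell
# Added example, not from the original guide. Requires RSAT (GroupPolicy + ActiveDirectory modules).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'MDE-Standard-Policy+ASR+PUA'          # name used in the guide
$GroupName = 'GPO-MDE-Standard-Policy'              # assumed group name
$GroupOU   = 'OU=GPO Groups,DC=corp,DC=example'     # assumed OU for the security group
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'   # assumed OU that contains the clients

# 1. Security group that decides which computers receive the policy.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU | Out-Null
}

# 2. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Defender AV baseline, ASR and PUA' }

# 3. Security filtering: remove Authenticated Users, grant the group Read + Apply.
#    Group members keep Read through GpoApply, which is what the computer account
#    needs to process the policy since MS16-072 (computers read GPOs in their own context).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply -Replace | Out-Null

# 4. Link to the OU; group membership, not the link, decides who actually gets it.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 5. Verify the filtering before adding any computer to the group.
function Test-GpoFiltering {
    param([string]$Name, [string]$Group)
    $perms = Get-GPPermission -Name $Name -All
    $auth  = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    $grp   = $perms | Where-Object { $_.Trustee.Name -eq $Group }
    # Authenticated Users must not be able to apply the policy; the group must.
    $authOk = (-not $auth) -or ($auth.Permission -notin @('GpoApply', 'GpoRead'))
    $grpOk  = $grp -and ($grp.Permission -eq 'GpoApply')
    return ($authOk -and $grpOk)
}

if (-not (Test-GpoFiltering -Name $GpoName -Group $GroupName)) {
    throw "Security filtering on '$GpoName' is not as intended; review its Delegation tab."
}
Write-Host "GPO '$GpoName' is filtered to '$GroupName'. Add computers to the group to roll it out."
```

A computer account only picks up a new group membership when its Kerberos ticket is renewed, normally at reboot, so a gpupdate right after adding a client to the group may not apply the policy yet.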