Disclaimer: This content is not affiliated with, endorsed by, or produced in collaboration with the National Cyber Security Centre (NCSC).
Many organisations want to follow UK National Cyber Security Centre (NCSC) hardening guidance but quickly run into a practical problem: the published configuration packs are increasingly delivered as Microsoft Intune import files.
That creates friction for organisations running domain-joined Windows environments, standalone PCs, or hybrid estates that are not fully cloud managed.
The good news is this:
You do not need Intune to implement the NCSC Microsoft Defender Antivirus baseline.
Most of the settings inside the NCSC Windows Defender Antivirus configuration are standard Microsoft Defender security controls exposed through:
- Group Policy (GPO)
- Local Group Policy
- PowerShell
- Microsoft Defender policy management
- Registry-backed Microsoft Defender policies
This guide explains how to implement the 2025 NCSC Microsoft Defender Antivirus configuration for Windows without Intune, based on the NCSC configuration pack for Microsoft Defender Antivirus.
We will cover:
- Domain-joined Windows devices
- Standalone Windows PCs
- Verification
- Rollback considerations
- Real-world operational advice
What Is the NCSC Defender Antivirus Configuration?
The NCSC publishes Windows hardening configuration packs designed to help organisations align with recommended security controls.
The file used in this guide is: 2025-NCSC-Defender-Antivirus.json
This is a Microsoft Graph export of a deviceManagementConfigurationPolicy for Microsoft Defender Antivirus. It is technically an Intune / Microsoft Endpoint Manager configuration policy export, but the settings underneath are standard Microsoft Defender Antivirus controls that also exist in Windows Group Policy and PowerShell.
What This NCSC Defender Baseline Configures
The 2025 NCSC Defender Antivirus profile enables or hardens the following protections.
Real-Time Threat Protection
The profile enables:
- Real-time monitoring
- Behaviour monitoring
- On-access scanning
- Downloaded file scanning (IOAV)
- Script scanning
- Email scanning
- Archive scanning
- Network file scanning
- Network Inspection System (intrusion-prevention) protection
Cloud Protection
The baseline enables:
- Cloud-delivered protection
- High cloud block level
- Extended cloud timeout of 50 seconds
- Signature checks before running scans
- Safe sample submission
Threat Mitigation
The baseline configures:
- Potentially unwanted application (PUA) blocking
- Automatic quarantine for low, moderate, high, and severe threats
Defender Operational Settings
The baseline also includes:
- Signature updates every hour
- Scheduled scans at 18:00
- Quick scan scheduling
- Local administrator Defender policy merge disabled
- Cleaned malware retention set to 0 days
Before You Start
Before deploying the NCSC baseline, confirm the following.
Windows Version
You should be running:
- Windows 10 Enterprise or Professional
- Windows 11 Enterprise or Professional
- Windows Server where Microsoft Defender Antivirus is active
Administrative Templates
Ensure your central store contains recent Windows ADMX templates.
Older ADMX templates may not expose newer Defender settings.
Test First
Do not push these settings directly into production.
Create a staged rollout:
- Pilot OU
- Test machines
- Validation
- Production rollout
This matters particularly for:
- Network Protection
- PUA protection
- Script scanning
- Network file scanning
- Cloud block level
These settings can occasionally impact legacy software or internal tools.
Part 1: Implementing NCSC Defender Hardening Using Group Policy
For domain-joined environments, Group Policy should be your primary deployment method.
Step 1: Open Group Policy Management
Open Group Policy Management.
Create a new GPO named: NCSC – Microsoft Defender Antivirus Baseline
Then link it to a pilot OU first.
Tip: Do not link the GPO directly to your production OU until you have tested the impact on business applications.
Step 2: Configure Real-Time Protection
Navigate to: Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Real-time Protection
Configure the following:
| Setting | Value |
|---|---|
| Turn off real-time protection | Disabled |
| Turn on behaviour monitoring | Enabled |
| Scan all downloaded files and attachments | Enabled |
| Turn on script scanning | Enabled |
| Monitor file and program activity on your computer | Enabled |
Why the NCSC enables these
This combination catches:
- malware droppers
- malicious scripts
- macro payloads
- browser-delivered attacks
- fileless attacks
Operational note: Disabling behaviour monitoring or script scanning significantly reduces Defender effectiveness against modern threats.
Step 3: Enable Email Scanning
Navigate to: Microsoft Defender Antivirus → Scan
Enable: Turn on e-mail scanning
Why this matters
This improves detection of:
- malicious attachments
- phishing payloads
- weaponised documents
If you already use email security gateways, this still adds useful endpoint protection.
Step 4: Enable Archive Scanning
Navigate to: Microsoft Defender Antivirus → Scan
Enable: Scan archive files
Why this matters
Attackers frequently hide payloads inside:
- ZIP files
- RAR archives
- compressed installers
Archive scanning allows Defender to inspect these before execution.
Step 5: Enable Network File Scanning
Navigate to: Microsoft Defender Antivirus → Scan
Enable: Scan network files
Operational note: This can slightly increase file server access latency, particularly in environments with heavy SMB usage or large file shares.
Step 6: Configure Cloud-Delivered Protection
Navigate to: Microsoft Defender Antivirus → MAPS
Configure:
- Enable: Join Microsoft MAPS
- Choose: Advanced MAPS membership
- Enable: Send file samples when further analysis is required
- Choose: Send all samples
Why this matters
Cloud-delivered protection dramatically improves zero-day detection because Defender can query Microsoft’s intelligence systems in real time.
JSON note: The policy includes submitsamplesconsent, so sample submission is part of the intended baseline.
Step 7: Configure High Cloud Block Level
Navigate to: Microsoft Defender Antivirus → MpEngine
Enable: Select cloud protection level
Choose: High blocking level
Why NCSC uses high blocking
High blocking increases Defender sensitivity against suspicious behaviour and emerging threats.
In enterprise environments, this usually provides better protection without excessive false positives, but it should still be piloted.
JSON note: The policy explicitly sets the cloud block level to the “2” choice value associated with high blocking.
Step 8: Configure Extended Cloud Timeout
Still under: Microsoft Defender Antivirus → MpEngine
Enable: Configure extended cloud check
Set: 50 seconds
Why this exists
When Defender encounters suspicious files, it pauses execution briefly while cloud analysis occurs.
The NCSC baseline uses: Cloud extended timeout = 50
This gives cloud protection more time to return a verdict before the file is allowed to run.
Step 9: Enable PUA Protection
Navigate to: Microsoft Defender Antivirus
Enable: Configure detection for potentially unwanted applications
Choose: Block
What PUA protection stops
This blocks:
- browser toolbars
- adware
- fake optimisers
- bundled software
- suspicious installers
Operational note: PUA protection is particularly useful for SMB environments, but it can surface installer-related edge cases. Test first.
Step 10: Configure Threat Actions
Navigate to: Microsoft Defender Antivirus → Threats
Enable: Specify threat alert levels at which default action should not be taken when detected.
Set:
| Severity | Action |
|---|---|
| Low (1) | Quarantine (2) |
| Moderate (2) | Quarantine (2) |
| High (4) | Quarantine (2) |
| Severe (5) | Quarantine (2) |
Why quarantine?
Quarantine is safer than “Allow” and less destructive than immediate deletion.
It allows investigation and recovery if required.
JSON note: The policy explicitly configures all severity actions to quarantine.
Step 11: Configure Network Protection
Navigate to: Microsoft Defender Antivirus → Windows Defender Exploit Guard → Network Protection
Enable: Prevent users and apps from accessing dangerous websites
Choose: Block
What Network Protection actually does
This is not a firewall feature.
It blocks:
- malicious URLs
- phishing domains
- command-and-control servers
- malware hosting locations
Why it matters:
This is one of the strongest protections in the NCSC baseline, but it is also one of the most likely to reveal legacy app dependencies during testing.
Step 12: Enable Network Inspection System
The NCSC baseline enables Microsoft Defender Network Inspection System (NIS), a Defender capability that inspects network traffic for exploit activity and malicious payload delivery. Unlike many Defender controls, this setting does not always present as a simple standalone Group Policy object in current Windows Administrative Templates.
In most modern Windows builds, NIS is enabled automatically when Microsoft Defender Antivirus is active.
Step 13: Configure Signature Checks Before Running Scans
Navigate to: Microsoft Defender Antivirus → Scan
Enable: Check for the latest virus and spyware definitions before running a scheduled scan
Why this matters
This setting helps Defender use the latest available definitions before scans begin.
JSON note: This control is explicitly included in the export and should be mentioned separately from general signature update frequency.
Step 14: Configure Signature Updates
Navigate to: Microsoft Defender Antivirus → Signature Updates
Enable: Specify interval to check for definition updates
Set: 1 hour
Why this matters
Frequent updates matter because Defender signatures change continuously.
JSON note: The policy explicitly sets signatureupdateinterval to 1.
Step 15: Configure Scheduled Scan Type
Navigate to: Microsoft Defender Antivirus → Scan
Enable: Specify the scan type to use for a scheduled scan
Choose: Quick Scan
Why this matters
The NCSC baseline intentionally uses quick scans for scheduled scanning to reduce endpoint performance impact.
Operational note: This is a deliberate trade-off between coverage and usability.
Step 16: Configure Scheduled Scan Day and Time
Navigate to: Microsoft Defender Antivirus → Scan
- Enable: Specify the day of the week to run a scheduled scan
- Choose: Saturday (0x7)
- Enable: Specify the time for a daily quick scan
- Choose: 1080
This corresponds to a scheduled scan configuration aligned to:
- Day 7
- 18:00
- Quick scan time at 18:00
The policy sets both scheduled scan time values to 1080 minutes after midnight, which equals 18:00, and uses the scan day value (7) configured in the export.
Why this matters
Stating the raw values (day 7, 1080 minutes) avoids relying on a particular UI interpretation, since the local Defender interface may render them differently.
Step 17: Disable Local Administrator Merge
Navigate to: Microsoft Defender Antivirus
Disable: Configure local administrator merge behavior for lists
Why this matters
The NCSC baseline disables local administrator merge so locally configured Defender exclusions do not combine with centrally managed exclusions.
This prevents administrators on endpoints from weakening centrally enforced antivirus protections.
Disabling merge ensures:
- central policy wins
- local exclusions do not override the baseline
- ransomware resilience is improved
JSON note: This is one of the policy’s explicit security hardening decisions.
Step 18: Configure Malware Remediation Retention
Navigate to: Microsoft Defender Antivirus → Quarantine
Enable: Configure removal of items from Quarantine folder
Set: 0 days
Operational note: The NCSC baseline minimises retention of cleaned malware artefacts. Organisations that require forensic review may wish to extend this temporarily during investigations.
JSON note: The policy uses daystoretaincleanedmalware = 0.
Step 19: Finalise and Link the GPO
Once all settings are configured:
- Save the GPO
- Link it to the pilot OU
- Allow policy refresh on test machines
- Review event logs and application impact
- Expand to production after validation
Part 2: PowerShell Implementation for Standalone or Scripted Deployment
For standalone systems or scripted deployments, PowerShell is a practical alternative.
Important: Some Defender settings are best enforced through Group Policy because PowerShell support and behaviour can vary by Windows build. Use this method carefully and validate the results with Get-MpPreference.
Step 1: Enable Core Defender Protections
Run PowerShell as Administrator and apply the following:
```powershell
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableScriptScanning $false
Set-MpPreference -DisableArchiveScanning $false
Set-MpPreference -DisableScanningNetworkFiles $false
```
What these settings do
These enable:
- real-time protection
- behaviour monitoring
- IOAV protection
- script scanning
- archive scanning
- network file scanning
Step 2: Enable Cloud Protection
```powershell
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -EnableNetworkProtection Enabled
```
Notes
- MAPSReporting Advanced aligns with advanced cloud protection membership
- SubmitSamplesConsent SendSafeSamples aligns with sending safe samples automatically
- EnableNetworkProtection Enabled enables Defender Network Protection in block mode
Caution: Cloud block level, extended cloud timeout, and scheduled scan parameters are often better controlled through policy tooling than through standalone scripting. If you script them, validate the result on your target build before broad deployment.
Step 3: Enable PUA Protection
```powershell
Set-MpPreference -PUAProtection Enabled
```
This blocks potentially unwanted applications such as adware, bundled software, and suspicious installers.
Step 4: Configure Signature Update Interval
```powershell
Set-MpPreference -SignatureUpdateInterval 1
```
This sets Defender to check for definition updates every hour.
Step 5: Configure Scheduled Scans
The JSON includes:
- scheduled scan day = 7
- scheduled scan time = 1080
- quick scan time = 1080
- scan parameter = quick scan
For a standalone environment, use the closest supported Defender configuration method available on your build.
If your environment supports it, align your scheduled scan timing to:
- 18:00
- Quick Scan
- The intended scan cadence reflected by your organisation’s policy
Important: Defender PowerShell parameters can differ across Windows versions. Validate the exact available parameters on your target build before using them broadly.
Step 6: Configure Malware Retention
The JSON sets cleaned malware retention to 0 days.
If your available Defender build supports the equivalent preference, align malware/quarantine retention accordingly.
Operational note: If your organisation requires forensic retention, you may wish to change this temporarily during incident response.
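The following script is an added example for Steps 5 and 6 above (and the threat actions from Part 1, Step 10); it is not part of the original guide. It applies the scheduled-scan, retention and threat-action values from the JSON on a standalone device, but first checks which of those parameters Set-MpPreference actually exposes on the current build, as the page advises, and skips the rest. The function name Set-NcscDefenderScanSettings and the -DryRun switch are this example's own.

```powershell
# Added example (not from the page). Values mirror the NCSC JSON described above.
$Desired = [ordered]@{
    ScanParameters                      = 1            # 1 = QuickScan
    ScanScheduleDay                     = 7            # 7 = Saturday
    ScanScheduleTime                    = '18:00:00'   # 1080 minutes after midnight
    ScanScheduleQuickScanTime           = '18:00:00'
    CheckForSignaturesBeforeRunningScan = $true
    QuarantinePurgeItemsAfterDelay      = 0            # cleaned malware retention = 0 days
    LowThreatDefaultAction              = 'Quarantine'
    ModerateThreatDefaultAction         = 'Quarantine'
    HighThreatDefaultAction             = 'Quarantine'
    SevereThreatDefaultAction           = 'Quarantine'
    DisableLocalAdminMerge              = $true        # central policy wins over local exclusions
}

function Set-NcscDefenderScanSettings {
    param(
        [System.Collections.IDictionary]$Settings = $Desired,
        [switch]$DryRun   # hypothetical switch: show what would be applied, change nothing
    )
    # Only pass parameters this build's Set-MpPreference understands.
    $supported = (Get-Command Set-MpPreference).Parameters.Keys
    $apply   = @{}
    $skipped = @()
    foreach ($name in $Settings.Keys) {
        if ($supported -contains $name) { $apply[$name] = $Settings[$name] }
        else { $skipped += $name }
    }
    if ($skipped.Count -gt 0) {
        Write-Warning "Not exposed by Set-MpPreference on this build: $($skipped -join ', ')"
    }
    if ($DryRun) {
        $apply.GetEnumerator() | ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value }
    } elseif ($apply.Count -gt 0) {
        Set-MpPreference @apply   # splat: one call applies every supported setting
    }
    # Return the outcome so it can be logged alongside the Get-MpPreference check.
    [pscustomobject]@{ Applied = @($apply.Keys); Skipped = $skipped }
}

Set-NcscDefenderScanSettings -DryRun   # review first, then run without -DryRun as Administrator
```

Settings the build does not expose still need to be set through Group Policy or Local Group Policy, as the guide recommends.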
Validate the Configuration
After deployment, verify everything applied correctly.
Run Get-MpPreference
```powershell
Get-MpPreference
```
Check for:
- PUAProtection
- MAPSReporting
- CloudBlockLevel
- EnableNetworkProtection
- DisableRealtimeMonitoring
- DisableScriptScanning
- DisableArchiveScanning
- SignatureUpdateInterval
- SubmitSamplesConsent
Run Get-MpComputerStatus
```powershell
Get-MpComputerStatus
```
Confirm:
- Defender is active
- real-time protection is on
- the protection engine is functioning normally
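Reading Get-MpPreference by eye is error-prone across a fleet, so here is an added example (not from the original guide) that compares the effective Defender preferences with the NCSC 2025 baseline values described in this guide and reports drift. It works after either deployment method, since Get-MpPreference reflects the effective settings including Group Policy. The function name Test-NcscDefenderBaseline and the $Baseline table are this example's own; enum values are the integers Get-MpPreference reports.

```powershell
# Added example (not from the page). Expected values follow the baseline above;
# a property an older build does not expose is reported, not counted as drift.
$Baseline = [ordered]@{
    DisableRealtimeMonitoring           = $false
    DisableBehaviorMonitoring           = $false
    DisableIOAVProtection               = $false
    DisableScriptScanning               = $false
    DisableEmailScanning                = $false
    DisableArchiveScanning              = $false
    DisableScanningNetworkFiles         = $false
    MAPSReporting                       = 2          # Advanced
    SubmitSamplesConsent                = 1          # SendSafeSamples (Part 2, Step 2)
    CloudBlockLevel                     = 2          # High
    CloudExtendedTimeout                = 50         # seconds
    CheckForSignaturesBeforeRunningScan = $true
    PUAProtection                       = 1          # Enabled (block)
    EnableNetworkProtection             = 1          # Enabled (block)
    SignatureUpdateInterval             = 1          # hours
    ScanParameters                      = 1          # QuickScan
    ScanScheduleDay                     = 7          # Saturday
    ScanScheduleTime                    = '18:00:00' # 1080 minutes
    ScanScheduleQuickScanTime           = '18:00:00'
    DisableLocalAdminMerge              = $true
    QuarantinePurgeItemsAfterDelay      = 0          # days
    LowThreatDefaultAction              = 2          # Quarantine
    ModerateThreatDefaultAction         = 2
    HighThreatDefaultAction             = 2
    SevereThreatDefaultAction           = 2
}

function Test-NcscDefenderBaseline {
    param([System.Collections.IDictionary]$Expected = $Baseline)
    $pref = Get-MpPreference
    foreach ($name in $Expected.Keys) {
        $prop = $pref.PSObject.Properties[$name]
        if (-not $prop) {
            [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $null; Status = 'NotAvailableOnBuild' }
            continue
        }
        # String comparison handles booleans, integer-coded enums and TimeSpans uniformly.
        $status = if ("$($prop.Value)" -eq "$($Expected[$name])") { 'OK' } else { 'DRIFT' }
        [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $prop.Value; Status = $status }
    }
}

$results = Test-NcscDefenderBaseline
$results | Format-Table -AutoSize
$drift = @($results | Where-Object Status -eq 'DRIFT')
if ($drift.Count -gt 0) { Write-Warning "$($drift.Count) setting(s) differ from the NCSC baseline" }
```

Any DRIFT row on a device that has received the GPO points to one of the causes listed under Common Issues below, such as tamper protection, a third-party antivirus, or policy precedence.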
For Domain Devices: Check GPO Application
```powershell
gpresult /h c:\temp\defender-gpo.html
```
Open the report and confirm the Defender GPO applied.
Common Issues
Defender Settings Not Applying
Check for:
- conflicting third-party antivirus
- tamper protection conflicts
- outdated ADMX templates
- WMI filter issues
- policy precedence issues
- local policy conflicts
Network Protection Not Working
Verify:
- Get-MpComputerStatus reports AMRunningMode = Normal
- the endpoint is actually receiving Defender policy
- there is no third-party security stack overriding Defender
PUA or Script Scanning Causes Application Issues
Test:
- line-of-business applications
- scripts and automation
- software deployment tools
- engineering applications
- mapped drives
- remote administration tools
Important: PUA protection and Network Protection are the settings most likely to surface edge-case issues.
What to Test Before Production
Before rolling out the baseline broadly, test the following:
- internal line-of-business applications
- scripts and automation
- software deployment tools
- engineering applications
- mapped drives
- remote administration tools
- installers and update packages
- web applications that rely on embedded or less common URLs
Especially test:
- PUA protection
- Network Protection
- archive scanning
- network file scanning
- script scanning
- cloud block level
- scheduled scan timing
Final Thoughts
The biggest misconception around NCSC configuration packs is that they require Intune.
They do not.
The NCSC Defender Antivirus baseline is fundamentally a collection of standard Microsoft Defender settings that can be implemented through:
- Group Policy
- Local Group Policy
- PowerShell
- Traditional Windows administration
For organisations running Active Directory, GPO remains the cleanest implementation method.
For standalone devices, PowerShell provides an effective alternative.
The important part is not the management platform. It is implementing the security controls consistently.
FAQ
Do I need Intune to implement the NCSC Defender baseline?
No. The published NCSC JSON is an Intune configuration export, but the settings underneath are standard Microsoft Defender controls available in Group Policy and PowerShell.
Can I deploy this through Active Directory?
Yes. Group Policy is the recommended approach for domain-joined Windows environments.
Will these settings slow down PCs?
In most environments, performance impact is minimal. Network file scanning and archive scanning may introduce slight overhead on file-heavy workloads.
Should I enable everything immediately?
No. Pilot the configuration first, especially Network Protection and PUA blocking.