Defender Manager

Defender Manager controls how Microsoft Defender–related protection, detection, and response settings are managed within Kaseya MDR. These settings govern endpoint protection behavior such as reporting levels, scanning schedules, default threat actions, and exclusions.

Because Defender Manager directly affects endpoint security posture, changes should be made carefully and reviewed periodically by administrators with appropriate permissions.

Defender Manager is accessed from Settings > Application Configurations > Defender Manager.

IMPORTANT  This article explains what each configuration area influences and why you might adjust it. It does not describe detection algorithms, override Microsoft security baselines, or guarantee alert outcomes.

Prerequisites and assumptions

Defender Manager configures Microsoft Defender behavior on endpoints that are already protected by Microsoft Defender.

Before using Defender Manager, ensure that:

  • Managed endpoints are running Windows and have Microsoft Defender available

  • Microsoft Defender for Endpoint is licensed and active for those devices

  • Devices are already onboarded and visible within Kaseya MDR

Defender Manager does not establish Microsoft tenant connections or validate licensing.

Feature availability and behavior may vary depending on Microsoft licensing and endpoint configuration.

For current Microsoft licensing details, refer to Microsoft documentation.

Scope and boundaries

Defender Manager:

  • Controls Microsoft Defender configuration behavior applied to managed endpoints

  • Applies persistent configuration changes

  • Influences protection, scanning, and default threat handling behavior

Defender Manager does not:

  • Replace MDR detection logic

  • Guarantee alerts, detections, or response outcomes

  • Replace SOC authorization or response workflows

Detection, investigation, and response decisions remain governed by MDR detections, investigation workflows, and SOC configuration.

Where Defender Manager fits in Kaseya MDR

Defender Manager is one of several application‑level configurations available under Settings > Application Configurations.

Application configurations define how specific components behave within Kaseya MDR. Defender Manager focuses specifically on endpoint protection posture, not on detection logic or investigation workflows.

Configuration model

Defender Manager uses the same global default and organization override model as other application configurations.

  • Global defaults define Defender Manager behavior for all organizations unless an override exists.

  • Organization overrides allow Defender Manager behavior to be customized for a specific organization.

Changes apply only after selecting Save.

Configuration areas

Defender Manager exposes configuration options through a tab‑based configuration dialog:

  • General

  • Real‑time protection

  • Cloud protection

  • Scans

  • Threat actions

  • Advanced

  • Exclusions

Each tab controls a specific aspect of Defender behavior, described below.

General

The General tab controls user interface and notification behavior related to Microsoft Defender.

Notifications and UI

These settings control which Defender‑related interfaces and notifications are visible to users, including:

  • Security Center notifications

  • Windows Defender UI

  • Windows Defender notifications

  • Windows Defender enhanced notifications

These options affect presentation only and do not change detection logic or protection behavior.

Signatures

  • Update signature frequency (hours): Defines how often Defender signatures are updated

  • Check for signature update before running scan: When enabled, signatures are updated before a scheduled scan runs.

Real‑time protection

The Real‑time protection tab controls continuous monitoring behavior on protected endpoints.

Available controls include:

  • Real‑time monitoring

  • Behavioral monitoring

  • Scan all downloaded files and attachments

  • Script scanning

NTFS file direction scanning

Controls how file activity is evaluated:

  • Scan both incoming and outgoing files

  • Scan incoming files only

  • Scan outgoing files only

These options influence how file activity is inspected during real‑time protection.

Cloud protection

The Cloud protection tab manages Microsoft Defender cloud‑based protection features.

Active protection services

  • Block at first sight: Allows cloud‑based protection to block suspicious files before full analysis completes

Reporting level

Defines how Defender reports cloud‑based detection data:

  • Disabled

  • Basic membership

  • Advanced membership

Automatic sample submission

Controls how suspicious files are submitted for analysis:

  • Send all samples automatically

  • Send safe samples automatically

  • Always prompt

  • Never send

Potentially unwanted applications (PUA)

Controls PUA handling:

  • Disabled

  • Audit mode

  • Enabled

These settings influence how Defender leverages Microsoft cloud intelligence and reporting.

Scans

The Scans tab controls scanning behavior and scheduling.

Available options include:

  • Only scan when idle

  • Perform catch‑up quick scans

  • Perform catch‑up full scans

  • Scan removable drives

  • Scan mapped network drives during full scans

  • Scan archive files

  • Email scan

  • Perform catchup full scans

  • Scan restore points

  • Scan network files

These options affect how and when scans are executed, not how detections are evaluated.

Threat actions

The Threat actions tab defines default actions taken when threats are detected.

You can specify default actions for:

  • Unknown threats

  • Low threats

  • Moderate threats

  • High threats

  • Severe threats

Available actions include:

  • Clean

  • Quarantine

  • Remove

  • Allow

  • Block

  • No Action

Default threat actions determine how detected threats are handled. These settings should align with organizational security policies and operational risk tolerance.

Advanced

The Advanced tab exposes attack surface reduction (ASR) and advanced protection controls.

Attack surface reduction

Examples of configurable protections include:

  • Blocking executable content from email and webmail

  • Office applications creating child processes or executable content

  • Office applications injecting into other processes

  • Blocking execution of potentially obfuscated scripts

  • Blocking credential theft from LSASS

  • Blocking process creation from PsExec and WMI

  • Blocking untrusted or unsigned processes from USB devices

Network protection and ransomware features

  • Blocking persistence through WMI event subscriptions

  • Blocking certain application child‑process behavior

  • Enabling advanced protection against ransomware

Controlled folder access

When enabled, controls unauthorized changes to protected folders using:

  • Protected folders

  • Trusted executables

These settings are intended for advanced protection scenarios and should be configured by experienced administrators.

Exclusions

The Exclusions tab defines exceptions applied to Microsoft Defender protection.

Supported exclusion categories include:

  • Process exclusions

  • Path exclusions

  • Extension exclusions

  • Attack surface reduction exclusions

Exclusions prevent specific processes, paths, extensions, or behaviors from being evaluated by Defende

IMPORTANT  Exclusions reduce protection coverage. Add exclusions when the activity is well understood and necessary.

Organization‑level overrides

Defender Manager supports organization‑specific overrides using the standard Application Configurations model.

When to use an organization override

Organization overrides are commonly used when:

  • A specific organization requires Defender behavior different from the global standard

  • Endpoint protection must be adjusted without affecting other organizations

  • Testing or phased rollout of Defender configuration changes is required

  • Organizational policies or risk tolerance differ

Once an override exists, the organization no longer inherits the global Defender Manager configuration.

Creating an organization override

  1. From the side navigation menu, select Settings.

  2. Select Application Configurations.

  3. In Organization overrides, select + New override.

  4. Select the target organization.

  5. Select Defender Manager as the application.

  6. Select Confirm.

This opens an organization‑scoped Defender Manager configuration.

Organization‑scoped configuration interface

An organization override displays:

  • An Organization details panel (organization name, group, PSA status, last online)

  • The same configuration tabs as the global Defender Manager:

    • General

    • Real‑time protection

    • Cloud protection

    • Scans

    • Threat actions

    • Advanced

    • Exclusions

There is no reduced or alternate UI for overrides.

Override behavior and precedence

  • Organization overrides fully replace the global Defender Manager configuration for that organization

  • Overrides do not merge with global defaults

  • Changes apply only to the selected organization

  • Other organizations continue to use the global configuration

Best practices for Defender Manager

  • Start with existing settings and adjust only when necessary

  • Change one configuration category at a time

  • Observe impact before making additional adjustments

  • Align threat actions and exclusions with organizational policy

  • Document why exclusions or advanced settings are configured

  • Review Defender Manager settings periodically and after onboarding new organizations

Related articles

Use the following articles to understand how Defender Manager fits into broader Kaseya MDR administration, detection, and response workflows:

  • Application Configurations: Learn how application‑level configurations in Kaseya influence detection behavior, ingestion, and visibility, and how Defender Manager fits within this model alongside other configurable applications.

  • Global defaults and organization‑level behavior: Understand how global default settings and organization overrides determine which Defender Manager configurations apply, and why behavior may differ between environments.

  • Advanced agent settings and organization overrides: Review how agent‑level behavior and diagnostics are governed separately from Defender Manager, using the same global and organization override model.

  • Configuring SOC settings: Learn how SOC authorization boundaries, escalation preferences, and communication settings are defined, and how they differ from application‑level configuration such as Defender Manager.

  • Using Kaseya MDR: Understand how alerts, investigation, and response workflows operate in practice, and how endpoint protection context contributes to investigation without guaranteeing detection or alert outcomes.