Maximising Security and Performance with Microsoft Defender Antivirus and Intel TDT


In today’s digital landscape, protecting endpoints against sophisticated threats while maintaining performance is paramount. Microsoft Defender Antivirus (MDAV), part of Microsoft Defender for Endpoint, leverages advanced hardware acceleration technologies like Intel Threat Detection Technology (TDT) to enhance security without compromising on system resources. Here’s how you can optimize your setup using Microsoft Intune for better performance and security.


Understanding Hardware Acceleration in Microsoft Defender Antivirus

Microsoft Defender Antivirus has evolved to include hardware acceleration features, notably through its integration with Intel TDT. Hardware acceleration, particularly through Intel TDT, involves:

  • Accelerated Memory Scanning (AMS): This feature offloads CPU-intensive memory scanning to the integrated GPU, reducing power consumption and potentially extending battery life on devices like laptops and tablets.
  • Cryptojacking Detection: Intel TDT utilizes the CPU’s performance monitoring unit (PMU) to detect cryptojacking malware by identifying the signature of repeated mathematical operations, which are offloaded to the GPU for processing. This approach not only enhances detection but does so with minimal overhead.

These capabilities are enabled by default when MDAV is running, which means your systems are already benefiting from this synergy without additional configuration. However, for those managing large fleets of devices, especially through platforms like Microsoft Intune, there’s more you can do to fine-tune this setup.


Configuring Microsoft Defender Antivirus with Intune

Microsoft Intune provides robust endpoint security policies that can be tailored to optimize both security and performance:

  • Enabling Intel TDT: While Intel TDT (Threat Detection Technology) is automatically enabled when a threat is detected, as per the ADMX/CSP documentation, explicitly configuring it for consistent behavior across all managed devices requires interaction with the Microsoft Graph API.
    • How to Enable: Intune > Devices > Configuration > Create profile > Search for TDT > Select Intel TDT Enabled.
  • File Hash Computation: For environments utilizing Microsoft Defender for Endpoint (MDE), enabling File Hash Computation can significantly enhance threat detection capabilities by calculating hashes for files, aiding in the quick identification of known threats.
    • How to Enable: Intune > Devices > Configuration > Create profile > Search for hash > Select Enable file hash computation

To modify or check these settings, you’ll need to use Microsoft Graph API calls to interact with the device management configuration policies.

Here’s an example JSON payload, as returned by Microsoft Graph, for a Defender AV configuration policy created this way (each configured setting is one entry in the settings array):

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
    "createdDateTime": "2024-11-15T06:23:24.5400129Z",
    "creationSource": null,
    "description": "Policy to supplement missing settings from Endpoint security",
    "lastModifiedDateTime": "2024-11-15T06:41:44.5149584Z",
    "name": "Defender AV - Supplemental for ES policies",
    "platforms": "windows10",
    "priorityMetaData": null,
    "roleScopeTagIds": [
        "0"
    ],
    "settingCount": 2,
    "technologies": "mdm",
    "id": "2e01cbbb-8a81-40e3-90a1-0390ada7a9af",
    "templateReference": {
        "templateId": "",
        "templateFamily": "none",
        "templateDisplayName": null,
        "templateDisplayVersion": null
    },
    "settings": [
        {
            "id": "6",
            "settingInstance": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_defender_configuration_hideexclusionsfromlocaladmins",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                    "settingValueTemplateReference": null,
                    "value": "device_vendor_msft_defender_configuration_hideexclusionsfromlocaladmins_1",
                    "children": []
                }
            }
        },
        {
            "id": "9",
            "settingInstance": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "settingDefinitionId": "device_vendor_msft_defender_configuration_oobeenablertpandsigupdate",
                "settingInstanceTemplateReference": null,
                "choiceSettingValue": {
                    "settingValueTemplateReference": null,
                    "value": "device_vendor_msft_defender_configuration_oobeenablertpandsigupdate_1",
                    "children": []
                }
            }
        }
    ]
}
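As an added illustration (not code from the original post, nor from Microsoft), the Python script below builds a settings-catalog policy body in the same shape as the payload above and audits a policy fetched from Graph for the two settings this post is about. The setting definition IDs for Intel TDT and file hash computation are assumptions derived from the naming pattern in the payload above (device_vendor_msft_defender_configuration_<setting>), as is the "_1" suffix meaning "enabled"; confirm both against the Intune settings catalog before deploying. The embedded sample policy is a trimmed, constructed copy of the payload above.

```python
"""Build and audit an Intune settings-catalog policy for the Defender settings
discussed above. Added example; not Microsoft's or the post author's code."""
import json

# ASSUMED definition IDs, following the naming pattern visible in the page's
# payload (device_vendor_msft_defender_configuration_<csp node>). Verify the
# exact IDs in the Intune settings catalog before relying on them.
TDT_SETTING_ID = "device_vendor_msft_defender_configuration_inteltdtenabled"
HASH_SETTING_ID = "device_vendor_msft_defender_configuration_enablefilehashcomputation"
EXPECTED_SETTINGS = {TDT_SETTING_ID, HASH_SETTING_ID}


def choice_setting(definition_id: str, choice_suffix: str) -> dict:
    """One choice-setting entry, in the shape used by the page's payload.
    Graph encodes a choice value as '<definition id>_<choice>'; the '_1'
    suffix is assumed to mean 'enabled', as it does in the page's payload."""
    return {
        "settingInstance": {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
            "settingDefinitionId": definition_id,
            "settingInstanceTemplateReference": None,
            "choiceSettingValue": {
                "settingValueTemplateReference": None,
                "value": f"{definition_id}_{choice_suffix}",
                "children": [],
            },
        }
    }


def build_supplemental_policy(name: str) -> dict:
    """Request body for POST /beta/deviceManagement/configurationPolicies.
    Read-only fields from the page's payload (id, timestamps, settingCount)
    are omitted because Graph assigns them."""
    return {
        "name": name,
        "description": "Defender AV: Intel TDT and file hash computation",
        "platforms": "windows10",
        "technologies": "mdm",
        "roleScopeTagIds": ["0"],
        "settings": [
            choice_setting(TDT_SETTING_ID, "1"),
            choice_setting(HASH_SETTING_ID, "1"),
        ],
    }


def load_policy(text: str) -> dict:
    """Parse a configurationPolicy JSON document fetched from Graph."""
    return json.loads(text)


def configured_setting_ids(policy: dict) -> set:
    """Collect the settingDefinitionId of every entry in the settings array."""
    ids = set()
    for entry in policy.get("settings", []):
        definition_id = entry.get("settingInstance", {}).get("settingDefinitionId")
        if definition_id:
            ids.add(definition_id)
    return ids


def audit_policy(policy: dict) -> dict:
    """Report which of the expected settings a policy carries and which it lacks.
    Useful for the periodic policy review recommended later in the post."""
    present = configured_setting_ids(policy)
    return {
        "present": sorted(present & EXPECTED_SETTINGS),
        "missing": sorted(EXPECTED_SETTINGS - present),
    }


# Constructed sample: a trimmed copy of the page's payload, i.e. a policy that
# carries two other Defender settings but neither TDT nor file hash computation.
SAMPLE_POLICY_JSON = json.dumps({
    "name": "Defender AV - Supplemental for ES policies",
    "platforms": "windows10",
    "technologies": "mdm",
    "settings": [
        {"id": "6", **choice_setting(
            "device_vendor_msft_defender_configuration_hideexclusionsfromlocaladmins", "1")},
        {"id": "9", **choice_setting(
            "device_vendor_msft_defender_configuration_oobeenablertpandsigupdate", "1")},
    ],
})


if __name__ == "__main__":
    print("Audit of sample policy:", audit_policy(load_policy(SAMPLE_POLICY_JSON)))
    print("Body to POST:", json.dumps(build_supplemental_policy("Defender AV - TDT and hashing"), indent=2))
```

The body from build_supplemental_policy is what you would POST to https://graph.microsoft.com/beta/deviceManagement/configurationPolicies with a bearer token holding DeviceManagementConfiguration.ReadWrite.All; audit_policy is the read side, run over each policy returned by GET on the same endpoint with its settings expanded, so that a fleet-wide review shows which policies actually carry the two settings rather than assuming they are on.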

Best Practices for Deployment

  • Regular Policy Review: Check your configuration regularly. Posts on platforms like X, LinkedIn and the MVP community indicate that these features are sometimes not enabled by default in all environments, or may be toggled off inadvertently during updates or other policy changes.
  • Performance Monitoring: After enabling these features, monitor system performance. Hardware acceleration should reduce CPU load, but it’s wise to verify this with system diagnostics or performance monitoring tools.
  • Training and Awareness: Ensure that your IT team understands the implications of hardware-based security features. Training sessions or documentation updates can help in