Microsoft Defender Compliance Checklist: Hardening Settings for Federal and Defense Environments

Why Microsoft Defender Configuration Is a Compliance Issue, Not Just a Security Issue

Most defense contractors and federal agency IT teams treat Microsoft Defender as a checkbox. It ships with Windows, it runs in the background, and the assumption is that default settings are good enough. They are not. In regulated environments operating under CMMC, NIST SP 800-171, DFARS 252.204-7012, or ITAR, the default configuration of Microsoft Defender leaves meaningful gaps that assessors will find and document.

This checklist is written for compliance managers and IT leads who need to move beyond default settings and harden Microsoft Defender in ways that satisfy federal and defense requirements. Every item below maps to real control families that auditors examine. If you are preparing for a C3PAO assessment or a DIBCAC review, start here.

For a broader look at how endpoint tools fit your overall security posture, our post on endpoint security fundamentals provides useful context before you work through this checklist.

Understanding the Regulatory Landscape Before You Configure

Before touching a single setting, your team needs clarity on which frameworks govern your environment. Defense contractors handling Controlled Unclassified Information must satisfy NIST SP 800-171 and, increasingly, CMMC Level 2. Federal agencies operate under FISMA and NIST SP 800-53. If your organization touches ITAR-controlled technical data, your Microsoft 365 environment may also need to operate within GCC High rather than commercial Microsoft 365 tenants.

Microsoft Defender compliance requirements differ slightly across these frameworks, but the core hardening actions overlap significantly. The checklist below is organized to address the broadest applicable set of controls. Our team regularly addresses these configurations as part of CMMC, CUI, and DFARS compliance engagements, and the settings listed here reflect what assessors are actively testing in 2025 and 2026.

Microsoft Defender Compliance Checklist: Core Hardening Settings

1. Enable and Verify Real-Time Protection

Real-time protection must be enabled and confirmed active across all endpoints. This is not optional under CMMC Level 2 or NIST SP 800-171. Verify the setting through Microsoft Intune or Group Policy, and confirm that users cannot disable it without administrative credentials. Document your enforcement method in your System Security Plan.

  • Confirm Real-Time Protection is set to Enabled via Intune compliance policy or Group Policy Object
  • Block user-level disablement through endpoint protection profiles
  • Alert on any disablement attempt through Microsoft Defender for Endpoint's alerting pipeline

2. Configure Cloud-Delivered Protection and Automatic Sample Submission

Cloud-delivered protection improves detection speed significantly. However, in environments handling CUI or ITAR-controlled data, automatic sample submission requires careful review. Samples may contain fragments of sensitive files. In GCC High environments, ensure that sample submission is configured to route within the FedRAMP-authorized boundary.

  • Enable Cloud-Delivered Protection at the High or Not Configured level (not Disabled)
  • Set Cloud Protection Timeout to 50 seconds or higher for thorough scanning
  • Review and document your Automatic Sample Submission setting based on data classification requirements
  • For CUI environments, consider setting sample submission to Send safe samples automatically rather than all samples

3. Enable Attack Surface Reduction Rules

Attack Surface Reduction (ASR) rules are among the most frequently misconfigured components in Microsoft Defender. Many organizations leave them in audit mode indefinitely. For CMMC compliance, audit mode does not satisfy the intent of the control. Rules must be enforced in block mode for the control to count toward your SPRS score.

  • Block executable content from email clients and webmail
  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block JavaScript and VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macros
  • Block credential stealing from the Windows local security authority subsystem
  • Block process creations originating from PSExec and WMI commands

Transition rules from Audit to Block mode systematically, testing each rule in a pilot group before broad deployment. Document exceptions with justification in your POA&M.
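As an added example (not part of the original checklist and not a Microsoft-provided script), the following PowerShell audits the eight ASR rules listed above on the local device and, for a pilot machine, moves any that are still in Audit mode into Block mode. The rule GUIDs are Microsoft's published ASR rule identifiers; the `$AsrRules` table and the two function names are this example's own, and the script assumes an elevated session with the built-in Defender module.

```powershell
# Added example, not from the original checklist. Requires the Defender module
# (ships with Windows) and an elevated PowerShell session.
# Rule GUIDs are Microsoft's published ASR rule identifiers; confirm them against
# the current ASR rule reference before rolling out.
$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

# Action codes as Get-MpPreference reports them (1 = Enabled, which is Block mode)
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns one object per checklist rule with its current mode on this device
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if (-not $ids[$i]) { continue }   # nothing configured yet
        $configured[([string]$ids[$i]).ToUpperInvariant()] = [int]$actions[$i]
    }
    foreach ($id in $AsrRules.Keys) {
        if ($configured.ContainsKey($id)) {
            $code = $configured[$id]
            $mode = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown ($code)" }
        } else {
            $mode = 'Not configured'
        }
        [pscustomobject]@{
            RuleId    = $id
            Rule      = $AsrRules[$id]
            Mode      = $mode
            Compliant = ($mode -eq 'Block')
        }
    }
}

function Set-AsrRulesToBlock {
    # Moves only the rules that are not already in Block mode. Add-MpPreference
    # merges with the existing rule list, where Set-MpPreference would replace it.
    param([switch]$WhatIf)
    $pending = @(Get-AsrRuleState | Where-Object { -not $_.Compliant })
    if ($pending.Count -eq 0) { Write-Host 'All checklist ASR rules are already in Block mode.'; return }
    foreach ($rule in $pending) {
        if ($WhatIf) { Write-Host "Would set '$($rule.Rule)' to Block"; continue }
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.RuleId -AttackSurfaceReductionRules_Actions 1
        Write-Host "Set '$($rule.Rule)' to Block"
    }
}

# Usage on a pilot device: review first, then enforce
Get-AsrRuleState | Format-Table Mode, Rule -AutoSize
# Set-AsrRulesToBlock -WhatIf   # preview, then run again without -WhatIf
```

On an Intune-managed fleet the enforcement half belongs in the Intune endpoint security (ASR) policy, which will overwrite local preferences; the local cmdlets are useful for the pilot-group testing the checklist calls for and for confirming that the policy actually landed on a device. Rules that report `Audit` or `Not configured` after the pilot are the ones to record as exceptions in the POA&M.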

4. Configure Tamper Protection

Tamper Protection prevents unauthorized changes to Defender settings, including disabling real-time protection or modifying exclusions. This is a direct control requirement under NIST SP 800-171 system and communications protection domains. Enable it via Microsoft Intune for managed devices. If you are managing Tamper Protection through Group Policy alone in a cloud-managed environment, you are likely doing it incorrectly.

  • Enable Tamper Protection through Microsoft Intune tenant-wide
  • Verify that Tamper Protection status is visible in the Microsoft Defender Security Center
  • Confirm that local administrator accounts cannot override Tamper Protection settings

5. Harden Exclusions and Review Them Regularly

Exclusions are one of the most common findings in defense contractor endpoint assessments. Every exclusion represents a blind spot. Assessors will ask you to justify each one. If your exclusion list was built by an IT vendor years ago and has never been reviewed, you have a compliance problem.

  • Audit and document all current exclusions by type: path, extension, process
  • Remove exclusions that lack documented business justification
  • Restrict the ability to add exclusions to privileged administrator accounts only
  • Schedule a quarterly exclusion review and document results

6. Enable Microsoft Defender for Endpoint Plan 2 Features Where Required

Base Defender antivirus is not sufficient for CMMC Level 2 or environments with significant CUI exposure. Microsoft Defender for Endpoint Plan 2 adds capabilities that directly map to NIST SP 800-171 controls, including endpoint detection and response, automated investigation, and threat and vulnerability management.

  • Enable Endpoint Detection and Response (EDR) and confirm sensor deployment on all in-scope devices
  • Configure Automated Investigation and Remediation to at least semi-automated mode
  • Enable Threat and Vulnerability Management and establish a remediation SLA for critical findings
  • Integrate Defender for Endpoint alerts into your SIEM or security monitoring workflow

This level of capability is also discussed in our post on aligning Microsoft Defender with CMMC Level 2 requirements.

7. Configure Network Protection

Network Protection extends Defender's capabilities to block connections to known malicious domains and IP addresses at the OS level. This is particularly relevant for defense environments where outbound exfiltration and command-and-control communications represent real threat vectors.

  • Set Network Protection to Enabled (Block mode), not Audit mode
  • Confirm enforcement through Intune or Group Policy
  • Review network protection alerts in Defender Security Center weekly
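The following PowerShell is an added example, not part of the original checklist or any vendor script. It reads the local Defender state through `Get-MpComputerStatus` and `Get-MpPreference` and scores checklist items 1, 2, 4, 5 and 7 on one device, so the same evidence can be collected on a pilot group before an assessor asks for it. The `Test-DefenderBaseline` function name and the approved-exclusion list are this example's own; the exclusion list is a constructed placeholder to be replaced with the documented exclusions from your SSP.

```powershell
# Added example, not from the original checklist. Run in an elevated session.
function Test-DefenderBaseline {
    param(
        # Exclusions with a documented business justification (constructed sample value)
        [string[]]$ApprovedExclusions = @('C:\ProgramData\ExampleApp\cache')
    )
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Defender waits 10 s for a cloud verdict by default; CloudExtendedTimeout adds up to 50 s more
    $cloudTimeoutTotal = 10 + [int]$pref.CloudExtendedTimeout

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Item, $Observed, [string]$Expected, [bool]$Pass) {
        $results.Add([pscustomobject]@{ Item = $Item; Observed = $Observed; Expected = $Expected; Pass = $Pass })
    }

    # Item 1: real-time protection active and not switched off in preferences
    Add-Check '1 Real-time protection enabled' $status.RealTimeProtectionEnabled 'True' ($status.RealTimeProtectionEnabled -eq $true)
    Add-Check '1 Real-time monitoring not disabled' $pref.DisableRealtimeMonitoring 'False' (-not $pref.DisableRealtimeMonitoring)

    # Item 2: cloud-delivered protection. MAPSReporting 0 = Disabled, 1 = Basic, 2 = Advanced;
    # CloudBlockLevel 0 = Default, 2 = High, 4 = High+, 6 = Zero tolerance;
    # SubmitSamplesConsent 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
    Add-Check '2 Cloud-delivered protection on' $pref.MAPSReporting 'not 0' ($pref.MAPSReporting -ne 0)
    Add-Check '2 Cloud block level High or above' $pref.CloudBlockLevel '2 or higher' ($pref.CloudBlockLevel -ge 2)
    Add-Check '2 Cloud timeout (total seconds)' $cloudTimeoutTotal '50 or more' ($cloudTimeoutTotal -ge 50)
    Add-Check '2 Sample submission reviewed for CUI' $pref.SubmitSamplesConsent 'not 3 (SendAllSamples)' ($pref.SubmitSamplesConsent -ne 3)

    # Item 4: Tamper Protection
    Add-Check '4 Tamper Protection' $status.IsTamperProtected 'True' ($status.IsTamperProtected -eq $true)

    # Item 5: every configured exclusion must appear on the documented list
    $exclusions = @()
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($value in @($pref.$kind)) {
            if ($value) { $exclusions += [pscustomobject]@{ Type = $kind; Value = $value } }
        }
    }
    $undocumented = @($exclusions | Where-Object { $ApprovedExclusions -notcontains $_.Value })
    Add-Check '5 Undocumented exclusions' "$($undocumented.Count) of $($exclusions.Count) ($($undocumented.Value -join '; '))" 'none' ($undocumented.Count -eq 0)

    # Item 7: Network Protection. 0 = Disabled, 1 = Enabled (block), 2 = Audit
    Add-Check '7 Network Protection in block mode' $pref.EnableNetworkProtection '1' ($pref.EnableNetworkProtection -eq 1)

    return $results
}

# Usage: print the scorecard and flag anything that belongs in the POA&M
$report = Test-DefenderBaseline
$report | Format-Table Item, Observed, Expected, Pass -AutoSize
if (@($report | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'One or more checklist items failed on this device; record them in the POA&M.'
}
```

The function reports the effective values, so exclusions and toggles pushed by Intune or Group Policy show up alongside anything added locally; that is what makes it useful for the quarterly exclusion review in item 5, where the question is not "what did we configure" but "what is actually excluded on the device".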

8. Enforce Device Compliance Policies Through Intune Integration

Defender alone is not sufficient. Compliance posture must be enforced at the device level through Microsoft Intune. A device that is not compliant with your Intune policy should be blocked from accessing corporate resources, including Microsoft 365 and any systems storing CUI.

  • Create Intune compliance policies that require Defender to be active and reporting healthy
  • Integrate compliance policy with Conditional Access to block non-compliant devices
  • Configure compliance policy to require minimum OS versions and encryption status

This integration is covered in detail in our post on enforcing device compliance policies in Microsoft Intune for CMMC and DFARS.

9. Enable and Monitor Microsoft Defender Audit Logs

Audit logging is non-negotiable under NIST SP 800-171 and CMMC. Defender generates substantial event data, but many organizations fail to route it to a central log repository or retain it for the required period.

  • Route Defender for Endpoint alerts and events to Microsoft Sentinel or your existing SIEM
  • Retain logs for a minimum of 90 days online and one year in archive, consistent with federal retention expectations
  • Establish alert triage procedures and assign ownership for Defender alert queues
  • Document log retention and review procedures in your SSP
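As an added example that is not part of the original checklist, the PowerShell below pulls the local Defender Antivirus operational log for the event IDs that matter most to items 1 and 9: real-time protection being disabled, configuration and exclusion changes, Tamper Protection blocks, and detections. Comparing what the endpoint recorded with what your SIEM received is a quick way to confirm the routing described above is actually working. The event IDs and log channel name are Microsoft's published values; the function names are this example's own.

```powershell
# Added example, not from the original checklist. Reads the local Defender
# Antivirus operational log so its contents can be reconciled against the SIEM.
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Published Defender Antivirus event IDs that should reach central logging
$WatchedEvents = @{
    1116 = 'Malware or unwanted software detected'
    1117 = 'Action taken on detected threat'
    5001 = 'Real-time protection disabled'
    5007 = 'Platform configuration changed (exclusions, feature toggles)'
    5013 = 'Tamper Protection blocked a configuration change'
}

function Get-DefenderAuditEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = $DefenderLog
        Id        = @($WatchedEvents.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; an empty result is valid here
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Meaning = $WatchedEvents[$e.Id]
            Detail  = ($e.Message -split "`r?`n")[0]   # first line of the event text
        }
    }
}

function Get-DefenderAuditSummary {
    # One row per watched event ID with a count, and whether each occurrence
    # should have produced an alert in the SIEM (disablement and config changes)
    param([int]$Days = 7)
    $events = @(Get-DefenderAuditEvents -Days $Days)
    foreach ($id in ($WatchedEvents.Keys | Sort-Object)) {
        $hits = @($events | Where-Object { $_.Id -eq $id })
        [pscustomobject]@{
            Id                = $id
            Meaning           = $WatchedEvents[$id]
            Count             = $hits.Count
            RequiresSiemAlert = ($id -in 5001, 5007, 5013)
        }
    }
}

# Usage: summarise the last 30 days, then list the change events individually
Get-DefenderAuditSummary -Days 30 | Format-Table -AutoSize
Get-DefenderAuditEvents -Days 30 | Where-Object Id -in 5001, 5007, 5013 | Format-Table Time, Id, Detail -Wrap
```

A non-zero count for 5001 or 5007 on a device with no matching alert in the SIEM is exactly the "detection capability functionally useless" gap listed later in this post. Note that this channel holds the antivirus engine's own events; Defender for Endpoint EDR alerts live in the cloud service and arrive in Sentinel through its connector rather than through the Windows event log.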

10. Document Everything in Your System Security Plan

Technical controls mean nothing to an assessor if they are not documented. Your SSP must reflect the current state of your Defender configuration, including which settings are enforced, how, and through what management tool. If you have open items, they belong in your POA&M with realistic remediation dates.

For a deeper dive into what SSP and POA&M documentation must include, our post on SSP and POA&M as critical compliance components is a practical starting point.

Common Microsoft Defender Compliance Gaps We See in Defense Environments

Based on assessments conducted across the defense industrial base, these are the most frequently cited Defender-related findings:

  • ASR rules left in Audit mode for months or years with no remediation plan
  • Tamper Protection disabled on servers and workstations that were exempted during initial deployment
  • Unreviewed exclusion lists containing broad path exclusions added during legacy application migrations
  • No EDR deployment on servers, leaving a significant detection gap for lateral movement
  • Defender alerts not routed to any monitoring tool, rendering the detection capability functionally useless
  • Missing documentation connecting Defender configuration to specific NIST SP 800-171 controls

If any of these sound familiar, the risk is real. Our federal risk assessment services are designed to surface exactly these gaps before an assessor does.

Microsoft Defender Compliance in the Context of Your Broader Security Program

Hardening Microsoft Defender is one layer of a defense-in-depth strategy. It does not replace data loss prevention, identity governance, or network segmentation. For organizations managing CUI, the Defender configuration needs to be viewed alongside your Microsoft Purview settings, your Conditional Access policies, and your data loss prevention strategy.

For defense contractors in the aerospace and defense sector, endpoint hardening also intersects with ITAR requirements around technical data access controls. Our work with clients in the federal and defense industry consistently shows that Defender hardening is most effective when it is embedded in a broader compliance program rather than treated as a standalone IT task.

Take the Next Step Toward Microsoft Defender Compliance

If your organization is preparing for a CMMC assessment, a DIBCAC audit, or simply needs to validate that your Microsoft Defender configuration meets current federal and defense standards, Cleared Systems can help. Our team provides hands-on configuration support, gap assessments, and ongoing regulatory vCISO services that keep your endpoint posture aligned with evolving requirements. Request a quote today and let us help you close the gaps before your assessor finds them.
