Managed Antivirus offers two modes in which to manage Microsoft Defender Antivirus on your endpoints. The mode determines whether you are using Managed Antivirus for visibility only or active configuration of Microsoft Defender Antivirus. The mode only determines if you want Huntress to be the tool enforcing Microsoft Defender policies. Regardless of the mode, the Huntress 24/7 SOC will be reviewing any suspicious Defender activity that occurs.
Audit Mode is the read-only default mode for all endpoints. This mode provides visibility into the current state of Microsoft Defender Antivirus on your managed endpoints.
In this mode, Huntress does not make changes to any settings that are on the endpoint. Any configuration that is set in the Policy Configuration modal is not applied.
Enforce mode is what allows Huntress to begin actively changing and enforcing Defender settings. In this mode, Huntress compares what currently exists on the endpoint and what is set in the Huntress Managed AV Policy Configuration modal for the host.
In this mode, if there are settings that do not match, Huntress will actively set the setting on the host to match what is configured in the Policy Configuration.
Policy Mode Inheritance
Partners now have the ability to set the Enforce and Audit mode at an Account or Organization level. When set at this level, hosts that are configured to Inherit will receive the mode that is set at the Account or Organization levels.
More information on Inheritance for Managed Antivirus can be found here.
What mode does a new host receive when it is added to Huntress?
Inheritance for the Enforce / Audit mode allows new hosts to immediately receive the setting that is set at the Account or Organization levels. New hosts by default will be added with "Inherit" as its mode setting in order to easily ensure the mode is properly set for all new hosts.
How do I set multiple hosts to inherit their policy mode?
A bulk action is available on the Managed AV dashboard at either an Account or Organization level. By bulk selecting multiple hosts, you can use the MAV Actions on the top right of the table and select "Inherit Policy Mode"; this will ensure that all hosts will inherit their Policy Mode setting from their Organization or Account.
What if I do not want to inherit the mode for some of my hosts?
All hosts also have an option for a host-level override where you can explicitly set the mode for each individual host. This can be done by going into the Host Antivirus page under Policy Status
For partners who had Managed AV prior to inheritance, the mode for all hosts is preserved with a host-level override.