How to Configure Suspicious File Blocking in Microsoft Defender Using Intune

Learn to create and deploy Microsoft Defender Antivirus policies in Intune to control suspicious file blocking levels, from balanced protection to zero tolerance, for enhanced endpoint security.

April 16, 2026 | 15 min read | 9 steps | Difficulty: medium | Topic: microsoft-defender

Why Configure Suspicious File Blocking in Microsoft Defender?

Modern cyber threats increasingly rely on unknown or suspicious files that traditional signature-based detection cannot identify. Microsoft Defender's suspicious file blocking capability leverages cloud-based machine learning and behavioral analysis to identify and block potentially malicious files before they can execute on your endpoints.

The Cloud Block Level feature in Microsoft Defender Antivirus provides granular control over how aggressively the system blocks unknown files. By configuring this through Microsoft Intune, you can centrally manage protection levels across your entire Windows fleet, from balanced protection that minimizes false positives to zero-tolerance blocking that stops all unknown executables.

What Makes Cloud-Based File Blocking Effective?

Unlike traditional antivirus that relies solely on known malware signatures, cloud-based suspicious file blocking analyzes file behavior, reputation, and metadata in real-time. When a user attempts to execute an unknown file, Defender queries Microsoft's cloud intelligence platform, which processes millions of samples daily to make informed blocking decisions within seconds.

This approach is particularly effective against zero-day threats, fileless malware, and sophisticated attack techniques that attempt to evade traditional detection methods. The integration with Microsoft Defender for Endpoint further enhances this capability by providing additional context and automated response actions.

How Does Intune Simplify Defender Management?

Managing Microsoft Defender settings across hundreds or thousands of endpoints traditionally required complex Group Policy configurations or manual interventions. Intune's endpoint security policies streamline this process by providing a centralized, cloud-based management platform that can deploy consistent security configurations regardless of device location or domain membership.

The integration between Intune and Microsoft Defender for Endpoint creates a unified security management experience where policy deployment, compliance monitoring, and threat response can all be managed from a single console. This tutorial will walk you through the complete process of implementing enterprise-grade suspicious file blocking using these integrated Microsoft security tools.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Navigate to Endpoint Security

Start by signing into the Microsoft Intune admin center where you'll create and manage your Defender policies.

Open your web browser and navigate to https://intune.microsoft.com. Sign in with your admin credentials that have Intune Administrator or Global Administrator permissions.

Once logged in, locate the left navigation panel and click on Endpoint security. This section contains all security-related policies including antivirus configurations.

Under the Manage section, click on Antivirus. This is where you'll create your suspicious file blocking policy.

Pro tip: Bookmark the Intune admin center for quick access. You'll be using it frequently for policy management and monitoring.

Verification: You should see the Antivirus policies overview page with options to create new policies and view existing ones.

02

Create a New Microsoft Defender Antivirus Policy

Now you'll create a new antivirus policy specifically for configuring suspicious file blocking settings.

Click the Create Policy button at the top of the Antivirus policies page.

In the policy creation wizard:

  • Select Platform: Windows 10 and later
  • Choose Profile: Microsoft Defender Antivirus
  • Click Create

On the Basics page, enter the following information:

Name: Suspicious File Block - High Level Protection
Description: Configures Microsoft Defender to aggressively block suspicious files using cloud-based detection with High block level (0x2)

Click Next to proceed to the configuration settings.

Warning: Choose descriptive names for your policies. You'll likely have multiple Defender policies, and clear naming helps with management and troubleshooting.

Verification: You should now be on the Configuration settings page with various Microsoft Defender options available.

03

Configure Cloud Block Level Settings

This is the core step where you'll configure the suspicious file blocking behavior. The Cloud Block Level determines how aggressively Defender blocks unknown or suspicious files.

Scroll through the configuration settings to locate the Cloud Block Level option. This setting controls the CSP value (CloudBlockLevel) that determines blocking aggressiveness.

Configure the following essential settings:

Cloud Block Level: High (0x2)
Allow cloud protection: Yes
Cloud Extended Timeout: 10 seconds

Here's what each Cloud Block Level means:

Level            Value  Description                                  Use Case
Not configured   0x0    System default, minimal blocking             Basic protection
High             0x2    Aggressive blocking, optimized performance   Recommended for most environments
High Plus        0x4    More aggressive, may impact performance      High-security environments
Zero Tolerance   0x6    Blocks all unknown executables               Maximum security, high false positives

For most organizations, High (0x2) provides the best balance of security and usability.

Pro tip: Start with High level and monitor for false positives before considering High Plus or Zero Tolerance. You can always increase the security level later.

Verification: Ensure Cloud Block Level is set to High and Allow cloud protection is enabled before proceeding.

04

Configure Additional Protection Settings

Beyond the core Cloud Block Level, configure additional settings that enhance suspicious file detection and blocking capabilities.

Locate and configure these additional settings in the same policy:

Block at First Sight: Yes
Submit samples consent: Send all samples automatically
Cloud Extended Timeout: 10 seconds
Potentially Unwanted Application Protection: Enabled

These settings work together to provide comprehensive protection:

  • Block at First Sight: Immediately blocks files that have never been seen before while cloud analysis occurs
  • Submit samples consent: Allows automatic sample submission for better threat intelligence
  • Cloud Extended Timeout: Gives cloud analysis more time for thorough scanning (10-50 seconds recommended)
  • PUA Protection: Blocks potentially unwanted applications like adware and browser hijackers

Warning: If tamper protection is enabled on target devices, these policy changes may not apply. You'll need to disable tamper protection first or configure it through Intune as well.

Verification: Review all configured settings to ensure they align with your security requirements before proceeding to assignments.

05

Assign the Policy to Target Groups

Now you'll assign your suspicious file blocking policy to specific device or user groups to control which endpoints receive these settings.

Click Next to reach the Assignments page.

Choose your assignment strategy:

Include groups: Select target groups
- All Windows Devices (for organization-wide deployment)
- Pilot Group - Security Testing (for initial testing)
- High Security Workstations (for sensitive environments)

Exclude groups: (Optional)
- Developer Workstations (if they need different settings)
- Legacy Systems (if compatibility issues exist)

Click Select groups to include and choose your target groups. For initial deployment, consider starting with a pilot group:

  • Search for and select your pilot group (e.g., "IT Security Team")
  • Click Select to confirm

If you need to exclude specific groups, click Select groups to exclude and follow the same process.

Pro tip: Always test new security policies with a small pilot group first. This helps identify potential issues before organization-wide deployment.

Verification: Confirm your selected groups appear in the assignments summary before proceeding.

06

Review and Deploy the Policy

Before deploying your suspicious file blocking policy, review all configurations to ensure they meet your security requirements.

Click Next to reach the Review + create page.

Carefully review the policy summary:

Policy Details:
- Name: Suspicious File Block - High Level Protection
- Platform: Windows 10 and later
- Profile: Microsoft Defender Antivirus
- Cloud Block Level: High (0x2)
- Target Groups: [Your selected groups]
- Additional Settings: Block at First Sight, PUA Protection enabled

If everything looks correct, click Create to deploy the policy.

The policy will now be created and begin deploying to assigned devices. This process typically takes 15-60 minutes depending on device check-in frequency.

Warning: Once deployed, this policy will immediately start blocking suspicious files on target devices. Ensure your help desk is prepared for potential user reports of blocked legitimate software.

Verification: You should see a confirmation message that the policy was created successfully, and it will appear in your Antivirus policies list.

07

Configure Microsoft Defender for Endpoint Integration (Optional but Recommended)

For enhanced protection and better visibility, integrate your suspicious file blocking with Microsoft Defender for Endpoint (MDE) if you have the appropriate licensing.

Navigate to Endpoint security > Endpoint detection and response in the Intune admin center.

Click on EDR Onboarding Status tab, then select Deploy preconfigured policy.

Configure the EDR onboarding policy:

Platform: Windows 10 and later
Profile: Endpoint detection and response
Configuration method: Auto from connector
Sample Sharing: All
Block level: Low (balanced approach)
Telemetry reporting frequency: Normal

This integration provides several benefits:

  • Enhanced threat detection and response capabilities
  • Centralized security event monitoring
  • Automated investigation and remediation
  • Better context for suspicious file blocking decisions

Assign this policy to the same groups as your antivirus policy for consistent coverage.

Pro tip: MDE integration significantly improves your security posture. The additional telemetry helps fine-tune your suspicious file blocking policies based on real threat data.

Verification: Check the EDR Onboarding Status to confirm devices are successfully onboarded to Defender for Endpoint.

08

Monitor Policy Deployment and Compliance

After deploying your suspicious file blocking policy, monitor its deployment status and device compliance to ensure proper implementation.

Return to Endpoint security > Antivirus and click on your newly created policy.

Review the policy overview dashboard which shows:

Deployment Status:
- Assignment success: X devices
- Assignment pending: Y devices
- Assignment failed: Z devices
- Not applicable: N devices

Compliance Status:
- Compliant: Devices properly configured
- Non-compliant: Devices with configuration issues
- Error: Devices with deployment errors

Click on Device status to see detailed per-device information. Look for:

  • Devices showing "Success" status
  • Any devices with "Error" or "Conflict" status that need attention
  • Last check-in times to ensure devices are actively managed

For devices showing errors, common issues include:

  • Tamper protection blocking policy application
  • Conflicting Group Policy settings
  • Device not properly enrolled in Intune

Warning: Non-compliant devices may not have proper suspicious file blocking protection. Address compliance issues promptly to maintain security coverage.

Verification: Run this PowerShell command on a target device to confirm the policy applied:

Get-MpPreference | Select-Object CloudBlockLevel, MAPSReporting, SubmitSamplesConsent

09
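The one-liner above shows the raw values; the script below, an added example that is not part of the original article, compares every setting this tutorial configures against the live device and reports drift. The expected values (CloudBlockLevel 2, MAPSReporting 2 for "Allow cloud protection", SubmitSamplesConsent 3, PUAProtection 1) are assumptions based on the policy built in steps 03 and 04; adjust them if your policy differs.

```powershell
# Added example (not from the original article): check a device's live
# Defender preferences against the values the Intune policy is meant to set.
# Run in an elevated PowerShell session on an enrolled device.

$expected = @{
    CloudBlockLevel         = 2       # High (0x2), assumed from step 03
    MAPSReporting           = 2       # Advanced MAPS = "Allow cloud protection: Yes" (assumption)
    SubmitSamplesConsent    = 3       # Send all samples automatically
    DisableBlockAtFirstSeen = $false  # Block at First Sight enabled
    CloudExtendedTimeout    = 10      # seconds
    PUAProtection           = 1       # PUA protection enabled (block mode)
}

# Names for CloudBlockLevel values, as listed in the table in step 03
$blockLevelNames = @{ 0 = 'Not configured'; 2 = 'High'; 4 = 'High Plus'; 6 = 'Zero Tolerance' }

$pref  = Get-MpPreference
$drift = @()

foreach ($name in $expected.Keys) {
    $actual = $pref.$name
    # String comparison handles booleans, bytes and uint32 uniformly
    if ("$actual" -ne "$($expected[$name])") {
        $drift += [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
    }
}

$levelName = $blockLevelNames[[int]$pref.CloudBlockLevel]
if (-not $levelName) { $levelName = 'Unknown' }
Write-Host ("CloudBlockLevel = {0} ({1})" -f $pref.CloudBlockLevel, $levelName)

if ($drift.Count -eq 0) {
    Write-Host 'All checked settings match the policy.'
} else {
    Write-Warning 'Settings differ from the policy (check tamper protection, Group Policy conflicts, or enrolment):'
    $drift | Format-Table -AutoSize
}

# Engine-level state: tamper protection status and whether real-time protection is running
Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
```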

Test and Validate Suspicious File Blocking

Validate that your suspicious file blocking policy is working correctly by testing with safe methods and monitoring security events.

Use the EICAR test file to verify antivirus functionality (this is a harmless test file recognized by all antivirus solutions):

# Download EICAR test file (safe test); create the target folder first so the download path exists
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
Invoke-WebRequest -Uri "https://secure.eicar.org/eicar.com.txt" -OutFile "C:\temp\eicar.txt"

This should be immediately blocked and quarantined by Defender.

Monitor suspicious file blocking events through multiple channels:

Windows Event Viewer:

Event Log: Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
Event IDs to monitor:
- 1116: Malware detected
- 1117: Action taken on malware
- 2001: Real-time protection configuration changed
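To collect these events from a device without clicking through Event Viewer, here is an added example (not from the original article) that queries the Operational log for IDs 1116, 1117 and 2001 and tabulates the threat name, path and action taken. The 24-hour window and the field names read from the event XML are assumptions; the detail fields are present on 1116/1117 events and empty for 2001.

```powershell
# Added example (not from the original article): summarise recent Defender
# detection (1116), action (1117) and configuration-change (2001) events.
# Run in an elevated PowerShell session on the device.

$logName = 'Microsoft-Windows-Windows Defender/Operational'
$since   = (Get-Date).AddHours(-24)   # window is an assumption; adjust as needed

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 1116, 1117, 2001
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No detection or configuration events since $since."
    return
}

$meaning = @{
    1116 = 'Malware detected'
    1117 = 'Action taken on malware'
    2001 = 'Real-time protection configuration changed'
}

# The XML view of each event exposes its detail fields as named Data items
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Meaning = $meaning[$e.Id]
        Threat  = $data['Threat Name']
        Path    = $data['Path']
        Action  = $data['Action Name']
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Count per event ID: a burst of 1116/1117 right after deployment is expected
# (the EICAR test produces both); repeated 2001 events deserve a closer look.
$rows | Group-Object Id | Select-Object Name, Count
```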

Microsoft 365 Defender Portal:

  • Navigate to https://security.microsoft.com
  • Go to Incidents & alerts > Alerts
  • Filter for Microsoft Defender Antivirus alerts
  • Review blocked file events and their details

Intune Reporting:

  • Check Reports > Endpoint security > Antivirus
  • Review detected threats and policy compliance

Pro tip: Set up automated alerts in the Microsoft 365 Defender portal to notify your security team when suspicious files are blocked. This helps with incident response and policy tuning.

Verification: Confirm that test files are blocked and that you can see the events in both Windows Event Viewer and the Microsoft 365 Defender portal.

Frequently Asked Questions

What is the difference between High and Zero Tolerance cloud block levels in Microsoft Defender?

High block level (0x2) provides aggressive blocking of suspicious files while maintaining optimized performance and reasonable false positive rates. Zero Tolerance (0x6) blocks all unknown executables regardless of reputation, providing maximum security but significantly higher false positive rates. High is recommended for most organizations as it balances security and usability effectively.

Why might my Microsoft Defender suspicious file blocking policy not apply to some devices?

The most common reason is tamper protection being enabled on target devices, which prevents policy changes from external sources. Other causes include conflicting Group Policy settings, devices not properly enrolled in Intune, or cloud protection being disabled. Check the device compliance status in Intune and verify tamper protection settings through the Microsoft 365 Defender portal.

How long does it take for suspicious file blocking policies to apply after deployment in Intune?

Intune policies typically apply within 15-60 minutes after deployment, depending on device check-in frequency. Devices check for policy updates every 8 hours by default, but you can force immediate sync through the Intune admin center or by running 'Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask' on the target device.

Can I exclude specific files or applications from suspicious file blocking in Microsoft Defender?

Yes, you can create separate Microsoft Defender Antivirus exclusion policies in Intune to exclude specific processes, file extensions, or paths. Configure exclusions for ExcludedProcesses, ExcludedExtensions (like .lib or .obj), or ExcludedPaths. However, use exclusions sparingly as they can create security gaps. Always document exclusions and review them regularly.

What Microsoft licenses are required for suspicious file blocking with Intune and Defender?

You need Microsoft Intune licensing (included in Microsoft 365 E3/E5 or standalone) for policy management and deployment. Microsoft Defender Antivirus is included with Windows 10/11 at no additional cost. For enhanced features like EDR integration and advanced threat hunting, Microsoft Defender for Endpoint P1 or P2 licensing is required. Microsoft 365 E5 includes all necessary components.
