How to Enable Advanced Ransomware Protection in Microsoft Intune 2026

Configure Microsoft Defender's advanced ransomware protection through Intune's endpoint protection policies. Deploy Block-level protection to Windows 10+ devices with proper verification and monitoring.

March 26, 2026 · Difficulty: hard · 10 steps · 15 min

Why Configure Advanced Ransomware Protection in Microsoft Intune?

Ransomware attacks have evolved into one of the most devastating cybersecurity threats facing organizations today. Microsoft Intune's advanced ransomware protection provides enterprise-grade defense by leveraging Microsoft Defender's heuristics and machine learning capabilities. This protection goes beyond traditional signature-based detection, using behavioral analysis to identify and block ransomware activity in real time.

What Makes Microsoft Defender's Ransomware Protection Advanced?

The advanced protection feature combines client-side and cloud-based intelligence to detect ransomware behaviors before they can encrypt your data. Unlike basic antivirus solutions, this system monitors file system activities, process behaviors, and network communications to identify ransomware patterns. When configured through Intune, you gain centralized management across all Windows devices in your organization, ensuring consistent protection policies and simplified administration.

How Does Intune Integration Enhance Security Management?

Managing ransomware protection through Microsoft Intune provides several critical advantages. You can deploy consistent security policies across thousands of devices, monitor protection status from a single dashboard, and ensure that security settings cannot be tampered with locally. The integration with Microsoft's cloud intelligence means your devices benefit from global threat intelligence and rapid response to emerging ransomware variants. This tutorial will guide you through configuring Block-level protection, the strongest setting that automatically stops ransomware activities without user intervention, providing maximum security for your organization's critical data and systems.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Navigate to Device Configuration

Start by logging into the Microsoft Intune admin center where you'll create the ransomware protection policy.

Open your browser and navigate to https://endpoint.microsoft.com. Sign in using your administrator credentials that have Intune management permissions.

Once logged in, navigate to the device configuration section:

  1. Click Devices in the left navigation pane
  2. Select Configuration from the submenu
  3. Click the + Create button
  4. Choose New policy from the dropdown

This opens the policy creation wizard where you'll configure the ransomware protection settings.

Pro tip: Bookmark the Intune admin center URL for quick access. The interface updates frequently, so familiarize yourself with the current navigation structure.

Verification: You should see the "Create a profile" page with platform and profile type selection options available.

02

Select Platform and Profile Type for Endpoint Protection

Configure the policy foundation by selecting the appropriate platform and protection profile type.

In the "Create a profile" dialog:

  1. Set Platform to Windows 10 and later
  2. Under Profile type, select Templates
  3. Choose Endpoint protection from the template list
  4. Click Create to proceed

The endpoint protection template provides comprehensive security settings including the advanced ransomware protection we need to configure.

Warning: Don't select "Settings catalog" unless you need granular control over specific settings. The endpoint protection template is the recommended approach for ransomware protection.

Alternatively, if you prefer the Settings catalog approach:

  1. Select Profile type as Settings catalog
  2. This gives you more granular control but requires more configuration steps

Verification: The policy creation wizard should advance to the "Basics" configuration page where you can name your policy.

03

Configure Policy Basics and Naming Convention

Establish clear policy identification and description for easy management and troubleshooting.

On the "Basics" page, configure the following:

  • Name: Advanced Ransomware Protection - Windows Devices
  • Description: Enables Microsoft Defender advanced ransomware protection with Block-level enforcement for all managed Windows 10/11 devices. Automatically stops ransomware-like activities using client and cloud heuristics.

Use a consistent naming convention that includes:

  • The security feature being configured
  • The target device platform
  • The enforcement level (Block, Audit, Warn)

Example naming patterns:

Advanced Ransomware Protection - Block Mode - Windows
Ransomware Defense - Audit Only - Test Group
Defender Ransomware - Warn Mode - Pilot Devices

Pro tip: Include the enforcement level in the policy name. This helps administrators quickly identify the protection level when reviewing multiple policies.

Click Next to proceed to the configuration settings.

Verification: The policy name appears in the breadcrumb navigation, and you should see the "Configuration settings" page load.

04

Navigate to Microsoft Defender Antivirus Ransomware Settings

Locate and access the specific ransomware protection settings within the endpoint protection configuration.

On the "Configuration settings" page, you'll see multiple categories of security settings. Navigate to the ransomware protection options:

  1. Scroll down to find Microsoft Defender Antivirus section
  2. Expand the section if it's collapsed
  3. Look for Rules to protect against ransomware or similar wording
  4. Click to expand this subsection

If using the Settings catalog approach instead:

  1. Click + Add settings
  2. In the settings picker, search for ransomware
  3. Select Defender > Use advanced protection against ransomware
  4. Click Add to include it in your policy

The ransomware protection setting controls how Microsoft Defender responds to potential ransomware activities on managed devices.

Warning: Some Intune interfaces may show this setting under different paths. If you can't find "Rules to protect against ransomware," search for "advanced protection against ransomware" in the settings catalog.

Verification: You should see the ransomware protection setting with a dropdown menu containing options like "Not configured," "Audit only," "Warn," and "Block."

05

Configure Advanced Ransomware Protection Level

Set the appropriate protection level based on your organization's security requirements and risk tolerance.

In the ransomware protection setting, you'll see these options:

Protection Level | Behavior                                        | Use Case
-----------------|-------------------------------------------------|-----------------------------------------
Not configured   | Uses device default settings                    | When other policies manage this setting
Audit only       | Logs ransomware activities without blocking     | Testing and monitoring phase
Warn             | Prompts user before allowing suspicious actions | Environments requiring user interaction
Block            | Automatically stops ransomware-like activities  | Production environments (recommended)

For maximum protection, configure the setting:

  1. Click the dropdown for Use advanced protection against ransomware
  2. Select Block for the highest security level
  3. This enables automatic blocking of ransomware-like behaviors using both client-side and cloud-based heuristics

The Block setting provides:

  • Real-time protection against file encryption attempts
  • Automatic quarantine of suspicious processes
  • Integration with Microsoft's cloud intelligence
  • Immediate threat response without user intervention

Pro tip: Start with "Audit only" in a test environment to understand the impact before deploying "Block" mode to production devices. Monitor the audit logs for false positives.

Verification: The setting should show "Block" as selected, and you should see additional configuration options if available for your Intune version.
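
The four dropdown values above have a local equivalent on each device, which is useful for trying the audit-first rollout on a single test machine before the Intune policy lands. The script below is an added example, not code from the original tutorial: it assumes the Intune setting "Use advanced protection against ransomware" corresponds to the Defender attack surface reduction (ASR) rule with the GUID shown, and that the `Get-RansomwareRuleState` helper is ours, not a built-in cmdlet.

```powershell
# Added example (not from the original tutorial). Maps the Intune dropdown values to the
# local ASR action for "Use advanced protection against ransomware" and walks a test
# device through Audit only -> Block. Requires an elevated PowerShell session.
$RansomwareRuleId = 'c1db55ab-c21a-4637-bb3f-a12568109d35'   # ASR rule GUID (assumed mapping)

# Local action value -> Intune dropdown wording
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit only'; 6 = 'Warn' }

function Get-RansomwareRuleState {
    # Helper defined here (not a Defender cmdlet): reports the current local action for the rule
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RansomwareRuleId) {
            $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            if ($ActionNames.ContainsKey($action)) { return $ActionNames[$action] }
            return "Unknown ($action)"
        }
    }
    return 'Not configured'
}

"Before: $(Get-RansomwareRuleState)"

# Step 1 of the rollout: Audit only, so suspicious activity is logged but nothing is blocked
Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareRuleId -AttackSurfaceReductionRules_Actions AuditMode
"After audit setting: $(Get-RansomwareRuleState)"

# Step 2, once the audit events have been reviewed for false positives: Block
Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareRuleId -AttackSurfaceReductionRules_Actions Enabled
"After block setting: $(Get-RansomwareRuleState)"
```

If the device is already receiving this setting from Intune, or Tamper Protection is on, the local change is either rejected or reverted at the next policy sync; `Get-RansomwareRuleState` then shows the managed value rather than the one you set, which is itself a useful confirmation that management is working.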

06

Configure Additional Defender Settings and Exclusions

Optimize the ransomware protection by configuring complementary security settings and necessary exclusions.

While still in the Microsoft Defender Antivirus section, review and configure these related settings:

Tamper Protection (Recommended)

  1. Find Tamper Protection setting
  2. Set to Enable to prevent local changes to security settings
  3. This prevents ransomware from disabling Defender protection

Cloud Protection Level

  1. Locate Cloud-delivered protection level
  2. Set to High or High plus for enhanced detection
  3. This improves ransomware detection using Microsoft's cloud intelligence

File and Folder Exclusions (If Needed)

If your organization has legitimate applications that might trigger false positives:

Example exclusions (configure only if necessary):

C:\MyApp\Data\*
*.myappextension
C:\LegitimateBackupTool\

Warning: Be extremely cautious with exclusions. Each exclusion creates a potential attack vector. Only add exclusions after thorough testing and approval from your security team.

Additional recommended settings:

  • Real-time protection: Enable
  • Behavior monitoring: Enable
  • Network inspection system: Enable
  • Script scanning: Enable

Verification: Review all configured settings in the summary view. Tamper Protection should be enabled, and cloud protection should be set to High level.

07

Assign Policy to Target Device Groups

Deploy the ransomware protection policy to the appropriate device groups in your organization.

Click Next to reach the "Assignments" page. Here you'll specify which devices receive this protection policy.

Recommended Assignment Strategy

  1. Click + Add groups under "Included groups"
  2. Select your target groups

Recommended group assignments:

- All Windows Devices (for organization-wide protection)
- Critical Business Systems (for high-value targets)
- Executive Devices (for high-risk users)
- Finance Department Devices (for sensitive data access)

Phased Deployment Approach

For large organizations, consider a phased rollout:

  1. Phase 1: IT Department devices (10-20 devices)
  2. Phase 2: Pilot group (100-200 devices)
  3. Phase 3: Department by department
  4. Phase 4: Organization-wide deployment

Exclusion Groups (If Needed)

If certain devices need different protection levels:

  1. Click + Add groups under "Excluded groups"
  2. Select groups that should not receive this policy
  3. Example: Test devices, kiosk systems, or devices with conflicting security software

Pro tip: Use Azure AD dynamic groups based on device properties (OS version, department, device type) to automatically assign policies as new devices are enrolled.

Verification: The assignment summary should show your selected included and excluded groups with the expected device count for each group.
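
The dynamic groups from the pro tip above can be created with Microsoft Graph PowerShell so that the pilot and organization-wide groups fill themselves as devices enroll. This is an added example, not part of the original tutorial: the group names, the `PILOT-` device-name prefix, the `New-DynamicDeviceGroup` helper and the `Group.ReadWrite.All` scope are illustrative assumptions; `New-MgGroup` and the membership rule syntax are the real Graph cmdlet and rule language.

```powershell
# Added example (not from the original tutorial): dynamic Azure AD device groups for the
# phased rollout, created through the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-DynamicDeviceGroup {
    # Helper defined here (not a Graph cmdlet): wraps New-MgGroup for a dynamic, security-only group
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule,
        [string]$Description = ''
    )
    # The mail nickname must be unique and contain no spaces; derive it from the display name
    $nickname = $DisplayName -replace '[^A-Za-z0-9]', ''
    New-MgGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled:$false -MailNickname $nickname -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
}

# Phase 2 pilot: Windows devices whose name starts with PILOT- (naming convention assumed)
New-DynamicDeviceGroup -DisplayName 'Ransomware Protection - Pilot Devices' `
    -Description 'Phase 2 pilot for the Advanced Ransomware Protection policy' `
    -MembershipRule '(device.deviceOSType -eq "Windows") and (device.displayName -startsWith "PILOT-")'

# Phase 4: every Windows 10/11 device (both report an OS version beginning with 10.0)
New-DynamicDeviceGroup -DisplayName 'All Windows Devices' `
    -Description 'Organization-wide target for the Advanced Ransomware Protection policy' `
    -MembershipRule '(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0")'
```

Membership is evaluated by the directory in the background, so the device counts shown on the Intune "Assignments" page may lag a few minutes behind group creation.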

08

Review and Create the Ransomware Protection Policy

Perform a final review of all policy settings before deployment to ensure correct configuration.

Click Next to reach the "Review + create" page. This page displays a comprehensive summary of your policy configuration.

Review Checklist

Verify the following settings are correct:

  • Policy name: Clear and descriptive
  • Platform: Windows 10 and later
  • Ransomware protection: Set to "Block" (or your chosen level)
  • Tamper protection: Enabled
  • Cloud protection: High level
  • Target groups: Appropriate device groups selected
  • Exclusions: Minimal and justified

Policy Configuration Summary

{
  "policyName": "Advanced Ransomware Protection - Windows Devices",
  "platform": "Windows 10 and later",
  "profileType": "Endpoint protection",
  "ransomwareProtection": "Block",
  "tamperProtection": "Enabled",
  "cloudProtection": "High",
  "assignedGroups": ["All Windows Devices"],
  "excludedGroups": []
}

Once you've verified all settings:

  1. Click Create to deploy the policy
  2. The policy will be created and begin deploying to assigned devices
  3. You'll be redirected to the policy overview page

Warning: Once created, the policy immediately begins deploying to assigned devices. Ensure all settings are correct before clicking Create, as changes require policy updates.

Verification: The policy appears in the Configuration profiles list with a "Deployment status" showing the rollout progress to target devices.

09

Monitor Policy Deployment and Device Compliance

Track the policy deployment progress and verify that devices are receiving and applying the ransomware protection settings.

Monitor Deployment Status

  1. In the Intune admin center, navigate to Devices > Configuration
  2. Click on your "Advanced Ransomware Protection" policy
  3. Review the Overview tab for deployment statistics

The overview shows:

  • Assignment status: Success, Error, Conflict counts
  • Device status: Compliant vs non-compliant devices
  • User status: Users affected by the policy

Check Individual Device Status

  1. Click the Device status tab
  2. Review individual device compliance
  3. Look for devices showing "Error" or "Conflict" status

Common status indicators:

✓ Success: Policy applied successfully
⚠ Pending: Policy deployment in progress
✗ Error: Policy failed to apply
⚡ Conflict: Conflicting policies detected

Verify Protection in Microsoft Defender Portal

  1. Navigate to https://security.microsoft.com
  2. Go to Settings > Endpoints > Advanced features
  3. Verify that ransomware protection is active
  4. Check the Vulnerability management dashboard for security posture

Pro tip: Set up automated reports in the Defender portal to receive weekly summaries of ransomware protection status across your organization.

Verification: Run this PowerShell command on a test device to confirm the policy is applied:

# Reports the Defender preferences on the local device; run from an elevated PowerShell session
Get-MpPreference | Select-Object EnableControlledFolderAccess, AttackSurfaceReductionRules_RuleSpecificExclusions

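
A single read-only check that compares the device against the review checklist from step 08 (ransomware rule, Tamper Protection, cloud protection level, real-time protection, behavior monitoring, network inspection, exclusions) is more useful than one property at a time. The script below is an added example, not from the original tutorial: `Test-RansomwareProtectionPolicy` is our helper, the ransomware setting is assumed to be the ASR rule with the GUID shown, and the `CloudBlockLevel` numeric values follow the Defender documentation.

```powershell
# Added example (not from the original tutorial). Uses only Get-* cmdlets, so it is safe to
# run on any managed Windows 10/11 device from an elevated PowerShell session.
$RansomwareRuleId = 'c1db55ab-c21a-4637-bb3f-a12568109d35'   # ASR rule "Use advanced protection against ransomware" (assumed mapping)

function Test-RansomwareProtectionPolicy {
    # Helper defined here (not a Defender cmdlet): one row per checklist item
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Resolve the local action for the ransomware ASR rule (1 = Block, 2 = Audit, 6 = Warn)
    $ruleAction = 'Not configured'
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RansomwareRuleId) {
            $ruleAction = switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
                1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Disabled' }
            }
        }
    }

    # Every configured exclusion is listed so a reviewer can justify each one
    $exclusions = @($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) |
        Where-Object { $_ }

    [pscustomobject]@{ Setting = 'Ransomware protection (ASR rule)'; Expected = 'Block';   Actual = $ruleAction;                       Pass = ($ruleAction -eq 'Block') }
    [pscustomobject]@{ Setting = 'Tamper protection';                Expected = 'Enabled'; Actual = $status.IsTamperProtected;         Pass = [bool]$status.IsTamperProtected }
    # CloudBlockLevel: 0 = Default, 1 = Moderate, 2 = High, 4 = High plus, 6 = Zero tolerance
    [pscustomobject]@{ Setting = 'Cloud-delivered protection level'; Expected = 'High (2)+'; Actual = $pref.CloudBlockLevel;          Pass = ([int]$pref.CloudBlockLevel -ge 2) }
    [pscustomobject]@{ Setting = 'Real-time protection';             Expected = 'Enabled'; Actual = $status.RealTimeProtectionEnabled; Pass = [bool]$status.RealTimeProtectionEnabled }
    [pscustomobject]@{ Setting = 'Behavior monitoring';              Expected = 'Enabled'; Actual = $status.BehaviorMonitorEnabled;    Pass = [bool]$status.BehaviorMonitorEnabled }
    [pscustomobject]@{ Setting = 'Network inspection system';        Expected = 'Enabled'; Actual = $status.NISEnabled;                Pass = [bool]$status.NISEnabled }
    [pscustomobject]@{ Setting = 'Exclusions (review each one)';     Expected = 'Minimal'; Actual = ($exclusions -join '; ');          Pass = $null }
}

Test-RansomwareProtectionPolicy | Format-Table -AutoSize
```

A row whose Pass column is False on a device that Intune reports as "Success" usually means a second policy (Settings catalog, Group Policy, or a security baseline) is overriding the value, which is exactly the "Conflict" case described above.
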
10

Test and Validate Ransomware Protection Effectiveness

Perform controlled testing to ensure the ransomware protection is working correctly without disrupting business operations.

Safe Testing Methods

Use Microsoft's official testing tools and methods:

  1. EICAR Test File: Download the EICAR anti-malware test file
  2. PowerShell Test: Run controlled suspicious activities
  3. Defender ATP Demo: Use Microsoft's demo scenarios

PowerShell Ransomware Simulation

Run this safe test on a non-production device:

# Create a test file (-Force also creates C:\temp if it does not exist yet)
New-Item -Path "C:\temp\testfile.txt" -ItemType File -Force | Out-Null
Add-Content -Path "C:\temp\testfile.txt" -Value "This is a test file"

# Attempt to encrypt (this should be blocked). -ErrorAction Stop turns a blocked read or
# write into a terminating error so that it actually reaches the catch block; without it
# the cmdlets only emit a non-terminating error and the "not blocked" branch always runs.
try {
    $content   = Get-Content "C:\temp\testfile.txt" -Raw -ErrorAction Stop
    $encrypted = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($content))
    Set-Content -Path "C:\temp\testfile.encrypted" -Value $encrypted -ErrorAction Stop
    Write-Host "WARNING: Encryption was not blocked!" -ForegroundColor Red
} catch {
    Write-Host "SUCCESS: Ransomware protection blocked the action" -ForegroundColor Green
}

Monitor Test Results

  1. Check Windows Event Viewer for Defender events
  2. Review alerts in the Microsoft Defender portal
  3. Verify blocked actions appear in security reports

Event Log Verification

Check these event logs for ransomware protection activity:

Event Log Locations:
- Applications and Services Logs > Microsoft > Windows > Windows Defender
- Event ID 1116: Malware detected
- Event ID 1117: Action taken on malware
- Event ID 5007: Configuration changed

Warning: Never test with real ransomware samples. Use only Microsoft-approved testing methods and tools. Real malware can cause irreversible damage even in test environments.
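
Rather than browsing Event Viewer by hand, the events listed above can be pulled from the Defender Operational log and summarized in one command. The script below is an added example, not from the original tutorial: `Get-RansomwareProtectionEvents` is our helper; event IDs 1116, 1117 and 5007 are the ones from the list, and 1121 (ASR rule blocked an action) and 1122 (ASR rule audited an action) are included on the assumption that the ransomware setting configured here is an ASR rule, since that is where its blocks and audit hits are written.

```powershell
# Added example (not from the original tutorial). Reads the Defender Operational log;
# run from an elevated PowerShell session on the test device.
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs from the tutorial's list, plus the two ASR rule events
$EventNames = @{
    1116 = 'Malware detected'
    1117 = 'Action taken on malware'
    5007 = 'Configuration changed'
    1121 = 'ASR rule blocked an action'
    1122 = 'ASR rule audited an action'
}

function Get-RansomwareProtectionEvents {
    # Helper defined here (not a built-in cmdlet): one summary row per matching event
    param([int]$Hours = 24)

    $filter = @{
        LogName   = $DefenderLog
        Id        = @($EventNames.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # SilentlyContinue: Get-WinEvent raises an error when nothing matches, which is a valid result here
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Event   = $EventNames[$_.Id]
                # The first line of the message names the file, process or setting involved
                Summary = ($_.Message -split "`r?`n")[0]
            }
        } |
        Sort-Object Time -Descending
}

Get-RansomwareProtectionEvents -Hours 24 | Format-Table -AutoSize
```

Run it right after the PowerShell test above: an empty result alongside a "SUCCESS" message from the test script means the action was stopped by something other than Defender (for example file permissions), not by the ransomware rule, and the test should be revisited. Audit-only devices should show 1122 rather than 1121 events for the same activity.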

Validate User Experience

  1. Test legitimate file operations to ensure no false positives
  2. Verify users can perform normal business activities
  3. Document any applications that require exclusions

Verification: Successful testing shows blocked malicious activities in logs while allowing legitimate operations to proceed normally.

Frequently Asked Questions

What's the difference between Block, Warn, and Audit modes in Microsoft Intune ransomware protection?

Block mode automatically stops ransomware-like activities without user intervention, providing maximum protection. Warn mode prompts users before allowing suspicious actions, giving them the choice to proceed or block. Audit mode only logs ransomware activities without blocking them, useful for testing and monitoring. Block mode is recommended for production environments as it provides immediate, automatic protection against ransomware threats using Microsoft's advanced heuristics.

How long does it take for Microsoft Intune ransomware protection policies to deploy to devices?

Intune policies typically deploy within 8 hours during normal device check-ins, but can be faster if devices are actively online. You can force immediate policy application by opening the Company Portal app on target devices and clicking 'Check for updates' or 'Sync'. The deployment time depends on device connectivity, network conditions, and the device's last check-in time. Monitor deployment progress through the Intune admin center's policy status dashboard.

Can Microsoft Intune ransomware protection cause false positives with legitimate business applications?

Yes, Block mode can occasionally flag legitimate applications that exhibit file encryption behaviors, such as backup software, database applications, or document management systems. To minimize false positives, start with Audit mode to identify potential conflicts, then create specific exclusions for verified legitimate applications. Always test exclusions thoroughly and limit them to specific file paths or processes rather than broad exclusions that could create security gaps.

Does Microsoft Intune ransomware protection work offline or require internet connectivity?

Microsoft Defender's ransomware protection includes both offline client-side heuristics and cloud-based intelligence. Basic protection works offline using local behavioral analysis and signature databases. However, cloud connectivity enhances protection significantly by providing real-time threat intelligence, advanced machine learning models, and immediate updates about new ransomware variants. For optimal protection, ensure devices have regular internet connectivity to receive cloud-enhanced security updates.

How do I troubleshoot Microsoft Intune ransomware protection policy conflicts or deployment failures?

Check the Intune admin center's device status tab for specific error codes and conflict details. Common issues include conflicting security policies, tamper protection preventing changes, or insufficient device permissions. Review Windows Event Viewer logs under Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider for detailed error information. Ensure devices are properly enrolled in Intune, have the latest Windows updates, and that no third-party security software conflicts with Microsoft Defender settings.
