Let’s discuss how to configure the Check for Signatures Before Running Scan policy using Intune. This policy setting lets you control whether Microsoft Defender Antivirus checks for the latest virus and spyware security intelligence updates right before it runs a scan.
The Defender profile in Intune lets admins easily set up and apply Windows Defender security rules on company devices. This helps make sure all devices meet the organization’s security needs, creating a strong shield against online threats.
The Check for Signatures Before Running Scan setting only affects scheduled scans. It does not affect scans you start manually from the user interface or those initiated from the command line using MpCmdRun -Scan. If you enable this setting, your system will automatically check for the latest security intelligence updates before it runs a scan.
If you disable or don’t configure this setting, the scan will proceed using the security intelligence already present on your system. This blog post offers step-by-step instructions on how to configure the Check for Signatures Before Running Scan policy using Microsoft Intune and OMA-URI Settings.
What are the Advantages of Enabling Check for Signatures Before Running Scan Policy on Windows devices?

Enabling the Check for Signatures Before Running Scan setting improves scan efficiency and overall security. It ensures that Microsoft Defender Antivirus always uses the very latest threat definitions.
This leads to more accurate detection and removal of malware. With the latest updates, scans are more effective at finding and removing malware, making the system safer.
Windows CSP Details – Defender
Windows 10 and 11 use a tool called Policy CSP to help companies set and enforce rules for their computers, making sure they all work consistently. The Check for Signatures Before Running Scan policy is under the Defender category. The following table shows the description framework properties of this policy.
Property Name | Property Value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed Values: When configuring a setting in Intune, the Allowed Values are the only available choices for that setting. The following table lists the allowed values of the Check for Signatures Before Running Scan policy and what each one does.
Value | Description | Features |
---|---|---|
0 (Default) | Disabled | The scan uses existing security updates. |
1 | Enabled | New security updates will be checked before a scan. |

How to Configure Check for Signatures Before Running Scan Policy
We can easily configure the Check for Signatures Before Running Scan policy on Windows devices either through the Microsoft Intune Settings catalog or by setting a custom OMA-URI. This guide will show you how to do both.
Steps to Configure the Check for Signatures Before Running Scan Policy using Intune
To start deploying the Check for Signatures Before Running Scan policy in Intune, we first sign in to the Microsoft Intune admin center. Once there, navigate to Devices > Configuration > Policies > Create > New Policy.
- In the Create a Profile window, select the Platform as Windows 10 and later.
- Choose Settings catalog as the Profile type.
- Click Create to continue.

In the Basics step, we can define our policy’s core information. First, give it a Name for easy identification. Then, add a brief Description outlining its purpose. The Platform setting is pre-configured, so we don’t need to change anything there.

Now, let’s set up the Configuration Settings, where we can define the policy’s actions. Click Add Settings to open the Settings Picker. In the search bar, type Defender, then select Check for Signatures Before Running Scan from the results.

After we select Check for Signatures Before Running Scan and close the Settings Picker, we will see it listed on the Configuration Settings page. By default, its status will appear as Disabled, meaning scans will use the security updates already present on your system.

To ensure my system automatically checks for the latest security intelligence updates before each scan, I have enabled the Check for Signatures Before Running Scan policy by toggling it to the left side.

In Intune, Scope Tags are used to manage who can view and change this policy. They are optional, so if you don’t need to assign them, just click Next.

In the Assignments section, we can specify which users or devices get this policy. Under Include Groups, click Add Groups and select the group from the given list. The chosen group will then appear in the assignments section.
- For example, I am assigning this policy to Test_HTMD_Policy group.
- After the group selection, click Next to proceed.

On the Review + Create page, we can see a complete summary of our new policy. Check everything that we set in the previous steps. If anything needs to change, click Previous and modify it. Click Create to finalize the policy.
- We will then receive a confirmation that the policy, Check for Signatures Before Running Scan, was created successfully.

Monitoring the Policy through Device and User Check-in Status
We can verify the policy’s status directly in the Intune Portal. Policy deployment usually takes about 8 hours. To avoid the wait, try a manual sync from the Company Portal app on the device, then recheck the status.
- Navigate to Devices, then Configuration.
- Select the Check for Signatures Before Running Scan policy.
- We can see its status as succeeded (2).

Client Side Verification
To check if the policy applied, use the Event Viewer on the client device. Navigate to Applications and Services Logs > Microsoft > Windows > Device Management > Enterprise Diagnostic Provider > Admin. This section lists policy-related events. To easily find the specific policy information, use the Filter Current Log option in the right pane.
- Here, the policy details were located under Event ID 813.
MDM PolicyManager: Set policy int, Policy: (CheckForSignaturesBeforeRunningScan), Area: (Defender), EnrollmentID requesting merge: (B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).
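The same client-side check can be scripted. The following is an added example, not part of the original post: it reads the most recent Event ID 813 for this policy from the log named above, parses the Int value, and compares it with what Microsoft Defender Antivirus itself reports. It assumes an elevated PowerShell session on the enrolled device; the function name ConvertFrom-PolicyEvent is hypothetical.

```powershell
# Added example: client-side verification of the policy on an enrolled device.
# Assumption: run in an elevated PowerShell session on the client.
$PolicyName = 'CheckForSignaturesBeforeRunningScan'
$LogName    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function ConvertFrom-PolicyEvent {
    # Hypothetical helper: extracts policy, area and integer value
    # from an Event ID 813 "Set policy int" message.
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'Policy: \((?<Policy>[^)]+)\), Area: \((?<Area>[^)]+)\).*?Int: \((?<Int>0x[0-9A-Fa-f]+)\)'
    if ($Message -notmatch $pattern) { return $null }
    [pscustomobject]@{
        Policy = $Matches.Policy
        Area   = $Matches.Area
        Value  = [Convert]::ToInt32($Matches.Int, 16)   # "0x1" -> 1
    }
}

# Newest Event ID 813 that names this policy (null if none has been logged yet).
$latest = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 813 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*($PolicyName)*" } |
    Select-Object -First 1

$fromEvent = if ($latest) { ConvertFrom-PolicyEvent -Message $latest.Message }

# Effective setting as reported by Microsoft Defender Antivirus.
$effective = (Get-MpPreference).CheckForSignaturesBeforeRunningScan

# Version and age of the security intelligence currently on the device.
$status = Get-MpComputerStatus

[pscustomobject]@{
    MdmEventTime      = $latest.TimeCreated
    MdmValue          = $fromEvent.Value
    DefenderEffective = $effective
    InSync            = ($null -ne $fromEvent) -and (([bool]$fromEvent.Value) -eq $effective)
    SignatureVersion  = $status.AntivirusSignatureVersion
    SignatureAgeDays  = $status.AntivirusSignatureAge
}
```

An InSync value of False means either that no Event ID 813 for this policy has been logged yet or that the value MDM delivered differs from the setting Defender is actually using, which usually points to a conflicting policy source.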

How to Remove Assigned Group from Check for Signatures Before Running Scan Policy in Intune
We can easily remove groups from a policy. Just open the policy from the Configuration section, then click the Edit button next to Assignments. From there, click the Remove button to unassign the policy from the desired groups.
For detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Delete Check for Signatures Before Running Scan Policy from the Intune Portal
To delete a policy, first sign in to the Microsoft Intune Admin Center. Go to Devices > Configuration profiles, then select the policy you wish to delete. On the policy details page, click the three-dot menu and choose Delete from the given options.
For more information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Steps to Configure the Check for Signatures Before Running Scan Policy using OMA-URI Settings
An OMA-URI is a unique address that points to a specific setting managed by a Configuration Service Provider (CSP). It is a text string used to apply custom configurations on Windows 10 and 11 devices, with its format varying based on the CSP. This section is a brief guide on how to configure the Check for Signatures Before Running Scan policy with OMA-URI settings.
Sign in to Microsoft Intune. Go to Devices > Configuration > Create > New policy. Choose the platform as Windows 10 and later. For Profile type, select Templates, then choose Custom and click the Create button.
The OMA-URI Settings Basics section works much like the Settings Catalog. Here, we can provide a Name (which is required) and an optional Description for the policy. Click the Next button.
Name of the Policy | Description |
---|---|
Check for Signatures Before Running Scan | This policy setting controls whether your device checks for the latest virus and spyware definitions before running a scan. |
On the Configuration Settings window, click + Add to configure the specific setting. We can complete this section by adding the Name, Description, OMA-URI, Data Type, and Value. Follow these steps to configure the OMA-URI setting:
- Settings Name: Check for Signatures Before Running Scan
- Description: This policy setting controls whether your device checks for the latest virus and spyware definitions before running a scan.
- OMA-URI path : ./Device/Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan
- Data type: Integer.
- Enter the value:
  - 0 : Disabled
  - 1 : Enabled
- After entering the above details, click Save.
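The custom profile built in the steps above can also be created through Microsoft Graph. The following is an added example, not part of the original post: it submits the same name, description, OMA-URI, data type and value as a windows10CustomConfiguration object. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in admin can consent to DeviceManagementConfiguration.ReadWrite.All; variable names are illustrative.

```powershell
# Added example: creates the custom OMA-URI profile via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed and the admin
# can consent to the DeviceManagementConfiguration.ReadWrite.All scope.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$baseUri     = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$description = 'This policy setting controls whether your device checks for the latest virus and spyware definitions before running a scan.'

$policyBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Check for Signatures Before Running Scan'
    description   = $description
    omaSettings   = @(
        @{
            # Data type Integer in the portal maps to omaSettingInteger.
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Check for Signatures Before Running Scan'
            description   = $description
            omaUri        = './Device/Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan'
            value         = 1   # 1 = Enabled, 0 = Disabled
        }
    )
}

# Create the profile. It is created without assignments.
$created = Invoke-MgGraphRequest -Method POST -Uri $baseUri `
    -Body ($policyBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the profile back and confirm the stored OMA-URI and value.
$check = Invoke-MgGraphRequest -Method GET -Uri "$baseUri/$($created.id)"
$check.omaSettings | ForEach-Object { '{0} = {1}' -f $_.omaUri, $_.value }
```

The profile created this way has no group assignments, so nothing is deployed until groups are added as in the Assignments step.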

Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.