18.10.43.5.1 Ensure 'Enable file hash computation feature' is set to 'Enabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This setting determines whether hash values are computed for files scanned by Microsoft Defender.

The recommended state for this setting is: Enabled.

Rationale:

When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to monitor for suspicious and known malicious activity. File hashes are a reliable way of detecting changes to files, and can speed up the scan process by skipping files that have not changed since they were last scanned and determined to be safe. A changed file hash can also be cause for additional scrutiny.

Impact:

This setting could cause performance degradation during initial deployment and for users where new executable content is frequently being created (such as software developers), or where applications are frequently installed or updated.

For more information on this setting, please visit Security baseline (FINAL): Windows 10 and Windows Server, version 2004 - Microsoft Tech Community - 1543631.

Note: The impact of this setting should be monitored closely during deployment to ensure user and system performance impact is within acceptable limits.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Enabled:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Administrative Templates)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Computer Configuration\Windows Components\Microsoft Defender Antivirus\MpEngine
Setting Name: Enable file hash computation feature
Configuration: Enabled

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Default Value:

Disabled. (File hash values are not computed during scans.)

See Also

https://workbench.cisecurity.org/benchmarks/14664