diff --git a/windows/keep-secure/WDAV-working/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/keep-secure/WDAV-working/configure-local-policy-overrides-windows-defender-antivirus.md index fa9624b2f8..8f64cd0ee1 100644 --- a/windows/keep-secure/WDAV-working/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/keep-secure/WDAV-working/configure-local-policy-overrides-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: -description: -keywords: +title: Configure local overrides for Windows Defender AV settings +description: Enable or disable users from locally changing settings in Windows Defender AV. +keywords: local override, local policy, group policy, gpo, lockdown,merge, lists search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -12,7 +12,7 @@ localizationpriority: medium author: iaanw --- -# Prevent users from locally modifying policy settings +# Prevent or allow users to locally modify policy settings **Applies to:** 
@@ -22,12 +22,80 @@ author: iaanw - Enterprise security administrators +**Manageability available with** + +- Group Policy + + +By default, settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. + +For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use. + +## Configure local overrides for Windows Defender AV settings + +The default setting for these policies is **Disabled**. + +If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Defender Security Center](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate). + +The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting. + +To configure these settings: + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + +7. Deploy the Group Policy Object as usual. 
+ +Location | Setting | Impact if **Enabled** | Configuration topic +---|---|---|--- +MAPS | Configure local setting override for reporting to Microsoft MAPS | User can disable cloud protection | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +Quarantine | Configure local setting override for the removal of items from Quarantine folder | User can change the number of days threats are kept in the quarantine folder before being removed |[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring file and program activity on your computer | User can disable real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | User can change direction for file activity monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Allow user to disable scans of downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for turn on behavior monitoring | User | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override to turn on real-time protection | xxx | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Remediation | Configure 
local setting override for the time of day to run a scheduled full scan to complete remediation | xxx | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +Scan | Configure local setting override for maximum percentage of CPU utilization | xxx | [Configure and run scans](run-scan-windows-defender-antivirus.md) +Scan | Configure local setting override for schedule scan day | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Configure local setting override for scheduled quick scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Configure local setting override for scheduled scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +Scan | Configure local setting override for the scan type to use for a scheduled scan | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +## Configure how locally and globally defined threat remediation and exclusions lists are merged + +You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus). + +By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precendence. + +You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used. + + +**Use Group Policy to disable local list merging:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus**. + +6. Double-click the **Configure local administrator merge behavior for lists** setting and set the option to **Enabled**. Click **OK**. + + ## Related topics diff --git a/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-1607.png b/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-1607.png new file mode 100644 index 0000000000..7ccaf5d0ff Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-1607.png differ diff --git a/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-1703.png b/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-1703.png new file mode 100644 index 0000000000..d4288ca82c Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-1703.png differ diff --git a/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-off-1703.png b/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-off-1703.png new file mode 100644 index 0000000000..d5599ce99b Binary files /dev/null and b/windows/keep-secure/WDAV-working/images/defender/wdav-headless-mode-off-1703.png differ diff --git a/windows/keep-secure/WDAV-working/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/keep-secure/WDAV-working/prevent-end-user-interaction-windows-defender-antivirus.md index 6b48d84cb5..e074a1c553 100644 --- a/windows/keep-secure/WDAV-working/prevent-end-user-interaction-windows-defender-antivirus.md 
+++ b/windows/keep-secure/WDAV-working/prevent-end-user-interaction-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: -description: -keywords: +title: Hide the Windows Defender Antivirus interface +description: You can hide virus and threat protection tile in the Windows Defender Security Center app. +keywords: ui lockdown, headless mode, hide app, hide settings, hide interface search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -21,14 +21,53 @@ author: iaanw - Enterprise security administrators +**Manageability available with** + +- Group Policy +You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans. + +## Hide the Windows Defender Antivirus interface + +In Windows 10, versions 1703, hiding the interface will prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app. + +With the setting set to **Enabled**: + +![Screenshot of Windows Defender Security Center without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png) + +With the setting set to **Disabled** or not configured: + +![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) +In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.": +![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png) + +Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs. + +## Prevent users from pausing a scan + +You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users. + + +**Use Group Policy to hide the prevent users from pausing a scan:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. + +6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) \ No newline at end of file + +- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file
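Review bot: In configure-local-policy-overrides-windows-defender-antivirus.md, hunk @@ -22,12 +22,80 @@, the list-merge section contradicts itself: the prose says "You can disable this setting to ensure that only globally defined lists ... are used" and the bold lead-in reads "Use Group Policy to disable local list merging", yet step 6 tells the reader to set **Configure local administrator merge behavior for lists** to **Enabled**. An administrator following the steps cannot tell which value stops locally defined exclusion lists from being merged, so confirm the intended value and make the prose, the lead-in and step 6 agree. In the same hunk, the "Impact if **Enabled**" column still holds placeholders ("User" in the behavior monitoring row, "xxx" in the last Real-time protection row and in every Remediation and Scan row); these should be filled in before merge. Smaller points: both numbered lists jump from 1 to 3, the merge procedure has no "Deploy the Group Policy Object" step although the first procedure does, "precendence" and "each of the override policy setting" need fixing, the link target `configure-remediation-windows-defender-antivirus` is missing its `.md` extension, and the `## Configure how locally and globally defined ...` heading follows the last table row with no blank line, which some Markdown renderers will fold into the table.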
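Review bot: In configure-local-policy-overrides-windows-defender-antivirus.md, hunk @@ -12,7 +12,7 @@, the H1 is renamed to "Prevent or allow users to locally modify policy settings", but the link text added in prevent-end-user-interaction-windows-defender-antivirus.md still reads "Prevent users from locally modifying policy settings", and the front-matter `title:` added in the first hunk of this file is different again ("Configure local overrides for Windows Defender AV settings"). Settle on one name for the topic and use it in the front matter, the H1 and the cross-reference.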
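Review bot: In prevent-end-user-interaction-windows-defender-antivirus.md, hunk @@ -21,14 +21,53 @@, the "Hide the Windows Defender Antivirus interface" section talks about "the setting" being **Enabled** or **Disabled** without ever naming the policy or giving its location in the Group Policy tree, while the pause-scan section below it gets a full procedure. Add the setting name and the equivalent steps, otherwise the section documents an effect with no way to configure it. The bold lead-in "Use Group Policy to hide the prevent users from pausing a scan:" is garbled (it looks like a leftover from the hide-interface procedure), the numbered list jumps from 1 to 3, and it ends without a deploy step. Typos to fix: "Scheenshot" in the second image alt text, "form modifying", and "versions 1703" for a single version. The paragraph starting "In earlier versions of Windows 10" and the image that follows it are not separated by blank lines from the surrounding images, and the file still ends without a trailing newline.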