From 1252ea0791958596da552d1a03598ed6debcd43b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 2 Nov 2022 13:05:26 -0400 Subject: [PATCH] Add Defender CSP & update metadata --- windows/client-management/mdm/defender-csp.md | 4234 ++++++++++++++--- windows/client-management/mdm/defender-ddf.md | 3027 ++++++++---- .../mdm/policies-in-policy-csp-admx-backed.md | 5 +- ...in-policy-csp-supported-by-group-policy.md | 5 +- .../policy-configuration-service-provider.md | 5 +- .../mdm/policy-csp-admx-mss-legacy.md | 5 +- .../mdm/policy-csp-admx-qos.md | 5 +- .../mdm/policy-csp-admx-sam.md | 5 +- .../mdm/policy-csp-admx-tabletpcinputpanel.md | 5 +- .../mdm/policy-csp-cloudpc.md | 5 +- .../mdm/policy-csp-defender.md | 5 +- .../mdm/policy-csp-msslegacy.md | 5 +- .../mdm/policy-csp-settingssync.md | 5 +- .../mdm/policy-csp-stickers.md | 5 +- .../mdm/policy-csp-tenantdefinedtelemetry.md | 5 +- .../mdm/policy-csp-tenantrestrictions.md | 5 +- 16 files changed, 5746 insertions(+), 1585 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 53f26f9b51..d6cf51c3ac 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md 
@@ -1,445 +1,3100 @@ --- title: Defender CSP -description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. -ms.reviewer: +description: Learn more about the Defender CSP Policy +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: vinaypamnani-msft +ms.date: 11/02/2022 ms.localizationpriority: medium -ms.date: 02/22/2022 +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference --- + + + # Defender CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +The following example shows the Defender configuration service provider in tree format. -The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. - -The following example shows the Windows Defender configuration service provider in tree format. 
+```text +./Device/Vendor/MSFT/Defender +--- Configuration +------ AllowDatagramProcessingOnWinServer +------ AllowNetworkProtectionDownLevel +------ AllowNetworkProtectionOnWinServer +------ ASROnlyPerRuleExclusions +------ DataDuplicationDirectory +------ DataDuplicationRemoteLocation +------ DefaultEnforcement +------ DeviceControl +--------- PolicyGroups +------------ {GroupId} +--------------- GroupData +--------- PolicyRules +------------ {RuleId} +--------------- RuleData +------ DeviceControlEnabled +------ DisableCpuThrottleOnIdleScans +------ DisableDnsOverTcpParsing +------ DisableDnsParsing +------ DisableFtpParsing +------ DisableGradualRelease +------ DisableHttpParsing +------ DisableInboundConnectionFiltering +------ DisableLocalAdminMerge +------ DisableNetworkProtectionPerfTelemetry +------ DisableRdpParsing +------ DisableSshParsing +------ DisableTlsParsing +------ EnableDnsSinkhole +------ EnableFileHashComputation +------ EngineUpdatesChannel +------ ExcludedIpAddresses +------ HideExclusionsFromLocalAdmins +------ MeteredConnectionUpdates +------ PassiveRemediation +------ PauseUpdateExpirationTime +------ PauseUpdateFlag +------ PauseUpdateStartTime +------ PlatformUpdatesChannel +------ SchedulerRandomizationTime +------ SecurityIntelligenceUpdatesChannel +------ SupportLogLocation +------ TamperProtection +------ TDTFeatureEnabled +------ ThrottleForScheduledScanOnly +--- Detections +------ {ThreatId} +--------- Category +--------- CurrentStatus +--------- ExecutionStatus +--------- InitialDetectionTime +--------- LastThreatStatusChangeTime +--------- Name +--------- NumberOfDetections +--------- Severity +--------- URL +--- Health +------ ComputerState +------ DefenderEnabled +------ DefenderVersion +------ EngineVersion +------ FullScanOverdue +------ FullScanRequired +------ FullScanSigVersion +------ FullScanTime +------ IsVirtualMachine +------ NisEnabled +------ ProductStatus +------ QuickScanOverdue +------ QuickScanSigVersion 
+------ QuickScanTime +------ RebootRequired +------ RtpEnabled +------ SignatureOutOfDate +------ SignatureVersion +------ TamperProtectionEnabled +--- OfflineScan +--- RollbackEngine +--- RollbackPlatform +--- Scan +--- UpdateSignature ``` -./Vendor/MSFT -Defender -----Detections ---------ThreatId -------------Name -------------URL -------------Severity -------------Category -------------CurrentStatus -------------ExecutionStatus -------------InitialDetectionTime -------------LastThreatStatusChangeTime -------------NumberOfDetections -----EnableNetworkProtection ---------AllowNetworkProtectionDownLevel ---------AllowNetworkProtectionOnWinServer ---------DisableNetworkProtectionPerfTelemetry ---------DisableDatagramProcessing ---------DisableInboundConnectionFiltering ---------EnableDnsSinkhole ---------DisableDnsOverTcpParsing ---------DisableHttpParsing ---------DisableRdpParsing ---------DisableSshParsing ---------DisableTlsParsing -----Health ---------ProductStatus (Added in Windows 10 version 1809) ---------ComputerState ---------DefenderEnabled ---------RtpEnabled ---------NisEnabled ---------QuickScanOverdue ---------FullScanOverdue ---------SignatureOutOfDate ---------RebootRequired ---------FullScanRequired ---------EngineVersion ---------SignatureVersion ---------DefenderVersion ---------QuickScanTime ---------FullScanTime ---------QuickScanSigVersion ---------FullScanSigVersion ---------TamperProtectionEnabled (Added in Windows 10, version 1903) ---------IsVirtualMachine (Added in Windows 10, version 1903) -----Configuration (Added in Windows 10, version 1903) ---------TamperProtection (Added in Windows 10, version 1903) ---------EnableFileHashComputation (Added in Windows 10, version 1903) ---------SupportLogLocation (Added in the next major release of Windows 10) ---------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) 
---------SecurityIntelligenceUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release) ---------PassiveRemediation (Added with the 4.18.2202.X Defender platform release) -----Scan -----UpdateSignature -----OfflineScan (Added in Windows 10 version 1803) + + + +## Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration ``` -**Detections** + + + +An interior node to group Windows Defender configuration information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Configuration/AllowDatagramProcessingOnWinServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowDatagramProcessingOnWinServer +``` + + + +This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Datagram processing on Windows Server is enabled. | +| 0 | Datagram processing on Windows Server is disabled. | + + + + + + + + + +### Configuration/AllowNetworkProtectionDownLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionDownLevel +``` + + + +This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Network protection will be enabled downlevel. | +| 0 | Network protection will be disabled downlevel. | + + + + + + + + + +### Configuration/AllowNetworkProtectionOnWinServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionOnWinServer +``` + + + +This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow | +| 0 | Disallow | + + + + + + + + + +### Configuration/ASROnlyPerRuleExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ASROnlyPerRuleExclusions +``` + + + +Apply ASR only per rule exclusions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DataDuplicationDirectory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationDirectory +``` + + + +Define data duplication directory for device control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DataDuplicationRemoteLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation +``` + + + +Define data duplication remote location for device control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DefaultEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DefaultEnforcement +``` + + + +Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Default Allow Enforcement | +| 2 | Default Deny Enforcement | + + + + + + + + + +### Configuration/DeviceControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Configuration/DeviceControl/PolicyGroups + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Configuration/DeviceControl/PolicyGroups/{GroupId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Configuration/DeviceControl/PolicyRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Configuration/DeviceControl/PolicyRules/{RuleId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DeviceControlEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControlEnabled +``` + + + +Control Device Control feature. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | | +| 0 | | + + + + + + + + + +### Configuration/DisableCpuThrottleOnIdleScans + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableCpuThrottleOnIdleScans +``` + + + +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Disable CPU Throttle on idle scans | +| 0 | Enable CPU Throttle on idle scans | + + + + + + + + + +### Configuration/DisableDnsOverTcpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableDnsOverTcpParsing +``` + + + +This setting disables DNS over TCP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS over TCP parsing is disabled | +| 0 (Default) | DNS over TCP parsing is enabled | + + + + + + + + + +### Configuration/DisableDnsParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableDnsParsing +``` + + + +This setting disables DNS Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS parsing is disabled | +| 0 (Default) | DNS parsing is enabled | + + + + + + + + + +### Configuration/DisableFtpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableFtpParsing +``` + + + +This setting disables FTP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | FTP parsing is disabled | +| 0 (Default) | FTP parsing is enabled | + + + + + + + + + +### Configuration/DisableGradualRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableGradualRelease +``` + + + +Enable this policy to disable gradual rollout of Defender updates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Gradual release is disabled | +| 0 | Gradual release is enabled | + + + + + + + + + +### Configuration/DisableHttpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableHttpParsing +``` + + + +This setting disables HTTP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | HTTP parsing is disabled | +| 0 (Default) | HTTP parsing is enabled | + + + + + + + + + +### Configuration/DisableInboundConnectionFiltering + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableInboundConnectionFiltering +``` + + + +This setting disables Inbound connection filtering for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Inbound connection filtering is disabled | +| 0 | Inbound connection filtering is enabled | + + + + + + + + + +### Configuration/DisableLocalAdminMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableLocalAdminMerge +``` + + + +When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Disable Local Admin Merge | +| 0 | Enable Local Admin Merge | + + + + + + + + + +### Configuration/DisableNetworkProtectionPerfTelemetry + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableNetworkProtectionPerfTelemetry +``` + + + +This setting disables the gathering and send of performance telemetry from Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Network protection telemetry is disabled | +| 0 | Network protection telemetry is enabled | + + + + + + + + + +### Configuration/DisableRdpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableRdpParsing +``` + + + +This setting disables RDP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | RDP Parsing is disabled | +| 0 | RDP Parsing is enabled | + + + + + + + + + +### Configuration/DisableSshParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableSshParsing +``` + + + +This setting disables SSH Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | SSH parsing is disabled | +| 0 (Default) | SSH parsing is enabled | + + + + + + + + + +### Configuration/DisableTlsParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableTlsParsing +``` + + + +This setting disables TLS Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | TLS parsing is disabled | +| 0 (Default) | TLS parsing is enabled | + + + + + + + + + +### Configuration/EnableDnsSinkhole + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EnableDnsSinkhole +``` + + + +This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS Sinkhole is disabled | +| 0 | DNS Sinkhole is enabled | + + + + + + + + + +### Configuration/EnableFileHashComputation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EnableFileHashComputation +``` + + + +Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disable | +| 1 | Enable | + + + + + + + + + +### Configuration/EngineUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EngineUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | +| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | +| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | +| 6 | Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. | + + + + + + + + + +### Configuration/ExcludedIpAddresses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses +``` + + + +This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + + + + + + + +### Configuration/HideExclusionsFromLocalAdmins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalAdmins +``` + + + +This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. + + + + +> [!NOTE] +> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in Get-MpPreference. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. | +| 0 | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. | + + + + + + + + + +### Configuration/MeteredConnectionUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/MeteredConnectionUpdates +``` + + + +Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Allowed | +| 0 (Default) | Not Allowed | + + + + + + + + + +### Configuration/PassiveRemediation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation +``` + + + +Setting to control automatic remediation for Sense scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation | +| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit | +| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation | + + + + + + + + + +### Configuration/PauseUpdateExpirationTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateExpirationTime +``` + + + +Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/PauseUpdateFlag + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateFlag +``` + + + +Setting to control automatic remediation for Sense scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Update not paused | +| 1 | Update paused | + + + + + + + + + +### Configuration/PauseUpdateStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateStartTime +``` + + + +Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/PlatformUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | +| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | +| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | +| 6 | Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. | + + + + + + + + + +### Configuration/SchedulerRandomizationTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SchedulerRandomizationTime +``` + + + +This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-23]` | +| Default Value | 4 | + + + + + + + + + +### Configuration/SecurityIntelligenceUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | + + + + + + + + + +### Configuration/SupportLogLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SupportLogLocation +``` + + + +The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. + + + + +Intune Support Log Location setting UI supports three states: + +- Not configured (default) - Doesn't have any impact on the default state of the device. +- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. +- 0 - Disabled. Turns off the Support log location feature. + +When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. + +More details: + +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/TamperProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/TamperProtection +``` + + + +Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/TDTFeatureEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/TDTFeatureEnabled +``` + + + +This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. | +| 2 | If you configure this setting to disabled, Intel TDT integration will be turned off. | + + + + + + + + + +### Configuration/ThrottleForScheduledScanOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ThrottleForScheduledScanOnly +``` + + + +A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | If you enable this setting, CPU throttling will apply only to scheduled scans. | +| 0 | If you disable this setting, CPU throttling will apply to scheduled and custom scans. | + + + + + + + + + +## Detections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections +``` + + + An interior node to group all threats detected by Windows Defender. + -Supported operation is Get. + + + -**Detections/***ThreatId* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Detections/{ThreatId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId} +``` + + + The ID of a threat that has been detected by Windows Defender. + -Supported operation is Get. + + + -**Detections/*ThreatId*/Name** -The name of the specific threat. + +**Description framework properties**: -The data type is a string. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + -Supported operation is Get. + + + -**Detections/*ThreatId*/URL** -URL link for more threat information. + -The data type is a string. + +#### Detections/{ThreatId}/Category -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/Severity** -Threat severity ID. + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Category +``` + -The data type is integer. + +Threat category ID. Supported values: -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Invalid | +| 1 | Adware | +| 2 | Spyware | +| 3 | Password stealer | +| 4 | Trojan downloader | +| 5 | Worm | +| 6 | Backdoor | +| 7 | Remote access Trojan | +| 8 | Trojan | +| 9 | Email flooder | +| 10 | Keylogger | +| 11 | Dialer | +| 12 | Monitoring software | +| 13 | Browser modifier | +| 14 | Cookie | +| 15 | Browser plugin | +| 16 | AOL exploit | +| 17 | Nuker | +| 18 | Security disabler | +| 19 | Joke program | +| 20 | Hostile ActiveX control | +| 21 | Software bundler | +| 22 | Stealth modifier | +| 23 | Settings modifier | +| 24 | Toolbar | +| 25 | Remote control software | +| 26 | Trojan FTP | +| 27 | Potential unwanted software | +| 28 | ICQ exploit | +| 29 | Trojan telnet | +| 30 | Exploit | +| 31 | File sharing program | +| 32 | Malware creation tool | +| 33 | Remote control software | +| 34 | Tool | +| 36 | Trojan denial of service | +| 37 | Trojan dropper | +| 38 | Trojan mass mailer | +| 39 | Trojan monitoring software | +| 40 | Trojan proxy server | +| 42 | Virus | +| 43 | Known | +| 44 | Unknown | +| 45 | SPP | +| 46 | Behavior | +| 47 | Vulnerability | +| 48 | Policy | +| 49 | EUS (Enterprise Unwanted Software) | +| 50 | Ransomware | +| 51 | ASR Rule | + -- 0 = Unknown -- 1 = Low -- 2 = Moderate -- 4 = High -- 5 = Severe + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/Category** -Threat category ID. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The data type is integer. + + + -The following table describes the supported values: -

+ -| Value | Description | -|-------|-----------------------------| -| 0 | Invalid | -| 1 | Adware | -| 2 | Spyware | -| 3 | Password stealer | -| 4 | Trojan downloader | -| 5 | Worm | -| 6 | Backdoor | -| 7 | Remote access Trojan | -| 8 | Trojan | -| 9 | Email flooder | -| 10 | Key logger | -| 11 | Dialer | -| 12 | Monitoring software | -| 13 | Browser modifier | -| 14 | Cookie | -| 15 | Browser plugin | -| 16 | AOL exploit | -| 17 | Nuker | -| 18 | Security disabler | -| 19 | Joke program | -| 20 | Hostile ActiveX control | -| 21 | Software bundler | -| 22 | Stealth modifier | -| 23 | Settings modifier | -| 24 | Toolbar | -| 25 | Remote control software | -| 26 | Trojan FTP | -| 27 | Potential unwanted software | -| 28 | ICQ exploit | -| 29 | Trojan telnet | -| 30 | Exploit | -| 31 | File sharing program | -| 32 | Malware creation tool | -| 33 | Remote control software | -| 34 | Tool | -| 36 | Trojan denial of service | -| 37 | Trojan dropper | -| 38 | Trojan mass mailer | -| 39 | Trojan monitoring software | -| 40 | Trojan proxy server | -| 42 | Virus | -| 43 | Known | -| 44 | Unknown | -| 45 | SPP | -| 46 | Behavior | -| 47 | Vulnerability | -| 48 | Policy | -| 49 | EUS (Enterprise Unwanted Software)| -| 50 | Ransomware | -| 51 | ASR Rule | + +#### Detections/{ThreatId}/CurrentStatus -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/CurrentStatus** -Information about the current status of the threat. + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/CurrentStatus +``` + -The data type is integer. + +Information about the current status of the threat. The following list shows the supported values: -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Active | +| 1 | Action failed | +| 2 | Manual steps required | +| 3 | Full scan required | +| 4 | Reboot required | +| 5 | Remediated with noncritical failures | +| 6 | Quarantined | +| 7 | Removed | +| 8 | Cleaned | +| 9 | Allowed | +| 10 | No Status ( Cleared) | + -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status (Cleared) + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/CurrentStatus** -Information about the current status of the threat. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The data type is integer. + + + -The following list shows the supported values: + -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status (Cleared) + +#### Detections/{ThreatId}/ExecutionStatus -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/ExecutionStatus** + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/ExecutionStatus +``` + + + Information about the execution status of the threat. + -The data type is integer. + + + -The following list shows the supported values: + +**Description framework properties**: -- 0 = Unknown -- 1 = Blocked -- 2 = Allowed -- 3 = Running -- 4 = Not running +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -Supported operation is Get. + + + -**Detections/*ThreatId*/InitialDetectionTime** + + + +#### Detections/{ThreatId}/InitialDetectionTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/InitialDetectionTime +``` + + + The first time this particular threat was detected. + -The data type is a string. + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/LastThreatStatusChangeTime** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/LastThreatStatusChangeTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/LastThreatStatusChangeTime +``` + + + The last time this particular threat was changed. + -The data type is a string. + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/NumberOfDetections** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Name +``` + + + +The name of the specific threat. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/NumberOfDetections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/NumberOfDetections +``` + + + Number of times this threat has been detected on a particular client. + -The data type is integer. + + + -Supported operation is Get. + +**Description framework properties**: -**EnableNetworkProtection** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources. -The acceptable values for this parameter are: -- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. -- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service. -- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log. + + + -Accepted values: Disabled, Enabled, and AuditMode -Position: Named -Default value: Disabled -Accept pipeline input: False -Accept wildcard characters: False + -**EnableNetworkProtection/AllowNetworkProtectionDownLevel** + +#### Detections/{ThreatId}/Severity -By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. 
-- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**EnableNetworkProtection/AllowNetworkProtectionOnWinServer** + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Severity +``` + -By default, network protection isn't allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. + +Threat severity ID. The following list shows the supported values: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Value | Description | +|:--|:--| +| 0 | Unknown | +| 1 | Low | +| 2 | Moderate | +| 4 | High | +| 5 | Severe | + -**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry** + + + -Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true". + +**Description framework properties**: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -**EnableNetworkProtection/DisableDatagramProcessing** + + + -Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true". + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +#### Detections/{ThreatId}/URL -**EnableNetworkProtection/DisableInboundConnectionFiltering** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Network Protection inspects and can block both connections that originate from the host machine, and those connections that originate from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true". + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/URL +``` + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +URL link for additional threat information. + -**EnableNetworkProtection/EnableDnsSinkhole** + + + -Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS-based malicious attacks. Set this configuration to "$true" to enable this feature. + +**Description framework properties**: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**EnableNetworkProtection/DisableDnsOverTcpParsing** + + + -Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +## Health -**EnableNetworkProtection/DisableDnsParsing** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". + +```Device +./Device/Vendor/MSFT/Defender/Health +``` + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableHttpParsing** - -Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableRdpParsing** - -Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableSshParsing** - -Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". 
- -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableTlsParsing** - -Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**Health** + An interior node to group information about Windows Defender health status. + -Supported operation is Get. + + + -**Health/ProductStatus** -Added in Windows 10, version 1809. Provide the current state of the product. This value is a bitmask flag value that can represent one or multiple product states from below list. + +**Description framework properties**: -The data type is integer. Supported operation is Get. 
+| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported product status values: -- No status = 0 -- Service not running = 1 << 0 -- Service started without any malware protection engine = 1 << 1 -- Pending full scan due to threat action = 1 << 2 -- Pending reboot due to threat action = 1 << 3 -- ending manual steps due to threat action = 1 << 4 -- AV signatures out of date = 1 << 5 -- AS signatures out of date = 1 << 6 -- No quick scan has happened for a specified period = 1 << 7 -- No full scan has happened for a specified period = 1 << 8 -- System initiated scan in progress = 1 << 9 -- System initiated clean in progress = 1 << 10 -- There are samples pending submission = 1 << 11 -- Product running in evaluation mode = 1 << 12 -- Product running in non-genuine Windows mode = 1 << 13 -- Product expired = 1 << 14 -- Off-line scan required = 1 << 15 -- Service is shutting down as part of system shutdown = 1 << 16 -- Threat remediation failed critically = 1 << 17 -- Threat remediation failed non-critically = 1 << 18 -- No status flags set (well-initialized state) = 1 << 19 -- Platform is out of date = 1 << 20 -- Platform update is in progress = 1 << 21 -- Platform is about to be outdated = 1 << 22 -- Signature or platform end of life is past or is impending = 1 << 23 -- Windows SMode signatures still in use on non-Win10S install = 1 << 24 + + + -Example: + + + +### Health/ComputerState + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/ComputerState +``` + + + +Provide the current state of the device. The following list shows the supported values: + +| Value | Description | +|:--|:--| +| 0 | Clean | +| 1 | Pending full scan | +| 2 | Pending reboot | +| 4 | Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) | +| 8 | Pending offline scan | +| 16 | Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) | + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Health/DefenderEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/DefenderEnabled +``` + + + +Indicates whether the Windows Defender service is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/DefenderVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/DefenderVersion +``` + + + +Version number of Windows Defender on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/EngineVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/EngineVersion +``` + + + +Version number of the current Windows Defender engine on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/FullScanOverdue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanOverdue +``` + + + +Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/FullScanRequired + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanRequired +``` + + + +Indicates whether a Windows Defender full scan is required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/FullScanSigVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanSigVersion +``` + + + +Signature version used for the last full scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/FullScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanTime +``` + + + +Time of the last Windows Defender full scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/IsVirtualMachine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/IsVirtualMachine +``` + + + +Indicates whether the device is a virtual machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/NisEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/NisEnabled +``` + + + +Indicates whether network protection is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/ProductStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/ProductStatus +``` + + + +Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values: + +| Value | Description | +|:--|:--| +| 0 | No status | +| 1 (1 << 0) | Service not running | +| 2 (1 << 1) | Service started without any malware protection engine | +| 4 (1 << 2) | Pending full scan due to threat action | +| 8 (1 << 3) | Pending reboot due to threat action | +| 16 (1 << 4) | ending manual steps due to threat action | +| 32 (1 << 5) | AV signatures out of date | +| 64 (1 << 6) | AS signatures out of date | +| 128 (1 << 7) | No quick scan has happened for a specified period | +| 256 (1 << 8) | No full scan has happened for a specified period | +| 512 (1 << 9) | System initiated scan in progress | +| 1024 (1 << 10) | System initiated clean in progress | +| 2048 (1 << 11) | There are samples pending submission | +| 4096 (1 << 12) | Product running in evaluation mode | +| 8192 (1 << 13) | Product running in non-genuine Windows mode | +| 16384 (1 << 14) | Product expired | +| 32768 (1 << 15) | Off-line scan required | +| 65536 (1 << 16) | Service is shutting down as part of system shutdown | +| 131072 (1 << 17) | Threat remediation failed critically | +| 262144 (1 << 18) | Threat remediation failed non-critically | +| 524288 (1 << 19) | No status flags set (well initialized state) | +| 1048576 (1 << 20) | Platform is out of date | +| 2097152 (1 << 21) | Platform update is in progress | +| 4194304 (1 << 22) | Platform is about to be outdated | +| 8388608 (1 << 23) | Signature or platform end of life is past or is impending | +| 16777216 (1 << 24) | Windows SMode signatures still in use on non-Win10S install | + + + + + + + +**Description framework properties**: + +| Property name | Property value | 
+|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml @@ -456,421 +3111,522 @@ Example: ``` + -**Health/ComputerState** -Provide the current state of the device. + -The data type is integer. + +### Health/QuickScanOverdue -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- 0 = Clean -- 1 = Pending full scan -- 2 = Pending reboot -- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) -- 8 = Pending offline scan -- 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanOverdue +``` + -Supported operation is Get. + +Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default). + -**Health/DefenderEnabled** -Indicates whether the Windows Defender service is running. + + + -The data type is a Boolean. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + -**Health/RtpEnabled** -Indicates whether real-time protection is running. + + + -The data type is a Boolean. + -Supported operation is Get. + +### Health/QuickScanSigVersion -**Health/NisEnabled** -Indicates whether network protection is running. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -The data type is a Boolean. + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanSigVersion +``` + -Supported operation is Get. - -**Health/QuickScanOverdue** -Indicates whether a Windows Defender quick scan is overdue for the device. - -A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#disablecatchupquickscan) are disabled (default). - -The data type is a Boolean. - -Supported operation is Get. - -**Health/FullScanOverdue** -Indicates whether a Windows Defender full scan is overdue for the device. - -A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#disablecatchupfullscan) are disabled (default). - -The data type is a Boolean. - -Supported operation is Get. - -**Health/SignatureOutOfDate** -Indicates whether the Windows Defender signature is outdated. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/RebootRequired** -Indicates whether a device reboot is needed. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/FullScanRequired** -Indicates whether a Windows Defender full scan is required. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/EngineVersion** -Version number of the current Windows Defender engine on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/SignatureVersion** -Version number of the current Windows Defender signatures on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/DefenderVersion** -Version number of Windows Defender on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/QuickScanTime** -Time of the last Windows Defender quick scan of the device. - -The data type is a string. 
- -Supported operation is Get. - -**Health/FullScanTime** -Time of the last Windows Defender full scan of the device. - -The data type is a string. - -Supported operation is Get. - -**Health/QuickScanSigVersion** + Signature version used for the last quick scan of the device. + -The data type is a string. + + + -Supported operation is Get. - -**Health/FullScanSigVersion** -Signature version used for the last full scan of the device. - -The data type is a string. - -Supported operation is Get. - -**Health/TamperProtectionEnabled** -Indicates whether the Windows Defender tamper protection feature is enabled.​ - -The data type is a Boolean. - -Supported operation is Get. - -**Health/IsVirtualMachine** -Indicates whether the device is a virtual machine. - -The data type is a string. - -Supported operation is Get. - -**Configuration** -An interior node to group Windows Defender configuration information. - -Supported operation is Get. - -**Configuration/TamperProtection** - -Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. - - -Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. - -The data type is a Signed BLOB. - -Supported operations are Add, Delete, Get, Replace. - -Intune tamper protection setting UX supports three states: -- Not configured (default): Doesn't have any impact on the default state of the device. -- Enabled: Enables the tamper protection feature. -- Disabled: Turns off the tamper protection feature. - -When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. 
To change the state to either enabled or disabled would require to be set explicitly. - -**Configuration/DisableLocalAdminMerge**
-This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list. - -If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings. - -If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. - -> [!NOTE] -> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. - -Supported OS versions: Windows 10 - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/HideExclusionsFromLocalAdmins**
- -This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. - -If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. - -If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell. - -> [!NOTE] -> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. - -Supported OS versions: Windows 10 - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/DisableCpuThrottleOnIdleScans**
- -Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 (default) – Enable. -- 0 – Disable. - -**Configuration/MeteredConnectionUpdates**
-Allow managed devices to update through metered connections. Data charges may apply. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/AllowNetworkProtectionOnWinServer**
-This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/ExclusionIpAddress**
-Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses. - -The data type is string. - -Supported operations are Add, Delete, Get, and Replace. - -**Configuration/EnableFileHashComputation** -Enables or disables file hash computation feature. -When this feature is enabled, Windows Defender will compute hashes for files it scans. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/SupportLogLocation** -The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. - -Data type is string. - -Supported operations are Add, Delete, Get, and Replace. - -Intune Support log location setting UX supports three states: - -- Not configured (default) - Doesn't have any impact on the default state of the device. -- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. -- 0 - Disabled. Turns off the Support log location feature. - -When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. - -More details: - -- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) -- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) - -**Configuration/PlatformUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. 
- -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only - -If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 0: Not configured (Default) -- 2: Beta Channel - Prerelease -- 3: Current Channel (Preview) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) -- 6: Critical- Time Delay - - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/EngineUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. 
- -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only - -If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 0: Not configured (Default) -- 2: Beta Channel - Prerelease -- 3: Current Channel (Preview) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) -- 6: Critical- Time Delay - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/SecurityIntelligenceUpdatesChannel** -Enable this policy to specify when devices receive daily Microsoft Defender security intelligence (definition) updates during the daily gradual rollout. 
- -Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. - -The data type is integer. -Supported operations are Add, Delete, Get, and Replace. - -Valid Values are: -- 0: Not configured (Default) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/DisableGradualRelease** -Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates. -Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This facility for devices is best for datacenters that only receive limited updates. - -> [!NOTE] -> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates. - -If you disable or don't configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enabled. -- 0 (default) – Not Configured. 
- -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/PassiveRemediation** -This policy setting enables or disables EDR in block mode (recommended for devices running Microsoft Defender Antivirus in passive mode). For more information, see Endpoint detection and response in block mode | Microsoft Docs. Available with platform release: 4.18.2202.X - -The data type is integer - -Supported values: -- 1: Turn EDR in block mode on -- 0: Turn EDR in block mode off - - -**Scan** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/QuickScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanTime +``` + + + +Time of the last Windows Defender quick scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/RebootRequired + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/RebootRequired +``` + + + +Indicates whether a device reboot is needed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/RtpEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/RtpEnabled +``` + + + +Indicates whether real-time protection is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/SignatureOutOfDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/SignatureOutOfDate +``` + + + +Indicates whether the Windows Defender signature is outdated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/SignatureVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/SignatureVersion +``` + + + +Version number of the current Windows Defender signatures on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/TamperProtectionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/TamperProtectionEnabled +``` + + + +Indicates whether the Windows Defender tamper protection feature is enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +## OfflineScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/OfflineScan +``` + + + +OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## RollbackEngine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/RollbackEngine +``` + + + +RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## RollbackPlatform + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/RollbackPlatform +``` + + + +RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## Scan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Scan +``` + + + Node that can be used to start a Windows Defender scan on a device. + -Valid values are: -- 1 - quick scan -- 2 - full scan + + + -Supported operations are Get and Execute. + +**Description framework properties**: -**UpdateSignature** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | quick scan | +| 2 | full scan | + + + + + + + + + +## UpdateSignature + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/UpdateSignature +``` + + + Node that can be used to perform signature updates for Windows Defender. + -Supported operations are Get and Execute. + + + -**OfflineScan** -Added in Windows 10, version 1803. OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + +**Description framework properties**: -Supported operations are Get and Execute. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + -## See also + + + -[Configuration service provider reference](index.yml) + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index b7851e330b..661c491b22 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md 
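Review bot: In the defender-csp.md hunk, the RollbackEngine and RollbackPlatform descriptions carry a typo, "rolls back Microsoft Defender engine to it's last known good saved version" and "rolls back Microsoft Defender to it's last known good installation location"; use "its" (and "the Microsoft Defender engine"). Since this page is generated from the DDF, the fix belongs in the matching Description elements in defender-ddf.md so it survives regeneration. Health/QuickScanTime is documented only as "Time of the last Windows Defender quick scan of the device" with Format chr (string); state the time format of that string so an MDM server can parse it reliably. Finally, the Related articles link now targets configuration-service-provider-reference.md where it previously pointed at index.yml; confirm that target exists in this repo.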
@@ -1,35 +1,748 @@ --- title: Defender DDF file -description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: vinaypamnani-msft +ms.date: 11/02/2022 ms.localizationpriority: medium -ms.date: 07/23/2021 +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference --- + + # Defender DDF file -This article shows the OMA DM device description framework (DDF) for the Defender configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the Defender configuration service provider. ```xml -]> +]> 1.2 + + + + Defender + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB; + + + + Detections + + + + + An interior node to group all threats detected by Windows Defender. + + + + + + + + + + + + + - Defender - ./Vendor/MSFT + + + + + + + The ID of a threat that has been detected by Windows Defender. + + + + + + + + + + ThreatId + + + + + + + + + Name + + + + + The name of the specific threat. + + + + + + + + + + + + + + + + URL + + + + + URL link for additional threat information. + + + + + + + + + + + + + + + + Severity + + + + + Threat severity ID. 
The following list shows the supported values: 0 = Unknown; 1 = Low; 2 = Moderate; 4 = High; 5 = Severe; + + + + + + + + + + + + + + + + Category + + + + + Threat category ID. Supported values: 0-Invalid; 1-Adware; 2-Spyware; 3-Password stealer; 4-Trojan downloader; 5-Worm; 6-Backdoor; 7-Remote access Trojan; 8-Trojan; 9-Email flooder; 10-Keylogger; 11-Dialer; 12-Monitoring software; 13-Browser modifier; 14-Cookie; 15-Browser plugin; 16-AOL exploit; 17-Nuker; 18-Security disabler; 19-Joke program; 20-Hostile ActiveX control; 21-Software bundler; 22-Stealth modifier; 23-Settings modifier; 24-Toolbar; 25-Remote control software; 26-Trojan FTP; 27-Potential unwanted software; 28-ICQ exploit; 29-Trojan telnet; 30-Exploit; 31-File sharing program; 32-Malware creation tool; 33-Remote control software; 34-Tool; 36-Trojan denial of service; 37-Trojan dropper; 38-Trojan mass mailer; 39-Trojan monitoring software; 40-Trojan proxy server; 42-Virus; 43-Known; 44-Unknown; 45-SPP; 46-Behavior; 47-Vulnerability; 48-Policy; 49-EUS (Enterprise Unwanted Software); 50-Ransomware; 51-ASR Rule + + + + + + + + + + + + + + + + CurrentStatus + + + + + Information about the current status of the threat. The following list shows the supported values: 0 = Active; 1 = Action failed; 2 = Manual steps required; 3 = Full scan required; 4 = Reboot required; 5 = Remediated with noncritical failures; 6 = Quarantined; 7 = Removed; 8 = Cleaned; 9 = Allowed; 10 = No Status ( Cleared) + + + + + + + + + + + + + + + + ExecutionStatus + + + + + Information about the execution status of the threat. + + + + + + + + + + + + + + + + InitialDetectionTime + + + + + The first time this particular threat was detected. + + + + + + + + + + + + + + + + LastThreatStatusChangeTime + + + + + The last time this particular threat was changed. + + + + + + + + + + + + + + + + NumberOfDetections + + + + + Number of times this threat has been detected on a particular client. 
+ + + + + + + + + + + + + + + + + + Health + + + + + An interior node to group information about Windows Defender health status. + + + + + + + + + + + + + + + ProductStatus + + + + + + + + + + + + + + + + + + + 10.0.17763 + 1.2 + + + + + ComputerState + + + + + Provide the current state of the device. The following list shows the supported values: 0 = Clean; 1 = Pending full scan; 2 = Pending reboot; 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan); 8 = Pending offline scan; 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) + + + + + + + + + + + + + + + + DefenderEnabled + + + + + Indicates whether the Windows Defender service is running. + + + + + + + + + + + + + + + + RtpEnabled + + + + + Indicates whether real-time protection is running. + + + + + + + + + + + + + + + + NisEnabled + + + + + Indicates whether network protection is running. + + + + + + + + + + + + + + + + QuickScanOverdue + + + + + Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default). + + + + + + + + + + + + + + + + FullScanOverdue + + + + + Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default). + + + + + + + + + + + + + + + + SignatureOutOfDate + + + + + Indicates whether the Windows Defender signature is outdated. + + + + + + + + + + + + + + + + RebootRequired + + + + + Indicates whether a device reboot is needed. + + + + + + + + + + + + + + + + FullScanRequired + + + + + Indicates whether a Windows Defender full scan is required. 
+ + + + + + + + + + + + + + + + EngineVersion + + + + + Version number of the current Windows Defender engine on the device. + + + + + + + + + + + + + + + + SignatureVersion + + + + + Version number of the current Windows Defender signatures on the device. + + + + + + + + + + + + + + + + DefenderVersion + + + + + Version number of Windows Defender on the device. + + + + + + + + + + + + + + + + QuickScanTime + + + + + Time of the last Windows Defender quick scan of the device. + + + + + + + + + + + + + + + + FullScanTime + + + + + Time of the last Windows Defender full scan of the device. + + + + + + + + + + + + + + + + QuickScanSigVersion + + + + + Signature version used for the last quick scan of the device. + + + + + + + + + + + + + + + + FullScanSigVersion + + + + + Signature version used for the last full scan of the device. + + + + + + + + + + + + + + + + TamperProtectionEnabled + + + + + Indicates whether the Windows Defender tamper protection feature is enabled. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + + IsVirtualMachine + + + + + Indicates whether the device is a virtual machine. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + + + Configuration + + + + + An interior node to group Windows Defender configuration information. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + DeviceControl @@ -41,14 +754,18 @@ The XML below is the current version for this CSP. - + - com.microsoft/1.3/MDM/Defender + + + 10.0.17763 + 1.3 + - Detections + PolicyGroups @@ -63,14 +780,18 @@ The XML below is the current version for this CSP. - + - + + + + + @@ -81,16 +802,19 @@ The XML below is the current version for this CSP. - ThreatId + GroupId - + - Name + GroupData + + + 
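Review bot: In the first defender-ddf.md hunk (@@ -1,35 +1,748 @@), the Category description gives the same label to two IDs, "25-Remote control software" and "33-Remote control software"; one of them is almost certainly wrong. The same list skips 35 and 41, and the Severity list skips 3 ("2 = Moderate; 4 = High"); either fill those in or mark them as reserved so readers do not read them as omissions. The CurrentStatus entry "10 = No Status ( Cleared)" has a stray space. Separately, the root path changes from "./Vendor/MSFT" to "./Device/Vendor/MSFT"; that is consistent with the Device-only scope in the CSP page's tables, but the rename of the root is worth a sentence in the doc, since the old DDF implied a scope-less path that existing provisioning XML may still use.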
@@ -102,174 +826,14 @@ The XML below is the current version for this CSP. - text/plain - - - - - URL - - - - - - - - - - - - - - - text/plain - - - - - Severity - - - - - - - - - - - - - - - text/plain - - - - - Category - - - - - - - - - - - - - - - text/plain - - - - - CurrentStatus - - - - - - - - - - - - - - - text/plain - - - - - ExecutionStatus - - - - - - - - - - - - - - - text/plain - - - - - InitialDetectionTime - - - - - - - - - - - - - - - text/plain - - - - - LastThreatStatusChangeTime - - - - - - - - - - - - - - - text/plain - - - - - NumberOfDetections - - - - - - - - - - - - - - - text/plain + - Health + PolicyRules 
@@ -284,480 +848,61 @@ The XML below is the current version for this CSP. - + - ProductStatus + + + + + - + - + + RuleId - text/plain - - - - - ComputerState - - - - - - - - - - - - - - - text/plain - - - - - DefenderEnabled - - - - - - - - - - - - - - - text/plain - - - - - RtpEnabled - - - - - - - - - - - - - - - text/plain - - - - - NisEnabled - - - - - - - - - - - - - - - text/plain - - - - - QuickScanOverdue - - - - - - - - - - - - - - - text/plain - - - - - FullScanOverdue - - - - - - - - - - - - - - - text/plain - - - - - SignatureOutOfDate - - - - - - - - - - - - - - - text/plain - - - - - RebootRequired - - - - - - - - - - - - - - - text/plain - - - - - FullScanRequired - - - - - - - - - - - - - - - text/plain - - - - - EngineVersion - - - - - - - - - - - - - - - text/plain - - - - - SignatureVersion - - - - - - - - - - - - - - - text/plain - - - - - DefenderVersion - - - - - - - - - - - - - - - text/plain - - - - - QuickScanTime - - - - - - - - - - - - - - - text/plain - - - - - FullScanTime - - - - - - - - - - - - - - - text/plain - - - - - QuickScanSigVersion - - - - - - - - - - - - - - - text/plain - - - - - FullScanSigVersion - - - - - - - - - - - - - - - text/plain - - - - - TamperProtectionEnabled - - - - - - - - - - - - - - - text/plain - - - - - IsVirtualMachine - - - - - - - - - - - - - - - text/plain + + + RuleData + + + + + + + + + + + + + + + + + + + + + - - Configuration - - - - - - - - - - - - - - - - - - - TamperProtection - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableFileHashComputation - - - - - - - - - - - - - - - - - - text/plain - - - - - SupportLogLocation - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGradualRelease + + + TamperProtection 
@@ -765,7 +910,34 @@ The XML below is the current version for this CSP. - Enable this policy to disable gradual rollout of Defender updates. + Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. + + + + + + + + + + + + + + + + + + EnableFileHashComputation + + + + + + + + 0 + Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. @@ -776,26 +948,22 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 1 - Gradual release is disabled - - - 0 - Gradual release is enabled - - + + + 0 + Disable + + + 1 + Enable + + - - DefinitionUpdatesChannel + + MeteredConnectionUpdates @@ -803,7 +971,8 @@ The XML below is the current version for this CSP. - Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + 0 + Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed 
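Review bot: In hunk @@ -765,7 +910,34 @@, the TamperProtection description does not say where an administrator obtains the on/off blob it requires: it says "Accepts signed string to turn the feature on or off" and later "The data type is a Signed blob", then "Send off blob to device to reset tamper protection state", without naming the source of those blobs or how the device validates them. Please add that, and fix the agreement error in "Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5" ("and are available"). In the same hunk, the EnableFileHashComputation description should read "the file hash computation feature" and "Windows Defender" (capital D), matching the rest of the file.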
@@ -814,30 +983,25 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.14393 + + + + 1 + Allowed + + + 0 + Not Allowed + + - - EngineUpdatesChannel + + SupportLogLocation @@ -845,7 +1009,38 @@ The XML below is the current version for this CSP. - Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. + + + + + + + + + + + + + + 10.0.14393 + 9.9 + + + + + + + AllowNetworkProtectionOnWinServer + + + + + + + + 1 + This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. 
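Review bot: In hunk @@ -845,7 +1009,38 @@, SupportLogLocation is given CSP version "9.9" next to OS version 10.0.14393, while every other node in this file is versioned 1.0 through 1.3; that looks like a placeholder and should be confirmed before merge. In the same hunk, AllowNetworkProtectionOnWinServer reads "This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored"; correct "This settings" to "This setting", and since the allowed values are 1/Allow and 0/Disallow, say "If set to 0" rather than "If false".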
@@ -856,37 +1051,399 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.16299 + 1.3 + + + + 1 + Allow + + + 0 + Disallow + + - + + ExcludedIpAddresses + + + + + + + + This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + + DisableCpuThrottleOnIdleScans + + + + + + + + 1 + Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Disable CPU Throttle on idle scans + + + 0 + Enable CPU Throttle on idle scans + + + + + + DisableLocalAdminMerge + + + + + + + + When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Disable Local Admin Merge + + + 0 + Enable Local Admin Merge + + + + + + SchedulerRandomizationTime + + + + + + + + 4 + This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + [1-23] + + + + + DisableTlsParsing + + + + + + + + 0 + This setting disables TLS Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + TLS parsing is disabled + + + 0 + TLS parsing is enabled + + + + + + DisableFtpParsing + + + + + + + + 0 + This setting disables FTP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + FTP parsing is disabled + + + 0 + FTP parsing is enabled + + + + + + DisableHttpParsing + + + + + + + + 0 + This setting disables HTTP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + HTTP parsing is disabled + + + 0 + HTTP parsing is enabled + + + + + + DisableDnsParsing + + + + + + + + 0 + This setting disables DNS Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS parsing is disabled + + + 0 + DNS parsing is enabled + + + + + + DisableDnsOverTcpParsing + + + + + + + + 0 + This setting disables DNS over TCP Parsing for Network Protection. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS over TCP parsing is disabled + + + 0 + DNS over TCP parsing is enabled + + + + + + DisableSshParsing + + + + + + + + 0 + This setting disables SSH Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + SSH parsing is disabled + + + 0 + SSH parsing is enabled + + + + + PlatformUpdatesChannel 
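Review bot: In hunk @@ -856,37 +1051,399 @@, the ExcludedIpAddresses description ("This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic") never states the list format: the delimiter, whether CIDR ranges or only single addresses are accepted, and IPv4 versus IPv6. An administrator cannot set this node correctly without that, and because every excluded address is traffic network protection will no longer inspect, the doc should also say so plainly rather than referring to the internal driver name wdnisdrv. DisableLocalAdminMerge says "When this value is set to false" although the allowed values are 0 and 1; restate in terms of 0/1 and say explicitly which settings win when merge is disabled. The DisableTlsParsing, DisableFtpParsing, DisableHttpParsing, DisableDnsParsing, DisableDnsOverTcpParsing and DisableSshParsing nodes each carry only "This setting disables X Parsing for Network Protection"; a sentence on what coverage is lost when parsing is disabled would let readers judge the risk of flipping them.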
@@ -906,104 +1463,966 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. 
Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + 6 + Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. + + - - - Scan - - - - - - - - - - - - - - - - text/plain - - - - - UpdateSignature - - - - - - - - - - - - - - - - text/plain - - - - - OfflineScan - - - - - - - - - - - - - - - - text/plain - - - + + EngineUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + 6 + Critical - Time delay: Devices will be offered updates with a 48-hour delay. 
Suggested for critical environments only. + + + + + SecurityIntelligenceUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 4 + Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + DisableGradualRelease + + + + + + + + Enable this policy to disable gradual rollout of Defender updates. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Gradual release is disabled + + + 0 + Gradual release is enabled + + + + + + AllowNetworkProtectionDownLevel + + + + + + + + This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Network protection will be enabled downlevel. + + + 0 + Network protection will be disabled downlevel. + + + + + + EnableDnsSinkhole + + + + + + + + This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS Sinkhole is disabled + + + 0 + DNS Sinkhole is enabled + + + + + + DisableInboundConnectionFiltering + + + + + + + + This setting disables Inbound connection filtering for Network Protection. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Inbound connection filtering is disabled + + + 0 + Inbound connection filtering is enabled + + + + + + DisableRdpParsing + + + + + + + + This setting disables RDP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + RDP Parsing is disabled + + + 0 + RDP Parsing is enabled + + + + + + AllowDatagramProcessingOnWinServer + + + + + + + + This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Datagram processing on Windows Server is enabled. + + + 0 + Datagram processing on Windows Server is disabled. + + + + + + DisableNetworkProtectionPerfTelemetry + + + + + + + + This setting disables the gathering and send of performance telemetry from Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Network protection telemetry is disabled + + + 0 + Network protection telemetry is enabled + + + + + + HideExclusionsFromLocalAdmins + + + + + + + + This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. + + + 0 + If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. + + + + + + ThrottleForScheduledScanOnly + + + + + + + + 1 + A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + If you enable this setting, CPU throttling will apply only to scheduled scans. + + + 0 + If you disable this setting, CPU throttling will apply to scheduled and custom scans. + + + + + + ASROnlyPerRuleExclusions + + + + + + + + Apply ASR only per rule exclusions. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + + + DataDuplicationDirectory + + + + + + + + Define data duplication directory for device control. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + + + + DataDuplicationRemoteLocation + + + + + + + + Define data duplication remote location for device control. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + + + + DeviceControlEnabled + + + + + + + + Control Device Control feature. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + + + + + 0 + + + + + + + + DefaultEnforcement + + + + + + + + Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + Default Allow Enforcement + + + 2 + Default Deny Enforcement + + + + + + PassiveRemediation + + + + + + + + Setting to control automatic remediation for Sense scans. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0x1 + PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation + + + 0x2 + PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit + + + 0x4 + PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation + + + + + + PauseUpdateStartTime + + + + + + + + Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. 
+ + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + PauseUpdateExpirationTime + + + + + + + + Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + PauseUpdateFlag + + + + + + + + Setting to control automatic remediation for Sense scans. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Update not paused + + + 1 + Update paused + + + + + + TDTFeatureEnabled + + + + + + + + 0 + This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + 0 + If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. + + + 2 + If you configure this setting to disabled, Intel TDT integration will be turned off. + + + + + + + Scan + + + + + + Node that can be used to start a Windows Defender scan on a device. + + + + + + + + + + + + + + + 1 + quick scan + + + 2 + full scan + + + + + + UpdateSignature + + + + + + Node that can be used to perform signature updates for Windows Defender. + + + + + + + + + + + + + + + + OfflineScan + + + + + + OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + + RollbackPlatform + + + + + + RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command. 
+ + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + + RollbackEngine + + + + + + RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + ``` -## See also +## Related articles -[Defender configuration service provider](defender-csp.md) +[Defender configuration service provider reference](defender-csp.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index c9f905bcab..3b3a19e7b1 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,12 +4,11 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 43d727892e..0b6dede6bb 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,12 +4,11 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- 
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 43dbef71be..785642dd8c 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4,12 +4,11 @@ description: Learn more about the Policy CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md index 9fd3985c30..659f7439ea 100644 --- a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md +++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md @@ -4,12 +4,11 @@ description: Learn more about the ADMX_MSS-legacy CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md index 7d57c3d4a1..4a48f0aa3d 100644 --- a/windows/client-management/mdm/policy-csp-admx-qos.md +++ b/windows/client-management/mdm/policy-csp-admx-qos.md @@ -4,12 +4,11 @@ description: Learn more about the ADMX_QOS CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- 
diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md index 3525bf6adf..eb3e792143 100644 --- a/windows/client-management/mdm/policy-csp-admx-sam.md +++ b/windows/client-management/mdm/policy-csp-admx-sam.md @@ -4,12 +4,11 @@ description: Learn more about the ADMX_sam CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md index 66267fea76..6a7a995b0c 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md @@ -4,12 +4,11 @@ description: Learn more about the ADMX_TabletPCInputPanel CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-cloudpc.md b/windows/client-management/mdm/policy-csp-cloudpc.md index 64eba24f5e..77359405e7 100644 --- a/windows/client-management/mdm/policy-csp-cloudpc.md +++ b/windows/client-management/mdm/policy-csp-cloudpc.md @@ -4,12 +4,11 @@ description: Learn more about the CloudPC CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index e76be954c3..93e20497c1 100644 
--- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,12 +4,11 @@ description: Learn more about the Defender CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 43921b19b7..de29173242 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -4,12 +4,11 @@ description: Learn more about the MSSLegacy CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md index dd6e6688f3..30d73f4662 100644 --- a/windows/client-management/mdm/policy-csp-settingssync.md +++ b/windows/client-management/mdm/policy-csp-settingssync.md @@ -4,12 +4,11 @@ description: Learn more about the SettingsSync CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md index 3a1d8fa452..04d51e25af 100644 --- a/windows/client-management/mdm/policy-csp-stickers.md +++ b/windows/client-management/mdm/policy-csp-stickers.md 
@@ -4,12 +4,11 @@ description: Learn more about the Stickers CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md index 9ff31f2a3c..09894ac916 100644 --- a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md +++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md @@ -4,12 +4,11 @@ description: Learn more about the TenantDefinedTelemetry CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference --- diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index dc23e0f9a1..d9959e1e0b 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -4,12 +4,11 @@ description: Learn more about the TenantRestrictions CSP Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/01/2022 +ms.date: 11/02/2022 ms.localizationpriority: medium ms.prod: windows-client -ms.reviewer: ms.technology: itpro-manage -ms.topic: article +ms.topic: reference ---
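Review bot: In the defender-ddf.md hunk, the PauseUpdateFlag node's description reads "Setting to control automatic remediation for Sense scans.", which is the PassiveRemediation description copied verbatim and says nothing about pausing updates; it should describe the flag itself, in line with its allowed values ("0 Update not paused" / "1 Update paused") and with the PauseUpdateStartTime and PauseUpdateExpirationTime nodes beside it. The same hunk carries wording slips that will ship into the generated reference: "This settings controls whether Network Protection..." (AllowDatagramProcessingOnWinServer), "the gathering and send of performance telemetry" (DisableNetworkProtectionPerfTelemetry), and "rolls back Microsoft Defender to it's last known good" in both RollbackPlatform and RollbackEngine. DeviceControlEnabled also lists allowed values 1 and 0 with no descriptions, unlike every other enumerated node in the hunk; adding enabled/disabled labels there would keep the reference consistent.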
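Review bot: In the policy-csp-*.md, policy-configuration-service-provider.md and policies-in-policy-csp-*.md hunks, the only change is front matter (the empty ms.reviewer: key is dropped and ms.topic: article becomes ms.topic: reference), yet ms.date is bumped from 11/01/2022 to 11/02/2022 in every one of those files; since ms.date is what readers see as the page's last-updated date, consider leaving it unchanged for metadata-only edits, or state in the commit message that the bump is deliberate so the freshness signal is not misleading.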