diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 4680d2fe2c..1347f65ae1 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -804,6 +804,7 @@
#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
#### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+#### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus-on-windows-server-2016.md)
#### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
#### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
index ea9f0e7d05..90098f1ce1 100644
--- a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
@@ -19,10 +19,14 @@ author: iaanw
- Windows 10
+**Audience**
+
+- Enterprise security administrators
+
You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus.
-This utility can be handy when you want to automate the use of Windows Defender Antivirus.
+This utility can be useful when you want to automate the use of Windows Defender Antivirus.
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
index 369450238d..242dec94f1 100644
--- a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Configure advanced scanning types for Windows Defender AV
+title: Configure scanning options for Windows Defender AV
description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
search.product: eADQiWindows 10XVcnh
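Review bot: The `title` is broadened to "scanning options", but the `description` and `keywords` lines left as context still cover only email, reparse point, network and archive scanning, and `keywords` lists "archive" twice. Update both in this change so the metadata matches the new scope, which further down also covers packed executables, removable drives and CPU load.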
@@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---
-# Configure email, removable storage, network, reparse point, and archive scanning in Windows Defender AV
+# Configure scanning options in Windows Defender AV
**Applies to**
@@ -25,147 +25,79 @@ author: iaanw
**Manageability available with**
- Group Policy
-- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
- Microsoft Intune
+To configure the Group Policy settings described in the following table:
-Scan Turn on e-mail scanning
-Scan Turn on reparse point scanning
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).
+
+Description | GP location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
+---|---|---|---
+See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
+Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | `-DisableRestorePoint`
+Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
+Scan packed executables | Scan > Scan packed executables | Enabled | Not available
+Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
+Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
+ Specify the maximum CPU load (as a percentage) during a scan. This a theoretical maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
+ Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies not limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
+
+**Use Configuration Manager to configure scanning options:**
+
+See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure scanning options**
-## Manage email scans in Windows Defender
-
-You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
-> **Important:** Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
-Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
-> **Note: ** Scanning email files might increase the time required to complete a scan.
-
-Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
-> **Note:** While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
-- DBX
-- MBX
-- MIME
-
-You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
+
+
+
+### Email scanning limitations
+Enabling email scanning will cause Windows Defender AV to scan emails during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
+- DBX
+- MBX
+- MIME
+
+>[!WARNING]
+> Is this true - can it scan Outlook 2013/ 2016?
+> "Windows Defender scans Microsoft Office Outlook 2003 and older email files."
+
+You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
- Email subject
- Attachment name
-Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
-- *Group Policy* settings
-- WMI
-- PowerShell
-> **Important:** There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
+
+>[!WARNING]
+>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
-
-## Use *Group Policy* settings to enable email scans
-This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
+## Related topics
-Turn on email scanning with the following *Group Policy* settings:
-1. Open the **Group Policy Editor**.
-2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3. Click **Scan**.
-4. Double-click **Turn on e-mail scanning**.
-
- This will open the **Turn on e-mail scanning** window:
-
- 
-
-5. Select **Enabled**.
-6. Click **OK** to apply changes.
-
-## Use WMI to disable email scans
-
-You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableEmailScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable email scanning.
-
-## Use PowerShell to enable email scans
-
-You can also enable email scanning using the following PowerShell parameter:
-1. Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
-2. Type **Set-MpPreference -DisableEmailScanning $false**.
-
-Read more about this in:
-- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
-- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Manage archive scans in Windows Defender
-
-You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
-> **Important:** Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
-
-Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
-- *Group Policy* settings
-- WMI
-- PowerShell
-- Endpoint Protection
-> **Note:** Scanning archive files might increase the time required to complete a scan.
-
-If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there’s a .r00 file that’s actually .rar content, it will still be scanned if archive scanning is enabled.
-
-## Use *Group Policy* settings to enable archive scans
-
-This policy setting allows you to turn on archive scanning.
-
-Turn on email scanning with the following *Group Policy* settings:
-1. Open the **Group Policy Editor**.
-2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3. Click **Scan**.
-4. Double-click **Scan archive files**.
-
- This will open the **Scan archive files** window:
-
- 
-
-5. Select **Enabled**.
-6. Click **OK** to apply changes.
-
-There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
-- Maximum directory depth level into which archive files are unpacked during scanning
-
- 
-
-- Maximum size of archive files that will be scanned
-
- 
-
-- Maximum percentage CPU utilization permitted during a scan
-
- 
-
-## Use WMI to disable archive scans
-
-You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableArchiveScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable archive scanning.
-
-## Use PowerShell to enable archive scans
-
-You can also enable archive scanning using the following PowerShell parameter:
-1. Open PowerShell or PowerShellISE.
-2. Type **Set-MpPreference -DisableArchiveScanning $false**.
-
-Read more about this in:
-- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
-- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Use Endpoint Protection to configure archive scans
-
-In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
-
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
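Review bot: In the new settings table, the row for "Scan > Turn on reparse point scanning" gives `-DisableRestorePoint` as its PowerShell parameter, but that name refers to restore points, not reparse points, so an administrator following the table would change an unrelated setting. Verify the mapping and use "Not available" if there is no equivalent. The table also pairs "Turn on ..." policies with `-Disable*` parameters without saying that the sense is inverted; the removed text showed `Set-MpPreference -DisableEmailScanning $false` to enable email scanning, and a sentence to that effect should be kept next to the table. The added `>[!WARNING]` block under "Email scanning limitations" is an open author question ("Is this true - can it scan Outlook 2013/ 2016?") and needs to be resolved before this is published. Smaller points: the numbered steps skip from 1 to 3; the first Description cell has a stray ")" and links to `#ref1` with no visible matching anchor; the two list items after the second warning fall outside the blockquote; and "precendence", "This a theoretical maximum" and "applies not limit" need correcting.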
diff --git a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
index bfc941c20c..6e3c6cb619 100644
--- a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
@@ -14,4 +14,41 @@ author: iaanw
-# Configure remediation for Windows Defender AV scans
\ No newline at end of file
+# Configure remediation for Windows Defender AV scans
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Microsoft Intune
+
+
+
+Main | Allow antimalware service to startup with normal priority
+Main | Allow antimalware service to remain running always
+Scan | Create a system restore point
+
+Main | Turn off routine remediation
+Quarantine | Configure removal of items from Quarantine folder
+Scan | Turn on removal of items from scan history folder
+
+
+
+
+
+[Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed)
+
+Threats | Specify threat alert levels at which default action should not be taken when detected
+Threats | Specify threats upon which default action should not be taken when detected
+
+https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings
+https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings
\ No newline at end of file
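Review bot: The body added to this topic is still an outline: the "Main | ...", "Scan | ...", "Quarantine | ..." and "Threats | ..." rows have no header row or `---|---` separator, so they will render as plain text rather than a table, and nothing explains what each setting does or what its default is. The Configuration Manager and Intune URLs on the last two lines are bare; give them link text as the sibling topics do. Either complete the content or hold this file back from the change.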
diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
index 50d37bfe9d..100bffd5f8 100644
--- a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
@@ -20,7 +20,7 @@ author: iaanw
**Audience**
-- IT professionals
+- Enterprise security administrators
**Manageability available with**
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreat.png b/windows/keep-secure/images/defender/wdav-get-mpthreat.png
new file mode 100644
index 0000000000..e1671237a6
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-get-mpthreat.png differ
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png b/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png
new file mode 100644
index 0000000000..3e5de6552f
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png differ
diff --git a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
index 7147c968b9..a2b534e2b7 100644
--- a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
+++ b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Review the results of Windows Defender AV scans
description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
-keywords:
+keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -13,3 +13,79 @@ author: iaanw
---
# Review Windows Defender AV scan results
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center app
+
+
+After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. You can also define
+
+
+**Use Configuration Manager to review Windows Defender AV scan results:**
+
+See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
+
+
+**Use the Windows Defender Security app to review Windows Defender AV scan results:**
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label.
+
+ - Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
+ - Information about the last scan is displayed at the bottom of the page.
+
+
+
+
+**Use PowerShell cmdlets to review Windows Defender AV scan results:**
+
+The following cmdlet will return each detection on the endpoint. If there are multiple detection of the same threat, each detection will be listed separately, based on the time of each detection:
+
+```PowerShell
+Get-MpThreatDetection
+```
+
+
+
+You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
+
+If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:
+
+```PowerShell
+Get-MpThreat
+```
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:**
+
+Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes.
+
+
+**Use Microsoft Intune to review Windows Defender AV scan results:**
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+
+
+
+## Related topics
+
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
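Review bot: The introductory paragraph ends mid-sentence at "You can also define"; complete it or drop the fragment. In the bold lead-ins, "Windows Defender Security app" should read "Windows Defender Security Center app" to match the manageability list, and "Windows Management Instruction (WMI)" should be "Windows Management Instrumentation (WMI)". "multiple detection" should be plural, and the `-ThreatID` sentence should say which cmdlet it applies to, since it sits between the two.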
diff --git a/windows/keep-secure/run-scan-windows-defender-antivirus.md b/windows/keep-secure/run-scan-windows-defender-antivirus.md
index 2c09909c04..c2432a6ac2 100644
--- a/windows/keep-secure/run-scan-windows-defender-antivirus.md
+++ b/windows/keep-secure/run-scan-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Run and customize on-demand scans in Windows Defender AV
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
-keywords:
+keywords: scan, on-demand, dos, intune, instant scan
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -16,44 +16,93 @@ author: iaanw
-# Configure and run Windows Defender AV scans
+# Configure and run on-demand Windows Defender AV scans
**Applies to:**
- Windows 10
-IT professionals can use a command-line utility to run a Windows Defender scan.
+**Audience**
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
+- Enterprise security administrators
-This utility can be handy when you want to automate the use of Windows Defender.
+**Manageability available with**
-**To run a quick scan from the command line**
+- Windows Defender AV mpcmdrun utility
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center app
-1. Click **Start**, type **cmd**, and press **Enter**.
-2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
-
-```
-C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
-```
-The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
+You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
-The utility also provides other commands that you can run:
+## Quick scan versus full scan
-```
-MpCmdRun.exe [command] [-options]
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+
+
+**Use the mpcmdrum.exe command-line utility to run a scan:**
+
+Use the following `-scan` parameter:
+
+```DOS
+mpcmdrun.exe -scan -scantype 1
```
-Command | Description
-:---|:---
-\- ? / -h | Displays all available options for the tool
-\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software
-\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
-\-GetFiles | Collects support information
-\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
-\-AddDynamicSignature [-Path] | Loads a dynamic signature
-\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
-\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
-
-The command-line utility provides detailed information on the other commands supported by the tool.
+
+
+See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+
+
+
+**Use Configuration Manager to run a scan:**
+
+See [Antimalware and firewall tasks: How to perform an on-demance scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
+
+
+
+**Use the Windows Defender Security Center app to run a scan:**
+
+See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
+
+
+
+**Use PowerShell cmdlets to run a scan:**
+
+Use the following cmdlet:
+
+```PowerShell
+Start-MpScan
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to run a scan:**
+
+Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/en-us/library/dn455324(v=vs.85).aspx#methods) class.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Microsoft Intune to run a scan:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+## Related topics
+
+
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
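Review bot: The new example `mpcmdrun.exe -scan -scantype 1` drops both the full path and the options table that the removed text carried, so the reader is no longer told that this value starts a quick scan or where the binary lives. State what `-scantype 1` means and keep the _%ProgramFiles%\Windows Defender_ location, so the command is run from the intended directory rather than resolved through the search path. The `Start-MpScan` example has the same gap: it does not say which scan type runs when no parameter is given. Typos to fix in the added lines: "mpcmdrum.exe", "on-demance", and "Windows Management Instruction (WMI)" (should be "Instrumentation").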
diff --git a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
index 0c16327c23..098ab1250c 100644
--- a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Schedule regular scans with Windows Defender AV
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-keywords:
+keywords: schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -22,7 +22,7 @@ author: iaanw
**Audience**
-- Network administrators
+- Enterprise security administrators
**Manageability available with**
@@ -37,7 +37,197 @@ author: iaanw
> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
-RANDOMIZE
+In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans.
+
+You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
+
+This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings).
+
+To configure the Group Policy settings described in this topic:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+
+Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
+
+## Quick scan versus full scan
+
+When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
+
+Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
+
+## Set up scheduled scans
+
+Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
+
+
+**Use Group Policy to schedule scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the scan type to use for a scheduled scan | Quick scan
+Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
+Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+Main | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments | Enabled
+
+**Use PowerShell cmdlets to schedule scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanParameters
+Set-MpPreference -ScanScheduleDay
+Set-MpPreference -ScanScheduleTime
+Set-MpPreference -RandomizeScheduleTaskTimes
+
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Start scheduled scans only when the endpoint is not in use
+
+You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
+
+**Use Group Policy to schedule scans**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanOnlyIfIdleEnabled
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Configure when full scans should be run to complete remediation
+
+Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule remediation-required scans**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -RemediationScheduleDay
+Set-MpPreference -RemediationScheduleTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Set up daily quick scans
+
+You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule daily scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
+Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets to schedule daily scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference Set-MpPreference -ScanScheduleQuickTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule daily scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Enable scans after protection updates
+
+You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
+
+**Use Group Policy to schedule scans after protection updates**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Signature updates | Turn on scan after signature update | A scan will occur immediately after a new protection update is downloaded | Enabled
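Review bot: All four WMI blocks in this topic (under "Set up scheduled scans", "Start scheduled scans only when the endpoint is not in use", "Configure when full scans should be run to complete remediation" and "Set up daily quick scans") list `SignatureFallbackOrder` and `SignatureDefinitionUpdateFileSharesSouce`. These are protection-update source settings, and the second is misspelled, so an administrator following the WMI path here would not change any scan schedule. Replace each block with the MSFT_MpPreference properties that match the parameters in that section's PowerShell block, and change "Windows Management Instruction" to "Windows Management Instrumentation" in the four bold lead-ins. Smaller points in the same hunk: `Set-MpPreference Set-MpPreference -ScanScheduleQuickTime` repeats the cmdlet name and has no counterpart for the Group Policy interval setting, so check the parameter name against the linked cmdlet reference; the "Specify the scan type to use for a scheduled scan" row has three cells under a four-column header, so "Quick scan" lands in the Description column; the Group Policy procedure is numbered 1, 3, 4, 5, 6; and "schedules scans" in the intro should be "scheduled scans".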
@@ -45,6 +235,10 @@ RANDOMIZE
## Related topics
+
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
index 07133adfb1..3402536f1f 100644
--- a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
@@ -12,4 +12,33 @@ localizationpriority: medium
author: iaanw
---
-# Use Group Policy settings to configure and manage Windows Defender AV
\ No newline at end of file
+# Use Group Policy settings to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender AV on your endpoints.
+
+
+
+In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus**.
+
+6. Expand the section that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
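Review bot: The procedure numbering jumps from `1. On your Group Policy management machine` straight to `3. In the **Group Policy Management Editor**`, so either a step was dropped or the list should be renumbered 1 to 6. The scheduled-scans topic in this patch has the same gap, which suggests the list was copied, so fix both together. Step 7's "Deploy the updated GPO as you normally do" links to the same URL as the general Group Policy link in the opening paragraph; point it at deployment-specific guidance if there is one, otherwise drop the link. The file still ends without a trailing newline.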
diff --git a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
index 9f6c3a09b5..2cf071feeb 100644
--- a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
@@ -12,4 +12,18 @@ localizationpriority: medium
author: iaanw
---
-# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
\ No newline at end of file
+# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
+
+If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
+
+In both cases, the protection will be labelled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
+
+See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
+
+For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
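Review bot: This topic has no **Applies to:** block under the heading, while the Group Policy and WMI topics added in this patch both have one. Add it so readers can tell which Windows 10 versions the Configuration Manager and Intune guidance covers. In the second paragraph, "labelled" should be "labeled" to match the US spelling used elsewhere in these topics, and the file needs a trailing newline.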
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
index 7d975adcd1..4fde6f96c2 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -30,7 +30,7 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
-**Use Windows Defender PowerShell cmdlets**
+**Use Windows Defender AV PowerShell cmdlets:**
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
index 0d0a20403d..83c19a8f4f 100644
--- a/windows/keep-secure/use-wmi-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure Windows Defender AV with WMI
-description: Use WMI scripts to configure Windows Defender AV
+description: Use WMI scripts to configure Windows Defender AV.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -12,5 +12,23 @@ localizationpriority: medium
author: iaanw
---
-# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
+# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
+**Applies to:**
+
+- Windows 10
+
+Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
+
+Read more about WMI at the [Microsoft Develop Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
+
+Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
+
+The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
+
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
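Review bot: In the line linking to the WMI overview, "Microsoft Develop Network" should read "Microsoft Developer Network". The `**Applies to:**` line also follows the new `#` heading with no blank line between them, unlike the Group Policy topic in this patch; add one so the two topics match. The file still ends without a trailing newline.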
diff --git a/windows/keep-secure/windows-defender-security-center-antivirus.md b/windows/keep-secure/windows-defender-security-center-antivirus.md
index 971dd16747..335bce95e7 100644
--- a/windows/keep-secure/windows-defender-security-center-antivirus.md
+++ b/windows/keep-secure/windows-defender-security-center-antivirus.md
@@ -79,6 +79,7 @@ This section describes how to perform some of the most common tasks when reviewi
> [!NOTE]
> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
+
**Run a scan with the Windows Defender Security Center app**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.