deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 10512: Content reorg and rebranding changes

Browse Source 
Content reorg and rebranding changes
This commit is contained in:
Andrea Bichsel (Aquent LLC) 2018-08-10 04:30:23 +00:00 committed by Joey Caparas
commit 28d4db54ec
52 changed files with 1153 additions and 1776 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
windows/security/threat-protection/TOC.md
View File

@ -58,48 +58,40 @@
#### [Configure next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
##### [Next generation protection in Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
###### [Use limited periodic scanning](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy next generation protection](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable next generation protection](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
##### [Report on next generation protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
###### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
#### [Configure Next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
##### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
##### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
###### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
####### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
###### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
####### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
###### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
####### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
####### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
####### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
####### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
##### [Manage scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
##### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus\windows-defender-offline.md)
###### [Restore quarantined files](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage next generation protection in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
###### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)

25
windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
View File

@ -1,6 +1,6 @@
---
title: Collect diagnostic data for Update Compliance and Windows Defender AV
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender AV Assessment add in
title: Collect diagnostic data for Update Compliance and antivirus
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the antivirus Assessment add in
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -16,18 +16,9 @@ ms.date: 09/12/2017
# Collect Update Compliance diagnostic data for Windows Defender AV Assessment
**Applies to:**
- Windows 10
**Audience**
- IT administrators
This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
Before attempting this process, ensure you have read the [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md) topic, met all require pre-requisites, and taken any other suggested troubleshooting steps.
Before attempting this process, ensure you have read [Troubleshoot antivirus reporting](troubleshoot-reporting.md), met all require pre-requisites, and taken any other suggested troubleshooting steps.
1. On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process:
@ -57,20 +48,16 @@ Before attempting this process, ensure you have read the [Troubleshoot Windows D
3. Send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
```
I am encountering the following issue when using Windows Defender AV in Update Compliance:
I am encountering the following issue when using antivirus in Update Compliance:
I have provided at least 2 support .cab files at the following location: <accessible share, including access details such as password>
My OMS workspace ID is:
My OMS workspace ID is:
Please contact me at:
Please contact me at:
```
## Related topics
- [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md)

30
windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Use the command line to manage Windows Defender AV
description: Windows Defender AV has a dedicated command-line utility that can run scans and configure protection.
title: Use the command line to manage antivirus
description: Run antivirus scans and configure next gen protection with a dedicated command-line utility.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -11,31 +11,20 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/26/2017
ms.date: 09/01/2018
---
# Configure and manage antivirus with the mpcmdrun.exe command-line tool
# Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus
You can perform various antivirus functions with the dedicated command-line tool mpcmdrun.exe.
**Applies to:**
This utility can be useful when you want to automate antivirus use.
- Windows 10
**Audience**
- Enterprise security administrators
You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus.
This utility can be useful when you want to automate the use of Windows Defender Antivirus.
The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
You can find the utility in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_. You must run it from a command prompt.
> [!NOTE]
> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
The utility has the following commands:
```DOS
@ -55,12 +44,7 @@ Command | Description
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

30
windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
View File

@ -14,33 +14,25 @@ ms.author: v-anbic
ms.date: 03/01/2018
---
# Manage Windows Defender AV in your business
# Manage antivirus in your business
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
You can manage and configure Windows Defender Antivirus with the following tools:
You can manage and configure antivirus with the following tools:
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- System Center Configuration Manager and Microsoft Intune
- PowerShell cmdlets
- Windows Management Instruction (WMI)
- The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools in conjunction with Windows Defender AV.
The topics in this section provide further information, links, and resources for using these tools to manage and configure antivirus.
## In this section
Topic | Description
Topic | Description
---|---
[Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in the Windows 10, version 1703 ADMX templates
[Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)|Information on using System Center Configuration Manager and Microsoft Intune to deploy, manage, report, and configure Windows Defender AV
[Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions on using PowerShell cmdlets in the Defender Module and links to documentation for all cmdlets and allowed parameters
[Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)| Instructions on using WMI to manage Windows Defender AV and links to documentation for the Windows Defender WMIv2 APIs (including all classes, methods, and properties)
[Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender AV
[Manage antivirus with Microsoft Intune and System Center Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure antivirus
[Manage antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
[Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage antivirus, plus links to documentation for all cmdlets and allowed parameters
[Manage antivirus with Windows Management Instrumentation (WMI)](use-wmi-windows-defender-antivirus.md)| Instructions for using WMI to manage antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
[Manage antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use antivirus

73
windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
View File

@ -15,38 +15,37 @@ ms.date: 07/10/2018
---
# Configure scanning options in Windows Defender AV
**Applies to**
- Windows 10
**Audience**
- Enterprise security administrators
# Configure antivirus scanning options
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
**Use Microsoft Intune to configure scanning options**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
<a id="ref1"></a>
**Use Configuration Manager to configure scanning options:**
See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
**Use Group Policy to configure scanning options**
To configure the Group Policy settings described in the following table:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
---|---|---|---
@ -61,42 +60,42 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif
Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
**Use Configuration Manager to configure scanning options:**
**Use PowerShell to configure scanning options**
See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use WMI to configure scanning options**
**Use Microsoft Intune to configure scanning options**
For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
<a id="ref1"></a>
### Email scanning limitations
We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails.
You can use this Group Policy to also enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
- DBX
- MBX
- MIME
PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
- Email subject
- Attachment name
If antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
- Email subject
- Attachment name
>[!WARNING]
>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
>
> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
## Related topics
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Configure and run on-demand antivirus scans](run-scan-windows-defender-antivirus.md)
- [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

134
windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
View File

@ -14,24 +14,15 @@ ms.author: v-anbic
ms.date: 05/02/2018
---
# Enable the Block at First Sight feature
**Applies to**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
# Enable block at first sight
**Manageability available with**
- Intune
- Microsoft Intune
- Group Policy
- Windows Defender Security Center app
Block at first sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds.
Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds.
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.
@ -40,128 +31,117 @@ You can [specify how long the file should be prevented from running](configure-c
You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
> [!IMPORTANT]
> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.
> There is no specific individual setting in System Center Configuration Manager to enable or disable block at first sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
## How it works
When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
When antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
In Windows 10, version 1803, the Block at First Sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
The Block at First Sight feature only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe.
If the cloud backend is unable to make a determination, antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases this process can reduce the response time for new malware from hours to seconds.
In many cases, this process can reduce the response time for new malware from hours to seconds.
## Confirm and validate that block at first sight is enabled
## Confirm and validate Block at First Sight is enabled
Block at first sight requires a number of Group Policy settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise antivirus deployments.
Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks.
### Confirm Block at First Sight is enabled with Intune
### Confirm block at first sight is enabled with Intune
1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**.
> [!NOTE]
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
> [!NOTE]
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
2. Verify these settings are configured as follows:
- **Cloud-delivered protection**: **Enable**
- **File Blocking Level**: **High**
- **Time extension for file scanning by the cloud**: **50**
- **Prompt users before sample submission**: **Send all data without prompting**
- **Cloud-delivered protection**: **Enable**
- **File Blocking Level**: **High**
- **Time extension for file scanning by the cloud**: **50**
- **Prompt users before sample submission**: **Send all data without prompting**
For more information about configuring Windows Defender AV device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
For more information about configuring antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
For a list of Windows Defender AV device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus).
For a list of antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus).
### Confirm block at first sight is enabled with Group Policy
### Confirm Block at First Sight is enabled with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**.
1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
1. Send safe samples (1)
1. Send all samples (3)
1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
- Send safe samples (1)
- Send all samples (3)
> [!WARNING]
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means block at first sight will not function.
1. Click **OK**.
3. Click **OK**.
1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**.
1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**.
4. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**. Click **OK**.
2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**. Click **OK**.
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
### Confirm block at first sight is enabled with the Windows Defender Security Center app
### Confirm Block at First Sight is enabled with the Windows Defender Security Center app
You can confirm that block at first sight is enabled in Windows Settings.
You can confirm that Block at First Sight is enabled in Windows Settings.
The feature is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
**Confirm Block at First Sight is enabled on individual clients**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Virus & threat protection settings**:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
> [!NOTE]
> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
### Validate block at first sight is working
### Validate Block at First Sight is working
You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate).
You can validate that the feature is working by following the steps outlined in the [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate) topic.
## Disable Block at First Sight
## Disable block at first sight
> [!WARNING]
> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network.
> Disabling block at first sight will lower the protection state of the endpoint and your network.
You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
**Disable Block at First Sight with Group Policy**
**Disable block at first sight with Group Policy**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
3. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
1. Double-click the **Configure the 'Block at First Sight' feature** setting and set the option to **Disabled**.
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
> [!NOTE]
> Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
> Disabling block at first sight will not disable or alter the pre-requisite group policies.
## Related topics
- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)

48
windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
View File

@ -16,59 +16,35 @@ ms.date: 04/30/2018
# Configure the cloud block timeout period
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
When antivirus finds a suspicious file, it can prevent the file from running while it queries the [antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md).
When Windows Defender Antivirus is suspicious of a file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud-protection service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md).
The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) for is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud.
The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the antivirus cloud service.
## Prerequisites to use the extended cloud block timeout
The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specify an extended timeout period.
[Block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
## Specify the extended timeout period
You can use Group Policy to specify an extended timeout for cloud checks.
**Use Group Policy to specify an extended timeout period:**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
4. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
5. Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
6. Click **OK**.
4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
5. Click **OK**.
## Related topics
- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Use next-gen antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)

18
windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
View File

@ -14,28 +14,20 @@ ms.author: v-anbic
ms.date: 08/26/2017
---
# Configure end-user interaction with Windows Defender Antivirus
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Configure end-user interaction with antivirus
**Manageability available with**
- Group Policy
You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
You can configure how users of the endpoints on your network can interact with antivirus.
This includes whether they see the Windows Defender AV interface, what notifications they see, and if they can locally override globally deployed Group Policy settings.
This includes whether they see the antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
## In this section
Topic | Description
---|---
[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
[Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
[Configure notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
[Prevent users from seeing or interacting with the antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints

30
windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
View File

@ -14,44 +14,32 @@ ms.author: v-anbic
ms.date: 07/27/2017
---
# Configure and validate exclusions for Windows Defender AV scans (client)
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
# Configure and validate exclusions for antivirus
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center
You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus.
You can exclude certain files, folders, processes, and process-opened files from antivirus scans.
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions.
>[!WARNING]
>Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
>Defining exclusions lowers the protection offered by antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## In this section
Topic | Description
---|---
[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location
[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process
[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions
[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from antivirus scans based on their file extension, file name, or location
[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | Exclude files from scans that have been opened by a specific process
[Configure antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.

146
windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Configure and validate exclusions based on extension, name, or location
description: Exclude files from Windows Defender AV scans based on their file extension, file name, or location.
description: Exclude files from antivirus scans based on their file extension, file name, or location.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -16,29 +16,18 @@ ms.date: 07/10/2018
# Configure and validate exclusions based on file extension and folder location
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center
You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists.
You can exclude certain files from antivirus scans by modifying exclusion lists.
Generally, you shouldn't need to apply exclusions. Windows Defender AV includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
Generally, you shouldn't need to apply exclusions. Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
>[!TIP]
>The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
@ -53,6 +42,7 @@ A specific file in a specific folder | The file c:\sample\sample.test only | Fil
A specific process | The executable file c:\test\process.exe | File and folder exclusions
This means the exclusion lists have the following characteristics:
- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions will apply to any file name with the defined extension if a path or folder is not defined.
@ -61,70 +51,64 @@ This means the exclusion lists have the following characteristics:
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
>Folders that are reparse points that are created after the Windows Defender AV service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic.
>Folders that are reparse points that are created after the antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md).
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md).
>[!IMPORTANT]
>Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in case of conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions based on folder name or file extension
<a id="gp"></a>
**Use Intune to configure file name, folder, or file extension exclusions:**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
**Use Group Policy to configure folder or file extension exclusions:**
>[!NOTE]
>If you specify a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
6. Double-click the **Path Exclusions** setting and add the exclusions:
4. Double-click the **Path Exclusions** setting and add the exclusions:
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
2. Under the **Options** section, click **Show...**.
3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
7. Click **OK**.
5. Click **OK**.
![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
8. Double-click the **Extension Exclusions** setting and add the exclusions:
6. Double-click the **Extension Exclusions** setting and add the exclusions:
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**.
3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**.
9. Click **OK**.
![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png)
![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png)
<a id="ps"></a>
**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:**
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
@ -139,9 +123,9 @@ The following are allowed as the \<cmdlet>:
Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove item from the list | `Remove-MpPreference`
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove item from the list | `Remove-MpPreference`
The following are allowed as the \<exclusion list>:
@ -150,10 +134,8 @@ Exclusion type | PowerShell parameter
All files with a specified file extension | `-ExclusionExtension`
All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension:
@ -161,8 +143,7 @@ For example, the following code snippet would cause Windows Defender AV scans to
Add-MpPreference -ExclusionExtension ".test"
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to configure and run antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
@ -176,25 +157,15 @@ ExclusionPath
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
<a id="man-tools"></a>
**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
**Use Microsoft Intune to configure file name, folder, or file extension exclusions:**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:**
See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
<a id="wildcards"></a>
## Use wildcards in the file name and folder path or extension exclusion lists
@ -205,8 +176,7 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
>- The use of asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
<table>
@ -231,7 +201,7 @@ The following table describes how the wildcards can be used and provides some ex
<td>
<ol>
<li><i>C:\MyData\\<b>notes</b>.txt</i></li>
<li>Any file in:
<li>Any file in:
<ul>
<li><i>C:\somepath\\<b>Archives</b>\Data</i> and its subfolders</li>
<li><i>C:\somepath\\<b>Authorized</b>\Data</i> and its subfolders</li>
@ -246,7 +216,7 @@ The following table describes how the wildcards can be used and provides some ex
</tr>
<tr>
<td>
<b>?</b> (question mark)
<b>?</b> (question mark)
</td>
<td>
Replaces a single character. <br />
@ -295,23 +265,23 @@ The following table describes how the wildcards can be used and provides some ex
>
>This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*.
<a id="review"></a>
## Review the list of exclusions
You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
>[!IMPORTANT]
>Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Retrieve the status of all antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
**Review the list of exclusions alongside all other Windows Defender AV preferences:**
**Review the list of exclusions alongside all other antivirus preferences:**
Use the following cmdlet:
@ -320,13 +290,11 @@ Get-MpPreference
```
In the following example, the items contained in the `ExclusionExtension` list are highlighted:
![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Retrieve a specific exclusions list:**
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
@ -341,14 +309,10 @@ In the following example, the list is split into new lines for each use of the `
![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to configure and run antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
<a id="validate"></a>
## Validate exclusions lists with the EICAR test file
You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
@ -359,11 +323,11 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
If antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
```PowerShell
```PowerShell
$client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
```
@ -376,12 +340,10 @@ If you do not have Internet access, you can create your own EICAR test file by w
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
## Related topics
- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

58
windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
View File

@ -16,24 +16,15 @@ ms.date: 04/30/2018
# Prevent or allow users to locally modify Windows Defender AV policy settings
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
By default, Windows Defender AV settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
By default, antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
## Configure local overrides for Windows Defender AV settings
## Configure local overrides for antivirus settings
The default setting for these policies is **Disabled**.
@ -43,25 +34,25 @@ The following table lists each of the override policy setting and the configurat
To configure these settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
7. Deploy the Group Policy Object as usual.
5. Deploy the Group Policy Object as usual.
Location | Setting | Configuration topic
---|---|---|---
MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md)
Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
@ -69,35 +60,30 @@ Scan | Configure local setting override for scheduled quick scan time | [Configu
Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
<a id="merge-lists"></a>
## Configure how locally and globally defined threat remediation and exclusions lists are merged
You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).
By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence.
You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used.
By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
**Use Group Policy to disable local list merging:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus**.
3. Expand the tree to **Windows components > Windows Defender Antivirus**.
6. Double-click the **Configure local administrator merge behavior for lists** setting and set the option to **Enabled**. Click **OK**.
4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Enabled**. Click **OK**.
> [!NOTE]
> If you disable local list merging, it will override Controlled folder access settings in Windows Defender Exploit Guard. It also overrides any protected folders or allowed apps set by the local administrator. For more information about Controlled folder access settings, see [Enable Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with antivirus](configure-end-user-interaction-windows-defender-antivirus.md)

81
windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Configure and test Windows Defender Antivirus network connections
description: Configure and test your connection to the Windows Defender Antivirus cloud-delivered protection service.
keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
title: Configure and validate antivirus network connections
description: Configure and test your connection to the antivirus cloud protection service.
keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,38 +14,29 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Configure and validate network connections for Windows Defender Antivirus
# Configure and validate antivirus network connections
**Applies to:**
- Windows 10 (some instructions are only applicable for Windows 10, version 1703 or later)
**Audience**
- Enterprise security administrators
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
To ensure antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>
>- Cloud-delivered protection
>- Fast learning (including Block at first sight)
>- Fast learning (including block at first sight)
>- Potentially unwanted application blocking
## Allow connections to the Windows Defender Antivirus cloud
## Allow connections to the antivirus cloud service
The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network.
The antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
>[!NOTE]
>The antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
See the [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) topic for details on enabling the service with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
@ -59,10 +50,10 @@ The following table lists the services and their associated URLs that your netwo
</tr>
<tr style="vertical-align:top">
<td>
Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
</td>
<td>
Used by Windows Defender Antivirus to provide cloud-delivered protection
Used by antivirus to provide cloud-delivered protection
</td>
<td>
*.wdcp.microsoft.com*<br />
@ -85,7 +76,7 @@ Signature and product updates
Definition updates alternate download location (ADL)
</td>
<td>
Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind)
Alternate location for antivirus definition updates if the installed definitions fall out of date (7 or more days behind)
</td>
<td>
*.download.microsoft.com
@ -122,7 +113,7 @@ http://www.microsoft.com/pki/certs
Symbol Store
</td>
<td>
Used by Windows Defender Antivirus to restore certain critical files during remediation flows
Used by antivirus to restore certain critical files during remediation flows
</td>
<td>
https://msdl.microsoft.com/download/symbols
@ -133,46 +124,45 @@ https://msdl.microsoft.com/download/symbols
Universal Telemetry Client
</td>
<td>
Used by Windows to send client diagnostic data, Windows Defender Antivirus uses this for product quality monitoring purposes
Used by Windows to send client diagnostic data; antivirus uses this for product quality monitoring purposes
</td>
<td>
This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: <ul><li>vortex-win.data.microsoft.com</li><li>settings-win.data.microsoft.com</li></ul></td>
</tr>
</table>
<a id="validate"></a>
## Validate connections between your network and the cloud
After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender AV cloud and are correctly reporting and receiving information to ensure you are fully protected.
After whitelisting the URLs listed above, you can test if you are connected to the antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
**Use the cmdline tool to validate cloud-delivered protection:**
Use the following argument with the Windows Defender AV command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender AV cloud:
Use the following argument with the antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the antivirus cloud service:
```DOS
MpCmdRun -ValidateMapsConnection
MpCmdRun -ValidateMapsConnection
```
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703.
See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
See [Mange antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
**Attempt to download a fake malware file from Microsoft:**
You can download a sample file that Windows Defender AV will detect and block if you are properly connected to the cloud.
You can download a sample file that antivirus will detect and block if you are properly connected to the cloud.
Download the file by visiting the following link:
- http://aka.ms/ioavtest
>[!NOTE]
>[!NOTE]
>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
If you are properly connected, you will see a warning notification from Windows Defender Antivirus:
If you are properly connected, you will see a warning antivirus notification:
![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png)
![Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png)
If you are using Microsoft Edge, you'll also see a notification message:
@ -180,7 +170,7 @@ If you are using Microsoft Edge, you'll also see a notification message:
A similar message occurs if you are using Internet Explorer:
![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
![Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Defender Security Center app:
@ -189,23 +179,22 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
![Screenshot of the Scan history label in the Windows Defender Security Center app](images/defender/wdav-history-wdsc.png)
3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware:
![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png)
>[!NOTE]
>Versions of Windows 10 before version 1703 have a different user interface. See the [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) topic for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
>Versions of Windows 10 before version 1703 have a different user interface. See [Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
>[!IMPORTANT]
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
- [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
- [Run an antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/)

71
windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Configure notifications for Windows Defender Antivirus
description: Configure and customize notifications from Windows Defender AV.
keywords: notifications, defender, endpoint, management, admin
title: Configure antivirus notifications
description: Configure and customize antivirus notifications.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -16,22 +16,14 @@ ms.date: 04/30/2018
# Configure the notifications that appear on endpoints
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- Windows Defender Security Center app
In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated.
@ -40,78 +32,73 @@ You can also configure how standard notifications appear on endpoints, such as n
You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy.
> [!NOTE]
> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10 it is called **Enhanced notifications**.
> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
> [!IMPORTANT]
> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
**Use the Windows Defender Security Center app to disable additional notifications:**
**Use the Windows Defender Security Center app to disable additional notifications:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png)
3. Scroll to the **Notifications** section and click **Change notification settings**.
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png)
3. Scroll to the **Notifications** section and click **Change notification settings**.
4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
**Use Group Policy to disable additional notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
3. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**.
6. Double-click the **Turn off enhanced notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**.
5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Configure standard notifications on endpoints
You can use Group Policy to:
- Display additional, customized text on endpoints when the user needs to perform an action
- Hide all notifications on endpoints
- Hide reboot notifications on endpoints
Hiding notifications can be useful in situations where you cannot hide the entire Windows Defender AV interface. See [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information.
Hiding notifications can be useful in situations where you can't hide the entire antivirus interface. See [Prevent users from seeing or interacting with the antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information.
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
See the [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) topic for instructions to add custom contact information to the notifications that users see on their machines.
See [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
**Use Group Policy to hide reboot notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with antivirus](configure-end-user-interaction-windows-defender-antivirus.md)

114
windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Configure exclusions for files opened by specific processes
description: You can exclude files from scans if they have been opened by a specific process.
keywords: process, exclusion, files, scans
keywords: antivirus, process, exclusion, files, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -16,78 +16,73 @@ ms.date: 07/10/2018
# Configure exclusions for files opened by processes
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center
You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV.
You can exclude files that have been opened by specific processes from antivirus scans.
This topic describes how to configure exclusion lists for the following:
<a id="examples"></a>
Exclusion | Example
Exclusion | Example
---|---
Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: <ul><li>c:\sample\test.exe</li><li>d:\internal\files\test.exe</li></ul>
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:<ul><li>c:\test\sample\test.exe</li><li>c:\test\sample\test2.exe</li><li>c:\test\sample\utility.exe</li></ul>
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
When you add a process to the process exclusion list, antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They do not apply to scheduled or on-demand scans.
The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions for files opened by specified processes
<a id="gp"></a>
**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
**Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:**
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
**Use Group Policy to exclude files that have been opened by specified processes from scans:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
4. Double-click **Process Exclusions** and add the exclusions:
6. Double-click the **Process Exclusions** setting and add the exclusions:
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**.
3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
5. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
<a id="ps"></a>
**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:**
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
@ -102,14 +97,12 @@ The following are allowed as the \<cmdlet>:
Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove items from the list | `Remove-MpPreference`
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove items from the list | `Remove-MpPreference`
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process:
@ -117,9 +110,7 @@ For example, the following code snippet would cause Windows Defender AV scans to
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with antivirus.
**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
@ -132,26 +123,17 @@ ExclusionProcess
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
<a id="man-tools"></a>
**Use Configuration Manager to exclude files that have been opened by specified processes from scans:**
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:**
See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
<a id="wildcards"></a>
## Use wildcards in the process exclusion list
The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
@ -166,20 +148,18 @@ Wildcard | Use | Example use | Example matches
? (question mark) | Not available | \- | \-
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles\file.exe</li></ul> | <ul><li>Any file opened by C:\ProgramData\CustomLogFiles\file.exe</li></ul>
<a id="review"></a>
## Review the list of exclusions
You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Retrieve the status of all antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
**Review the list of exclusions alongside all other Windows Defender AV preferences:**
**Review the list of exclusions alongside all other antivirus preferences:**
Use the following cmdlet:
@ -187,9 +167,7 @@ Use the following cmdlet:
Get-MpPreference
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with antivirus.
**Retrieve a specific exclusions list:**
@ -200,18 +178,12 @@ $WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with antivirus.
## Related topics
- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

23
windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Enable and configure protection features in Windows Defender AV
title: Enable and configure antivirus protection features
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
@ -16,30 +16,21 @@ ms.date: 08/26/2017
# Configure behavioral, heuristic, and real-time protection
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
Windows Defender Antivirus uses several methods to provide threat protection:
Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
You can configure how antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection.
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See [Use next-gen antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for how to enable and configure antivirus cloud-delivered protection.
## In this section
Topic | Description
Topic | Description
---|---
[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features
[Enable and configure antivirus protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features

70
windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Configure always-on real-time protection in Windows Defender AV
description: Enable and configure real-time protection features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV
keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics
title: Configure always-on real-time antivirus protection
description: Enable and configure antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,66 +14,42 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Enable and configure Windows Defender AV always-on protection and monitoring
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Enable and configure antivirius always-on protection and monitoring
**Manageability available with**
- Group Policy
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
## Configure and enable always-on protection
You can configure how always-on protection works with the Group Policy settings described in this section.
To configure these settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK** and repeat for any other settings.
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Real-time protection | Monitor file and program activity on your computer | The AV engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled
Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
Real-time protection | Monitor file and program activity on your computer | The antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled
Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled
Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the antivirus engine is asked to detect the activity | Enabled
Root | Allow antimalware service to startup with normal priority | You can lower the priority of the antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set antivirus to still run. This lowers the protection on the endpoint. | Disabled
## Disable real-time protection
> [!WARNING]
@ -83,17 +59,15 @@ The main real-time protection capability is enabled by default, but you can disa
**Use Group Policy to disable real-time protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**.
6. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**.
4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
## Related topics
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

51
windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Remediate and resolve infections detected by Windows Defender AV
description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
title: Remediate and resolve infections detected by antivirus
description: Configure what antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
keywords: remediation, fix, remove, threats, quarantine, scan, restore
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -14,16 +14,7 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Configure remediation for Windows Defender AV scans
**Applies to**
- Windows 10
**Audience**
- Enterprise security administrators
# Configure remediation for antivirus scans
**Manageability available with**
@ -33,7 +24,7 @@ ms.date: 07/10/2018
- Windows Management Instrumentation (WMI)
- Microsoft Intune
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
When antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
@ -45,40 +36,38 @@ You can configure how remediation works with the Group Policy settings described
To configure these settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
Root | Turn off routine remediation | You can specify whether Windows Defender AV automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Root | Turn off routine remediation | You can specify whether antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
>[!IMPORTANT]
>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
>Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
></p>
>If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md).
>If you are certain antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in antivirus](restore-quarantined-files-windows-defender-antivirus.md).
></p>
>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md).
>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for antivirus scans](configure-exclusions-windows-defender-antivirus.md).
Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings.
Also see [Configure remediation-required scheduled full antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings.
## Related topics
- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
- [Configure antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Configure and run on-demand antivirus scans](run-scan-windows-defender-antivirus.md)
- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

320
windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Automatic and customized exclusions for Windows Defender AV on Windows Server 2016
description: Windows Server 2016 includes automatic exclusions, based on Server Role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans
title: Configure antivirus exclusions on Windows Server 2016
description: Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,17 +14,7 @@ ms.author: v-anbic
ms.date: 05/17/2018
---
# Configure exclusions in Windows Defender AV on Windows Server
**Applies to:**
- Windows Server 2016
**Audience**
- Enterprise security administrators
# Configure antivirus exclusions on Windows Server
**Manageability available with**
@ -32,25 +22,25 @@ ms.date: 05/17/2018
- PowerShell
- Windows Management Instrumentation (WMI)
If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions).
Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions.
These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics:
You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics:
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
Custom exclusions take precedence over the automatic exclusions.
Custom exclusions take precedence over automatic exclusions.
> [!TIP]
> Custom and duplicate exclusions do not conflict with automatic exclusions.
Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer.
Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates.
In Windows Server 2016, the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in definition updates.
> [!WARNING]
> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.
@ -58,17 +48,17 @@ In Windows Server 2016 the predefined exclusions delivered by definition updates
> [!NOTE]
> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.
You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
4. Double-click **Turn off Auto Exclusions** and set the option to **Enabled**. Click **OK**.
**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
@ -91,311 +81,305 @@ DisableAutoExclusions
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## List of automatic exclusions
The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
### Default exclusions for all roles
This section lists the default exclusions for all Windows Server 2016 roles.
- Windows "temp.edb" files:
- Windows "temp.edb" files:
- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
- Windows Update files or Automatic Update files:
- Windows Update files or Automatic Update files:
- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
- Windows Security files:
- Windows Security files:
- *%windir%*\Security\database\\*.chk
- *%windir%*\Security\database\\*.chk
- *%windir%*\Security\database\\*.edb
- *%windir%*\Security\database\\*.edb
- *%windir%*\Security\database\\*.jrs
- *%windir%*\Security\database\\*.jrs
- *%windir%*\Security\database\\*.log
- *%windir%*\Security\database\\*.log
- *%windir%*\Security\database\\*.sdb
- *%windir%*\Security\database\\*.sdb
- Group Policy files:
- Group Policy files:
- *%allusersprofile%*\NTUser.pol
- *%allusersprofile%*\NTUser.pol
- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
- WINS files:
- WINS files:
- *%systemroot%*\System32\Wins\\*\\\*.chk
- *%systemroot%*\System32\Wins\\*\\\*.chk
- *%systemroot%*\System32\Wins\\*\\\*.log
- *%systemroot%*\System32\Wins\\*\\\*.log
- *%systemroot%*\System32\Wins\\*\\\*.mdb
- *%systemroot%*\System32\Wins\\*\\\*.mdb
- *%systemroot%*\System32\LogFiles\
- *%systemroot%*\System32\LogFiles\
- *%systemroot%*\SysWow64\LogFiles\
- *%systemroot%*\SysWow64\LogFiles\
- File Replication Service (FRS) exclusions:
- File Replication Service (FRS) exclusions:
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- *%windir%*\Ntfrs\jet\log\\*\\\*.log
- *%windir%*\Ntfrs\jet\log\\*\\\*.log
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- *%windir%*\Ntfrs\\*\Edb\*.log
-*%windir%*\Ntfrs\\*\Edb\*.log
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- *%systemdrive%*\System Volume Information\DFSR\\*.XML
- *%systemdrive%*\System Volume Information\DFSR\\*.XML
- *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- *%systemdrive%*\System Volume Information\DFSR\\*.frx
- *%systemdrive%*\System Volume Information\DFSR\\*.frx
- *%systemdrive%*\System Volume Information\DFSR\\*.log
- *%systemdrive%*\System Volume Information\DFSR\\*.log
- *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
- *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
- *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
- *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
- Process exclusions
- Process exclusions
- *%systemroot%*\System32\dfsr.exe
- *%systemroot%*\System32\dfsr.exe
- *%systemroot%*\System32\dfsrs.exe
- *%systemroot%*\System32\dfsrs.exe
- Hyper-V exclusions:
- Hyper-V exclusions:
- This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
- This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
- File type exclusions:
- File type exclusions:
- *.vhd
- *.vhd
- *.vhdx
- *.vhdx
- *.avhd
- *.avhd
- *.avhdx
- *.avhdx
- *.vsv
- *.vsv
- *.iso
- *.iso
- *.rct
- *.rct
- *.vmcx
- *.vmcx
- *.vmrs
- *.vmrs
- Folder exclusions:
- Folder exclusions:
- *%ProgramData%*\Microsoft\Windows\Hyper-V
- *%ProgramData%*\Microsoft\Windows\Hyper-V
- *%ProgramFiles%*\Hyper-V
- *%ProgramFiles%*\Hyper-V
- *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- Process exclusions:
- Process exclusions:
- *%systemroot%*\System32\Vmms.exe
- *%systemroot%*\System32\Vmms.exe
- *%systemroot%*\System32\Vmwp.exe
- *%systemroot%*\System32\Vmwp.exe
- SYSVOL files:
- SYSVOL files:
- *%systemroot%*\Sysvol\Domain\\*.adm
- *%systemroot%*\Sysvol\Domain\\*.adm
- *%systemroot%*\Sysvol\Domain\\*.admx
- *%systemroot%*\Sysvol\Domain\\*.admx
- *%systemroot%*\Sysvol\Domain\\*.adml
- *%systemroot%*\Sysvol\Domain\\*.adml
- *%systemroot%*\Sysvol\Domain\Registry.pol
- *%systemroot%*\Sysvol\Domain\Registry.pol
- *%systemroot%*\Sysvol\Domain\\*.aas
- *%systemroot%*\Sysvol\Domain\\*.aas
- *%systemroot%*\Sysvol\Domain\\*.inf
- *%systemroot%*\Sysvol\Domain\\*.inf
- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- *%systemroot%*\Sysvol\Domain\\*.ins
- *%systemroot%*\Sysvol\Domain\\*.ins
- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
### Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- %windir%\Ntds\ntds.dit
- %windir%\Ntds\ntds.dit
- %windir%\Ntds\ntds.pat
- %windir%\Ntds\ntds.pat
- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\Res*.log
- %windir%\Ntds\Res*.log
- %windir%\Ntds\Edb*.jrs
- %windir%\Ntds\Edb*.jrs
- %windir%\Ntds\Ntds*.pat
- %windir%\Ntds\Ntds*.pat
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\TEMP.edb
- %windir%\Ntds\TEMP.edb
- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- %windir%\Ntds\Temp.edb
- %windir%\Ntds\Temp.edb
- %windir%\Ntds\Edb.chk
- %windir%\Ntds\Edb.chk
- Process exclusions for AD DS and AD DS-related support files:
- Process exclusions for AD DS and AD DS-related support files:
- %systemroot%\System32\ntfrs.exe
- %systemroot%\System32\ntfrs.exe
- %systemroot%\System32\lsass.exe
- %systemroot%\System32\lsass.exe
### DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
- *%systemroot%*\System32\DHCP\\*\\\*.pat
- *%systemroot%*\System32\DHCP\\*\\\*.pat
- *%systemroot%*\System32\DHCP\\*\\\*.log
- *%systemroot%*\System32\DHCP\\*\\\*.log
- *%systemroot%*\System32\DHCP\\*\\\*.chk
- *%systemroot%*\System32\DHCP\\*\\\*.chk
- *%systemroot%*\System32\DHCP\\*\\\*.edb
- *%systemroot%*\System32\DHCP\\*\\\*.edb
### DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
- File and folder exclusions for the DNS Server role:
- File and folder exclusions for the DNS Server role:
- *%systemroot%*\System32\Dns\\*\\\*.log
- *%systemroot%*\System32\Dns\\*\\\*.log
- *%systemroot%*\System32\Dns\\*\\\*.dns
- *%systemroot%*\System32\Dns\\*\\\*.dns
- *%systemroot%*\System32\Dns\\*\\\*.scc
- *%systemroot%*\System32\Dns\\*\\\*.scc
- *%systemroot%*\System32\Dns\\*\BOOT
- *%systemroot%*\System32\Dns\\*\BOOT
- Process exclusions for the DNS Server role:
- Process exclusions for the DNS Server role:
- *%systemroot%*\System32\dns.exe
- *%systemroot%*\System32\dns.exe
### File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- *%SystemDrive%*\ClusterStorage
- *%SystemDrive%*\ClusterStorage
- *%clusterserviceaccount%*\Local Settings\Temp
- *%clusterserviceaccount%*\Local Settings\Temp
- *%SystemDrive%*\mscs
- *%SystemDrive%*\mscs
### Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
- File type exclusions:
- File type exclusions:
- *.shd
- *.shd
- *.spl
- *.spl
- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
- *%system32%*\spool\printers\\*
- *%system32%*\spool\printers\\*
- Process exclusions:
- Process exclusions:
- spoolsv.exe
- spoolsv.exe
### Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
- Folder exclusions:
- Folder exclusions:
- *%SystemRoot%*\IIS Temporary Compressed Files
- *%SystemRoot%*\IIS Temporary Compressed Files
- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- *%systemDrive%*\inetpub\logs
- *%systemDrive%*\inetpub\logs
- *%systemDrive%*\inetpub\wwwroot
- *%systemDrive%*\inetpub\wwwroot
- Process exclusions:
- Process exclusions:
- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- *%SystemDrive%*\PHP5433\php-cgi.exe
- *%SystemDrive%*\PHP5433\php-cgi.exe
### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- *%systemroot%*\WSUS\WSUSContent
- *%systemroot%*\WSUS\UpdateServicesDBFiles
- *%systemroot%*\SoftwareDistribution\Datastore
- *%systemroot%*\SoftwareDistribution\Download
- *%systemroot%*\WSUS\WSUSContent
- *%systemroot%*\WSUS\UpdateServicesDBFiles
- *%systemroot%*\SoftwareDistribution\Datastore
- *%systemroot%*\SoftwareDistribution\Download
## Related topics
- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

36
windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
View File

@ -1,7 +1,7 @@
---
title: Configure Windows Defender Antivirus features (Windows 10)
description: You can configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings.
keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
title: Configure antivirus features
description: You can configure antivirus features with Intune, System Center Configuration Manager, Group Policy, and PowerShell.
keywords: antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,25 +14,15 @@ ms.author: v-anbic
ms.date: 08/26/2017
---
# Configure Windows Defender Antivirus features
# Configure antivirus features
You can configure antivirus with a number of tools, including:
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
Windows Defender Antivirus can be configured with a number of tools, including:
- Group Policy settings
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
- Microsoft Intune
The following broad categories of features can be configured:
@ -40,17 +30,13 @@ The following broad categories of features can be configured:
- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
- How end-users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Windows Defender AV. Each topic includes instructions for the applicable configuration tool (or tools).
The topics in this section describe how to perform key tasks when configuring antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help.
## In this section
Topic | Description
:---|:---
[Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV
[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings
[Utilize Microsoft cloud-provided antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
[Configure end-user antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with antivirus, what notifications they see, and whether they can override settings

30
windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Run and customize scheduled and on-demand scans
description: Customize and initiate scans using Windows Defender AV on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan
description: Customize and initiate antivirus scans on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,29 +14,17 @@ ms.author: v-anbic
ms.date: 08/26/2017
---
# Customize, initiate, and review the results of Windows Defender AV scans and remediation
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure scans run by Windows Defender Antivirus.
# Customize, initiate, and review the results of antivirus scans and remediation
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure antivirus scans.
## In this section
Topic | Description
Topic | Description
---|---
[Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
[Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
[Configure and validate file, folder, and process-opened file exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
[Configure antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app

49
windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Deploy, manage, and report on Windows Defender Antivirus
description: You can deploy and manage Windows Defender Antivirus with Group Policy, Configuration Manager, WMI, PowerShell, or Intune
title: Deploy, manage, and report on antivirus
description: You can deploy and manage antivirus with Intune, System Center Configuration Manager, Group Policy, PowerShell, or WMI
keywords: deploy, manage, update, protection, windows defender antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -14,46 +14,36 @@ ms.author: v-anbic
ms.date: 07/19/2018
---
# Deploy, manage, and report on Windows Defender Antivirus
# Deploy, manage, and report on antivirus
**Applies to:**
You can deploy, manage, and report on antivirus in a number of ways.
- Windows 10
Because the antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
**Audience**
- IT administrators
You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Security Center, or Group Policy Objects, which is described in the following table.
However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table.
You'll also see additional links for:
- Managing Windows Defender Antivirus protection, including managing product and protection updates
- Reporting on Windows Defender Antivirus protection
- Managing antivirus protection, including managing product and protection updates
- Reporting on antivirus protection
> [!IMPORTANT]
> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
> In most cases, Windows 10 will disable antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables antivirus.
Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management)
Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
2. <span id="fn2" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
3. <span id="fn3" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
3. <span id="fn3" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
[Endpoint Protection point site system role]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-site-role
[default and customized antimalware policies]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies
@ -79,13 +69,10 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
[Possibly infected devices]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md
## In this section
Topic | Description
Topic | Description
---|---
[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
[Deploy and enable antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.

33
windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Deploy and enable Windows Defender Antivirus
description: Deploy Windows Defender AV for protection of your endpoints with Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, windows defender av
title: Deploy and enable antivirus
description: Deploy antivirus for protection of your endpoints with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,29 +14,18 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Deploy and enable Windows Defender Antivirus
# Deploy and enable antivirus
Depending on the management tool you are using, you may need to specifically enable or configure antivirus protection.
**Applies to:**
See the table in [Deploy, manage, and report on antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
- Windows 10
Some scenarios require additional guidance on how to successfully deploy or configure antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
**Audience**
- Network administrators
- IT administrators
Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection.
See the table in the [Deploy, manage, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md#ref2) topic for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments.
The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md).
The remaining topic in this section provides end-to-end advice and best practices for [setting up antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md).
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Deployment guide for antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)

215
windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
View File

@ -16,26 +16,16 @@ ms.date: 04/30/2018
# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- System Center Configuration Manager (current branch)
- Group Policy
In addition to standard on-premises or hardware configurations, you can also use antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware.
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware.
We recommend setting the following when deploying Windows Defender AV in a VDI environment:
We recommend setting the following when deploying antivirus in a VDI environment:
Location | Setting | Suggested configuration
---|---|---
@ -46,17 +36,20 @@ Root | Randomize scheduled task times | Enabled
Signature updates | Turn on scan after signature update | Enabled
Scan | Turn on catch up quick scan | Enabled
For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for System Center Configuration Manager and Group Policy, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.
For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection) topic.
There are three main steps in this guide to help roll out Windows Defender AV protection across your VDI:
There are three main steps in this guide to help roll out antivirus protection across your VDI:
1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image)
2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image)
3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including:
1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image)
2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image)
3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including:
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
@ -66,47 +59,49 @@ There are three main steps in this guide to help roll out Windows Defender AV pr
>[!IMPORTANT]
> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
>[!NOTE]
>When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information.
>[!NOTE]
>When you manage Windows with System Center Configuration Manager, antivirus protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information.
## Create and deploy the base image
## Create and deploy the base image
The main steps in this section include:
1. Create your standard base image according to your requirements
2. Apply Windows Defender AV protection updates to your base image
3. Seal or “lock” the image to create a “known-good” image
4. Deploy your image to your VMs
1. Create your standard base image according to your requirements
2. Apply Windows Defender AV protection updates to your base image
3. Seal or “lock” the image to create a “known-good” image
4. Deploy your image to your VMs
### Create the base image
First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs.
### Apply protection updates to the base image
After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update antivirus protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
### Seal the base image
When the base image is fully updated, you should run a quick scan on the image.
After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here:
When the base image is fully updated, you should run a quick scan on the image.
After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both antivirus and the Microsoft Security Removal Tool. This key is located here:
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT'
Remove the string found in the 'GUID' value
This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
This “sealing” or “locking” of the image helps antivirus build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
>[!NOTE]
>[!NOTE]
><b>Quick scan versus full scan</b>
>Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
>Therefore, when considering performance especially for creating a new or updated image in preparation for deployment it makes sense to use a quick scan only.
>Therefore, when considering performance especially for creating a new or updated image in preparation for deployment it makes sense to use a quick scan only.
>A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up.
### Deploy the base image
### Deploy the base image
You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
The following references provide ways you can create and deploy the base image across your VDI:
@ -116,58 +111,57 @@ The following references provide ways you can create and deploy the base image a
- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v)
- [Build Virtual Desktop templates]( https://technet.microsoft.com/en-us/library/dn645526(v=ws.11).aspx)
## Manage your VMs and base image
How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure.
Because Windows Defender AV downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.
Because antivirus downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.
Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
### Manage updates for persistent VDIs
If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows:
1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs).
2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this).
3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md).
4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others.
5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
6. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
### Manage updates for non-persistent VDIs
If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image.
An example:
1. Every night or other time when you can safely take your VMs offline, update your base image with the latest [protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
## Configure endpoints for optimal performance
There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including:
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
- [Disable scans from occurring after every update](#disable-scans-after-an-update)
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
- [Disable scans from occurring after every update](#disable-scans-after-an-update)
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network.
### Randomize scheduled scans
Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
Antivirus supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md).
@ -177,17 +171,17 @@ The start time of the scan itself is still based on the scheduled scan policy
**Use Group Policy to randomize scheduled scan start times:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender** and configure the following setting:
1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
4. Expand the tree to **Windows components > Windows Defender** and configure the following setting:
**Use Configuration Manager to randomize schedule scans:**
- Double-click **Randomize scheduled task times** and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
**Use Configuration Manager to randomize scheduled scans:**
See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch).
@ -196,18 +190,19 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for
### Use quick scans
You can specify the type of scan that should be performed during a scheduled scan.
Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
**Use Group Policy to specify the type of scheduled scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
1. Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**.
4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
- Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. Click **OK**.
**Use Configuration Manager to specify the type of scheduled scan:**
@ -217,34 +212,34 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for
### Prevent notifications
Sometimes, Windows Defender AV notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the user interface for Windows Defender AV.
Sometimes, antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the antivirus user interface.
**Use Group Policy to hide notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
2. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
4. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
- Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
- Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
**Use Configuration Manager to hide notifications:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Advanced** section and configure the following settings:
2. Go to the **Advanced** section and configure the following settings:
1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface.
2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing.
1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface.
3. Click **OK**.
2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing.
3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
3. Click **OK**.
3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
### Disable scans after an update
@ -255,68 +250,58 @@ This setting will prevent a scan from occurring after receiving an update. You c
**Use Group Policy to disable scans after an update:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting:
1. Double-click the **Turn on scan after signature update** setting and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update.
4. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting:
- Double-click **Turn on scan after signature update** and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update.
**Use Configuration Manager to disable scans after an update:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and configure the following setting:
1. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update.
3. Click **OK**.
2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and configure the following setting:
3. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update.
4. Click **OK**.
5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
### Scan VMs that have been offline
This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan.
This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan.
**Use Group Policy to enable a catch-up scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
5. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
**Use Configuration Manager to disable scans after an update:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and configure the following setting:
2. Go to the **Scheduled scans** section and configure the following setting:
1. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
3. Click **OK**.
2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
3. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
4. Click **OK**.
5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
### Exclusions
Windows Server 2016 contains Windows Defender Antivirus and will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
Windows Server 2016 antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
## Additional resources
@ -324,4 +309,4 @@ Windows Server 2016 contains Windows Defender Antivirus and will automatically d
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
- [Project VRC: Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)

58
windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Block Potentially Unwanted Applications with Windows Defender AV
description: Enable the Potentially Unwanted Application (PUA) feature in Windows Defender Antivirus to block unwanted software such as adware.
keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, windows defender
title: Block potentially unwanted applications with antivirus
description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,73 +14,68 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Detect and block Potentially Unwanted Applications
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Detect and block potentially unwanted applications
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- PowerShell cmdlets
- Microsoft Intune
The Potentially Unwanted Application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network.
The potentially unwanted application (PUA) antivirus protection feature can identify and block PUAs from downloading and installing on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation.
Typical PUA behavior includes:
- Various types of software bundling
- Ad-injection into web browsers
- Ad injection into web browsers
- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## How it works
PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions:
- The file is being scanned from the browser
- The file is in a folder with "**downloads**" in the path
- The file is in a folder with "**temp**" in the path
- The file is on the user's Desktop
- The file is on the user's desktop
- The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%*
The file is placed in the quarantine section so it won't run.
The file is placed in the quarantine section so it won't run.
When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:").
They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history).
## View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.
Hoever, PUA detections will be reported if you have set up email notifications for detections.
See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.
## Configure PUA protection
## Configure the PUA protection feature
You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, or PowerShell cmdlets.
You can enable the PUA protection feature with System Center Configuration Manager, PowerShell cmdlets, or Microsoft Intune.
You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.
You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.
This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
**Use Intune to configure the PUA protection feature**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
**Use Configuration Manager to configure the PUA protection feature:**
PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later.
PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later.
See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch).
@ -101,18 +96,9 @@ Setting the value for this cmdlet to `Enabled` will turn the feature on if it ha
Setting `AuditMode` will detect PUAs but will not block them.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Intune to configure the PUA protection feature**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
See [Use PowerShell cmdlets to configure and run antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
## Related topics
- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
- [Next gen protection](windows-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)

115
windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
View File

@ -14,71 +14,74 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Enable cloud-delivered protection in Windows Defender AV
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Enable cloud-delivered protection
**Manageability available with**
- Group Policy
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
- Microsoft Intune
- Windows Defender Security Center app
>[!NOTE]
>The antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
You can enable or disable antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app.
See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections for Windows Defender AV](configure-network-connections-windows-defender-antivirus.md) for more details.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details.
>[!NOTE]
>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
**Use Intune to enable cloud-delivered protection**
**Use Group Policy to enable cloud-delivered protection:**
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
5. On the **Cloud-delivered protection** switch, select **Enable**.
6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
7. In the **Submit samples consent** dropdown, select one of the following:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
1. **Send safe samples** (1)
1. **Send all samples** (3)
- **Send safe samples automatically**
- **Send all samples automatically**
> [!WARNING]
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
1. Click **OK**.
> Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
**Use Configuration Manager to enable cloud-delivered protection:**
See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
**Use Group Policy to enable cloud-delivered protection:**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
1. **Send safe samples** (1)
2. **Send all samples** (3)
> [!WARNING]
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
7. Click **OK**.
**Use PowerShell cmdlets to enable cloud-delivered protection:**
@ -88,10 +91,10 @@ Use the following cmdlets to enable cloud-delivered protection:
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent Always
```
>[!NOTE]
>You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:**
@ -106,36 +109,18 @@ SubmitSamplesConsent
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
**Use Intune to enable cloud-delivered protection**
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
5. On the **Cloud-delivered protection** switch, select **Enable**.
6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
7. In the **Submit samples consent** dropdown, select one of the following:
1. **Send safe samples automatically**
2. **Send all samples automatically**
> [!WARNING]
> Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app**
> [!NOTE]
> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
>[!NOTE]
>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
@ -143,10 +128,10 @@ For more information about Intune device profiles, including how to create and c
## Related topics
- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Use PowerShell cmdlets to manage next generation protection](use-powershell-cmdlets-windows-defender-antivirus.md)
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

35
windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Evaluate Windows Defender Antivirus
title: Evaluate next generation protection
description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10.
keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
search.product: eADQiWindows 10XVcnh
@ -14,47 +14,34 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Evaluate Windows Defender Antivirus protection
# Evaluate next generation protection
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
Use this guide to determine how well next generation protection protects you from viruses, malware, and potentially unwanted applications.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
>- Cloud-delivered protection
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network.
It explains the important next generation protection features available for both small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
The guide is available in PDF format for offline viewing:
- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.2/DisplayScript)
> [!IMPORTANT]
> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
> The guide is currently intended for single-machine evaluation of next generation protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
>
> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see the [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) topic in this library.
> For the latest recommendations for real-world deployment and monitoring of next generation protection across a network, see [Deploy next generation](deploy-manage-report-windows-defender-antivirus.md).
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)

39
windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Enable the limited periodic scanning feature in Windows Defender AV
description: Limited periodic scanning lets you use Windows Defender AV in addition to your other installed AV providers
title: Enable the limited periodic antivirus scanning feature
description: Limited periodic scanning lets you use next generation protection in addition to your other installed AV providers
keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -16,58 +16,39 @@ ms.date: 04/30/2018
# Use limited periodic scanning in Windows Defender AV
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
# Use limited periodic scanning in next generation protection
**Manageability available with**
- Windows Defender Security Center app
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
It can only be enabled in certain situations. See [Antivirus compatibility](windows-defender-antivirus-compatibility.md) for more information on when limited periodic scanning can be enabled, and how next generation protection works with other AV products.
**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the capabilities of Windows Defender Antivirus to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
## How to enable limited periodic scanning
By default, Windows Defender AV will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other AV product is out-of-date, expired, or not working correctly.
By default, antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly.
If Windows Defender AV is enabled, the usual options will appear to configure Windows Defender AV on that device:
If antivirus is enabled, the usual options will appear to configure it on that device:
![Windows Defender Security Center app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png)
If another AV product is installed and working correctly, Windows Defender AV will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
If another antivirus product is installed and working correctly, Windows antivirus will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
![Windows Defender Security Center app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png)
Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png)
Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page.
![When enabled, periodic scanning shows the normal Windows Defender AV options](images/vtp-3ps-lps-on.png)
![When enabled, periodic scanning shows the normal antivirus options](images/vtp-3ps-lps-on.png)
## Related topics
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

128
windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Apply Windows Defender AV updates after certain events
description: Manage how Windows Defender Antivirus applies proteciton updates after startup or receiving cloud-delivered detection reports.
title: Apply next generation protection updates after certain events
description: Manage how antivirus applies protection updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -16,52 +16,42 @@ ms.date: 04/30/2018
# Manage event-based forced updates
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
Next generation protection allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
## Check for protection updates before running a scan
You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to force Windows Defender AV to check and download protection updates before running a scheduled scan.
**Use Group Policy to check for protection updates before running a scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
6. Double-click the **Check for the latest virus and spyware definitions before running a scheduled scan** setting and set the option to **Enabled**.
7. Click **OK**.
You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force antivirus to check and download protection updates before running a scheduled scan.
**Use Configuration Manager to check for protection updates before running a scan:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
3. Click **OK**.
4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
4.[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
**Use Group Policy to check for protection updates before running a scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
6. Click **OK**.
**Use PowerShell cmdlets to check for protection updates before running a scan:**
@ -73,7 +63,6 @@ Set-MpPreference -CheckForSignaturesBeforeRunningScan
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to check for protection updates before running a scan**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
@ -85,46 +74,39 @@ CheckForSignaturesBeforeRunningScan
See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## Check for protection updates on startup
You can use Group Policy to force Windows Defender AV to check and download protection updates when the machine is started.
You can use Group Policy to force antivirus to check and download protection updates when the machine is started.
**Use Group Policy to download protection updates at startup:**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
5. Double-click the **Check for the latest virus and spyware definitions on startup** setting and set the option to **Enabled**.
6. Click **OK**.
6. Click **OK**.
You can also use Group Policy, PowerShell, or WMI to configure antivirus to check for updates at startup even when it is not running.
You can also use Group Policy, PowerShell, or WMI to configure Windows Defender AV to check for updates at startup even when it is not running.
**Use Group Policy to download updates when Windows antivirus is not present:**
**Use Group Policy to download updates when Windows Defender AV is not present:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Double-click **Initiate definition update on startup** and set the option to **Enabled**.
6. Double-click the **Initiate definition update on startup** setting and set the option to **Enabled**.
6. Click **OK**.
7. Click **OK**.
**Use PowerShell cmdlets to download updates when Windows Defender AV is not present:**
**Use PowerShell cmdlets to download updates when Windows antivirus is not present:**
Use the following cmdlets:
@ -132,10 +114,9 @@ Use the following cmdlets:
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to manage next generation protection](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to download updates when Windows Defender AV is not present:**
**Use Windows Management Instruction (WMI) to download updates when Windows antivirus not present:**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
@ -146,11 +127,8 @@ SignatureDisableUpdateOnStartupWithoutEngine
See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
<a id="cloud-report-updates"></a>
## Allow ad hoc changes to protection based on cloud-delivered protection
Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates.
@ -159,27 +137,21 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
**Use Group Policy to automatically download recent updates based on cloud-delivered protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
1. Double-click the **Allow real-time definition updates based on reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
2. Double-click the **Allow notifications to disable definitions based reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
## Related topics
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

67
windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -16,45 +16,49 @@ ms.date: 04/30/2018
# Manage updates and scans for endpoints that are out of date
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
Next generation protection lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time.
When the user returns to work and logs on to their PC, Windows Defender AV will immediately check and download the latest protection updates, and run a scan.
When the user returns to work and logs on to their PC, antivirus will immediately check and download the latest protection updates, and run a scan.
## Set up catch-up protection updates for endpoints that haven't updated for a while
If Windows Defender AV did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
If antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
**Use Configuration Manager to configure catch-up protection updates:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section and configure the following settings:
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
3. Click **OK**.
4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
**Use Group Policy to enable and configure the catch-up update feature:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
6. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
7. Click **OK**.
6. Click **OK**.
**Use PowerShell cmdlets to configure catch-up protection updates:**
@ -78,23 +82,11 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
**Use Configuration Manager to configure catch-up protection updates:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section and configure the following settings:
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
3. Click **OK**.
4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
## Set the number of days before protection is reported as out-of-date
You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
You can also specify the number of days after which antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
**Use Group Policy to specify the number of days before protection is considered out-of-date:**
@ -119,7 +111,7 @@ You can also specify the number of days after which Windows Defender AV protecti
## Set up catch-up scans for endpoints that have not been scanned for a while
You can set the number of consecutive scheduled scans that can be missed before Windows Defender AV will force a scan.
You can set the number of consecutive scheduled scans that can be missed before antivirus will force a scan.
The process for enabling this feature is:
@ -159,7 +151,7 @@ Set-MpPreference -DisableCatchupQuickScan
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to manage next generation protection](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to configure catch-up scans:**
@ -187,10 +179,9 @@ See the following for more information and allowed parameters:
## Related topics
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

54
windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
View File

@ -16,22 +16,15 @@ ms.date: 04/30/2018
# Manage the schedule for when protection updates should be downloaded and applied
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV lets you determine when it should look for and download updates.
Next generation protection lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
@ -41,24 +34,6 @@ You can schedule updates for your endpoints by:
You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information.
**Use Group Policy to schedule protection updates:**
> [!IMPORTANT]
> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
**Use Configuration Manager to schedule protection updates:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@ -73,6 +48,24 @@ You can also randomize the times when each endpoint checks and downloads protect
5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
**Use Group Policy to schedule protection updates:**
> [!IMPORTANT]
> By default, antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
**Use PowerShell cmdlets to schedule protection updates:**
@ -102,13 +95,12 @@ See the following for more information and allowed parameters:
## Related topics
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

17
windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -16,13 +16,6 @@ ms.date: 04/30/2018
# Manage the sources for Windows Defender Antivirus protection updates
**Applies to**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
@ -37,7 +30,7 @@ There are two components to managing protection updates - where the updates are
This topic describes where you can specify the updates should be downloaded from, also known as the fallback order.
See the [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
See [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
<a id="fallback-order"></a>
@ -157,11 +150,11 @@ See the following for more information:
## Related topics
- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender AV in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

17
windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -14,18 +14,9 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Manage Windows Defender Antivirus updates and apply baselines
# Manage next generation protection updates and apply baselines
**Applies to:**
- Windows 10
**Audience**
- Network administrators
There are two types of updates related to keeping Windows Defender Antivirus:
There are two types of updates related to keeping antivirus up to date:
1. Protection updates
2. Product updates
@ -33,14 +24,14 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en
## Protection updates
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
## Product updates
Windows Defender AV requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
Next generation protection requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.

15
windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
View File

@ -16,13 +16,6 @@ ms.date: 04/30/2018
# Manage updates for mobile devices and virtual machines (VMs)
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy
@ -44,7 +37,7 @@ The following topics may also be useful in these situations:
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep definitions on mobile devices running Windows Defender AV up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
You can use Microsoft Update to keep definitions on mobile devices running antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
@ -81,7 +74,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
## Prevent definition updates when running on battery power
You can configure Windows Defender AV to only download protection updates when the PC is connected to a wired power source.
You can configure antivirus to only download protection updates when the PC is connected to a wired power source.
**Use Group Policy to prevent definition updates on battery power:**
@ -102,5 +95,5 @@ You can configure Windows Defender AV to only download protection updates when t
## Related topics
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage Windows Defender in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generationprotection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage next generation protection in Windows 10](deploy-manage-report-windows-defender-antivirus.md)

24
windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
View File

@ -14,25 +14,13 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Prevent users from seeing or interacting with the Windows Defender AV user interface
**Applies to:**
# Prevent users from seeing or interacting with the antivirus user interface
- Windows 10
You can use Group Policy to prevent users on endpoints from seeing the antivirus interface. You can also prevent them from pausing scans.
**Audience**
## Hide the antivirus interface
- Enterprise security administrators
**Manageability available with**
- Group Policy
You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.
## Hide the Windows Defender Antivirus interface
In Windows 10, versions 1703, hiding the interface will hide Windows Defender AV notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app.
In Windows 10, versions 1703, hiding the interface will hide antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app.
With the setting set to **Enabled**:
@ -43,7 +31,7 @@ With the setting set to **Disabled** or not configured:
![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png)
>[!NOTE]
>Hiding the interface will also prevent Windows Defender AV notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
>Hiding the interface will also prevent antivirus notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.":
@ -88,4 +76,4 @@ You can prevent users from pausing scans. This can be helpful to ensure schedule
- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

20
windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
View File

@ -14,23 +14,15 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Report on Windows Defender Antivirus protection
# Report on next generation protection
**Applies to:**
- Windows 10
**Audience**
- IT administrators
There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender AV.
There are a number of ways you can review protection status and alerts, depending on the management tool you are using for next generation protection.
You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune).
You can use System Center Configuration Manager to [monitor next generation protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings.
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx).
@ -45,5 +37,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)

14
windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
View File

@ -16,21 +16,11 @@ ms.date: 04/23/2018
# Restore quarantined files in Windows Defender AV
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender AV quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
If next generation protection is configured to detect and remediate threats on your device, antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open **Windows Defender Security Center**.
2. Click **Virus & threat protection** and then click **Scan history**.
@ -43,5 +33,5 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
- [Review scan results](review-scan-results-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Configure antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)

40
windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
View File

@ -14,35 +14,32 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Review Windows Defender AV scan results
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Review antivirus scan results
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center app
After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
After an antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
**Use Configuration Manager to review Windows Defender AV scan results:**
**Use Microsoft Intune to review scan results:**
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Click the scan results in **Device actions status**.
**Use Configuration Manager to review scan results:**
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
**Use the Windows Defender Security Center app to review Windows Defender AV scan results:**
**Use the Windows Defender Security Center app to review scan results:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -54,7 +51,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us
**Use PowerShell cmdlets to review Windows Defender AV scan results:**
**Use PowerShell cmdlets to review scan results:**
The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
@ -76,20 +73,15 @@ Get-MpThreat
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:**
**Use Windows Management Instruction (WMI) to review scan results:**
Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes.
**Use Microsoft Intune to review Windows Defender AV scan results:**
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Click the scan results in **Device actions status**.
## Related topics
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

44
windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
View File

@ -14,27 +14,15 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Configure and run on-demand Windows Defender AV scans
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Configure and run on-demand antivirus scans
**Manageability available with**
- Windows Defender AV mpcmdrun utility
- Microsoft Intune
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Mpcmdrun utility
- Windows Defender Security Center app
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
@ -44,13 +32,17 @@ You can run an on-demand scan on individual endpoints. These scans will start im
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
**Use Configuration Manager to run a scan:**
See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
**Use the mpcmdrum.exe command-line utility to run a scan:**
Use the following `-scan` parameter:
@ -65,10 +57,11 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen
**Use Configuration Manager to run a scan:**
**Use Microsoft Intune to run a scan:**
See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Select **...More** and then select **Quick Scan** or **Full Scan**.
**Use the Windows Defender Security Center app to run a scan:**
@ -96,16 +89,9 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
**Use Microsoft Intune to run a scan:**
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Select **...More** and then select **Quick Scan** or **Full Scan**.
## Related topics
- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

24
windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
View File

@ -14,17 +14,7 @@ ms.author: v-anbic
ms.date: 07/26/2018
---
# Configure scheduled quick or full scans for Windows Defender AV
**Applies to**
- Windows 10
**Audience**
- Enterprise security administrators
# Configure scheduled quick or full antivirus scans
**Manageability available with**
@ -36,7 +26,7 @@ ms.date: 07/26/2018
> [!NOTE]
> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
> By default, antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans.
@ -84,7 +74,7 @@ Location | Setting | Description | Default setting (if not configured)
Scan | Specify the scan type to use for a scheduled scan | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender scans. This can be useful in VM or VDI deployments. | Enabled
Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows antivirus scans. This can be useful in VM or VDI deployments. | Enabled
**Use PowerShell cmdlets to schedule scans:**
@ -239,8 +229,8 @@ Signature updates | Turn on scan after signature update | A scan will occur imme
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Configure and run on-demand antivirus scans](run-scan-windows-defender-antivirus.md)
- [Configure antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Manage antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

59
windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
View File

@ -16,50 +16,19 @@ ms.date: 07/19/2018
# Specify the cloud-delivered protection level
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager (current branch)
- Intune
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
You can specify the level of cloud-protection offered by antivirus with Group Policy and System Center Configuration Manager.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
>The antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
**Use Group Policy to specify the level of cloud-delivered protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.
2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).
1. Click **OK**.
**Use Configuration Manager to specify the level of cloud-delivered protection:**
1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
**Use Intune to specify the level of cloud-delivered protection:**
1. Sign in to the [Azure portal](https://portal.azure.com).
@ -80,10 +49,32 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
**Use Configuration Manager to specify the level of cloud-delivered protection:**
1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
**Use Group Policy to specify the level of cloud-delivered protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.
2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).
1. Click **OK**.
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)

22
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
View File

@ -14,24 +14,16 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Troubleshoot Windows Defender Antivirus reporting in Update Compliance
# Troubleshoot antivirus reporting in Update Compliance
**Applies to:**
- Windows 10
**Audience**
- IT administrators
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using next generation protection, you may encounter problems or issues.
Typically, the most common indicators of a problem are:
- You only see a small number or subset of all the devices you were expecting to see
- You do not see any devices at all
- The reports and information you do see is outdated (older than a few days)
For common error codes and event IDs related to the Windows Defender AV service that are not related to Update Compliance, see the [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md) topic.
For common error codes and event IDs related to the antivirus service that are not related to Update Compliance, see [Antivirus events](troubleshoot-windows-defender-antivirus.md).
There are three steps to troubleshooting these problems:
@ -40,12 +32,12 @@ There are three steps to troubleshooting these problems:
3. Submit support logs
>[!IMPORTANT]
>It typically takes 3 days for devices to start appearing in Update Compliance
>It typically takes 3 days for devices to start appearing in Update Compliance.
## Confirm pre-requisites
In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender AV protection:
In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for next generation protection:
>[!div class="checklist"]
>- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
@ -66,5 +58,5 @@ If the above pre-requisites have all been met, you may need to proceed to the ne
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)

199
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
View File

@ -14,42 +14,33 @@ ms.author: v-anbic
ms.date: 04/16/2018
---
# Review event logs and error codes to troubleshoot issues with Windows Defender AV
# Review event logs and error codes to troubleshoot issues with antivirus
**Applies to**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution.
The tables list:
- [Windows Defender AV event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
- [Windows Defender AV client error codes](#error-codes)
- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes)
- [Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
- [Antivirus client error codes](#error-codes)
- [Internal antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>- Cloud-delivered protection
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
<a id="windows-defender-av-ids"></a>
## Windows Defender AV event IDs
## Antivirus event IDs
Windows Defender AV records event IDs in the Windows event log.
Antivirus records event IDs in the Windows event log.
You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [antivirus client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
The table in this section lists the main Windows Defender AV event IDs and, where possible, provides suggested solutions to fix or resolve the error.
The table in this section lists the main antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
**To view a Windows Defender AV event**
**To view an antivirus event**
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
@ -330,7 +321,7 @@ Description of the error. </dt>
User action:
</td>
<td >
The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
To troubleshoot this event:
<ol>
<li>Run the scan again.</li>
@ -438,7 +429,7 @@ Message:
Description:
</td>
<td >
Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
<dl>
<dt>User: &lt;Domain&gt;\\&lt;User&gt;</dt>
<dt>Name: &lt;Threat name&gt;</dt>
@ -490,7 +481,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
<dl>
<dt>User: &lt;Domain&gt;\\&lt;User&gt;</dt>
<dt>Name: &lt;Threat name&gt;</dt>
@ -549,7 +540,7 @@ Message:
Description:
</td>
<td >
Windows Defender has restored an item from quarantine. For more information please see the following:
Antivirus has restored an item from quarantine. For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
<dt>ID: &lt;Threat ID&gt;</dt>
@ -593,7 +584,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:
Antivirus has encountered an error trying to restore an item from quarantine. For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
<dt>ID: &lt;Threat ID&gt;</dt>
@ -640,7 +631,7 @@ Message:
Description:
</td>
<td >
Windows Defender has deleted an item from quarantine.
Antivirus has deleted an item from quarantine.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -684,7 +675,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to delete an item from quarantine.
Antivirus has encountered an error trying to delete an item from quarantine.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -732,7 +723,7 @@ Message:
Description:
</td>
<td >
Windows Defender has removed history of malware and other potentially unwanted software.
Antivirus has removed history of malware and other potentially unwanted software.
<dl>
<dt>Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
<dt>User: &lt;Domain&gt;\\&lt;User&gt;</dt>
@ -763,7 +754,7 @@ The antimalware platform could not delete history of malware and other potential
Description:
</td>
<td >
Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
<dl>
<dt>Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
<dt>User: &lt;Domain&gt;\\&lt;User&gt;</dt>
@ -798,7 +789,7 @@ Message:
Description:
</td>
<td >
Windows Defender has detected a suspicious behavior.
Antivirus has detected a suspicious behavior.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -876,7 +867,7 @@ Message:
Description:
</td>
<td >
Windows Defender has detected malware or other potentially unwanted software.
Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -930,7 +921,7 @@ UAC</dt>
User action:
</td>
<td >
No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click <b>Clean Computer</b>.
No action is required. Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the antivirus interface, click <b>Clean Computer</b>.
</td>
</tr>
<tr>
@ -958,7 +949,7 @@ Message:
Description:
</td>
<td >
Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.
Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -1020,7 +1011,7 @@ Description of the error. </dt>
<dt>Signature Version: &lt;Definition version&gt;</dt>
<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
NOTE:
Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
Whenever antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
<li>Default Internet Explorer or Microsoft Edge setting</li>
<li>User Access Control settings</li>
<li>Chrome settings</li>
@ -1059,7 +1050,7 @@ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se
User action:
</td>
<td >
No action is necessary. Windows Defender removed or quarantined a threat.
No action is necessary. Antivirus removed or quarantined a threat.
</td>
</tr>
<tr>
@ -1086,7 +1077,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software.
Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -1155,7 +1146,7 @@ Description of the error. </dt>
User action:
</td>
<td >
No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.
No action is necessary. Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
</td>
</tr>
<tr>
@ -1182,7 +1173,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.
Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -1251,7 +1242,7 @@ Description of the error. </dt>
User action:
</td>
<td >
The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant <b>User action</b> steps below.
The antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant <b>User action</b> steps below.
<table>
<tr>
<th>Action</th>
@ -1314,7 +1305,7 @@ Symbolic name:
Message:
</td>
<td >
<b>Windows Defender has deduced the hashes for a threat resource.</b>
<b>Antivirus has deduced the hashes for a threat resource.</b>
</td>
</tr>
<tr>
@ -1322,7 +1313,7 @@ Message:
Description:
</td>
<td >
Windows Defender client is up and running in a healthy state.
Antivirus client is up and running in a healthy state.
<dl>
<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
<dt>Threat Resource Path: &lt;Path&gt;</dt>
@ -1361,7 +1352,7 @@ Message:
Description:
</td>
<td >
Windows Defender client is up and running in a healthy state.
Antivirus client is up and running in a healthy state.
<dl>
<dt>Platform Version: &lt;Current platform version&gt;</dt>
<dt>Signature Version: &lt;Definition version&gt;</dt>
@ -1374,7 +1365,7 @@ Windows Defender client is up and running in a healthy state.
User action:
</td>
<td >
No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
No action is necessary. The antivirus client is in a healthy state. This event is reported on an hourly basis.
</td>
</tr>
@ -1402,7 +1393,7 @@ Message:
Description:
</td>
<td >
Windows Defender client health report.
Antivirus client health report.
<dl>
<dt>Platform Version: &lt;Current platform version&gt;</dt>
<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
@ -1456,7 +1447,7 @@ Message:
Description:
</td>
<td >
Windows Defender signature version has been updated.
Antivirus signature version has been updated.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
@ -1479,7 +1470,7 @@ Windows Defender signature version has been updated.
User action:
</td>
<td >
No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.
No action is necessary. The antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
</td>
</tr>
<tr>
@ -1506,7 +1497,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to update signatures.
Antivirus has encountered an error trying to update signatures.
<dl>
<dt>New Signature Version: &lt;New version number&gt;</dt>
<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
@ -1584,7 +1575,7 @@ Message:
Description:
</td>
<td >
Windows Defender engine version has been updated.
Antivirus engine version has been updated.
<dl>
<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
@ -1598,7 +1589,7 @@ Windows Defender engine version has been updated.
User action:
</td>
<td >
No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
No action is necessary. The antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
</td>
</tr>
<tr>
@ -1625,7 +1616,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to update the engine.
Antivirus has encountered an error trying to update the engine.
<dl>
<dt>New Engine Version:</dt>
<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
@ -1643,7 +1634,7 @@ Description of the error. </dt>
User action:
</td>
<td >
The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
The antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
To troubleshoot this event:
<ol>
<li>[Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.</li>
@ -1675,7 +1666,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
<dl>
<dt>Signatures Attempted:</dt>
<dt>Error Code: &lt;Error code&gt;
@ -1692,7 +1683,7 @@ Description of the error. </dt>
User action:
</td>
<td >
The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.
The antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Antivirus will attempt to revert back to a known-good set of definitions.
To troubleshoot this event:
<ol>
<li>Restart the computer and try again.</li>
@ -1727,7 +1718,7 @@ Message:
Description:
</td>
<td >
Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
Antivirus could not load antimalware engine because current platform version is not supported. Antivirus will revert back to the last known-good engine and a platform update will be attempted.
<dl>
<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
</dl>
@ -1758,7 +1749,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to update the platform.
Antivirus has encountered an error trying to update the platform.
<dl>
<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
<dt>Error Code: &lt;Error code&gt;
@ -1791,7 +1782,7 @@ Message:
Description:
</td>
<td >
Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest antivirus platform to maintain the best level of protection available.
<dl>
<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
</dl>
@ -1822,7 +1813,7 @@ Message:
Description:
</td>
<td >
Windows Defender used <i>Dynamic Signature Service</i> to retrieve additional signatures to help protect your machine.
Antivirus used <i>Dynamic Signature Service</i> to retrieve additional signatures to help protect your machine.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
@ -1880,7 +1871,7 @@ Message:
Description:
</td>
<td >
Windows Defender used <i>Dynamic Signature Service</i> to discard obsolete signatures.
Antivirus used <i>Dynamic Signature Service</i> to discard obsolete signatures.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
@ -1919,7 +1910,7 @@ Windows Defender used <i>Dynamic Signature Service</i> to discard obsolete signa
User action:
</td>
<td >
No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
No action is necessary. The antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
</td>
</tr>
<tr>
@ -1947,7 +1938,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to use <i>Dynamic Signature Service</i>.
Antivirus has encountered an error trying to use <i>Dynamic Signature Service</i>.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
@ -2017,7 +2008,7 @@ Message:
Description:
</td>
<td >
Windows Defender discarded all <i>Dynamic Signature Service</i> signatures.
Antivirus discarded all <i>Dynamic Signature Service</i> signatures.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
</dl>
@ -2048,7 +2039,7 @@ Message:
Description:
</td>
<td >
Windows Defender downloaded a clean file.
Antivirus downloaded a clean file.
<dl>
<dt>Filename: &lt;File name&gt;
Name of the file.</dt>
@ -2081,7 +2072,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to download a clean file.
Antivirus has encountered an error trying to download a clean file.
<dl>
<dt>Filename: &lt;File name&gt;
Name of the file.</dt>
@ -2100,7 +2091,7 @@ User action:
</td>
<td >
Check your Internet connectivity settings.
The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
The antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
</td>
</tr>
<tr>
@ -2126,7 +2117,7 @@ Message:
Description:
</td>
<td >
Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.
Antivirus downloaded and configured offline antivirus to run on the next reboot.
</td>
</tr>
<tr>
@ -2153,7 +2144,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
Antivirus has encountered an error trying to download and configure offline antivirus.
<dl>
<dt>Error Code: &lt;Error code&gt;
Result code associated with threat status. Standard HRESULT values.</dt>
@ -2187,7 +2178,7 @@ Message:
Description:
</td>
<td >
The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
The support for your operating system will expire shortly. Running antivirus on an out of support operating system is not an adequate solution to protect against threats.
</td>
</tr>
<tr>
@ -2215,7 +2206,7 @@ Message:
Description:
</td>
<td >
The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
The support for your operating system has expired. Running antivirus on an out of support operating system is not an adequate solution to protect against threats.
</td>
</tr>
<tr>
@ -2243,7 +2234,7 @@ Message:
Description:
</td>
<td >
The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
The support for your operating system has expired. Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
</td>
</tr>
<tr>
@ -2270,7 +2261,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-Time Protection feature has encountered an error and failed.
Antivirus Real-Time Protection feature has encountered an error and failed.
<dl>
<dt>Feature: &lt;Feature&gt;, for example:
<ul>
@ -2284,7 +2275,7 @@ Windows Defender Real-Time Protection feature has encountered an error and faile
Result code associated with threat status. Standard HRESULT values.</dt>
<dt>Error Description: &lt;Error description&gt;
Description of the error. </dt>
<dt>Reason: The reason Windows Defender real-time protection has restarted a feature.</dt>
<dt>Reason: The reason antivirus real-time protection has restarted a feature.</dt>
</dl>
</td>
</tr>
@ -2294,7 +2285,7 @@ User action:
</td>
<td >
You should restart the system then run a full scan because it's possible the system was not protected for some time.
The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start.
The antivirus client's real-time protection feature encountered an error because one of the services failed to start.
If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
</td>
</tr>
@ -2322,7 +2313,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
<dl>
<dt>Feature: &lt;Feature&gt;, for example:
<ul>
@ -2332,7 +2323,7 @@ Windows Defender Real-time Protection has restarted a feature. It is recommended
<li>Network Inspection System</li>
</ul>
</dt>
<dt>Reason: The reason Windows Defender real-time protection has restarted a feature.</dt>
<dt>Reason: The reason antivirus real-time protection has restarted a feature.</dt>
</dl>
</td>
</tr>
@ -2369,7 +2360,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.
Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
</td>
</tr>
<tr>
@ -2396,7 +2387,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.
Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
</td>
</tr>
<tr>
@ -2424,7 +2415,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-time Protection feature configuration has changed.
Antivirus real-time protection feature configuration has changed.
<dl>
<dt>Feature: &lt;Feature&gt;, for example:
<ul>
@ -2462,12 +2453,12 @@ Message:
Description:
</td>
<td >
Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
<dl>
<dt>Old value: &lt;Old value number&gt;
Old Windows Defender configuration value.</dt>
Old antivirus configuration value.</dt>
<dt>New value: &lt;New value number&gt;
New Windows Defender configuration value.</dt>
New antivirus configuration value.</dt>
</dl>
</td>
</tr>
@ -2494,7 +2485,7 @@ Message:
Description:
</td>
<td >
Windows Defender engine has been terminated due to an unexpected error.
Antivirus engine has been terminated due to an unexpected error.
<dl>
<dt>Failure Type: &lt;Failure type&gt;, for example:
Crash
@ -2525,7 +2516,7 @@ To troubleshoot this event:<ol>
User action:
</td>
<td >
The Windows Defender client engine stopped due to an unexpected error.
The antivirus client engine stopped due to an unexpected error.
To troubleshoot this event:
<ol>
<li>Run the scan again.</li>
@ -2560,7 +2551,7 @@ Message:
Description:
</td>
<td >
Windows Defender scanning for malware and other potentially unwanted software has been enabled.
Antivirus scanning for malware and other potentially unwanted software has been enabled.
</td>
</tr>
<tr>
@ -2587,7 +2578,7 @@ Message:
Description:
</td>
<td >
Windows Defender scanning for malware and other potentially unwanted software is disabled.
Antivirus scanning for malware and other potentially unwanted software is disabled.
</td>
</tr>
<tr>
@ -2613,7 +2604,7 @@ Message:
Description:
</td>
<td >
Windows Defender scanning for viruses has been enabled.
Antivirus scanning for viruses has been enabled.
</td>
</tr>
<tr>
@ -2641,7 +2632,7 @@ Message:
Description:
</td>
<td >
Windows Defender scanning for viruses is disabled.
Antivirus scanning for viruses is disabled.
</td>
</tr>
<tr>
@ -2669,10 +2660,10 @@ Message:
Description:
</td>
<td >
Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
<dl>
<dt>Expiration Reason: The reason Windows Defender will expire.</dt>
<dt>Expiration Date: The date Windows Defender will expire.</dt>
<dt>Expiration Reason: The reason antivirus will expire.</dt>
<dt>Expiration Date: The date antivirus will expire.</dt>
</dl>
</td>
</tr>
@ -2701,7 +2692,7 @@ Message:
Description:
</td>
<td >
Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
<dl>
<dt>Expiration Reason:</dt>
<dt>Expiration Date: </dt>
@ -2715,14 +2706,14 @@ Description of the error. </dt>
</table>
<a id="error-codes"></a>
## Windows Defender client error codes
If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about Windows Defender Antivirus client errors.
## Antivirus client error codes
If antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about antivirus client errors.
- The error code
- The possible reason for the error
- Advice on what to do now
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
Use the information in these tables to help troubleshoot antivirus error codes.
<table class="oridealign">
@ -2765,7 +2756,7 @@ This error indicates that there might be a problem with your security product.
</tr><tr><td>Resolution</td><td>
<ol>
<li>Update the definitions. Either:<ol>
<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/>Or,
<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in antivirus. <img src="images/defender-updatedefs2.png" alt="Update definitions in antivirus"/>Or,
</li>
<li>Download the latest definitions from the <a href="https://aka.ms/wdsi">Windows Defender Security Intelligence site</a>.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
@ -2797,7 +2788,7 @@ data that does not allow the engine to function properly.
</b>
</td></tr><tr><td>Possible reason</td>
<td>
This error indicates that Windows Defender failed to quarantine a threat.
This error indicates that antivirus failed to quarantine a threat.
</td>
</tr>
<tr>
@ -2865,7 +2856,7 @@ Follow the manual remediation steps outlined in the <a href="https://www.microso
<td>
This error indicates that removal inside the container type might not be not supported.
</td></tr><tr><td>Resolution</td><td>
Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
Antivirus is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
</td>
</tr>
<tr>
@ -2904,7 +2895,7 @@ Run a full system scan.
<td>
This error indicates that an offline scan is required.
</td></tr><tr><td>Resolution</td><td>
Run Windows Defender Offline. You can read about how to do this in the <a href="http://windows.microsoft.com/windows/what-is-windows-defender-offline">Windows Defender Offline
Run offline antivirus. You can read about how to do this in the <a href="http://windows.microsoft.com/windows/what-is-windows-defender-offline">offline antivirus
article</a>.
</td>
</tr>
@ -2916,15 +2907,15 @@ article</a>.
</b>
</td></tr><tr><td>Possible reason</td>
<td>
This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform.
This error indicates that antivirus does not support the current version of the platform and requires a new version of the platform.
</td></tr><tr><td>Resolution</td><td>
You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.
You can only use antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.
</td>
</tr>
</table>
<a id="internal-error-codes"></a>
The following error codes are used during internal testing of Windows Defender AV.
The following error codes are used during internal testing of antivirus.
If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
@ -3256,5 +3247,5 @@ This is an internal error. It might have triggered when a scan fails to complete
## Related topics
- [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Report on antivirus protection](report-monitor-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

102
windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Configure Windows Defender AV with Group Policy
description: Configure Windows Defender AV settings with Group Policy
title: Configure antivirus with Group Policy
description: Configure antivirus settings with Group Policy
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -14,15 +14,11 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Use Group Policy settings to configure and manage Windows Defender AV
# Use Group Policy settings to configure and manage next generation protection
**Applies to:**
You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage next generation protection on your endpoints.
- Windows 10, version 1703
You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
In general, you can use the following procedure to configure or change antivirus group policy settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -41,15 +37,15 @@ The following table in this topic lists the Group Policy settings available in W
Location | Setting | Documented in topic
---|---|---
Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
Exclusions | Extension Exclusions | [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Path Exclusions | [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Process Exclusions | [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
@ -59,23 +55,23 @@ Network inspection system | Specify additional definition sets for network traff
Network inspection system | Turn on definition retirement | Not used
Network inspection system | Turn on protocol recognition | Not used
Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Monitor file and program activity on your computer | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Scan all downloaded files and attachments | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn off real-time protection | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on behavior monitoring | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on raw volume write notifications | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
Reporting | Configure Watson events | Not used
Reporting | Configure Windows software trace preprocessor components | Not used
Reporting | Configure WPP tracing level | Not used
@ -89,11 +85,11 @@ Root | Define addresses to bypass proxy server | Not used
Root | Define proxy auto-config (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Root | Allow antimalware service to startup with normal priority | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Allow antimalware service to remain running always | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
@ -103,25 +99,25 @@ Scan | Configure local setting override for schedule scan day | [Prevent or allo
Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on heuristics | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan network files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan packed executables | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan removable drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Create a system restore point | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on removal of items from scan history folder | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on heuristics | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Scan | Turn on e-mail scanning | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Turn on reparse point scanning | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Run full scan on mapped network drives | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan archive files | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan network files | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan packed executables | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan removable drives | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum depth to scan archive files | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time for a daily quick scan | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Signature updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Signature updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Signature updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
@ -136,9 +132,9 @@ Signature updates | Initiate definition update on startup | [Manage event-based
Signature updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Signature updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Signature updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Signature updates | Turn on scan after signature update | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)

10
windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Configure Windows Defender AV with Configuration Manager and Intune
title: Configure antivirus with Configuration Manager and Intune
description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
@ -14,11 +14,11 @@ ms.author: v-anbic
ms.date: 07/19/2018
---
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
# Use System Center Configuration Manager and Microsoft Intune to configure and manage next generation protection
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by antivirus.
See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
@ -28,4 +28,4 @@ For Microsoft Intune, consult the [Microsoft Intune library](https://docs.micros
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

12
windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
View File

@ -14,11 +14,7 @@ ms.author: v-anbic
ms.date: 12/12/2017
---
# Use PowerShell cmdlets to configure and manage Windows Defender AV
**Applies to:**
- Windows 10
# Use PowerShell cmdlets to configure and manage next generation protection
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
@ -27,7 +23,7 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Antivirus Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
@ -36,7 +32,7 @@ You can [configure which settings can be overridden locally with local policy ov
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
**Use Windows Defender AV PowerShell cmdlets:**
**Use antivirus PowerShell cmdlets:**
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
@ -55,4 +51,4 @@ Omit the `-online` parameter to get locally cached help.
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

14
windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Configure Windows Defender AV with WMI
title: Configure next generation protection with WMI
description: Use WMI scripts to configure Windows Defender AV.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
@ -14,19 +14,15 @@ ms.author: v-anbic
ms.date: 08/26/2017
---
# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
**Applies to:**
- Windows 10
# Use Windows Management Instrumentation (WMI) to configure and manage next generation protection
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
@ -35,4 +31,4 @@ You can [configure which settings can be overridden locally with local policy o
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

8
windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
View File

@ -16,14 +16,6 @@ ms.date: 05/21/2018
# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.

12
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -14,20 +14,8 @@ ms.author: v-anbic
ms.date: 04/04/2018
---
# Windows Defender Antivirus compatibility
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).

4
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
View File

@ -16,10 +16,6 @@ ms.date: 04/30/2018
# Windows Defender Antivirus in Windows 10 and Windows Server 2016
**Applies to**
- Windows 10
- Windows Server 2016
Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This library of documentation is for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.

12
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
View File

@ -14,20 +14,8 @@ ms.author: v-anbic
ms.date: 04/11/2018
---
# Windows Defender Antivirus on Windows Server 2016
**Applies to:**
- Windows Server 2016
**Audience**
- Enterprise security administrators
- Network administrators
**Manageability available with**
- Group Policy

9
windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
View File

@ -16,15 +16,6 @@ ms.date: 04/30/2018
# Run and review the results of a Windows Defender Offline scan
**Applies to:**
- Windows 10, version 1607 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy

8
windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
View File

@ -16,14 +16,6 @@ ms.date: 04/30/2018
# Windows Defender Antivirus in the Windows Defender Security Center app
**Applies to**
- Windows 10, version 1703 and later
**Audience**
- End-users
**Manageability available with**
- Windows Defender Security Center app