Add enhanced notifs. Do near-final copyedit.

This commit is contained in:
Iaan 2016-07-27 23:36:34 -07:00
parent 833d39fe9d
commit 320525d03d
7 changed files with 164 additions and 116 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

@ -1,6 +1,6 @@
---
title: Enable the Block at First Sight feature to detect malware within seconds
description: In Windows 10 Anniversary Update the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy
description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -14,11 +14,12 @@ author: iaanw
# Block at First Sight
**Applies to**
- Windows 10 Aniversary Update
Block at First Sight (BAFS) is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds.
- Windows 10, version 1607
You can enable BAFS with Group Policy (GP) or individually on endpoints.
Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds.
You can enable Block at First Sight with Group Policy or individually on endpoints.
## Backend procesing and near-instant determinations
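
Review bot: The context heading at the end of this hunk, "## Backend procesing and near-instant determinations", still misspells "processing". This commit is the copyedit pass and the hunk already replaces the misspelled "Windows 10 Aniversary Update" line, so the heading should be corrected in the same change.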
@ -26,7 +27,7 @@ When a Windows Defender client encounters a suspicious but previously undetected
If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud.
If the BAFS feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run.
If the Block at First Sight feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run.
The file-based determination typically takes 1 to 4 seconds.
@ -34,52 +35,52 @@ The following video describes how this feature works:
<iframe src="https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/media/Windows_Defender_-_Fast_Learning.mp4" width="640" height="360" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
> **Note:**&nbsp;&nbsp;Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to slowerr download times for some files.
>[!NOTE]Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
## Enable Block at First Sight
### Use Group Policy to configure Block at First Sight
You can use GP to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend.
You can use Group Policy to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend.
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
BAFS requires a number of Group Policy settings to be configured correctly or it will not work.
Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work.
**Configure pre-requisite cloud protection Group Policy settings:**
1. On your GP management machine, open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure, and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following GPs:
5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
1. Double-click the **Join Microsoft MAPS** GP and set the option to **Enabled**. Click **OK**.
1. Double-click the **Join Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
1. Double-click the **Send file samples when further analysis is required** GP and set the option as **Enabled** and the additional options as either of the following:
1. Double-click the **Send file samples when further analysis is required** setting and set the option as **Enabled** and the additional options as either of the following:
1. Send safe samples (1)
1. Send all samples (3)
> **Note:**&nbsp;&nbsp;Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
>[!NOTE]Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
1. Click OK after both GPs have been set.
1. Click OK after both Group Policies have been set.
1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
1. Double-click the **Scan all downloaded files and attachments** GP and set the option to **Enabled**. Click **OK**.
1. Double-click the **Scan all downloaded files and attachments** setting and set the option to **Enabled**. Click **OK**.
1. Double-click the **Turn off real-time protection** GP and set the option to **Disabled**. Click **OK**.
1. Double-click the **Turn off real-time protection** setting and set the option to **Disabled**. Click **OK**.
**Enable Block at First Sight with Group Policy**
1. On your GP management machine, open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure, and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
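
Review bot: The converted notes in this hunk put the alert marker and the note text on one line with no space between them (`>[!NOTE]Suspicious file downloads ...`, `>[!NOTE]Setting to 0 (Always Prompt) ...`), while the enhanced notifications topic in this same commit writes `>[!NOTE]` on its own line with the text on a following `>` line. Use the two-line form here too so every note in the set is written the same way. Two smaller points in the prerequisite steps: the numbering still jumps from 1 to 3, and "Click OK after both Group Policies have been set" leaves OK unbolded, unlike the other steps.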
@ -87,24 +88,24 @@ BAFS requires a number of Group Policy settings to be configured correctly or it
5. Expand the tree through **Windows components > Windows Defender > MAPS**.
1. Double-click the **Configure the Block at First Sight feature** and set the option to **Enabled**.
1. Double-click the **Configure the Block at First Sight feature** setting and set the option to **Enabled**.
> **Note:**&nbsp;&nbsp;The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set.
>[!NOTE]The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set.
### Manually enable BAFS on Individual clients
### Manually enable Block at First Sight on Individual clients
To configure un-managed clients that are running Windows 10 Anniversary Update, BAFS is automatically enabled as long as Cloud-based protection and Automatic sample submission are both turned on.
To configure un-managed clients that are running Windows 10, Block at First Sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
**Enable BAFS on invididual clients**
**Enable Block at First Sight on invididual clients**
1. Open Windows Defender settings:
a. Open the Windows Defender app and click **Settings**.
b. On the main Windows Setting page, click **Update & Security** and then **Windows Defender88.
b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
2. Switch **Cloud-based Protection** and **Automatic sample submission** to **On**.
> **Note:**&nbsp;&nbsp;These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by GP.
>[!NOTE]These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by Group Policy.
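
Review bot: In the "Manually enable" section the intro now says un-managed clients "running Windows 10" get the feature automatically, but the Applies to list for this topic was narrowed to "Windows 10, version 1607"; keep the version qualifier in that sentence so readers on earlier builds do not assume they are covered. The sentence is also a dangling construction ("To configure un-managed clients ..., Block at First Sight is automatically enabled"), the new bold label still reads "invididual", and the new heading capitalizes "Individual" mid-phrase.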

@ -1,7 +1,7 @@
---
title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10
description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.
keywords: scan, command line, mpcmdrun, defender
title: Configure enhanced notifications for Windows Defender
description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
keywords: notifications, defender, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -11,33 +11,119 @@ ms.pagetype: security
author: iaanw
---
# Use PowerShell cmdlets to configure and run Windows Defender
# Configure enhanced notifications for Windows Defender in Windows 10
**Applies to:**
- Windows 10
- Windows 10, version 1607
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
In Windows 10, application notifications about malware detection and remediation by Windows Defender is more robust, consistent, and concise. Endpoint users will now see fewer messages, and messages will be more clearer about the actions the user needs to take.
For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.
Notifications will appear on endpoints when manually triggered and scheduled scans are completed. A summary also appears in the **Notification center** at regular time intervals.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
<span style="background-color: yellow">{{Would be good to get an updated screenshot for this}}</span>
> **Note:**&nbsp;&nbsp;PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
You can enable and disable enhanced notifications and with the registry or in Windows Settings. You can also configure notifications and disable the Windows Defender user interface with Group Policy.
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
## Configure enhanced notifications
You can disable enhanced notifications on individual endpoints by configuring the registry or in Windows Settings. You can also use Group Policy to suppress certain types of notifications, or display additional, customized text to endpoints inside the notifications.
**Use Windows Defender PowerShell cmdlets**
**Use the registry to disable Windows Defender notifications on individual endpoints:**
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
> **Note:**&nbsp;&nbsp;You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
3. Enter the command and parameters.
1. Click **Start**, type **Run**, and press **Enter**.
To open online help for any of the cmdlets type the following:
2. From the **Run** dialog box, type **regedit** and press **Enter**.
4. In the **Registry Editor** navigate to the **ux configuration** key under:
```text
Get-Help <cmdlet> -Online
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
```
Omit the `-online` parameter to get locally cached help.
5. Double click the **Notifications_Suppress** value and set it to **1**.
![Image of enhanced notification suppression in Registry Editor](images/defender/ux-config-key.png)
**Use Windows Settings to disable notifications on individual endpoints**
1. Open the **Start** menu and click or type **Settings**.
1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section.
1. Toggle the setting between **On** and **Off**.
![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png)
**Use Group Policy to suppress Windows Defender notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
1. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **Ok**. This will disable notifications that ask the endpoint user to reboot the machine to perform additional cleaning.
>[!NOTE]
>Usually, users are asked to reboot the endpoint to perform a scan with Windows Defender Offline. For details on performing offline scans, see the [Windows Defender Offline](windows-defender-offline.md#manage-notifications) topic.
**Use Group Policy to display customized text inside Windows Defender notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
1. Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**. Enter the text you want to be displayed when Windows Defender requires further action from the endpoint user.
>[!NOTE] The notification will only display the first 1024 characters of the message specified in this setting. The additional text will only appear in notifications that prompt the endpoint user for additional actions, such as rebooting the endpoint or manually reviewing a detection.
## Configure the Windows Defender user interface
You can hide the Windows Defender user interface by modifying the registry or configuring Group Policy settings.
>[!NOTE]
>These instructions will prevent the Windows Defender interface from being seen by the user. The interface will be hidden, but Windows Defender will still be running normally.
**Use Group Policy to disable the Windows Defender user interface:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
1. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**.
**Use the registry to disable the Windows Defender user interface:**
1. Click **Start**, type **Run** and press **Enter**.
2. From the **Run** dialog box, type **regedit** and press **Enter**.
4. In the **Registry Editor** navigate to the **ux configuration** key under:
```text
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
```
5. Double click the **UILockdown** value and set it to **1**.
![Image of Windows Defender user interface setting in Registry Editor](images/defender/ux-uilockdown-key.png)
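
Review bot: Both registry procedures tell the reader to navigate to the "ux configuration" key, but the path shown is only the parent, `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`. Give the full path including the key, and say what to do when `Notifications_Suppress` or `UILockdown` is not already present, including the value type to create. The steps also jump from 2 to 4. Because this topic documents suppressing all notifications and hiding the client UI, add a sentence on where detections are surfaced once those are off; the existing note only says Windows Defender "will still be running normally". Before publishing, remove the highlighted `{{Would be good to get an updated screenshot for this}}` placeholder and fix "notifications ... is more robust", "more clearer" and "enhanced notifications and with the registry" in the intro.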

@ -1,7 +1,7 @@
---
title: Windows Defender Offline in Windows 10
description:
keywords: scan, defender
description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
keywords: scan, defender, offline
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,11 +14,12 @@ author: iaanw
# Windows Defender Offline in Windows 10
**Applies to:**
- Windows 10, version 1607
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
Read more in [What is Windows Defender Offline?](http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline)
Read more in [What is Windows Defender Offline?](http://windows.microsoft.com/windows/what-is-windows-defender-offline)
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
@ -26,7 +27,7 @@ In Windows 10, Windows Defender Offline can be run with one click directly from
Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10. See the Windows [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) and [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx) for more details.
> **Note:**&nbsp;&nbsp;Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
>[!NOTE]Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
@ -34,11 +35,11 @@ To run Windows Defender Offline from the endpoint, the user must be logged in wi
Windows Defender Offline uses the most up-to-date signature definitions available; it's updated through the same update session as Windows Defender - usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). The Windows Defender Offline image is the same platform connected through the hardwired network, so it can update itself from the wired network.
You can still download Windows Defender Offline and create bootable media to run on any PCs that are not connected to the internet. <span style="background-color:yellow">{{This still true?}}</span>
You can still download Windows Defender Offline and create bootable media to run on any PCs that are not connected to the Internet. <span style="background-color:yellow">{{This still true?}}</span>
## Usage scenarios
In most instances, will prompt you or the endpoint user to run Windows Defender Offline. You might also choose to run Windows Defender Offline if:
In most instances, Windows Defender will prompt you or the endpoint user to run Windows Defender Offline. You might also choose to run Windows Defender Offline if:
- You have reason to suspect there is malware on the endpoint but that is not being detected by Windows Defender.
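
Review bot: The changed line about bootable media keeps the highlighted author query `{{This still true?}}`, so the claim that you can still download Windows Defender Offline for PCs not connected to the Internet is unverified in a commit described as near-final. Confirm it and drop the span, or remove the sentence. The context paragraph above it also still reads "usually though Microsoft Update" where "through" is meant.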
@ -57,12 +58,13 @@ The user will also be notified within the Windows Defender client:
![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png)
## Manage notifications
<a name="manage-notifications"></a>
You can suppress Windows Defender Offline notifications with Group Policy.
**Suppress notifications with the Group Policy Management Console**
**Suppress notifications with the Group Policy Management Console:**
1. On your GP management machine, open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure, and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. In the **Group Policy Management Editor** go to **Computer configuration**.
@ -70,11 +72,11 @@ You can suppress Windows Defender Offline notifications with Group Policy.
1. Expand the tree through **Windows components > Windows Defender > Client Interface**.
1. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**.
1. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **Ok**. This will disable notifications that ask the endpoint user to reboot the machine to perform additional cleaning.
<span style="background-color:yellow">{{Is this the correct setting in GPMC? I can't find a WDO suppress GP setting this is the only one but it matches the description in the .adm template section. Which makes me wonder if the name of the setting in the template is correct or outdated? See the image below}}</span>
**Suppress notifications with the ADM template**
**Suppress notifications with the ADM template:**
1. Download the windowsdefender.adm Group Policy from the [Group Policy ADM files](https://www.microsoft.com/en-us/download/details.aspx?id=18664) on the Microsoft Download Center if it is not already deployed in Windows and visible in the Group Policy Object Editor or Group Policy Management Console.
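
Review bot: The expanded step for **Suppresses reboot notifications** now states definitively what the setting does, yet the highlighted question directly below it ("Is this the correct setting in GPMC? I can't find a WDO suppress GP setting ...") is left in place and unanswered. Resolve whether this is the right setting before extending its description, and remove the span. The button label is also written "Click **Ok**" here but "Click **OK**" in the Block at First Sight topic.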
@ -96,9 +98,9 @@ For information about managing ADMX files and using a central store for Administ
## Run a scan
Windows Defender Offline uses up-to-date threat definitions to scan your PC for malware that might be hidden.
Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden.
> **Note:**&nbsp;&nbsp;Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart your PC when the scan is complete.
>[!NOTE]Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart your PC when the scan is complete.
You can set up a Windows Defender Offline scan with the following:
@ -106,15 +108,15 @@ You can set up a Windows Defender Offline scan with the following:
- Windows Update and Security settings
- Windows Management Instrumentation (WMI)
- Windows Management Instrumentation
- PowerShell
- Windows PowerShell
- Group Policy
> **Note:**&nbsp;&nbsp;The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
>[!NOTE]The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
**Run Windows Defender Offline from Windows Defender**
**Run Windows Defender Offline from Windows Defender:**
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
@ -124,7 +126,7 @@ You can set up a Windows Defender Offline scan with the following:
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Run Windows Defender Offline from Windows Settings**
**Run Windows Defender Offline from Windows Settings:**
1. Open the **Start** menu and click or type **Settings**.
@ -136,11 +138,11 @@ You can set up a Windows Defender Offline scan with the following:
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Use Windows Management Instrumentation to configure and run Windows Defender Offline**
**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
Use the `MSFT_MpWDOScan` class (part of the Windows Defender WMI provider) to run a Windows Defender Offline scan.
Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
```WMI
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
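
Review bot: The reworded sentence still calls the example a "script snippet", but the line under it is a single `wmic` command, and the fence is tagged `WMI`, which is not a language name. Call it a command and use a plain text or console tag. Since the command restarts the endpoint immediately, the lead-in should repeat at this point that unsaved work is lost and that it must be run with administrator privileges, as the topic states earlier for running the scan from the endpoint.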
@ -152,7 +154,7 @@ See the following topics for configuration parameters and options:
- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
You can also use WMI to enable and disable certain features in WDO. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
You can also use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
See the following topics for configuration parameters and options:
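
Review bot: The new sentence says to use Windows Management Instrumentation and then gives `Set-MpPreference` as the example, which is a PowerShell cmdlet name, so the mechanism and the example do not match. It also says `UILockdown` disables and enables notifications, while the enhanced notifications topic added in this commit uses `UILockdown` to hide the user interface and `Notifications_Suppress` for notifications. Align the setting name with that topic and name the mechanism consistently.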
@ -160,13 +162,15 @@ See the following topics for configuration parameters and options:
- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
To run WDO remotely, xxx. <span style="background-color:yellow">{{How do we do this? Still in pipeline?}}</span>
For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
**Run Windows Defender Offline using PowerShell**
To run Windows Defender Offline remotely, xxx. <span style="background-color:yellow">{{How do we do this? Still in pipeline?}}</span>
**Run Windows Defender Offline using PowerShell:**
Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
See the [Use PowerShell cmdlets to configure and run Windows Defender](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10) topic for more details on available cmdlets and options.
See the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10) topic for more details on available cmdlets and options.
## Review scan results
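
Review bot: The added cross-reference has a stray bracket after the link, `(windows-defender-enhanced-notifications.md)] topic`, which will show up as a literal `]` in the rendered page. In the same hunk, "To run Windows Defender Offline remotely, xxx." is still a placeholder with a highlighted query and should be removed until there is content for it, and "Use the PowerShell parameter `Start-MpWDOScan`" should say cmdlet. The rewritten PowerShell link drops the `.md` extension that the other relative link in this hunk uses.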

@ -1,43 +0,0 @@
---
title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10
description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.
keywords: scan, command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: iaanw
---
# Use PowerShell cmdlets to configure and run Windows Defender
**Applies to:**
- Windows 10
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> **Note:**&nbsp;&nbsp;PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
**Use Windows Defender PowerShell cmdlets**
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
> **Note:**&nbsp;&nbsp;You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
3. Enter the command and parameters.
To open online help for any of the cmdlets type the following:
```text
Get-Help <cmdlet> -Online
```
Omit the `-online` parameter to get locally cached help.
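
Review bot: This hunk deletes the whole PowerShell cmdlets topic (`-1,43 +0,0`), but the Windows Defender Offline topic changed in this same commit still links to it as `use-powershell-cmdlets-windows-defender-for-windows-10`. Either keep the topic, or repoint that link to wherever the cmdlet guidance now lives, for example the Defender cmdlets reference that this deleted page itself linked to.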