diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index d7f56e3f4c..d4c64c584f 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -14,10 +14,6 @@ manager: dansimp # Policy CSP - BITS -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - - The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate. - BITS/BandwidthThrottlingEndTime diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 4b686d7c13..3f68b4b8cb 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -4303,5 +4303,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index 003b1ca8d3..d9cc3f9647 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -249,6 +249,8 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index d691487aa2..2e45c2f251 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -205,7 +205,7 @@ Allows or disallows scanning of archives. ADMX Info: - GP English name: *Scan archive files* - GP name: *Scan_DisableArchiveScanning* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -275,7 +275,7 @@ Allows or disallows Windows Defender Behavior Monitoring functionality. ADMX Info: - GP English name: *Turn on behavior monitoring* - GP name: *RealtimeProtection_DisableBehaviorMonitoring* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -346,7 +346,7 @@ ADMX Info: - GP English name: *Join Microsoft MAPS* - GP name: *SpynetReporting* - GP element: *SpynetReporting* -- GP path: *Windows Components/Windows Defender Antivirus/MAPS* +- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS* - GP ADMX file name: *WindowsDefender.admx* @@ -416,7 +416,7 @@ Allows or disallows scanning of email. ADMX Info: - GP English name: *Turn on e-mail scanning* - GP name: *Scan_DisableEmailScanning* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -486,7 +486,7 @@ Allows or disallows a full scan of mapped network drives. ADMX Info: - GP English name: *Run full scan on mapped network drives* - GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -556,7 +556,7 @@ Allows or disallows a full scan of removable drives. During a quick scan, remova ADMX Info: - GP English name: *Scan removable drives* - GP name: *Scan_DisableRemovableDriveScanning* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -626,7 +626,7 @@ Allows or disallows Windows Defender IOAVP Protection functionality. ADMX Info: - GP English name: *Scan all downloaded files and attachments* - GP name: *RealtimeProtection_DisableIOAVProtection* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -758,7 +758,7 @@ Allows or disallows Windows Defender On Access Protection functionality. ADMX Info: - GP English name: *Monitor file and program activity on your computer* - GP name: *RealtimeProtection_DisableOnAccessProtection* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -828,7 +828,7 @@ Allows or disallows Windows Defender Realtime Monitoring functionality. ADMX Info: - GP English name: *Turn off real-time protection* - GP name: *DisableRealtimeMonitoring* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -898,7 +898,7 @@ Allows or disallows a scanning of network files. ADMX Info: - GP English name: *Scan network files* - GP name: *Scan_DisableScanningNetworkFiles* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1030,7 +1030,7 @@ Allows or disallows user access to the Windows Defender UI. If disallowed, all W ADMX Info: - GP English name: *Enable headless UI mode* - GP name: *UX_Configuration_UILockdown* -- GP path: *Windows Components/Windows Defender Antivirus/Client Interface* +- GP path: *Windows Components/Microsoft Defender Antivirus/Client Interface* - GP ADMX file name: *WindowsDefender.admx* @@ -1103,7 +1103,7 @@ ADMX Info: - GP English name: *Exclude files and paths from Attack Surface Reduction Rules* - GP name: *ExploitGuard_ASR_ASROnlyExclusions* - GP element: *ExploitGuard_ASR_ASROnlyExclusions* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* - GP ADMX file name: *WindowsDefender.admx* @@ -1171,7 +1171,7 @@ ADMX Info: - GP English name: *Configure Attack Surface Reduction rules* - GP name: *ExploitGuard_ASR_Rules* - GP element: *ExploitGuard_ASR_Rules* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* - GP ADMX file name: *WindowsDefender.admx* @@ -1238,7 +1238,7 @@ ADMX Info: - GP English name: *Specify the maximum percentage of CPU utilization during a scan* - GP name: *Scan_AvgCPULoadFactor* - GP element: *Scan_AvgCPULoadFactor* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1315,7 +1315,7 @@ ADMX Info: - GP English name: *Check for the latest virus and spyware definitions before running a scheduled scan* - GP name: *CheckForSignaturesBeforeRunningScan* - GP element: *CheckForSignaturesBeforeRunningScan* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1380,11 +1380,11 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. +Added in Windows 10, version 1709. This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. -If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. +If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. -For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. +For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site. > [!NOTE] > This feature requires the "Join Microsoft MAPS" setting enabled in order to function. @@ -1395,7 +1395,7 @@ ADMX Info: - GP English name: *Select cloud protection level* - GP name: *MpEngine_MpCloudBlockLevel* - GP element: *MpCloudBlockLevel* -- GP path: *Windows Components/Windows Defender Antivirus/MpEngine* +- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine* - GP ADMX file name: *WindowsDefender.admx* @@ -1459,7 +1459,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. +Added in Windows 10, version 1709. This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. @@ -1474,7 +1474,7 @@ ADMX Info: - GP English name: *Configure extended cloud check* - GP name: *MpEngine_MpBafsExtendedTimeout* - GP element: *MpBafsExtendedTimeout* -- GP path: *Windows Components/Windows Defender Antivirus/MpEngine* +- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine* - GP ADMX file name: *WindowsDefender.admx* @@ -1529,7 +1529,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. -Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. +Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. @@ -1537,7 +1537,7 @@ ADMX Info: - GP English name: *Configure allowed applications* - GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* - GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* - GP ADMX file name: *WindowsDefender.admx* @@ -1600,7 +1600,7 @@ ADMX Info: - GP English name: *Configure protected folders* - GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* - GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* - GP ADMX file name: *WindowsDefender.admx* @@ -1667,7 +1667,7 @@ ADMX Info: - GP English name: *Configure removal of items from Quarantine folder* - GP name: *Quarantine_PurgeItemsAfterDelay* - GP element: *Quarantine_PurgeItemsAfterDelay* -- GP path: *Windows Components/Windows Defender Antivirus/Quarantine* +- GP path: *Windows Components/Microsoft Defender Antivirus/Quarantine* - GP ADMX file name: *WindowsDefender.admx* @@ -1742,7 +1742,7 @@ ADMX Info: - GP English name: *Turn on catch-up full scan* - GP name: *Scan_DisableCatchupFullScan* - GP element: *Scan_DisableCatchupFullScan* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1822,7 +1822,7 @@ ADMX Info: - GP English name: *Turn on catch-up quick scan* - GP name: *Scan_DisableCatchupQuickScan* - GP element: *Scan_DisableCatchupQuickScan* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -1894,7 +1894,7 @@ ADMX Info: - GP English name: *Configure Controlled folder access* - GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* - GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* - GP ADMX file name: *WindowsDefender.admx* @@ -1971,7 +1971,7 @@ ADMX Info: - GP English name: *Configure low CPU priority for scheduled scans* - GP name: *Scan_LowCpuPriority* - GP element: *Scan_LowCpuPriority* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2049,7 +2049,7 @@ ADMX Info: - GP English name: *Prevent users and apps from accessing dangerous websites* - GP name: *ExploitGuard_EnableNetworkProtection* - GP element: *ExploitGuard_EnableNetworkProtection* -- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Network Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Network Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -2121,7 +2121,7 @@ ADMX Info: - GP English name: *Path Exclusions* - GP name: *Exclusions_Paths* - GP element: *Exclusions_PathsList* -- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* - GP ADMX file name: *WindowsDefender.admx* @@ -2185,7 +2185,7 @@ ADMX Info: - GP English name: *Extension Exclusions* - GP name: *Exclusions_Extensions* - GP element: *Exclusions_ExtensionsList* -- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* - GP ADMX file name: *WindowsDefender.admx* @@ -2255,7 +2255,7 @@ ADMX Info: - GP English name: *Process Exclusions* - GP name: *Exclusions_Processes* - GP element: *Exclusions_ProcessesList* -- GP path: *Windows Components/Windows Defender Antivirus/Exclusions* +- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* - GP ADMX file name: *WindowsDefender.admx* @@ -2385,7 +2385,7 @@ ADMX Info: - GP English name: *Configure monitoring for incoming and outgoing file and program activity* - GP name: *RealtimeProtection_RealtimeScanDirection* - GP element: *RealtimeProtection_RealtimeScanDirection* -- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection* +- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* - GP ADMX file name: *WindowsDefender.admx* @@ -2457,7 +2457,7 @@ ADMX Info: - GP English name: *Specify the scan type to use for a scheduled scan* - GP name: *Scan_ScanParameters* - GP element: *Scan_ScanParameters* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2537,7 +2537,7 @@ ADMX Info: - GP English name: *Specify the time for a daily quick scan* - GP name: *Scan_ScheduleQuickScantime* - GP element: *Scan_ScheduleQuickScantime* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2608,7 +2608,7 @@ ADMX Info: - GP English name: *Specify the day of the week to run a scheduled scan* - GP name: *Scan_ScheduleDay* - GP element: *Scan_ScheduleDay* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2695,7 +2695,7 @@ ADMX Info: - GP English name: *Specify the time of day to run a scheduled scan* - GP name: *Scan_ScheduleTime* - GP element: *Scan_ScheduleTime* -- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* - GP ADMX file name: *WindowsDefender.admx* @@ -2774,7 +2774,7 @@ ADMX Info: - GP English name: *Define the order of sources for downloading definition updates* - GP name: *SignatureUpdate_FallbackOrder* - GP element: *SignatureUpdate_FallbackOrder* -- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* - GP ADMX file name: *WindowsDefender.admx* @@ -2853,7 +2853,7 @@ ADMX Info: - GP English name: *Define file shares for downloading definition updates* - GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* - GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources* -- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* - GP ADMX file name: *WindowsDefender.admx* @@ -2933,7 +2933,7 @@ ADMX Info: - GP English name: *Specify the interval to check for definition updates* - GP name: *SignatureUpdate_SignatureUpdateInterval* - GP element: *SignatureUpdate_SignatureUpdateInterval* -- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* - GP ADMX file name: *WindowsDefender.admx* @@ -3001,7 +3001,7 @@ ADMX Info: - GP English name: *Send file samples when further analysis is required* - GP name: *SubmitSamplesConsent* - GP element: *SubmitSamplesConsent* -- GP path: *Windows Components/Windows Defender Antivirus/MAPS* +- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS* - GP ADMX file name: *WindowsDefender.admx* @@ -3092,7 +3092,7 @@ ADMX Info: - GP English name: *Specify threat alert levels at which default action should not be taken when detected* - GP name: *Threats_ThreatSeverityDefaultAction* - GP element: *Threats_ThreatSeverityDefaultActionList* -- GP path: *Windows Components/Windows Defender Antivirus/Threats* +- GP path: *Windows Components/Microsoft Defender Antivirus/Threats* - GP ADMX file name: *WindowsDefender.admx* diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index f34ee27dd5..00ab26dd22 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - DeviceGuard -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 4ced8ce8ab..f1c54d540a 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -14,9 +14,6 @@ ms.localizationpriority: medium # Policy CSP - DeviceInstallation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 08eaddf872..d553a30d50 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - DmaGuard -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 3f4beef3e9..e316fbdb3f 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Education -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 200fde9087..f61798a6d7 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Kerberos -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 4935d3f947..1707ca7bfc 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - RestrictedGroups -> [!WARNING] -> Some information in this article relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 0a4dcd146d..46499d7701 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Security -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index c5e74893fc..17a91ff2d8 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Start -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 8a69418c47..7d502e9af7 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - TaskManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index a116d3b084..79e47c91f8 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -16,10 +16,6 @@ manager: dansimp -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9949285fca..3942b48f24 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Update -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - > [!NOTE] > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 4db39b31f2..86ea14fd52 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - WindowsDefenderSecurityCenter -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 8a9c1a34dc..7a522ee312 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 05/21/2019 +ms.date: 06/03/2020 --- # Policy DDF file @@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy* You can view various Policy DDF files by clicking the following links: +- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) - [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) - [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) - [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) @@ -31,7 +32,7 @@ You can view various Policy DDF files by clicking the following links: You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, version 1903. +The XML below is the DDF for Windows 10, version 2004. ```xml @@ -57,7 +58,7 @@ The XML below is the DDF for Windows 10, version 1903.
If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work. -
+
If the WNS services are not available, the Autopilot process will still continue without notifications.
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md index 302909fefa..71f256d128 100644 --- a/windows/privacy/gdpr-win10-whitepaper.md +++ b/windows/privacy/gdpr-win10-whitepaper.md @@ -132,24 +132,24 @@ As seen with recent ransomware attacks, once called the "black plague" of the In In response to these threats and as a part of your mechanisms to resist these types of breaches so that you remain in compliance with the GDPR, Windows 10 provides built in technology, detailed below including the following: -- Windows Defender Antivirus to respond to emerging threats on data. +- Microsoft Defender Antivirus to respond to emerging threats on data. - Microsoft Edge to systemically disrupt phishing, malware, and hacking attacks. - Windows Defender Device Guard to block all unwanted applications on client machines. #### Responding to emerging data threats -Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. In Windows 10, it uses a multi-pronged approach to improve antimalware: +Microsoft Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. In Windows 10, it uses a multi-pronged approach to improve antimalware: - **Cloud-delivered protection.** Helps to detect and block new malware within seconds, even if the malware has never been seen before. -- **Rich local context.** Improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes, but also where the content came from, where it's been stored, and more. +- **Rich local context.** Improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes, but also where the content came from, where it's been stored, and more. -- **Extensive global sensors.** Help to keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. +- **Extensive global sensors.** Help to keep Microsoft Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. -- **Tamper proofing.** Helps to guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. +- **Tamper proofing.** Helps to guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. -- **Enterprise-level features.** Give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution. +- **Enterprise-level features.** Give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class antimalware solution. #### Systemically disrupting phishing, malware, and hacking attacks In today’s threat landscape, your ability to provide those mechanisms should be tied to the specific data-focused attacks you face through phishing, malware and hacking due to the browser-related attacks. @@ -204,7 +204,7 @@ Among the key benefits of ATP are the following: - Built in, not bolted on - agentless with high performance and low impact, cloud-powered; easy management with no deployment. -- Single pane of glass for Windows security - explore 6 months of rich machine timeline that unifies security events from Windows Defender ATP, Windows Defender Antivirus. +- Single pane of glass for Windows security - explore 6 months of rich machine timeline that unifies security events from Windows Defender ATP, Microsoft Defender Antivirus. - Power of the Microsoft graph - leverages the Microsoft Intelligence Security Graph to integrate detection and exploration with Office 365 ATP subscription, to track back and respond to attacks. @@ -216,7 +216,7 @@ To provide Detection capabilities, Windows 10 improves our OS memory and kernel We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and machine-learning detection library to counter changing attacks trends. Our historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed. Customers can also add customized detection rules or IOCs to augment the detection dictionary. -Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender Antivirus detections and Windows Defender Device Guard blocks are the first to surface in the Windows Defender ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving laterally across the network. +Customers asked us for a single pane of glass across the entire Windows security stack. Microsoft Defender Antivirus detections and Windows Defender Device Guard blocks are the first to surface in the Windows Defender ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving laterally across the network. Our alert page now includes a new process tree visualization that aggregates multiple detections and related events into a single view that helps security teams reduce the time to resolve cases by providing the information required to understand and resolve incidents without leaving the alert page. @@ -314,7 +314,7 @@ Azure Information Protection also helps your users share sensitive data in a sec - **Windows Hello for Business:** https://www.youtube.com/watch?v=WOvoXQdj-9E and https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-identity-verification -- **Windows Defender Antivirus:** https://www.youtube.com/watch?v=P1aNEy09NaI and https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10 +- **Microsoft Defender Antivirus:** https://www.youtube.com/watch?v=P1aNEy09NaI and https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10 - **Windows Defender Advanced Threat Protection:** https://www.youtube.com/watch?v=qxeGa3pxIwg and https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4bbec23cef..7d7448f4d5 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -14,7 +14,7 @@ ms.author: obezeajo manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 5/14/2020 +ms.date: 6/3/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services @@ -37,7 +37,9 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. > [!Warning] -> If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. +> - If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings. +> - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode. +> - During update or upgrade of Windows, egress traffic may occur. To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) @@ -550,7 +552,7 @@ To disable the Microsoft Account Sign-In Assistant: ### 13. Microsoft Edge -Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). +Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge). ### 13.1 Microsoft Edge Group Policies @@ -1595,7 +1597,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. >1. Ensure Windows and Windows Defender are fully up to date. >2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**. -- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** +- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** -OR- @@ -1608,7 +1610,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. You can stop sending file samples back to Microsoft. -- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Never Send**. +- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Never Send**. -or- @@ -1617,11 +1619,11 @@ You can stop sending file samples back to Microsoft. You can stop downloading **Definition Updates**: -- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. +- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. -and- -- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**. +- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**. -or- @@ -1645,7 +1647,7 @@ You can turn off **Enhanced Notifications** as follows: -or- -- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Reporting**. +- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**. -or- diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 6367bb1968..e29d853c05 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -398,7 +398,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o ## Windows Defender The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Windows Defender Antivirus cloud service connections, see [Allow connections to the Windows Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud-service). +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service). | Source process | Protocol | Destination | |----------------|----------|------------| diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md index 73ccd75c12..ef7ec52739 100644 --- a/windows/privacy/windows-diagnostic-data-1703.md +++ b/windows/privacy/windows-diagnostic-data-1703.md @@ -74,7 +74,7 @@ This type of data includes details about the health of the device, operating sys | Category Name | Description and Examples | | - | - | |Device health and crash data | Information about the device and software health such as:
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error -- xyz.dll
- System generated files -- app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two second chunk of content if there is an error
- Full screen viewing mode details|
|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics -- number of purchased tracks, number of playlists
- Region mismatch -- User OS Region, and Xbox Live region
- App accessing content and status and options used to open a Microsoft Store book
- Language of the book
- Time spent reading content
- Content type and size details
" diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 50032d076f..b7bd91eda3 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -46,12 +46,12 @@ #### [Hardware-based isolation]() ##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md) -##### [Hardware-based isolation evaluation](windows-defender-application-guard/test-scenarios-wd-app-guard.md) +##### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md) ##### [Application isolation]() -###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md) -###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) -###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md) +###### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md) +###### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md) +###### [Install Windows Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md) @@ -96,105 +96,105 @@ ### [Next-generation protection]() -#### [Next-generation protection overview](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -#### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) +#### [Next-generation protection overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) +#### [Evaluate next-generation protection](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md) #### [Configure next-generation protection]() -##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md) +##### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) -##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) -###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md) -###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) -###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md) -###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) -###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md) +##### [Utilize Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +###### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) +###### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md) +###### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md) +###### [Prevent security settings changes with tamper protection](microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md) +###### [Enable Block at first sight](microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md) +###### [Configure the cloud block timeout period](microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) ##### [Configure behavioral, heuristic, and real-time protection]() -###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md) -###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) -###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) +###### [Configuration overview](microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md) +###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) +###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) -##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md) +##### [Antivirus on Windows Server 2016](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md) ##### [Antivirus compatibility]() -###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md) -###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md) +###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) +###### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md) ##### [Deploy, manage updates, and report on antivirus]() -###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md) -###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md) -####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md) +###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md) +###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md) +####### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md) ###### [Report on antivirus protection]() -####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md) -####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md) +####### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) +####### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md) ###### [Manage updates and apply baselines]() -####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) -####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) -####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md) -####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md) -####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md) -####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +####### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) +####### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) +####### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) +####### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) +####### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md) +####### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) ##### [Customize, initiate, and review the results of scans and remediation]() -###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) +###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) ###### [Configure and validate exclusions in antivirus scans]() -####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) -####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) -####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) -####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) +####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) +####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) -###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) -###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) -###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) -###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md) -###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) -###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) +###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) +###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) +###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) +###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md) +###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md) +###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md) -##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) +##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md) ##### [Manage antivirus in your business]() -###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) -###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) -###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) -###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) -###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) -###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) +###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md) +###### [Use Group Policy settings to configure and manage antivirus](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md) +###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) +###### [Use PowerShell cmdlets to configure and manage antivirus](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) +###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) +###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) ##### [Manage scans and remediation]() -###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md) +###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) ###### [Configure and validate exclusions in antivirus scans]() -####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) -####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) -####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) -####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) +####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) +####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +####### [Configure antivirus exclusions on Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) -###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) +###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) -##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) -###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) -###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) -###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md) -###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md) -###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) -###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) +##### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) +###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) +###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) +###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md) +###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md) +###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md) +###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md) ##### [Manage next-generation protection in your business]() -###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md) -###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) -###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) -###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) -###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) -###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) -###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) +###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md) +###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md) +###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) +###### [Use Group Policy settings to manage next generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md) +###### [Use PowerShell cmdlets to manage next generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) +###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) +###### [Use the mpcmdrun.exe command line tool to manage next generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) -#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md) -#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md) +#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md) +#### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md) ### [Microsoft Defender Advanced Threat Protection for Mac]() @@ -284,7 +284,7 @@ ###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) ###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) ###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) -###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) +###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines) ###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) ###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) ###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) @@ -632,7 +632,7 @@ ##### [Network protection](microsoft-defender-atp/troubleshoot-np.md) ##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md) -#### [Troubleshoot next-generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) +#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index b8f2f1dbc6..d6788c3add 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -26,7 +26,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. 2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: - - Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware. + - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware. - The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB. - Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in. 3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). @@ -234,22 +234,22 @@ For more information about controlling USB devices, see the [Microsoft Defender | Control | Description | |----------|-------------| -| [Enable Windows Defender Antivirus Scanning](#enable-windows-defender-antivirus-scanning) | Enable Windows Defender Antivirus scanning for real-time protection or scheduled scans.| +| [Enable Microsoft Defender Antivirus Scanning](#enable-microsoft-defender-antivirus-scanning) | Enable Microsoft Defender Antivirus scanning for real-time protection or scheduled scans.| | [Block untrusted and unsigned processes on USB peripherals](#block-untrusted-and-unsigned-processes-on-usb-peripherals) | Block USB files that are unsigned or untrusted. | | [Protect against Direct Memory Access (DMA) attacks](#protect-against-direct-memory-access-dma-attacks) | Configure settings to protect against DMA attacks. | >[!NOTE] >Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. -### Enable Windows Defender Antivirus Scanning +### Enable Microsoft Defender Antivirus Scanning -Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. +Protecting authorized removable storage with Microsoft Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) or scheduling scans and configuring removable drives for scans. -- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. +- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Microsoft Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. - If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. >[!NOTE] ->We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**. +>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Microsoft Defender Antivirus** > **Real-time monitoring**. @@ -263,7 +263,7 @@ This can be done by setting **Untrusted and unsigned processes that run from USB With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. -These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). 2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. @@ -332,7 +332,7 @@ For example, using either approach, you can automatically have the Microsoft Def ## Related topics -- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Configure real-time protection for Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) - [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) - [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) - [Perform a custom scan of a removable device](https://aka.ms/scanusb) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 71fca8b044..7a0b4059d1 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -77,14 +77,14 @@ The attack surface reduction set of capabilities provide the first line of defen -**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**Details Originating update Status History Unable to create local users in Chinese, Japanese and Korean during device setup When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.Note This issue does not affect using a Microsoft Account during OOBE.Affected platforms:- Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4534321.
Back to topOS Build 17763.737
September 10, 2019
KB4512578Resolved
KB4534321Resolved:
January 23, 2020
02:00 PM PT
Opened:
October 29, 2019
05:15 PM PTMicrosoft Defender Advanced Threat Protection might stop running After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.Note Microsoft Windows Defender Antivirus is not affected by this issue.Affected platforms:- Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4523205.
Back to topOS Build 17763.832
October 15, 2019
KB4520062Resolved
KB4523205Resolved:
November 12, 2019
10:00 AM PT
Opened:
October 17, 2019
05:14 PM PTMicrosoft Defender Advanced Threat Protection might stop running After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.Note Microsoft Microsoft Defender Antivirus is not affected by this issue.Affected platforms:- Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4523205.
Back to topOS Build 17763.832
October 15, 2019
KB4520062Resolved
KB4523205Resolved:
November 12, 2019
10:00 AM PT
Opened:
October 17, 2019
05:14 PM PT
+**[Next generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. -- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) -- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus) -- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) -- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) -- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) +- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus) +- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus) +- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus) +- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 572d4cf705..74c19eb50f 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -159,11 +159,11 @@ Advertisements shown to you must: #### Consumer opinion -Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions. +Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft antimalware solutions. ## Potentially unwanted application (PUA) -Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Windows Defender Antivirus, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md). *PUAs are not considered malware.* @@ -175,7 +175,7 @@ Microsoft uses specific categories and the category definitions to classify soft * **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies. -* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. +* **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. * **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research. diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index 3e680879b5..c6973ab9e1 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md @@ -43,8 +43,8 @@ It contains instructions to offer a program classified as unwanted software. You ## Why is the Windows Firewall blocking my program? -This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network. +This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network. ## Why does the Windows Defender SmartScreen say my program is not commonly downloaded? -This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website. +This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website. diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index 35aec2bd9c..b413cea906 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -40,4 +40,4 @@ Find more guidance about the file submission and detection dispute process in ou ### Scan your software -Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft. +Use [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 2a52b19798..001d356c59 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -1,7 +1,7 @@ --- title: Malware names ms.reviewer: -description: Understand the malware naming convention used by Windows Defender Antivirus and other Microsoft antimalware. +description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware. keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name ms.prod: w10 ms.mktglfcycl: secure diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index ffe4254e2b..ad80fad7fe 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -55,7 +55,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment. -[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection. +[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection. [System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity. diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index f6b12d45e0..96e45bc39b 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -34,7 +34,7 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from - Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. -- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). +- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). ## System requirements @@ -53,7 +53,7 @@ For more information about the Safety Scanner, see the support article on [how t ## Related resources - [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner) -- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security) +- [Microsoft Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security) - [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) - [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware) - [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission) diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 35942059ca..8544b43d61 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -45,13 +45,13 @@ It is also important to keep the following in mind: * Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites. -* Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. +* Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. ## What to do if information has been given to a tech support person * Uninstall applications that scammers asked to be install. If access has been granted, consider resetting the device -* Run a full scan with Windows Defender Antivirus to remove any malware. Apply all security updates as soon as they are available. +* Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all security updates as soon as they are available. * Change passwords. diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index c9f64fecd6..2ed753b049 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -40,7 +40,7 @@ Trojans can come in many different varieties, but generally they do the followin Use the following free Microsoft software to detect and remove it: -- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows. +- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows. - [Microsoft Safety Scanner](safety-scanner-download.md) diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index fdf1e1e4bf..ab2471f894 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -43,7 +43,7 @@ To prevent unwanted software infection, download software only from official web Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer). -Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. +Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 6b392dcc81..04c8f8280f 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -44,7 +44,7 @@ This image shows how a worm can quickly spread through a shared USB drive. ## How to protect against worms -Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. +Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md similarity index 68% rename from windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md rename to windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md index 9b7b2cffbf..243ea0e80a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md @@ -1,7 +1,7 @@ --- -title: What to do with false positives/negatives in Windows Defender Antivirus -description: Did Windows Defender Antivirus miss or wrongly detect something? Find out what you can do. -keywords: Windows Defender Antivirus, false positives, false negatives, exclusions +title: What to do with false positives/negatives in Microsoft Defender Antivirus +description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do. +keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -19,18 +19,18 @@ audience: ITPro ms.topic: article --- -# What to do with false positives/negatives in Windows Defender Antivirus +# What to do with false positives/negatives in Microsoft Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Windows Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web. +Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web. But what if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these things. You can: - [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis); - [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring); or -- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Windows Defender Antivirus. +- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Microsoft Defender Antivirus. ## Submit a file to Microsoft for analysis @@ -42,13 +42,13 @@ But what if something gets detected wrongly as malware, or something is missed? ## Create an "Allow" indicator to prevent a false positive from recurring -If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Windows Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe. +If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe. To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). ## Define an exclusion on an individual Windows device to prevent an item from being scanned -When you define an exclusion for Windows Defender Antivirus, you configure your antivirus to skip that item. +When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item. 1. On your Windows 10 device, open the Windows Security app. 2. Select **Virus & threat protection** > **Virus & threat protection settings**. @@ -59,14 +59,14 @@ The following table summarizes exclusion types, how they're defined, and what ha |Exclusion type |Defined by |What happens | |---------|---------|---------| -|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Windows Defender Antivirus. | -|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. | -|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Windows Defender Antivirus. | -|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Windows Defender Antivirus. | +|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. | +|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. | +|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. | +|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | To learn more, see: -- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus) -- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus) +- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) +- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) ## Related articles diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md similarity index 86% rename from windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md rename to windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md index 1cae26190b..532462188a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -1,6 +1,6 @@ --- -title: Collect diagnostic data for Update Compliance and Windows Defender Windows Defender Antivirus -description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender Antivirus Assessment add in +title: Collect diagnostic data for Update Compliance and Windows Defender Microsoft Defender Antivirus +description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -25,7 +25,7 @@ manager: dansimp This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. -Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps. +Before attempting this process, ensure you have read [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps. On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps: @@ -52,7 +52,7 @@ On at least two devices that are not reporting or showing up in Update Complianc 6. Send an email using the Update Compliance support email template, and fill out the template with the following information: ``` - I am encountering the following issue when using Windows Defender Antivirus in Update Compliance: + I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance: I have provided at least 2 support .cab files at the following location:@@ -63,5 +63,5 @@ On at least two devices that are not reporting or showing up in Update Complianc ## See also -- [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md) +- [Troubleshoot Windows Defender Microsoft Defender Antivirus reporting](troubleshoot-reporting.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md new file mode 100644 index 0000000000..708ec3f869 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -0,0 +1,95 @@ +--- +title: Collect diagnostic data of Microsoft Defender Antivirus +description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus +keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 06/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Collect Windows Defender AV diagnostic data + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV. + +On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps: + +1. Open an administrator-level version of the command prompt as follows: + + a. Open the **Start** menu. + + b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**. + + c. Enter administrator credentials or approve the prompt. + +2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`. + +> [!NOTE] +> If you're running an updated Windows Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\ `. + +3. Type the following command, and then press **Enter** + + ```Dos + mpcmdrun.exe -GetFiles + ``` + +4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. + +> [!NOTE] +> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share). + +5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. + +> [!NOTE] +>If you have a problem with Update compliance, send an email using the Update Compliance support email template, and fill out the template with the following information: +>``` +> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance: +> I have provided at least 2 support .cab files at the following location: +>+> +> My OMS workspace ID is: +> +> Please contact me at: + +## Redirect diagnostic data to a UNC share +To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter. + +```Dos +mpcmdrun.exe -GetFiles -SupportLogLocation +``` + +Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration. + +When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path: + +```Dos + \ \MpSupport- - .cab +``` + +| field | Description | +|:----|:----| +| path | The path as specified on the commandline or retrieved from configuration +| MMDD | Month Day when the diagnostic data was collected (eg 0530) +| hostname | the hostname of the device on which the diagnostic data was collected. +| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422) + +> [!NOTE] +> When using a File share please make sure that account used to collect the diagnostic package has write access to the share. + +## See also + +- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md) + diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md similarity index 74% rename from windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index 0483497ae8..cf81f65145 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Use the command line to manage Windows Defender Antivirus -description: Run Windows Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility. +title: Use the command line to manage Microsoft Defender Antivirus +description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility. keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -16,13 +16,13 @@ ms.reviewer: ksarens manager: dansimp --- -# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool +# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Windows Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. +You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. > [!NOTE] > You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. @@ -36,7 +36,7 @@ MpCmdRun.exe [command] [-options] ``` Here's an example: ``` -MpCmdRun.exe -scan -2 +MpCmdRun.exe -Scan -ScanType 2 ``` | Command | Description | @@ -44,7 +44,7 @@ MpCmdRun.exe -scan -2 | `-?` **or** `-h` | Displays all available options for this tool | | `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. CpuThrottling will honor the configured CPU throttling from policy | | `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing | -| `-GetFiles` | Collects support information | +| `-GetFiles [-SupportLogLocation ]` | Collects support information. See '[collecting diagnostic data](collect-diagnostic-data.md)' | | `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder | | `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set | | `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence | @@ -58,5 +58,5 @@ MpCmdRun.exe -scan -2 ## Related topics -- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md new file mode 100644 index 0000000000..a48b41622f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md @@ -0,0 +1,45 @@ +--- +title: Manage Windows Defender in your business +description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Windows Defender AV +keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Manage Microsoft Defender Antivirus in your business + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can manage and configure Microsoft Defender Antivirus with the following tools: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets +- Windows Management Instrumentation (WMI) +- The mpcmdrun.exe utility + +The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. + +## In this section + +Article | Description +---|--- +[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus +[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates +[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters +[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) +[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md similarity index 74% rename from windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md index 14125ae30d..e2bba2fe2b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md @@ -17,7 +17,7 @@ manager: dansimp --- -# Configure Windows Defender Antivirus scanning options +# Configure Microsoft Defender Antivirus scanning options **Applies to:** @@ -25,7 +25,7 @@ manager: dansimp **Use Microsoft Intune to configure scanning options** -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. @@ -41,7 +41,7 @@ To configure the Group Policy settings described in the following table: 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. 4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. @@ -50,7 +50,7 @@ Description | Location and setting | Default setting (if not configured) | Power Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan` - Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` + Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles` Scan packed executables | Scan > Scan packed executables | Enabled | Not available Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` @@ -64,7 +64,7 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif ## Use PowerShell to configure scanning options -See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Use WMI to configure scanning options @@ -80,14 +80,14 @@ Email scanning enables scanning of email files used by Outlook and other mail c PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files. -If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually: +If Microsoft Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually: - Email subject - Attachment name ## Related topics -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) -- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) +- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) +- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md similarity index 75% rename from windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index d74cf4da9a..3906d071de 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -24,33 +24,33 @@ ms.custom: nextgen Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. -You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. +You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. >[!TIP] >Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. ## How it works -When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. +When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. -Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).  In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. -If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. +If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. In many cases, this process can reduce the response time for new malware from hours to seconds. ## Confirm and validate that block at first sight is enabled -Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. +Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments. ### Confirm block at first sight is enabled with Intune -1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Windows Defender Antivirus**. +1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**. > [!NOTE] > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. @@ -65,11 +65,11 @@ Block at first sight requires a number of settings to be configured correctly or  > [!WARNING] - > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). + > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus). -For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus). +For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus). ### Enable block at first sight with Microsoft Endpoint Configuration Manager @@ -100,7 +100,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: +3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. @@ -109,7 +109,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev > [!WARNING] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. -4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**: +4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**: 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. @@ -152,7 +152,7 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote ### Validate block at first sight is working -You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). +You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). ## Disable block at first sight @@ -167,7 +167,7 @@ You may choose to disable block at first sight if you want to retain the prerequ 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**. +3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**. 4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. @@ -176,5 +176,5 @@ You may choose to disable block at first sight if you want to retain the prerequ ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md similarity index 54% rename from windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md index 1b9c177447..6fb6d97688 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- title: Configure the Windows Defender AV cloud block timeout period -description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination. -keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds +description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination. +keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -24,13 +24,13 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). +When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). -The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud service. +The default period that the file will be [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service. ## Prerequisites to use the extended cloud block timeout -[Block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period. +[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period. ## Specify the extended timeout period @@ -40,7 +40,7 @@ You can use Group Policy to specify an extended timeout for cloud checks. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine** +3. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine** 4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds. @@ -48,7 +48,7 @@ You can use Group Policy to specify an extended timeout for cloud checks. ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) +- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md similarity index 54% rename from windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md index 47161748b2..13346bae2f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md @@ -17,20 +17,20 @@ ms.reviewer: manager: dansimp --- -# Configure end-user interaction with Windows Defender Antivirus +# Configure end-user interaction with Microsoft Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus. +You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus. -This includes whether they see the Windows Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings. +This includes whether they see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings. ## In this section Topic | Description ---|--- -[Configure notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation -[Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users -[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints +[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation +[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) | Hide the user interface from users +[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md new file mode 100644 index 0000000000..6407947fe2 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md @@ -0,0 +1,37 @@ +--- +title: Set up exclusions for Windows Defender AV scans +description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell. +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 03/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Configure and validate exclusions for Microsoft Defender Antivirus scans + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. + +>[!WARNING] +>Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. + +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location. + +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process. + +## Related articles + +[Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md similarity index 76% rename from windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index bc096eac9e..db259755b0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure and validate exclusions based on extension, name, or location -description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location. +description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -23,11 +23,11 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!IMPORTANT] -> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). +> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). ## Exclusion lists -You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. @@ -51,20 +51,20 @@ Exclusion lists have the following characteristics: > >You cannot exclude mapped network drives. You must specify the actual network path. > ->Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. +>Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. -To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). +To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). +The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md). >[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > >Changes made in the Windows Security app **will not show** in the Group Policy lists. By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts. -You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. +You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. ## Configure the list of exclusions based on folder name or file extension @@ -72,7 +72,7 @@ You can [configure how locally and globally defined exclusions lists are merged] See the following articles: - [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) -- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) +- [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) ### Use Configuration Manager to configure file name, folder, or file extension exclusions @@ -87,7 +87,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**. 4. Double-click the **Path Exclusions** setting and add the exclusions. @@ -146,7 +146,7 @@ For example, the following code snippet would cause Windows Defender AV scans to Add-MpPreference -ExclusionExtension ".test" ``` -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). +For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions @@ -165,7 +165,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.c ### Use the Windows Security app to configure file name, folder, or file extension exclusions -See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. +See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions. @@ -206,30 +206,30 @@ You can retrieve the items in the exclusion list using one of the following meth - [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) - MpCmdRun - PowerShell -- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions) +- [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) >[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > >Changes made in the Windows Security app **will not show** in the Group Policy lists. If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. ### Validate the exclusion list by using MpCmdRun -To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: ```DOS MpCmdRun.exe -CheckExclusion -path ``` >[!NOTE] ->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. +>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. -### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell +### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell Use the following cmdlet: @@ -241,7 +241,7 @@ In the following example, the items contained in the `ExclusionExtension` list a  -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). +For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ### Retrieve a specific exclusions list by using PowerShell @@ -257,7 +257,7 @@ In the following example, the list is split into new lines for each use of the `  -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). +For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). @@ -271,7 +271,7 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" ``` -If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html). +If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html). You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: @@ -290,6 +290,6 @@ You can also copy the string into a blank text file and attempt to save it with ## Related topics -- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) -- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md similarity index 63% rename from windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md index 59f19f11c9..a7871d1232 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md @@ -17,21 +17,21 @@ ms.reviewer: manager: dansimp --- -# Prevent or allow users to locally modify Windows Defender Antivirus policy settings +# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. +By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use. -## Configure local overrides for Windows Defender Antivirus settings +## Configure local overrides for Microsoft Defender Antivirus settings The default setting for these policies is **Disabled**. -If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate). +If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](microsoft-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate). The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting. @@ -41,7 +41,7 @@ To configure these settings: 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. 4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. @@ -49,25 +49,25 @@ To configure these settings: Location | Setting | Article ---|---|---|--- -MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) -Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) -Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md) -Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) +Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) +Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) +Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) +Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) +Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) +Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-microsoft-defender-antivirus.md) +Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) +Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) +Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) +Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) ## Configure how locally and globally defined threat remediation and exclusions lists are merged -You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md), [specified remediation lists](configure-remediation-windows-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction). +You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-microsoft-defender-antivirus.md), [specified remediation lists](configure-remediation-microsoft-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction). By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. @@ -79,7 +79,7 @@ You can disable this setting to ensure that only globally-defined lists (such as 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus**. +3. Expand the tree to **Windows components > Microsoft Defender Antivirus**. 4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**. @@ -88,5 +88,5 @@ You can disable this setting to ensure that only globally-defined lists (such as ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md new file mode 100644 index 0000000000..3f6f29e47b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -0,0 +1,49 @@ +--- +title: Configure Microsoft Defender Antivirus features +description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. +keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure Microsoft Defender Antivirus features + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can configure Microsoft Defender Antivirus with a number of tools, including: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets +- Windows Management Instrumentation (WMI) + +The following broad categories of features can be configured: + +- Cloud-delivered protection +- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection +- How end-users interact with the client on individual endpoints + +The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). + +You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. + +## In this section +Topic | Description +:---|:--- +[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection +[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection +[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md similarity index 58% rename from windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 69f56da605..2992128fc2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Configure and validate Windows Defender Antivirus network connections -description: Configure and test your connection to the Windows Defender Antivirus cloud protection service. -keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level +title: Configure and validate Microsoft Defender Antivirus network connections +description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service. +keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -17,13 +17,13 @@ ms.reviewer: manager: dansimp --- -# Configure and validate Windows Defender Antivirus network connections +# Configure and validate Microsoft Defender Antivirus network connections **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. +To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services. @@ -36,14 +36,14 @@ See the blog post [Important changes to Microsoft Active Protection Services end >- Fast learning (including block at first sight) >- Potentially unwanted application blocking -## Allow connections to the Windows Defender Antivirus cloud service +## Allow connections to the Microsoft Defender Antivirus cloud service -The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. +The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. >[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. +>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. @@ -52,21 +52,21 @@ Because your protection is a cloud service, computers must have access to the in | **Service**| **Description** |**URL** | | :--: | :-- | :-- | -| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| +| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| | Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`| -|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| +|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` | -| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| +| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud -After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. +After whitelisting the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. **Use the cmdline tool to validate cloud-delivered protection:** -Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service: +Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service: ```DOS "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection @@ -75,11 +75,11 @@ Use the following argument with the Windows Defender Antivirus command-line util > [!NOTE] > You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. -For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md). +For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md). **Attempt to download a fake malware file from Microsoft:** -You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. +You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud. Download the file by visiting the following link: - https://aka.ms/ioavtest @@ -87,9 +87,9 @@ Download the file by visiting the following link: >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. -If you are properly connected, you will see a warning Windows Defender Antivirus notification: +If you are properly connected, you will see a warning Microsoft Defender Antivirus notification: - + If you are using Microsoft Edge, you'll also see a notification message: @@ -97,7 +97,7 @@ If you are using Microsoft Edge, you'll also see a notification message: A similar message occurs if you are using Internet Explorer: - + You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app: @@ -112,19 +112,19 @@ You will also see a detection under **Quarantined threats** in the **Scan histor  >[!NOTE] ->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md). +>Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). -The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). +The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md). >[!IMPORTANT] >You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. ## Related articles -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) -- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) +- [Run an Microsoft Defender Antivirus scan from the command line](command-line-arguments-microsoft-defender-antivirus.md) and [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md) - [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md similarity index 83% rename from windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md index ef9bf3607a..57a0ea6f0e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Configure Windows Defender Antivirus notifications -description: Configure and customize Windows Defender Antivirus notifications. +title: Configure Microsoft Defender Antivirus notifications +description: Configure and customize Microsoft Defender Antivirus notifications. keywords: notifications, defender, antivirus, endpoint, management, admin search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -31,7 +31,7 @@ You can also configure how standard notifications appear on endpoints, such as n ## Configure the additional notifications that appear on endpoints -You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy. +You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy. > [!NOTE] > In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. @@ -59,7 +59,7 @@ You can configure the display of additional notifications, such as recent threat 3. Click **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Reporting**. 5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. @@ -71,7 +71,7 @@ You can use Group Policy to: - Hide all notifications on endpoints - Hide reboot notifications on endpoints -Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. +Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information. > [!NOTE] > Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). @@ -84,7 +84,7 @@ See [Customize the Windows Security app for your organization](../windows-defend 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**. 4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. @@ -96,11 +96,11 @@ See [Customize the Windows Security app for your organization](../windows-defend 3. Click **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**. 5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md similarity index 70% rename from windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 1b19f98ccd..7b14f8eda8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they have been opened by a specific process. -keywords: Windows Defender Antivirus, process, exclusion, files, scans +keywords: Microsoft Defender Antivirus, process, exclusion, files, scans search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -22,7 +22,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. +You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. This topic describes how to configure exclusion lists for the following: @@ -34,11 +34,11 @@ Any file on the machine that is opened by any process with a specific file name Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:- c:\test\sample\test.exe
- c:\test\sample\test2.exe
- c:\test\sample\utility.exe
``` >[!NOTE] ->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. +>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. -### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell +### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell Use the following cmdlet: @@ -176,7 +176,7 @@ Use the following cmdlet: Get-MpPreference ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### Retrieve a specific exclusions list by using PowerShell @@ -187,12 +187,12 @@ $WDAVprefs = Get-MpPreference $WDAVprefs.ExclusionProcess ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Related articles -- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) -- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) +- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) +- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md similarity index 52% rename from windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md index 8e6f966e08..e09172a74b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Enable and configure Windows Defender Antivirus protection features +title: Enable and configure Microsoft Defender Antivirus protection features description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV. -keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender +keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -23,21 +23,21 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus uses several methods to provide threat protection: +Microsoft Defender Antivirus uses several methods to provide threat protection: - Cloud-delivered protection for near-instant detection and blocking of new and emerging threats - Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection") - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research -You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI). +You can configure how Microsoft Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI). This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware. -See [Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for how to enable and configure Windows Defender Antivirus cloud-delivered protection. +See [Use next-gen Microsoft Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Microsoft Defender Antivirus cloud-delivered protection. ## In this section Topic | Description ---|--- -[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps -[Enable and configure Windows Defender Antivirus protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features +[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps +[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md similarity index 75% rename from windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md index 5d08760627..a456334e1f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Enable and configure Windows Defender Antivirus protection capabilities -description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning +title: Enable and configure Microsoft Defender Antivirus protection capabilities +description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -17,7 +17,7 @@ manager: dansimp ms.custom: nextgen --- -# Enable and configure Windows Defender Antivirus always-on protection in Group Policy +# Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy **Applies to:** @@ -29,7 +29,7 @@ These activities include events, such as processes making unusual changes to exi ## Enable and configure always-on protection in Group Policy -You can use **Local Group Policy Editor** to enable and configure Windows Defender Antivirus always-on protection settings. +You can use **Local Group Policy Editor** to enable and configure Microsoft Defender Antivirus always-on protection settings. To enable and configure always-on protection: @@ -37,29 +37,29 @@ To enable and configure always-on protection: 1. In your Windows 10 taskbar search box, type **gpedit**. 2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.  -2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus**. - -3. Configure the Windows Defender Antivirus antimalware service policy settings. To do this: - 1. In the **Windows Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table: +2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**. + +3. Configure the Microsoft Defender Antivirus antimalware service policy settings. To do this: + 1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table: | Setting | Description | Default setting | |-----------------------------|------------------------|-------------------------------| - | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled - | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled | + | Allow antimalware service to startup with normal priority | You can lower the priority of the Microsoft Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled + | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled | 2. Configure the setting as appropriate, and click **OK**. 3. Repeat the previous steps for each setting in the table. -4. Configure the Windows Defender Antivirus real-time protection policy settings. To do this: - 1. In the **Windows Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Windows Defender Antivirus** tree on left pane, click **Real-time Protection**. -  +4. Configure the Microsoft Defender Antivirus real-time protection policy settings. To do this: + 1. In the **Microsoft Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Microsoft Defender Antivirus** tree on left pane, click **Real-time Protection**. +  2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table: | Setting | Description | Default setting | |-----------------------------|------------------------|-------------------------------| | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled | | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled | - | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled | + | Monitor file and program activity on your computer | The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled | | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled | | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled | | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled | @@ -73,15 +73,15 @@ To enable and configure always-on protection: 3. Configure the setting as appropriate, and click **OK**. 4. Repeat the previous steps for each setting in the table. -5. Configure the Windows Defender Antivirus scanning policy setting. To do this: - 1. From the **Windows Defender Antivirus** tree on left pane, click **Scan**. -  +5. Configure the Microsoft Defender Antivirus scanning policy setting. To do this: + 1. From the **Microsoft Defender Antivirus** tree on left pane, click **Scan**. +  2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table: | Setting | Description | Default setting | |-----------------------------|------------------------|-------------------------------| - | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity. | Enabled | + | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity. | Enabled | 3. Configure the setting as appropriate, and click **OK**. 6. Close **Local Group Policy Editor**. @@ -98,7 +98,7 @@ To disable real-time protection in Group policy: 1. In your Windows 10 taskbar search box, type **gpedit**. 2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**. -2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Real-time Protection**. +2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**. 3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.  @@ -110,5 +110,5 @@ To disable real-time protection in Group policy: ## Related articles -- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md new file mode 100644 index 0000000000..f8ac6071ef --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md @@ -0,0 +1,72 @@ +--- +title: Remediate and resolve infections detected by Microsoft Defender Antivirus +description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +keywords: remediation, fix, remove, threats, quarantine, scan, restore +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure remediation for Microsoft Defender Antivirus scans + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. + +This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). + +You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings. + +## Configure remediation options + +You can configure how remediation works with the Group Policy settings described in this section. + +To configure these settings: + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. + +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + +Location | Setting | Description | Default setting (if not configured) +---|---|---|--- +Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled +Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days +Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) +Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed +Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable +Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable + +> [!IMPORTANT] +> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. +> +> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md). +> +> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md). + +Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings. + +## Related topics + +- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) +- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) +- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) +- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) +- [Configure end-user Microsoft Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md) +- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md similarity index 85% rename from windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index 78f6412fd9..66adf9c4d6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 or 2019 +title: Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019 ms.reviewer: manager: dansimp description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions. -keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus +keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -16,20 +16,20 @@ ms.author: deniseb ms.custom: nextgen --- -# Configure Windows Defender Antivirus exclusions on Windows Server +# Configure Microsoft Defender Antivirus exclusions on Windows Server **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > [!NOTE] > Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles: -- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) ## A few points to keep in mind @@ -39,7 +39,7 @@ In addition to server role-defined automatic exclusions, you can add or remove c - Custom and duplicate exclusions do not conflict with automatic exclusions. -- Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. +- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. ## Opt out of automatic exclusions @@ -48,7 +48,7 @@ In Windows Server 2016 and 2019, the predefined exclusions delivered by Security > [!WARNING] > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. -Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) . +Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) . You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. @@ -58,7 +58,7 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl 2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Exclusions**. +3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. 4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**. @@ -70,9 +70,9 @@ Use the following cmdlets: Set-MpPreference -DisableAutoExclusions $true ``` -[Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md). +[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). -[Use PowerShell with Windows Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index). +[Use PowerShell with Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019 @@ -168,7 +168,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` > [!NOTE] - > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions). + > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions). - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ @@ -400,12 +400,12 @@ This section lists the folder exclusions that are delivered automatically when y ## Related articles -- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) -- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) -- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md new file mode 100644 index 0000000000..0a108f47da --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md @@ -0,0 +1,37 @@ +--- +title: Run and customize scheduled and on-demand scans +description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. +keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. + +## In this section + +Topic | Description +---|--- +[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning +[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning +[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans +[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app +[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md new file mode 100644 index 0000000000..0a108f47da --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -0,0 +1,37 @@ +--- +title: Run and customize scheduled and on-demand scans +description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. +keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. + +## In this section + +Topic | Description +---|--- +[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning +[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning +[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans +[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app +[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md similarity index 62% rename from windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md index faaa2c10dd..b9406da6f4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Deploy, manage, and report on Windows Defender Antivirus -description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI -keywords: deploy, manage, update, protection, windows defender antivirus +title: Deploy, manage, and report on Microsoft Defender Antivirus +description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI +keywords: deploy, manage, update, protection, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -17,40 +17,40 @@ ms.reviewer: manager: dansimp --- -# Deploy, manage, and report on Windows Defender Antivirus +# Deploy, manage, and report on Microsoft Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. +You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways. -Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. +Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. You'll also see additional links for: -- Managing Windows Defender Antivirus protection, including managing product and protection updates -- Reporting on Windows Defender Antivirus protection +- Managing Microsoft Defender Antivirus protection, including managing product and protection updates +- Reporting on Microsoft Defender Antivirus protection > [!IMPORTANT] -> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus. +> In most cases, Windows 10 will disable Microsoft Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Microsoft Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Microsoft Defender Antivirus. Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] -Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] +Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. +Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) -2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) +2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) -3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2) +3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Microsoft Defender Antivirus features](configure-notifications-microsoft-defender-antivirus.md) section in this library. [(Return to table)](#ref2) [Endpoint Protection point site system role]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-protection-site-role [default and customized antimalware policies]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies @@ -70,16 +70,16 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by [Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md [Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature [Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index -[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md -[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md +[Configure update options for Microsoft Defender Antivirus]: manage-updates-baselines-microsoft-defender-antivirus.md +[Configure Windows Defender features]: configure-microsoft-defender-antivirus-features.md [Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx [Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices -[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md +[Microsoft Defender Antivirus events]: troubleshoot-microsoft-defender-antivirus.md ## In this section Topic | Description ---|--- -[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. -[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. -[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. +[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. +[Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) | There are two parts to updating Microsoft Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. +[Monitor and report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md new file mode 100644 index 0000000000..6e0bb71ecc --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md @@ -0,0 +1,38 @@ +--- +title: Deploy and enable Microsoft Defender Antivirus +description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. +keywords: deploy, enable, Microsoft Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Deploy and enable Microsoft Defender Antivirus + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection. + +See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). + +Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. + +The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). + +## Related topics + +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md similarity index 88% rename from windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index ad266974fa..096a6816cb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Antivirus Virtual Desktop Infrastructure deployment guide -description: Learn how to deploy Windows Defender Antivirus in a virtual desktop environment for the best balance between protection and performance. +title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment guide +description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance. keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -17,13 +17,13 @@ ms.reviewer: manager: dansimp --- -# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment +# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. +In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support. @@ -41,7 +41,7 @@ This guide describes how to configure your VMs for optimal protection and perfor - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) - [Apply exclusions](#exclusions) -You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI. +You can also download the whitepaper [Microsoft Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI. > [!IMPORTANT] > Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607. @@ -116,7 +116,7 @@ The profile will now be deployed to the impacted devices. This may take some tim 3. Click **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. @@ -192,11 +192,11 @@ If you would prefer to do everything manually, this what you would need to do to ### Randomize scheduled scans -Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). +Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Windows Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. -See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. +See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. ### Use quick scans @@ -211,7 +211,7 @@ Quick scans are the preferred approach as they are designed to look in all place ### Prevent notifications -Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface. +Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. 1. Expand the tree to **Windows components > Windows Defender > Client Interface**. @@ -257,7 +257,7 @@ This hides the entire Windows Defender AV user interface from users. ### Exclusions -On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus). +On Windows Server 2016, Microsoft Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus). ## Additional resources diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md similarity index 80% rename from windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 7c0db7f78f..3345190e01 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Block potentially unwanted applications with Windows Defender Antivirus +title: Block potentially unwanted applications with Microsoft Defender Antivirus description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. -keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus +keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -64,20 +64,20 @@ Defender SmartScreen available, including [one for blocking PUA](https://docs.mi Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. -### Windows Defender Antivirus +### Microsoft Defender Antivirus -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] > This feature is only available in Windows 10. -Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. +Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA file is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. +When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. -The notification appears in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). +The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). -#### Configure PUA protection in Windows Defender Antivirus +#### Configure PUA protection in Microsoft Defender Antivirus You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. @@ -90,7 +90,7 @@ PUA audit mode is useful if your company is conducting an internal software secu ##### Use Intune to configure PUA protection -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. ##### Use Configuration Manager to configure PUA protection @@ -101,7 +101,7 @@ See [How to create and deploy antimalware policies: Scheduled scans settings](ht For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. +> PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. ##### Use Group Policy to configure PUA protection @@ -109,7 +109,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus**. +3. Expand the tree to **Windows components > Microsoft Defender Antivirus**. 4. Double-click **Configure protection for potentially unwanted applications**. @@ -142,7 +142,7 @@ Set-MpPreference -PUAProtection disable ``` Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. #### View PUA events @@ -150,13 +150,13 @@ PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoi You can turn on email notifications to receive mail about PUA detections. -See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. +See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. #### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. ## Related articles -- [Next-generation protection](windows-defender-antivirus-in-windows-10.md) -- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) +- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md similarity index 70% rename from windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index 8c14c01d58..69f126b8f8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Enable cloud-delivered protection in Windows Defender Antivirus +title: Enable cloud-delivered protection in Microsoft Defender Antivirus description: Enable cloud-delivered protection to benefit from fast and advanced protection features. -keywords: windows defender antivirus, antimalware, security, cloud, block at first sight +keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -23,16 +23,16 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!NOTE] -> The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. +> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).  -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. -See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. +See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection. -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. +There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details. > [!NOTE] > In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. @@ -42,7 +42,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **All services > Intune**. 3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. 6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. 7. In the **Submit samples consent** dropdown, select one of the following: @@ -54,9 +54,9 @@ There are specific network-connectivity requirements to ensure your endpoints ca > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. -8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) @@ -72,7 +72,7 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht 3. Select **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS** 5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. @@ -85,7 +85,7 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. + > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. 7. Click **OK**. @@ -98,13 +98,13 @@ Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). >[!NOTE] > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. >[!WARNING] -> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work. +> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. ## Use Windows Management Instruction (WMI) to enable cloud-delivered protection @@ -137,11 +137,11 @@ See the following for more information and allowed parameters: ## Related topics -- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) -- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) -- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) +- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) +- [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md similarity index 62% rename from windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index 6173192baf..1c2dec92b5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Evaluate Windows Defender Antivirus -description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10. -keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection +title: Evaluate Microsoft Defender Antivirus +description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10. +keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -17,13 +17,13 @@ ms.reviewer: manager: dansimp --- -# Evaluate Windows Defender Antivirus +# Evaluate Microsoft Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. +Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. >[!TIP] >You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: @@ -31,7 +31,7 @@ Use this guide to determine how well Windows Defender Antivirus protects you fro >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking -It explains the important next generation protection features of Windows Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network. +It explains the important next generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network. You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings. @@ -44,11 +44,11 @@ You can also download a PowerShell that will enable all the settings described i - [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings) > [!IMPORTANT] -> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. +> The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. > -> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md). +> For the latest recommendations for real-world deployment and monitoring of Microsoft Defender Antivirus across a network, see [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md). ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg b/windows/security/threat-protection/microsoft-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg rename to windows/security/threat-protection/microsoft-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/atp-portal-onboarding-page.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/atp-portal-onboarding-page.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender-updatedefs2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender-updatedefs2.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/client.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/client.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/intune-block-at-first-sight.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/intune-block-at-first-sight.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/intune-block-at-first-sight.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/notification.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/notification.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-advanced-settings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-advanced-settings.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-advanced-settings.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-cloud-protection-service.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-cloud-protection-service.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-cloud-protection-service.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-real-time-protection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-real-time-protection.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-real-time-protection.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-wdo.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/sccm-wdo.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-edge.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-edge.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-ie.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-bafs-ie.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-extension-exclusions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-extension-exclusions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreat.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreat.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1607.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1607.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1703.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-1703.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-malware-detected.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-malware-detected.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-order-update-sources.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-order-update-sources.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-path-exclusions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-path-exclusions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-process-exclusions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-process-exclusions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-settings-old.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-settings-old.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc-defs.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc-defs.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-wdsc.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-windows-defender-app-old.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-windows-defender-app-old.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-administrative-templates.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-administrative-templates.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-administrative-templates.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-real-time-protection.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-real-time-protection.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-real-time-protection.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-search.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-search.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-search.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection-enabled.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-turn-off-real-time-protection.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus-scan.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG b/windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG rename to windows/security/threat-protection/microsoft-defender-antivirus/images/gpedit-windows-defender-antivirus.PNG diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/jamf-onboarding.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/jamf-onboarding.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-1-registerapp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-1-registerapp.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-10-clientapps.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-11-assignments.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-12-deviceinstall.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-13-systempreferences.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-15-managementprofileconfig.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-16-preferencedomain.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-16-preferencedomain.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-17-approvedkernelextensions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-17-approvedkernelextensions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-18-configurationprofilesscope.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-18-configurationprofilesscope.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-21-mdmprofile1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-21-mdmprofile1.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-22-mdmprofileapproved.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-22-mdmprofileapproved.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-23-mdmstatus.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-23-mdmstatus.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-24-statusonserver.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-24-statusonserver.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-25-statusonclient.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-25-statusonclient.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-26-uninstall.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-26-uninstall.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-27-uninstallscript.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-27-uninstallscript.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-28-appinstall.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-29-appinstalllogin.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-30-systemextension.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-31-securityprivacysettings.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-32-main-app-fix.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-34-mau.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-34-mau.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-36-rtp.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-37-exclusions.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-4-managementprofile.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-5-alldevices.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-7-devicestatusblade.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-8-intuneappinfo.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-9-intunepkginfo.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon-bar.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-icon.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/server-add-gui.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/server-add-gui.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg b/windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-no.svg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg rename to windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-no.svg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg b/windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-yes.svg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg rename to windows/security/threat-protection/microsoft-defender-antivirus/images/svg/check-yes.svg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperattemptalert.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperattemptalert.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectionturnedon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectionturnedon.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectsecurityrecos.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tamperprotectsecurityrecos.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-alert.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-alert.jpg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-huntingquery.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-huntingquery.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-windowssecurityapp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/tampprotintune-windowssecurityapp.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-consumer.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-consumer.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-enterprise.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-enterprise.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-intune.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-intune.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotection.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps-on.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps-on.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps-lps.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-3ps.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-wdav.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png rename to windows/security/threat-protection/microsoft-defender-antivirus/images/vtp-wdav.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md similarity index 51% rename from windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md index 8285dbdc5e..8e83b95ad4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Enable the limited periodic Windows Defender Antivirus scanning feature -description: Limited periodic scanning lets you use Windows Defender Antivirus in addition to your other installed AV providers +title: Enable the limited periodic Microsoft Defender Antivirus scanning feature +description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -19,7 +19,7 @@ manager: dansimp -# Use limited periodic scanning in Windows Defender Antivirus +# Use limited periodic scanning in Microsoft Defender Antivirus **Applies to:** @@ -27,31 +27,31 @@ manager: dansimp Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. -It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md). +It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md). -**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. +**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. ## How to enable limited periodic scanning -By default, Windows Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly. +By default, Microsoft Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly. -If Windows Defender Antivirus is enabled, the usual options will appear to configure it on that device: +If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device:  -If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: +If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:  -Underneath any third party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. +Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.  Sliding the switch to **On** will show the standard Windows Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page. - + ## Related articles -- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md similarity index 71% rename from windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md index 20d523d368..6f5db8d1e5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Apply Windows Defender Antivirus updates after certain events -description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. +title: Apply Microsoft Defender Antivirus updates after certain events +description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. keywords: updates, protection, force updates, events, startup, check for latest, notifications search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -23,11 +23,11 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. +Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. ## Check for protection updates before running a scan -You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. +You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan. ### Use Configuration Manager to check for protection updates before running a scan @@ -47,7 +47,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. 5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**. @@ -61,7 +61,7 @@ Use the following cmdlets: Set-MpPreference -CheckForSignaturesBeforeRunningScan ``` -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index). +For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index). ### Use Windows Management Instruction (WMI) to check for protection updates before running a scan @@ -75,7 +75,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.c ## Check for protection updates on startup -You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started. +You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. @@ -83,15 +83,15 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. 5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. 6. Click **OK**. -You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running. +You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it is not running. -### Use Group Policy to download updates when Windows Defender Antivirus is not present +### Use Group Policy to download updates when Microsoft Defender Antivirus is not present 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. @@ -99,13 +99,13 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**. 6. Click **OK**. -### Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present +### Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present Use the following cmdlets: @@ -113,9 +113,9 @@ Use the following cmdlets: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine ``` -For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +For more information, see [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present +### Use Windows Management Instruction (WMI) to download updates when Microsoft Defender Antivirus is not present Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties: @@ -141,7 +141,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. 5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. @@ -152,9 +152,9 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi ## Related articles -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) +- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md similarity index 70% rename from windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md index 9a6e186de0..6d5ec2c418 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md @@ -17,21 +17,21 @@ ms.reviewer: manager: dansimp --- -# Manage Windows Defender Antivirus updates and scans for endpoints that are out of date +# Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. +Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time. -When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and download the latest protection updates, and run a scan. +When the user returns to work and logs on to their PC, Microsoft Defender Antivirus will immediately check and download the latest protection updates, and run a scan. ## Set up catch-up protection updates for endpoints that haven't updated for a while -If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md). +If Microsoft Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-microsoft-defender-antivirus.md). ### Use Configuration Manager to configure catch-up protection updates @@ -40,7 +40,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie 2. Go to the **Security intelligence updates** section and configure the following settings: 1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. - 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). + 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order). 3. Click **OK**. @@ -54,7 +54,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates**. 5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. @@ -68,7 +68,7 @@ Use the following cmdlets: Set-MpPreference -SignatureUpdateCatchupInterval ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### Use Windows Management Instruction (WMI) to configure catch-up protection updates @@ -84,7 +84,7 @@ See the following for more information and allowed parameters: ## Set the number of days before protection is reported as out-of-date -You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. +You can also specify the number of days after which Microsoft Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Microsoft Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. ### Use Group Policy to specify the number of days before protection is considered out-of-date @@ -94,7 +94,7 @@ You can also specify the number of days after which Windows Defender Antivirus p 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings: 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware Security intelligence to be out-of-date. @@ -107,11 +107,11 @@ You can also specify the number of days after which Windows Defender Antivirus p ## Set up catch-up scans for endpoints that have not been scanned for a while -You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan. +You can set the number of consecutive scheduled scans that can be missed before Microsoft Defender Antivirus will force a scan. The process for enabling this feature is: -1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). +1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic). 2. Enable the catch-up scan feature. 3. Define the number of scans that can be skipped before a catch-up scan occurs. @@ -127,12 +127,12 @@ This feature can be enabled for both full and quick scans. 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan** and configure the following settings: +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Scan** and configure the following settings: 1. If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. 2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**. 3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**. - 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**. + 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic). Click **OK**. > [!NOTE] > The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run. @@ -147,7 +147,7 @@ Set-MpPreference -DisableCatchupQuickScan ``` -See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### Use Windows Management Instruction (WMI) to configure catch-up scans @@ -174,9 +174,9 @@ See the following for more information and allowed parameters: ## Related articles -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) +- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) +- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md similarity index 76% rename from windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index c67fd41aa8..5ba75a3387 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Schedule Windows Defender Antivirus protection updates +title: Schedule Microsoft Defender Antivirus protection updates description: Schedule the day, time, and interval for when protection updates should be downloaded keywords: updates, security baselines, schedule updates search.product: eADQiWindows 10XVcnh @@ -24,7 +24,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus lets you determine when it should look for and download updates. +Microsoft Defender Antivirus lets you determine when it should look for and download updates. You can schedule updates for your endpoints by: @@ -32,7 +32,7 @@ You can schedule updates for your endpoints by: - Specifying the interval to check for protection updates - Specifying the time to check for protection updates -You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information. +You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic for more information. ## Use Configuration Manager to schedule protection updates @@ -51,7 +51,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Group Policy to schedule protection updates > [!IMPORTANT] -> By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. +> By default, Microsoft Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -59,7 +59,7 @@ You can also randomize the times when each endpoint checks and downloads protect 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings: 1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. 2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. @@ -76,7 +76,7 @@ Set-MpPreference -SignatureScheduleTime Set-MpPreference -SignatureUpdateInterval ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Use Windows Management Instruction (WMI) to schedule protection updates @@ -94,12 +94,12 @@ See the following for more information and allowed parameters: ## Related articles -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) +- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) +- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md similarity index 72% rename from windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index a487d96a32..d3a6243859 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Manage how and where Windows Defender AV receives updates -description: Manage the fallback order for how Windows Defender Antivirus receives protection updates. +description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates. keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -16,7 +16,7 @@ manager: dansimp ms.custom: nextgen --- -# Manage the sources for Windows Defender Antivirus protection updates +# Manage the sources for Microsoft Defender Antivirus protection updates **Applies to:** @@ -25,11 +25,11 @@ ms.custom: nextgen -Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Windows Defender Antivirus: +Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Microsoft Defender Antivirus: - *Where* the updates are downloaded from; and - *When* updates are downloaded and applied. -This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). +This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). > [!IMPORTANT] > Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). @@ -53,13 +53,13 @@ There are five locations where you can specify where an endpoint should obtain u - [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) - [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview) -- [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.) +- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.) To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. > [!IMPORTANT] > If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). -> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).+> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
> Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table: @@ -68,9 +68,9 @@ Each source has typical scenarios that depend on how your network is configured, |---|---| |Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.| |Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.| -|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| +|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| |Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.| -|Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| +|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. @@ -104,8 +104,8 @@ The procedures in this article first describe how to set the order, and then how 6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting. > [!NOTE] -> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Windows Defender Antivirus > Signature Updates** -> For Windows 10, version 1903, the policy path is **Windows Components > Windows Defender Antivirus > Security Intelligence Updates** +> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Microsoft Defender Antivirus > Signature Updates** +> For Windows 10, version 1903, the policy path is **Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates** ## Use Configuration Manager to manage the update location @@ -123,7 +123,7 @@ Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\ See the following articles for more information: - [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference) - [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) -- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) ## Use Windows Management Instruction (WMI) to manage the update location @@ -144,19 +144,19 @@ See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft. ## What if we're using a third-party vendor? -This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks. +This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, third-party vendors can be used to perform these tasks. -For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to deploy patches and updates. +For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) to deploy patches and updates. > [!NOTE] -> Microsoft does not test third-party solutions for managing Windows Defender Antivirus. +> Microsoft does not test third-party solutions for managing Microsoft Defender Antivirus. ## Related articles -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) +- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) +- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md similarity index 68% rename from windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 5fdfa55aa4..f619b37fca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Manage Windows Defender Antivirus updates and apply baselines -description: Manage how Windows Defender Antivirus receives protection and product updates. +title: Manage Microsoft Defender Antivirus updates and apply baselines +description: Manage how Microsoft Defender Antivirus receives protection and product updates. keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -16,35 +16,35 @@ ms.reviewer: manager: dansimp --- -# Manage Windows Defender Antivirus updates and apply baselines +# Manage Microsoft Defender Antivirus updates and apply baselines **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -There are two types of updates related to keeping Windows Defender Antivirus up to date: +There are two types of updates related to keeping Microsoft Defender Antivirus up to date: - Security intelligence updates - Product updates > [!IMPORTANT] -> Keeping Windows Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. -> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). +> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. +> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). ## Security intelligence updates -Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. +Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. -The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. +The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. Engine updates are included with the security intelligence updates and are released on a monthly cadence. ## Product updates -Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. +Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. -For more information, see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). +For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). > [!NOTE] > We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server. @@ -58,11 +58,32 @@ All our updates contain: * serviceability improvements * integration improvements (Cloud, MTP)
++May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)
+ + Security intelligence update version: **1.317.20.0** + Released: **May 26, 2020** + Platform: **4.18.2005.4** + Engine: **1.1.17100.2** + Support phase: **Security and Critical Updates** + +### What's new +* Improved logging for scan events +* Improved user mode crash handling. +* Added event tracing for Tamper protection +* Fixed AMSI Sample submission +* Fixed AMSI Cloud blocking +* Fixed Security update install log + +### Known Issues +No known issues +
+@@ -139,7 +160,7 @@ Support phase: **Technical upgrade Support (Only)** * Fixed BSOD on WS2016 with Exchange * Support platform updates when TMP is redirected to network path * Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) -* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) +* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) * Fix 4.18.1911.10 hang ### Known Issues @@ -171,7 +192,7 @@ No known issuesApril-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)
- Security intelligence update version: **TBD** + Security intelligence update version: **1.315.12.0** Released: **April 30, 2020** Platform: **4.18.2004.6** Engine: **1.1.17000.2** @@ -93,14 +114,14 @@ No known issues ### What's new -* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) +* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) * Improve diagnostic capability * reduce Security intelligence timeout (5min) * Extend AMSI engine internal log capability * Improve notification for process blocking ### Known Issues -[**Fixed**] Windows Defender Antivirus is skipping files when running a scan. +[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
-## Windows Defender Antivirus platform support +## Microsoft Defender Antivirus platform support As stated above, platform and engine updates are provided on a monthly cadence. Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version: @@ -186,7 +207,7 @@ Customers must stay current with the latest platform update to be fully supporte During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*). ### Platform version included with Windows 10 releases -The below table provides the Windows Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases: +The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases: |Windows 10 release |Platform version |Engine version |Support phase | |-|-|-|-| @@ -205,8 +226,8 @@ Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsof Article | Description ---|--- -[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources. -[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded. -[Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on. -[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. -[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. +[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. +[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. +[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on. +[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. +[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md similarity index 78% rename from windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index 94b9e04752..81ba39a7cc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -31,13 +31,13 @@ There are two settings that are particularly useful for these devices: - Prevent Security intelligence updates when running on battery power The following topics may also be useful in these situations: -- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md) +- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) +- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md) ## Opt-in to Microsoft Update on mobile computers without a WSUS connection -You can use Microsoft Update to keep Security intelligence on mobile devices running Windows Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. +You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. @@ -55,7 +55,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**. +5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. 6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. @@ -73,7 +73,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following ## Prevent Security intelligence updates when running on battery power -You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source. +You can configure Microsoft Defender Antivirus to only download protection updates when the PC is connected to a wired power source. ### Use Group Policy to prevent security intelligence updates on battery power @@ -83,7 +83,7 @@ You can configure Windows Defender Antivirus to only download protection updates 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting: +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting: 1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. @@ -91,5 +91,5 @@ You can configure Windows Defender Antivirus to only download protection updates ## Related articles -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Update and manage Microsoft Defender Antivirus in Windows 10](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md new file mode 100644 index 0000000000..2cb802f3b8 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -0,0 +1,98 @@ +--- +title: Microsoft Defender Antivirus compatibility with other security products +description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using. +keywords: windows defender, atp, advanced threat protection, compatibility, passive mode +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.reviewer: +manager: dansimp +--- + +# Microsoft Defender Antivirus compatibility + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Overview + +Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. +- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. +- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) +- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. + +## Antivirus and Microsoft Defender ATP + +The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. + + +| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Microsoft Defender Antivirus state | +|------|------|-------|-------| +| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | +| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows 10 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | +| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] | +| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode | + +(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. + +If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: +- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` +- Name: ForceDefenderPassiveMode +- Value: 1 + +See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. + +> [!IMPORTANT] +> Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019. +> +> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. +> +> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). + +## Functionality and features available in each state + +The following table summarizes the functionality and features that are available in each state: + +|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | +|--|--|--|--|--|--| +|Active mode
|Yes |No |Yes |Yes |Yes | +|Passive mode |No |No |Yes |No |Yes | +|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | +|Automatic disabled mode |No |Yes |No |No |No | + +- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). +- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. +- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. + +## Keep the following points in mind + +If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. + +When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. + +In passive and automatic disabled mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. + +If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode. + +> [!WARNING] +> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). + + +## Related topics + +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) +- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md new file mode 100644 index 0000000000..f0ebabb8e5 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -0,0 +1,59 @@ +--- +title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 +description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 +keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.date: 02/25/2020 +ms.reviewer: +manager: dansimp +ms.custom: nextgen +--- + +# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Microsoft Defender Antivirus: Your next-generation protection + +Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: + +- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware. +- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats. +- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date. + +## Try a demo! + +Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: +- Cloud-delivered protection +- Block at first sight (BAFS) protection +- Potentially unwanted applications (PUA) protection + +## Minimum system requirements + +Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see: + +- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) +- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components) + +## Configure next-generation protection services + +For information on how to configure next-generation protection services, see [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md). + +> [!Note] +> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md). + +## Related articles + +- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md) + +- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md similarity index 62% rename from windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md rename to windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 6ff0b08f83..4cf3a8a1e7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Antivirus on Windows Server 2016 and 2019 +title: Microsoft Defender Antivirus on Windows Server 2016 and 2019 description: Enable and configure Windows Defender AV on Windows Server 2016 and 2019 keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh @@ -16,28 +16,28 @@ ms.reviewer: manager: dansimp --- -# Windows Defender Antivirus on Windows Server 2016 and 2019 +# Microsoft Defender Antivirus on Windows Server 2016 and 2019 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Windows Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. +Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. -While the functionality, configuration, and management are largely the same for Windows Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019: +While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019: -- In Windows Server, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role. -- In Windows Server, Windows Defender Antivirus does not automatically disable itself if you are running another antivirus product. +- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role. +- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product. ## The process at a glance -The process of setting up and running Windows Defender Antivirus on a server platform includes several steps: +The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps: 1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019) -2. [Install Windows Defender Antivirus](#install-windows-defender-antivirus-on-windows-server-2016-or-2019) +2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019) -2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-antivirus-is-running) +2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running) 3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence) @@ -45,11 +45,11 @@ The process of setting up and running Windows Defender Antivirus on a server pla 5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) -6. (Only if necessary) [Uninstall Windows Defender Antivirus](#need-to-uninstall-windows-defender-antivirus) +6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus) ## Enable the user interface on Windows Server 2016 or 2019 -By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell. +By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell. ### Turn on the GUI using the Add Roles and Features Wizard @@ -73,30 +73,30 @@ The following PowerShell cmdlet will enable the interface: Install-WindowsFeature -Name Windows-Defender-GUI ``` -## Install Windows Defender Antivirus on Windows Server 2016 or 2019 +## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019 -You can use either the **Add Roles and Features Wizard** or PowerShell to install Windows Defender Antivirus. +You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus. ### Use the Add Roles and Features Wizard 1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. -2. When you get to the **Features** step of the wizard, select the Windows Defender Antivirus option. Also select the **GUI for Windows Defender** option. +2. When you get to the **Features** step of the wizard, select the Microsoft Defender Antivirus option. Also select the **GUI for Windows Defender** option. ### Use PowerShell -To use PowerShell to install Windows Defender Antivirus, run the following cmdlet: +To use PowerShell to install Microsoft Defender Antivirus, run the following cmdlet: ```PowerShell Install-WindowsFeature -Name Windows-Defender ``` -Event messages for the antimalware engine included with Windows Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md). +Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-microsoft-defender-antivirus.md). -## Verify Windows Defender Antivirus is running +## Verify Microsoft Defender Antivirus is running -To verify that Windows Defender Antivirus is running on your server, run the following PowerShell cmdlet: +To verify that Microsoft Defender Antivirus is running on your server, run the following PowerShell cmdlet: ```PowerShell Get-Service -Name windefend @@ -108,17 +108,17 @@ To verify that firewall protection is turned on, run the following PowerShell cm Get-Service -Name mpssvc ``` -As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender Antivirus is running. To do that, run the following command from a command prompt: +As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt: ```DOS sc query Windefend ``` -The `sc query` command returns information about the Windows Defender Antivirus service. When Windows Defender Antivirus is running, the `STATE` value displays `RUNNING`. +The `sc query` command returns information about the Microsoft Defender Antivirus service. When Microsoft Defender Antivirus is running, the `STATE` value displays `RUNNING`. ## Update antimalware Security intelligence -In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage. +In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods: @@ -135,11 +135,11 @@ To ensure that protection from malware is maintained, we recommend that you enab - Windows Update service -The following table lists the services for Windows Defender Antivirus and the dependent services. +The following table lists the services for Microsoft Defender Antivirus and the dependent services. |Service Name|File Location|Description| |--------|---------|--------| -|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.| +|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Microsoft Defender Antivirus service that needs to be running at all times.| |Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.| |Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.| |Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates| @@ -161,28 +161,28 @@ To enable automatic sample submission, start a Windows PowerShell console as an |Setting |Description | |---------|---------| -|**0** Always prompt |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | -|**1** Send safe samples automatically |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | -|**2** Never send |The Windows Defender Antivirus service does not prompt and does not send any files. | -|**3** Send all samples automatically |The Windows Defender Antivirus service sends all files without a prompt for confirmation. | +|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | +|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | +|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. | +|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | ## Configure automatic exclusions -To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019. +To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019. -See [Configure exclusions in Windows Defender Antivirus on Windows Server](configure-server-exclusions-windows-defender-antivirus.md). +See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md). -## Need to uninstall Windows Defender Antivirus? +## Need to uninstall Microsoft Defender Antivirus? -If you are using a third-party antivirus solution and you're running into issues with that solution and Windows Defender Antivirus, you can consider uninstalling Windows Defender Antivirus. Before you do that, review the following resources: +If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources: - See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products). -- See [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection. +- See [Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection. -If you determine you do want to uninstall Windows Defender Antivirus, follow the steps in the following sections. +If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections. -### Uninstall Windows Defender Antivirus using the Remove Roles and Features wizard +### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard 1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. @@ -192,7 +192,7 @@ If you determine you do want to uninstall Windows Defender Antivirus, follow the Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. -### Uninstall Windows Defender Antivirus using PowerShell +### Uninstall Microsoft Defender Antivirus using PowerShell >[!NOTE] >You can't uninstall the Windows Security app, but you can disable the interface with these instructions. @@ -205,7 +205,7 @@ Uninstall-WindowsFeature -Name Windows-Defender ### Turn off the GUI using PowerShell -To turn off the Windows Defender Antivirus GUI, use the following PowerShell cmdlet: +To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet: ```PowerShell Uninstall-WindowsFeature -Name Windows-Defender-GUI @@ -214,8 +214,8 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI ## Related topics -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) -- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md new file mode 100644 index 0000000000..636b470f3c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md @@ -0,0 +1,141 @@ +--- +title: Microsoft Defender Offline in Windows 10 +description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network. +keywords: scan, defender, offline +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.reviewer: +manager: dansimp +--- + +# Run and review the results of a Microsoft Defender Offline scan + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). + +You can use Microsoft Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak. + +In Windows 10, Microsoft Defender Offline can be run with one click directly from the [Windows Security app](microsoft-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Microsoft Defender Offline to bootable media, restart the endpoint, and load the bootable media. + +## prerequisites and requirements + +Microsoft Defender Offline in Windows 10 has the same hardware requirements as Windows 10. + +For more information about Windows 10 requirements, see the following topics: + +- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) + +- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx) + +> [!NOTE] +> Microsoft Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units. + +To run Microsoft Defender Offline from the endpoint, the user must be logged in with administrator privileges. + +## Microsoft Defender Offline updates + +Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated. + +> [!NOTE] +> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). + +See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information. + +## Usage scenarios + +In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint. + +The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints. + +The prompt can occur via a notification, similar to the following: + + + +The user will also be notified within the Windows Defender client: + + + +In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. + +Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. + + + +## Configure notifications + + +Microsoft Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications. + +For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) topic. + +## Run a scan + +> [!IMPORTANT] +> Before you use Microsoft Defender Offline, make sure you save any files and shut down running programs. The Microsoft Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. + +You can run a Microsoft Defender Offline scan with the following: + +- PowerShell +- Windows Management Instrumentation (WMI) +- The Windows Security app + + + +### Use PowerShell cmdlets to run an offline scan + +Use the following cmdlets: + +```PowerShell +Start-MpWDOScan +``` + +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. + +### Use Windows Management Instruction (WMI) to run an offline scan + +Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan. + +The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. + +```WMI +wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start +``` + +See the following for more information: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) + + +### Use the Windows Defender Security app to run an offline scan + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label: + + +3. Select **Microsoft Defender Offline scan** and click **Scan now**. + + + > [!NOTE] + > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client. + + +## Review scan results + +Microsoft Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). + + +## Related articles + +- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md similarity index 87% rename from windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md index 77eca7df65..36f41c59d3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Antivirus in the Windows Security app +title: Microsoft Defender Antivirus in the Windows Security app description: With Windows Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks. keywords: wdav, antivirus, firewall, security, windows search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.reviewer: manager: dansimp --- -# Windows Defender Antivirus in the Windows Security app +# Microsoft Defender Antivirus in the Windows Security app **Applies to:** @@ -52,22 +52,22 @@ The following diagrams compare the location of settings and functions between th  - + Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description ---|---|---|--- 1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission -4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan +4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option ## Common tasks -This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app. +This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Microsoft Defender Antivirus in the Windows Security app. > [!NOTE] -> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured. +> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) topic describes how local policy override settings can be configured. @@ -96,7 +96,7 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **Check for updates** to download new protection updates (if there are any). -### Ensure Windows Defender Antivirus is enabled in the Windows Security app +### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -108,12 +108,12 @@ This section describes how to perform some of the most common tasks when reviewi >[!NOTE] >If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. - >If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). + >If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). -### Add exclusions for Windows Defender Antivirus in the Windows Security app +### Add exclusions for Microsoft Defender Antivirus in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -130,14 +130,14 @@ The following table summarizes exclusion types and what happens: |Exclusion type |Defined by |What happens | |---------|---------|---------| -|**File** |Location
Example: `c:\sample\sample.test` |The specific file is skipped by Windows Defender Antivirus. | -|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. | -|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Windows Defender Antivirus. | -|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Windows Defender Antivirus. | +|**File** |Location
Example: `c:\sample\sample.test` |The specific file is skipped by Microsoft Defender Antivirus. | +|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. | +|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. | +|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | To learn more, see: -- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus) -- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus) +- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) +- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) ### Review threat detection history in the Windows Defender Security Center app @@ -167,6 +167,6 @@ To learn more, see: ## Related articles -- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md similarity index 75% rename from windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md index 77a5c15cf1..58f370b7dd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: "Better together - Windows Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats" -description: "Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more." +title: "Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats" +description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more." keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -19,22 +19,22 @@ ms.reviewer: manager: dansimp --- -# Better together: Windows Defender Antivirus and Office 365 +# Better together: Microsoft Defender Antivirus and Office 365 **Applies to:** -- Windows Defender Antivirus +- Microsoft Defender Antivirus - Office 365 You might already know that: -- **Windows Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Windows Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Windows Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +- **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). - **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats). - **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing). -**But did you know there are good security reasons to use Windows Defender Antivirus together with Office 365**? Here are two: +**But did you know there are good security reasons to use Microsoft Defender Antivirus together with Office 365**? Here are two: 1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery). @@ -44,11 +44,11 @@ Read the following sections to learn more. ## Ransomware protection and recovery -When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur: +When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur: 1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.) -2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.) +2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.) 3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/oldTOC.md b/windows/security/threat-protection/microsoft-defender-antivirus/oldTOC.md new file mode 100644 index 0000000000..6e1deba9b5 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/oldTOC.md @@ -0,0 +1,68 @@ + +# [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) + +## [Windows Defender AV in the Microsoft Defender Security Center app](microsoft-defender-security-center-antivirus.md) + +## [Windows Defender AV on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md) + +## [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md) +### [Use limited periodic scanning in Windows Defender AV](limited-periodic-scanning-microsoft-defender-antivirus.md) + + +## [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md) + + +## [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) +### [Deploy and enable Microsoft Defender Antivirus](deploy-microsoft-defender-antivirus.md) +#### [Deployment guide for VDI environments](deployment-vdi-microsoft-defender-antivirus.md) +### [Report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md) +#### [Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md) +### [Manage updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +#### [Manage protection and Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) +#### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) +#### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) +#### [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) +#### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) + + +## [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md) +### [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +#### [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) +#### [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md) +#### [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) +#### [Enable the Block at First Sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md) +#### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) +### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) +#### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) +#### [Enable and configure always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) +### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-microsoft-defender-antivirus.md) +#### [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) +#### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) +#### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) + + +## [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) +### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-microsoft-defender-antivirus.md) +#### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) +#### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +#### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md) +### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-microsoft-defender-antivirus.md) +### [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) +### [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) +### [Configure and run scans](run-scan-microsoft-defender-antivirus.md) +### [Review scan results](review-scan-results-microsoft-defender-antivirus.md) +### [Run and review the results of a Windows Defender Offline scan](microsoft-defender-offline.md) + + +## [Review event logs and error codes to troubleshoot issues](troubleshoot-microsoft-defender-antivirus.md) + + + +## [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) +### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-microsoft-defender-antivirus.md) +### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-microsoft-defender-antivirus.md) +### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-microsoft-defender-antivirus.md) +### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-microsoft-defender-antivirus.md) +### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-microsoft-defender-antivirus.md) + + diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md similarity index 91% rename from windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md rename to windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 52966241d0..06fb8a10f3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -37,7 +37,7 @@ With tamper protection, malicious apps are prevented from taking actions like th ### How it works - Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these: + Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods like these: - Configuring settings in Registry Editor on your Windows machine - Changing settings through PowerShell cmdlets - Editing or removing security settings through group policies @@ -60,7 +60,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And, ## Turn tamper protection on (or off) for an individual machine > [!NOTE] -> Tamper protection blocks attempts to modify Windows Defender Antivirus settings through the registry. +> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry. > > To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).) > @@ -93,7 +93,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal- - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).) + - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) 2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account. @@ -165,7 +165,7 @@ No No. Third-party antivirus offerings will continue to register with the Windows Security application. -### What happens if Windows Defender Antivirus is not active on a device? +### What happens if Microsoft Defender Antivirus is not active on a device? Tamper protection will not have any impact on such devices. @@ -175,18 +175,18 @@ If you are a home user, see [Turn tamper protection on (or off) for an individua If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). -### How does configuring tamper protection in Intune affect how I manage Windows Defender Antivirus through my group policy? +### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy? -Your regular group policy doesn’t apply to tamper protection, and changes to Windows Defender Antivirus settings are ignored when tamper protection is on. +Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on. >[!NOTE] ->A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Windows Defender Antivirus settings.
-> Sample Windows Defender Antivirus settings:
-> Turn off Windows Defender Antivirus
+>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
+> Sample Microsoft Defender Antivirus settings:
+> Turn off Microsoft Defender Antivirus
> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\ Value DisableAntiSpyware = 0
>Turn off real-time protection
-Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Real-time Protection\ +Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\ Value DisableRealtimeMonitoring = 0 ### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only? @@ -234,4 +234,4 @@ No. [Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-antivirus.md) +[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md similarity index 67% rename from windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md index 8f6ebb3c64..4b5dfb5cc2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Hide the Windows Defender Antivirus interface +title: Hide the Microsoft Defender Antivirus interface description: You can hide virus and threat protection tile in the Windows Security app. keywords: ui lockdown, headless mode, hide app, hide settings, hide interface search.product: eADQiWindows 10XVcnh @@ -17,17 +17,17 @@ ms.reviewer: manager: dansimp --- -# Prevent users from seeing or interacting with the Windows Defender Antivirus user interface +# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans. +You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans. -## Hide the Windows Defender Antivirus interface +## Hide the Microsoft Defender Antivirus interface -In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app. +In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app. With the setting set to **Enabled**: @@ -38,7 +38,7 @@ With the setting set to **Disabled** or not configured:  >[!NOTE] ->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app." @@ -52,11 +52,11 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl 3. Click **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**. 5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. -See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs. +See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs. ## Prevent users from pausing a scan @@ -70,14 +70,14 @@ You can prevent users from pausing scans, which can be helpful to ensure schedul 3. Click **Administrative templates**. -4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. 5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. ## Related articles -- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) -- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) +- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md similarity index 64% rename from windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md index caea14600c..af0ed9fd05 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Monitor and report on Windows Defender Antivirus protection +title: Monitor and report on Microsoft Defender Antivirus protection description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI. keywords: siem, monitor, report, windows defender av search.product: eADQiWindows 10XVcnh @@ -17,28 +17,28 @@ ms.reviewer: manager: dansimp --- -# Report on Windows Defender Antivirus +# Report on Microsoft Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). -Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. +Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings. If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx). -Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md). +Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md). These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server. You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware). -For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2). +For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-microsoft-defender-antivirus.md#ref2). ## Related articles -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) -- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md similarity index 76% rename from windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md index 625c85ac9a..5a30c57794 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md @@ -35,9 +35,9 @@ If Microsoft Defender Antivirus is configured to detect and remediate threats on ## Related articles -- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) -- [Review scan results](review-scan-results-windows-defender-antivirus.md) -- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) +- [Review scan results](review-scan-results-microsoft-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md similarity index 68% rename from windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md index d0f31c4c8d..258b495b60 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md @@ -17,13 +17,13 @@ ms.reviewer: manager: dansimp --- -# Review Windows Defender Antivirus scan results +# Review Microsoft Defender Antivirus scan results **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. +After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results. ## Use Microsoft Intune to review scan results @@ -56,7 +56,7 @@ Get-MpThreat  -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Use Windows Management Instruction (WMI) to review scan results @@ -65,5 +65,5 @@ Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**] ## Related articles -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md similarity index 67% rename from windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index f36197fe0f..0d9933fc95 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -17,7 +17,7 @@ ms.reviewer: manager: dansimp --- -# Configure and run on-demand Windows Defender Antivirus scans +# Configure and run on-demand Microsoft Defender Antivirus scans **Applies to:** @@ -30,7 +30,7 @@ You can run an on-demand scan on individual endpoints. These scans will start im Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. @@ -50,7 +50,7 @@ Use the following `-scan` parameter: ```DOS mpcmdrun.exe -scan -scantype 1 ``` -See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths. +See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths. ## Use Microsoft Intune to run a scan @@ -61,7 +61,7 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen ## Use the Windows Security app to run a scan -See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. +See [Run a scan in the Windows Security app](microsoft-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. ## Use PowerShell cmdlets to run a scan @@ -70,7 +70,7 @@ Use the following cmdlet: ```PowerShell Start-MpScan ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Use Windows Management Instruction (WMI) to run a scan @@ -82,6 +82,6 @@ See the following for more information and allowed parameters: ## Related articles -- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) -- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) +- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md similarity index 70% rename from windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index b2b391a114..6dd4dadced 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md @@ -17,19 +17,19 @@ ms.reviewer: manager: dansimp --- -# Configure scheduled quick or full Windows Defender Antivirus scans +# Configure scheduled quick or full Microsoft Defender Antivirus scans **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!NOTE] -> By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. +> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default. -In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans. +In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans. -You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. +You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). @@ -41,11 +41,11 @@ To configure the Group Policy settings described in this topic: 4. Click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. 6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. -Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics. +Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics. ## Quick scan versus full scan and custom scan @@ -53,11 +53,11 @@ When you set up scheduled scans, you can set up whether the scan should be a ful Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. -A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md). +A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-microsoft-defender-antivirus.md). A custom scan allows you to specify the files and folders to scan, such as a USB drive. @@ -69,7 +69,7 @@ A custom scan allows you to specify the files and folders to scan, such as a USB Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans. >[!NOTE] ->If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time. +>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time. **Use Group Policy to schedule scans:** @@ -78,7 +78,7 @@ Location | Setting | Description | Default setting (if not configured) Scan | Specify the scan type to use for a scheduled scan | Quick scan Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am -Root | Randomize scheduled task times |In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled +Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled **Use PowerShell cmdlets to schedule scans:** @@ -92,7 +92,7 @@ Set-MpPreference -RandomizeScheduleTaskTimes ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. **Use Windows Management Instruction (WMI) to schedule scans:** @@ -127,7 +127,7 @@ Use the following cmdlets: Set-MpPreference -ScanOnlyIfIdleEnabled ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. **Use Windows Management Instruction (WMI):** @@ -163,7 +163,7 @@ Set-MpPreference -RemediationScheduleDay Set-MpPreference -RemediationScheduleTime ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. **Use Windows Management Instruction (WMI):** @@ -200,7 +200,7 @@ Use the following cmdlets: Set-MpPreference -ScanScheduleQuickTime ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. **Use Windows Management Instruction (WMI) to schedule daily scans:** @@ -217,7 +217,7 @@ See the following for more information and allowed parameters: ## Enable scans after protection updates -You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy. +You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy. **Use Group Policy to schedule scans after protection updates** @@ -232,9 +232,9 @@ Signature updates | Turn on scan after Security intelligence update | A scan wil ## Related topics -- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) +- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) +- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) +- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) +- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md similarity index 69% rename from windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md index d04a0c0bd5..c6a20d3a13 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Specify cloud-delivered protection level in Windows Defender Antivirus -description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus. -keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level +title: Specify cloud-delivered protection level in Microsoft Defender Antivirus +description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus. +keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -23,24 +23,24 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. +You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. >[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. +>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. ## Use Intune to specify the level of cloud-delivered protection 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **All services > Intune**. 3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. 5. On the **File Blocking Level** switch, select one of the following: 1. **High**: Applies a strong level of detection. 2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance). 3. **Zero tolerance**: Blocks all unknown executables. -8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) @@ -59,10 +59,10 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht 4. Click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**. +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**. 6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - - **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files. + - **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files. - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives). - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives). - **Zero tolerance blocking level** blocks all unknown executables. @@ -75,8 +75,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht ## Related articles -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) +- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) +- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md similarity index 83% rename from windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md rename to windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md index 8b02e56f61..68ce4eebbd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Windows Defender AV event IDs and error codes -description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors +description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -17,19 +17,19 @@ ms.reviewer: manager: dansimp --- -# Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus +# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. +If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. The tables list: -- [Windows Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016) -- [Windows Defender Antivirus client error codes](#error-codes) -- [Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) +- [Microsoft Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016) +- [Microsoft Defender Antivirus client error codes](#error-codes) +- [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) > [!TIP] > You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: @@ -39,18 +39,18 @@ The tables list: > - Potentially unwanted application blocking -## Windows Defender Antivirus event IDs +## Microsoft Defender Antivirus event IDs -Windows Defender Antivirus records event IDs in the Windows event log. +Microsoft Defender Antivirus records event IDs in the Windows event log. -You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender Antivirus client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. +You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Microsoft Defender Antivirus client event IDs](troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. -The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error. +The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error. -## To view a Windows Defender Antivirus event +## To view a Microsoft Defender Antivirus event 1. Open **Event Viewer**. -2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**. +2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Microsoft Defender Antivirus**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. @@ -324,7 +324,7 @@ Description of the error. User action:
- Run the scan again. @@ -432,7 +432,7 @@ Message: Description:
- User: <Domain>\<User>
- Name: <Threat name> @@ -484,7 +484,7 @@ Message: Description:
- User: <Domain>\<User>
- Name: <Threat name> @@ -543,7 +543,7 @@ Message: Description:
- Name: <Threat name>
- ID: <Threat ID> @@ -587,7 +587,7 @@ Message: Description:
- Name: <Threat name>
- ID: <Threat ID> @@ -634,7 +634,7 @@ Message: Description:
For more information, see the following: +Microsoft Defender Antivirus has deleted an item from quarantine.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -677,7 +677,7 @@ Message: Description:
- Name: <Threat name> @@ -725,7 +725,7 @@ Message: Description:
- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User> @@ -756,7 +756,7 @@ The antimalware platform could not delete history of malware and other potential Description:
- Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\<User> @@ -791,7 +791,7 @@ Message: Description:
For more information, see the following: +Microsoft Defender Antivirus has detected a suspicious behavior.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -868,7 +868,7 @@ Message: Description:
For more information, see the following: +Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -921,7 +921,7 @@ UAC User action:
For more information, see the following: +Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -1010,7 +1010,7 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version> NOTE: -Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
- Default Internet Explorer or Microsoft Edge setting
- User Access Control settings
- Chrome settings @@ -1049,7 +1049,7 @@ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se User action:
-
+Whenever Microsoft Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
For more information, see the following: +Microsoft Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -1144,7 +1144,7 @@ Description of the error. User action:
For more information, see the following: +Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information, see the following:
- Name: <Threat name>
- ID: <Threat ID> @@ -1239,7 +1239,7 @@ Description of the error. User action:
| Action | @@ -1302,7 +1302,7 @@ Symbolic name: Message:-Windows Defender Antivirus has deduced the hashes for a threat resource. +Microsoft Defender Antivirus has deduced the hashes for a threat resource. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
-Windows Defender Antivirus client is up and running in a healthy state.
+Microsoft Defender Antivirus client is up and running in a healthy state.
|
-Windows Defender Antivirus client is up and running in a healthy state.
+Microsoft Defender Antivirus client is up and running in a healthy state.
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. +No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. | -No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated. +No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated. | ||||||
-Windows Defender Antivirus has encountered an error trying to update signatures.
+Microsoft Defender Antivirus has encountered an error trying to update signatures.
|
-Windows Defender Antivirus engine version has been updated.
+Microsoft Defender Antivirus engine version has been updated.
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated. +No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated. | |||||||
-Windows Defender Antivirus has encountered an error trying to update the engine.
+Microsoft Defender Antivirus has encountered an error trying to update the engine.
|
-The Windows Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
+The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
To troubleshoot this event:
|
-Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
+Microsoft Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
|
-The Windows Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender Antivirus will attempt to revert back to a known-good set of definitions.
+The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus will attempt to revert back to a known-good set of definitions.
To troubleshoot this event:
|
-Windows Defender Antivirus could not load antimalware engine because current platform version is not supported. Windows Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
+Microsoft Defender Antivirus could not load antimalware engine because current platform version is not supported. Microsoft Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
|
-Windows Defender Antivirus has encountered an error trying to update the platform.
+Microsoft Defender Antivirus has encountered an error trying to update the platform.
|
-Windows Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender Antivirus platform to maintain the best level of protection available.
+Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.
|
-Windows Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
+Microsoft Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
|
-Windows Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
+Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
|
-No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. +No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. |
-Windows Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
+Microsoft Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
|
-Windows Defender Antivirus discarded all Dynamic Signature Service signatures.
+Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.
|
-Windows Defender Antivirus downloaded a clean file.
+Microsoft Defender Antivirus downloaded a clean file.
|
-Windows Defender Antivirus has encountered an error trying to download a clean file.
+Microsoft Defender Antivirus has encountered an error trying to download a clean file.
|
Check your Internet connectivity settings. -The Windows Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. +The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. | |||||
| -Windows Defender Antivirus downloaded and configured offline antivirus to run on the next reboot. +Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot. | |||||||||
-Windows Defender Antivirus has encountered an error trying to download and configure offline antivirus.
+Microsoft Defender Antivirus has encountered an error trying to download and configure offline antivirus.
|
-The support for your operating system will expire shortly. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats. +The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats. | ||||||||
| -The support for your operating system has expired. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats. +The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats. | |||||||||
| -The support for your operating system has expired. Windows Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. +The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. | |||||||||
-Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
+Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
|
You should restart the system then run a full scan because it's possible the system was not protected for some time. -The Windows Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start. +The Microsoft Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start. If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. | @@ -2310,7 +2310,7 @@ Message: Description:
-Windows Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
+Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
|
@@ -2357,7 +2357,7 @@ Message:
Description:
-Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled. +Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled. | ||||||
| -Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled. +Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled. | |||||||||
-Windows Defender Antivirus real-time protection feature configuration has changed.
+Microsoft Defender Antivirus real-time protection feature configuration has changed.
|
-Windows Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
+Microsoft Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
|
-Windows Defender Antivirus engine has been terminated due to an unexpected error.
+Microsoft Defender Antivirus engine has been terminated due to an unexpected error.
|
-The Windows Defender Antivirus client engine stopped due to an unexpected error.
+The Microsoft Defender Antivirus client engine stopped due to an unexpected error.
To troubleshoot this event:
|
-Windows Defender Antivirus scanning for malware and other potentially unwanted software has been enabled. +Microsoft Defender Antivirus scanning for malware and other potentially unwanted software has been enabled. | |||||
| -Windows Defender Antivirus scanning for malware and other potentially unwanted software is disabled. +Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled. | |||||||||
| -Windows Defender Antivirus scanning for viruses has been enabled. +Microsoft Defender Antivirus scanning for viruses has been enabled. | |||||||||
| -Windows Defender Antivirus scanning for viruses is disabled. +Microsoft Defender Antivirus scanning for viruses is disabled. | |||||||||
-Windows Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
+Microsoft Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
|
-Windows Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
+Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
|
| Resolution |
|
| Possible reason | -This error indicates that Windows Defender Antivirus failed to quarantine a threat. +This error indicates that Microsoft Defender Antivirus failed to quarantine a threat. |
| ERROR_MP_PLATFORM_OUTDATED | |
| Possible reason | -This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform. +This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform. |
| Resolution |
-You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. |
+You can only use Microsoft Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
Or,
+| 17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable. |
An error occurred with the Windows telemetry service. | -Ensure the diagnostic data service is enabled. + | Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
@@ -198,8 +198,8 @@ See Onboard Windows 10 machines.28 | Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: variable. |
An error occurred with the Windows telemetry service. | -Ensure the diagnostic data service is enabled. + | Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
@@ -220,8 +220,8 @@ See Onboard Windows 10 machines34 | Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable. |
An error occurred with the Windows telemetry service. | -Ensure the diagnostic data service is enabled. + | Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
index d4be39d220..7f62a2a426 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
@@ -30,7 +30,7 @@ Feedback-loop blocking, also referred to as rapid protection, is a component of
## How feedback-loop blocking works
-When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem.
+When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem.
With rapid protection in place, an attack can be stopped on a device, other devices in the organization, and devices in other organizations, as an attack attempts to broaden its foothold.
@@ -47,7 +47,7 @@ If your organization is using Microsoft Defender ATP, feedback-loop blocking is
- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
index d34f5a6332..5c7423def3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
@@ -82,8 +82,8 @@ Follow theses actions to correct known issues related to a misconfigured machine
- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
-- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
-If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
+- [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
+If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index 7e0983fb5f..c5927c9a88 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -56,7 +56,7 @@ For more information on how to configure exclusions from JAMF, Intune, or anothe
Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
-
+
Select the type of exclusion that you wish to add and follow the prompts.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index f1928bc4d1..ebaa93dac7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -51,20 +51,20 @@ To complete this process, you must have admin privileges on the machine.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
- 
+ 
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
- 
+ 
> [!IMPORTANT]
> You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
- 
+ 
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
- 
+ 
The installation proceeds.
@@ -100,7 +100,7 @@ The installation proceeds.
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
- 
+ 
## How to Allow Full Disk Access
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 08235662b7..cf50d3ac04 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -63,7 +63,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
- 
+ 
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
@@ -110,11 +110,11 @@ You do not need any special provisioning for a Mac device beyond a standard [Com
1. Confirm device management.
-
+
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
-
+
2. Select **Continue** and complete the enrollment.
@@ -122,7 +122,7 @@ You may now enroll more devices. You can also enroll them later, after you have
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
-
+
## Create System Configuration profiles
@@ -131,7 +131,7 @@ You may now enroll more devices. You can also enroll them later, after you have
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
4. Select **OK**.
- 
+ 
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for more profiles.
@@ -306,7 +306,7 @@ You may now enroll more devices. You can also enroll them later, after you have
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
-
+
## Publish application
@@ -322,38 +322,38 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
>
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
- 
+ 
7. Select **OK** and **Add**.
- 
+ 
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
- 
+ 
9. Change **Assignment type** to **Required**.
10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
- 
+ 
11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
- 
+ 
## Verify client device state
1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
- 