update WDO draft

This commit is contained in:
iaanw
2016-07-26 18:38:42 -07:00
parent 5aeb15c994
commit 56ba5ad15a


@ -1,7 +1,7 @@
--- ---
title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10 title: Windows Defender Offline in Windows 10
description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender. description:
keywords: scan, command line, mpcmdrun, defender keywords: scan, defender
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.pagetype: security ms.pagetype: security
ms.prod: w10 ms.prod: w10
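Review bot: the new front matter leaves `description:` empty where the old file had `description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.`, so the page will publish with no summary text for search results or the topic index; add a one-line description of Windows Defender Offline that matches the new title and the trimmed `keywords: scan, defender`.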
@ -11,33 +11,171 @@ ms.pagetype: security
author: iaanw author: iaanw
--- ---
# Use PowerShell cmdlets to configure and run Windows Defender # Windows Defender Offline in Windows 10
**Applies to:** **Applies to:**
- Windows 10, version 1607
- Windows 10
Windows Defender Offline (WDO) is an offline scanning tool that lets you boot from a trusted environment. The tool is effective in detecting and removing persistent malware such as rootkits.
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
Read more in [What is Windows Defender Offline](http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline)
For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.
In Windows 10 Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
## Pre-requisites and requirements
> **Note:**  PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10. For more information, see:
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
- Minimum hardware requirements(https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
**Use Windows Defender PowerShell cmdlets** > **Note:**  Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
1. Click **Start**, type **powershell**, and press **Enter**. - Hardware component guidelines(https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
2. Click **Windows PowerShell** to open the interface.
> **Note:**  You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. To run Windows Defender Offline, you must have administrator privileges on the PC.
3. Enter the command and parameters.
## Windows Defender Offline updates
To open online help for any of the cmdlets type the following:
Windows Defender Offline uses the most up-to-date signature definitions available; it<69>s updated through the same update session as Windows Defender <20> usually though Microsoft Update or through the Microsoft Malware Protection Center(https://www.microsoft.com/security/portal/definitions/adl.aspx). The Windows Defender Offline image is the same platform connected through the hardwired network, so it can update itself from the wired network.
```text
Get-Help <cmdlet> -Online You can still download Windows Defender Offline and create bootable media to run on any PCs that are not connected to the internet. {{This still true?]]
```
Omit the `-online` parameter to get locally cached help. ## Usage scenarios
In most instances, you will run Windows Defender Offline after being prompted to do so by Windows Defender. You might also choose to run Windows Defender Offline if:
- You have reason to suspect malware is on the endpoint but it is not being detected by Windows Defender
- You want to perform the most complete scan available to ensure the endpoint is not infected
- Windows Defender reports that it has successfully cleaned or remediated a threat, however the threat returns
If Windows Defender determines that Windows Defender Offline needs to be run, it will prompt the user on the endpoint. {{Is this also revealed on SCCM or to the admin? How is that managed?}}
The prompt can occur via a notification, similar to the following:
The user will also be notified within the Windows Defender client:
## Manage notifications
You can suppress Windows Defender Offline notifications with Group Policy.
**Suppress notifications with the Group Policy Management Console**
1. On your GP management machine, open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure, and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree through **Windows components > Windows Defender > Client Interface**.
1. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**.
{{Is this the correct setting in GPMC? I can<61>t find a WDO suppress GP setting <20> this is the only one but it matches the description in the .adm template section. Which makes me wonder if the name of the setting in the template is correct or outdated? See the image below}}
**Suppress notifications with the ADM template**
1. Download the windowsdefender.adm Group Policy from [Group Policy ADM files](https://www.microsoft.com/en-us/download/details.aspx?id=18664) on the Microsoft Download Center if it is not already deployed in Windows and visible in the Group Policy Object Editor or Group Policy Management Console.
2. Add the windowsdefender.adm [Group Policy template as described in the Add or remove an Administrative Template (.adm file)](https://technet.microsoft.com/en-us/library/cc739134(v=ws.10).aspx) topic.
3. Use the following Group Policy setting: {{ Is this template distributed by default in Windows? Or does an admin need to download it from somewhere? Can they get it from here https://www.microsoft.com/en-us/download/details.aspx?id=18664}}
- Setting name: **SuppressWdoNotification**
- Group Policy location: **Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Client Interface**
- Registry path and value name: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UXConfiguration**
- Description: **Suppresses WDO notification in UI only (for cases where UI cannot be in lockdown mode).**
For information about managing ADMX files and using a central store for Administrative Templates files, see Managing Group Policy ADMX Files Step-by-Step Guide. For Group Policy planning information, see Group Policy Planning and Deployment Guide.
## Run a scan
Windows Defender Offline uses up-to-date threat definitions to scan your PC for malware that might be hidden.
> **Note:**&nbsp;&nbsp;Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. When it<69>s complete, your PC will restart.
You can set up a Windows Defender Offline scan with the following:
- Windows Defender
- Windows **Update and Security** settings
- Windows Management Instrumentation (WMI)
- PowerShell
- Group Policy
> **Note:**&nbsp;&nbsp;The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
**Run Windows Defender Offline from Windows Defender**
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
2. On the **Home** tab, click **Download and Run**.
3. Follow the prompts to continue with the scan. You might be warned that you<6F>ll be signed out of Windows and that the endpoint will restart.
**Run Windows Defender Offline from Windows Settings**
1. Open the **Start** menu, and click or type **Settings**.
2. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
4. Click **Scan offline**.
5. Follow the prompts to continue with the scan. You might be warned that you<6F>ll be signed out of Windows and that the endpoint will restart.
**Use WMI to configure and run Windows Defender Offline**
Use the `MSFT_MpWDOScan` class (part of the Windows Defender WMI provider) to run a Windows Defender Offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
```WMI
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
```
See the following topics for configuration parameters and options:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
You can also use WMI to enable and disable certain features in WDO. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
See the following topics for configuration parameters and options:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
To run WDO remotely, xxx. {{How do we do this? Still in pipeline?}}
**Run Windows Defender Offline using PowerShell**
Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
See the [Use PowerShell cmdlets to configure and run Windows Defender](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10) topic for more details on available cmdlets and options.
## Review scan results
Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
2. Go to the **History** tab.
1. Select **All detected items**.
2. Click **View details**.
Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
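Review bot: the "Use WMI to configure and run Windows Defender Offline" section says `you can use Set-MpPreference to change the UILockdown setting`, but `Set-MpPreference` is the PowerShell cmdlet; the WMI counterpart is the `MSFT_MpPreference` class that the list right below it links to, so either reword the sentence to reference that class or move it into the PowerShell section. In that PowerShell section, `Use the PowerShell parameter Start-MpWDOScan` should read "cmdlet", since `Start-MpWDOScan` is a cmdlet, not a parameter. Under "Suppress notifications with the ADM template" the bullet is labelled "Registry path and value name" but gives only the key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UXConfiguration`; without the value name an admin who sets the policy by hand (or audits it) has nothing to set or look for, so add it or drop "and value name" from the label. Remaining draft issues to clear before this is published: `To run WDO remotely, xxx.` and the `{{...}}` author queries are still in the body, and `{{This still true?]]` has mismatched delimiters; the hardware-requirement and Malware Protection Center links are missing their markdown brackets (`Minimum hardware requirements(https://msdn.microsoft.com/...)`); "usually though Microsoft Update" should be "through" and "Windows Server Stock Keeping Units" is normally written "SKUs"; the smart-quote and dash characters render as `<69>` and `<20>`, which suggests the file was saved in a non-UTF-8 code page and should be re-saved as UTF-8; the numbered steps in the GPMC procedure, the Windows Settings procedure and "Review scan results" run 1,3,4,5,1 / 1,2,4,5 / 1,2,1,2; the "similar to the following:" and "notified within the Windows Defender client:" sentences end on a colon with no image or text following; the two "See the following topics" lists both repeat the WMIv2 APIs link and could be merged; and the `wmic` snippet is fenced as ```WMI, which no highlighter recognises, so fence it as `cmd` or `text` to match the `text` fence used for the `Get-Help` example.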