From c6a5dadd2fea0c1d2f70dfc1132d8ff54a99b90b Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Fri, 20 Dec 2019 18:40:05 -0800 Subject: [PATCH 01/19] fifteen files for system config rebrand --- ...ially-unwanted-apps-windows-defender-antivirus.md | 10 +++++----- ...le-cloud-protection-windows-defender-antivirus.md | 4 ++-- ...event-based-updates-windows-defender-antivirus.md | 4 ++-- ...-outdated-endpoints-windows-defender-antivirus.md | 4 ++-- ...ion-update-schedule-windows-defender-antivirus.md | 2 +- ...-protection-updates-windows-defender-antivirus.md | 10 +++++----- ...e-updates-baselines-windows-defender-antivirus.md | 2 +- ...es-to-security-settings-with-tamper-protection.md | 6 +++--- .../report-monitor-windows-defender-antivirus.md | 2 +- ...review-scan-results-windows-defender-antivirus.md | 2 +- .../run-scan-windows-defender-antivirus.md | 2 +- ...uled-catch-up-scans-windows-defender-antivirus.md | 2 +- ...ud-protection-level-windows-defender-antivirus.md | 4 ++-- ...tune-config-manager-windows-defender-antivirus.md | 6 +++--- ...ft-cloud-protection-windows-defender-antivirus.md | 12 ++++++------ 15 files changed, 36 insertions(+), 36 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 0013143d29..43e244ba36 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -79,7 +79,7 @@ The notification will appear in the usual [quarantine list within the Windows Se #### Configure PUA protection in Windows Defender Antivirus -You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. +You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. 
@@ -94,14 +94,14 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic ##### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in the System Center Configuration Manager (Current Branch), starting with version 1606. +PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch), starting with version 1606. -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (Current Branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager. +> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. ##### Use Group Policy to configure PUA protection @@ -133,7 +133,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use #### View PUA events -PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. You can turn on email notifications to receive mail about PUA detections. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 328b3fc5a0..6d7e496eec 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -28,7 +28,7 @@ ms.custom: nextgen Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. 
@@ -62,7 +62,7 @@ For more information about Intune device profiles, including how to create and c **Use Configuration Manager to enable cloud-delivered protection:** -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). **Use Group Policy to enable cloud-delivered protection:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index c238f05823..20d523d368 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md 
@@ -27,11 +27,11 @@ Windows Defender Antivirus allows you to determine if updates should (or should ## Check for protection updates before running a scan -You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. +You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. ### Use Configuration Manager to check for protection updates before running a scan -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index fabe399119..9a6e186de0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md 
@@ -35,7 +35,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie ### Use Configuration Manager to configure catch-up protection updates -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section and configure the following settings: @@ -164,7 +164,7 @@ See the following for more information and allowed parameters: ### Use Configuration Manager to configure catch-up scans -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index 0185b12a58..c67fd41aa8 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -36,7 +36,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Configuration Manager to schedule protection updates -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index f76c49cd91..e84e13a57e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md 
@@ -52,11 +52,11 @@ There are five locations where you can specify where an endpoint should obtain u - [Microsoft Update](https://support.microsoft.com/help/12373/windows-update-faq) - [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) -- [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/servers/manage/updates) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/servers/manage/updates) - [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview) - [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.) -To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, System Center Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. +To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. 
> [!IMPORTANT] > If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). 
@@ -70,11 +70,11 @@ Each source has typical scenarios that depend on how your network is configured, |Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.| |Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.| |File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| -|System Center Configuration Manager | You are using System Center Configuration Manager to update your endpoints.| +|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.| |Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| -You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. +You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. > [!IMPORTANT] > If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). 
@@ -113,7 +113,7 @@ The procedures in this article first describe how to set the order, and then how ## Use Configuration Manager to manage the update location -See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ## Use PowerShell cmdlets to manage the update location diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 775068abed..40bc802e34 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md 
@@ -40,7 +40,7 @@ The cloud-delivered protection is always on and requires an active connection to Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. -You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +You can manage the distribution of updates through Windows Server Update Service (WSUS), with [ Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. ## In this section diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 817ec8cbb1..c9f0ee3311 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md 
@@ -141,15 +141,15 @@ Value DisableRealtimeMonitoring = 0 Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune. -### Can I configure Tamper Protection in System Center Configuration Manager? +### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? -Currently we do not have support to manage Tamper Protection through System Center Configuration Manager. +Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager. ### I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune? Currently, configuring Tamper Protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? +### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? You won’t be able to change the features that are protected by Tamper Protection; those change requests are ignored. diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 16f606bbae..b454b8490d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md 
@@ -23,7 +23,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 78fed4d5d4..7e8c703d2d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md 
@@ -1,6 +1,6 @@ --- title: Review the results of Windows Defender AV scans -description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app +description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh ms.pagetype: security diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 66db88455e..4db84ce762 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -41,7 +41,7 @@ A full scan can be useful on endpoints that have encountered a malware threat to ## Use Configuration Manager to run a scan -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. +See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. ## Use the mpcmdrun.exe command-line utility to run a scan diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index e49771c6ae..82c22fd0a3 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -31,7 +31,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). To configure the Group Policy settings described in this topic: diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index e6b6bf10d0..0480d91f4e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -23,7 +23,7 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. +You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. @@ -47,7 +47,7 @@ For more information about Intune device profiles, including how to create and c ## Use Configuration Manager to specify the level of cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ## Use Group Policy to specify the level of cloud-delivered protection 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 6ed604307a..df5a122dda 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure Windows Defender Antivirus with Configuration Manager and Intune -description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection +description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -17,13 +17,13 @@ ms.reviewer: manager: dansimp --- -# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus +# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. +If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index e1d2d9c8e9..c263d97a41 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
@@ -60,10 +60,10 @@ Organizations running Windows 10 E5, version 1803 can also take advantage of eme >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager. +The following table describes the differences in cloud-delivered protection between recent versions of Windows and Microsoft Endpoint Configuration Manager. -Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune +Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune ---|---|---|---|---|---|--- Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version 
@@ -76,8 +76,8 @@ You can also [configure Windows Defender AV to automatically receive new protect Topic | Description ---|--- -[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. -[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. +[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. +[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. 
-[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with System Center Configuration Manager and Group Policy. -[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy. +[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. From 96f2accf27e11730caf9f7016ed12ce46cc3d487 Mon Sep 17 00:00:00 2001 
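Review bot: the rebranded row for "Configure the block at first sight feature" in utilize-microsoft-cloud-protection-windows-defender-antivirus.md carries over two defects from the removed line that this PR is the natural place to fix, since the line is being rewritten anyway: the stray space in "traditional Security intelligence ." (space before the period) and the claim that the feature is enabled "with Microsoft Endpoint Configuration Manager and Group Policy" only, although the block at first sight article added later in this same PR documents Intune as a configuration method as well. Suggest "...without having to wait hours for traditional Security intelligence updates. You can enable and configure it with Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy."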
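Review bot: in the comparison table header of utilize-microsoft-cloud-protection-windows-defender-antivirus.md the "System Center Configuration Manager 2012" column is correctly left with the old name (only the Current Branch column is rebranded), but the introductory sentence just above it now reads "between recent versions of Windows and Microsoft Endpoint Configuration Manager", which no longer describes a table that still has a System Center 2012 column. Suggest the neutral wording "between recent versions of Windows and Configuration Manager" for that sentence, or mention both product names explicitly.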
From: LauraKellerGitHub Date: Sat, 21 Dec 2019 05:58:13 -0800 Subject: [PATCH 02/19] adding updated files to PR --- ...types-windows-defender-antivirus - Copy.md | 104 +++++ ...sight-windows-defender-antivirus - Copy.md | 166 ++++++++ ...sions-windows-defender-antivirus - Copy.md | 366 ++++++++++++++++++ ...tions-windows-defender-antivirus - Copy.md | 130 +++++++ ...tions-windows-defender-antivirus - Copy.md | 106 +++++ ...sions-windows-defender-antivirus - Copy.md | 199 ++++++++++ ...ation-windows-defender-antivirus - Copy.md | 72 ++++ ...dows-defender-antivirus-features - Copy.md | 49 +++ ...scans-windows-defender-antivirus - Copy.md | 37 ++ ...eport-windows-defender-antivirus - Copy.md | 85 ++++ ...eploy-windows-defender-antivirus - Copy.md | 38 ++ ...-apps-windows-defender-antivirus - Copy.md | 149 +++++++ ...ction-windows-defender-antivirus - Copy.md | 143 +++++++ 13 files changed, 1644 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md create mode 100644 
windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..1ec92d64e6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,104 @@ +--- +title: Configure scanning options for Windows Defender AV +description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files). +keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 10/25/2018 +ms.reviewer: +manager: dansimp + +--- + +# Configure Windows Defender Antivirus scanning options + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +**Use Microsoft Intune to configure scanning options** + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + + + +**Use Configuration Manager to configure scanning options:** + +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). + +**Use Group Policy to configure scanning options** + +To configure the Group Policy settings described in the following table: + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + +Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class +---|---|---|--- +See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` +Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available +Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan` + Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` +Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles` +Scan packed executables | Scan > Scan packed executables | Enabled | Not available +Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` +Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available + Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. 
| Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` + Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available + Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available + +>[!NOTE] +>If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. + +**Use PowerShell to configure scanning options** + +See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use WMI to configure scanning options** + +For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). + +### Email scanning limitations + +We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. + +Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails. + +You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. 
The following file format types can be scanned and remediated: + +- DBX +- MBX +- MIME + +PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. + +If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: + +- Email subject +- Attachment name + +>[!WARNING] +>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: +> +> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) +> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) + +## Related topics + +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..1fb5ff7d26 --- /dev/null 
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,166 @@ +--- +title: Enable Block at First Sight to detect malware in seconds +description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly. +keywords: scan, BAFS, malware, first seen, first sight, cloud, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.reviewer: +manager: dansimp +ms.custom: nextgen +--- + +# Enable block at first sight + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. + +You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. + +>[!TIP] +>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. + +## How it works + +When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. 
The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. + +Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) + +In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. + +Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. + +If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. + +In many cases, this process can reduce the response time for new malware from hours to seconds. + +## Confirm and validate that block at first sight is enabled + +Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. + +### Confirm block at first sight is enabled with Intune + +1. 
In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. + + > [!NOTE] + > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. + +2. Verify these settings are configured as follows: + + - **Cloud-delivered protection**: **Enable** + - **File Blocking Level**: **High** + - **Time extension for file scanning by the cloud**: **50** + - **Prompt users before sample submission**: **Send all data without prompting** + + ![Intune config](images/defender/intune-block-at-first-sight.png) + + > [!WARNING] + > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). + +For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). + +For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus). + +### Enable block at first sight with SCCM + +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. + +2. Click **Home** > **Create Antimalware Policy**. + +3. Enter a name and a description, and add these settings: + - **Real time protection** + - **Advanced** + - **Cloud Protection Service** + +4. 
In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. + ![Enable real-time protection](images/defender/sccm-real-time-protection.png) + +5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. + ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) + +6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. + ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) + +7. Click **OK** to create the policy. + + +### Confirm block at first sight is enabled with Group Policy + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: + + - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + + - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. + + > [!WARNING] + > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. + +4. 
In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**: + + 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. + + 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. + +If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. + +### Confirm block at first sight is enabled with the Windows Security app + +You can confirm that block at first sight is enabled in Windows Settings. + +Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. + +### Confirm Block at First Sight is enabled on individual clients + +1. Open the Windows Security app by clicking the shield icon in the task bar. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: + + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +> [!NOTE] +> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. 
+ +### Validate block at first sight is working + +You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). + +## Disable block at first sight + +> [!WARNING] +> Disabling block at first sight will lower the protection state of the endpoint and your network. + +You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. + +### Disable block at first sight with Group Policy + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**. + +4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. + + > [!NOTE] + > Disabling block at first sight will not disable or alter the prerequisite group policies. + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..6ab53e6c67 --- /dev/null 
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,366 @@ +--- +title: Configure and validate exclusions based on extension, name, or location +description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location. +keywords: exclusions, files, extension, file type, folder name, file name, scans +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 12/10/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure and validate exclusions based on file extension and folder location + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> [!IMPORTANT] +> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). + +## Exclusion lists + +You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. 
+ +> [!NOTE] +> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. + +This topic describes how to configure exclusion lists for the files and folders. + +Exclusion | Examples | Exclusion list +---|---|--- +Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions +Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions +A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions +A specific process | The executable file `c:\test\process.exe` | File and folder exclusions + +Exclusion lists have the following characteristics: + +- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. +- File extensions will apply to any file name with the defined extension if a path or folder is not defined. + +>[!IMPORTANT] +>The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. +> +>You cannot exclude mapped network drives. You must specify the actual network path. +> +>Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. 
+ +To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). + +The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). + +>[!IMPORTANT] +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +> +>Changes made in the Windows Security app **will not show** in the Group Policy lists. + +By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts. + +You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
+ +## Configure the list of exclusions based on folder name or file extension + +### Use Intune to configure file name, folder, or file extension exclusions + +See the following articles: +- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) +- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) + +### Use Configuration Manager to configure file name, folder, or file extension exclusions + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). + +### Use Group Policy to configure folder or file extension exclusions + +>[!NOTE] +>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. + +4. Double-click the **Path Exclusions** setting and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. + 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. + +5. 
Click **OK**. + + ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) + +6. Double-click the **Extension Exclusions** setting and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. + 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. + +7. Click **OK**. + + ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) + + + +### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions + +Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). + +The format for the cmdlets is: + +```PowerShell + - "" +``` + +The following are allowed as the \: + +Configuration action | PowerShell cmdlet +---|--- +Create or overwrite the list | `Set-MpPreference` +Add to the list | `Add-MpPreference` +Remove item from the list | `Remove-MpPreference` + +The following are allowed as the \: + +Exclusion type | PowerShell parameter +---|--- +All files with a specified file extension | `-ExclusionExtension` +All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` + +>[!IMPORTANT] +>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. 
+ +For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension: + +```PowerShell +Add-MpPreference -ExclusionExtension ".test" +``` + +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). + +### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions + +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +ExclusionExtension +ExclusionPath +``` + +The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. + +For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). + + + +### Use the Windows Security app to configure file name, folder, or file extension exclusions + +See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. + + +## Use wildcards in the file name and folder path or extension exclusion lists + +You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. + +>[!IMPORTANT] +>There are key limitations and usage scenarios for these wildcards: +> +>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. 
+>- You cannot use a wildcard in place of a drive letter. +>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. + +The following table describes how the wildcards can be used and provides some examples. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
WildcardUse in file name and file extension exclusionsUse in folder exclusionsExample useExample matches
* (asterisk)Replaces any number of characters.
Only applies to files in the last folder defined in the argument.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wild carded and named folders, all subfolders will also be included.
+
    +
  1. C:\MyData\*.txt
  2. +
  3. C:\somepath\*\Data
  4. +
  5. C:\Serv\*\*\Backup +
+
+
    +
  1. C:\MyData\notes.txt
  2. +
  3. Any file in: +
      +
    • C:\somepath\Archives\Data and its subfolders
    • +
    • C:\somepath\Authorized\Data and its subfolders
    • +
    +
  4. Any file in: +
      +
    • C:\Serv\Primary\Denied\Backup and its subfolders
    • +
    • C:\Serv\Secondary\Allowed\Backup and its subfolders
    • +
    +
+
+ ? (question mark) + + Replaces a single character.
+ Only applies to files in the last folder defined in the argument. +
+ Replaces a single character in a folder name.
+ After matching the number of wild carded and named folders, all subfolders will also be included. +
+
    +
  1. C:\MyData\my?.zip
  2. +
  3. C:\somepath\?\Data
  4. +
  5. C:\somepath\test0?\Data
  6. +
+
+
    +
  1. C:\MyData\my1.zip
  2. +
  3. Any file in C:\somepath\P\Data and its subfolders
  4. +
  5. Any file in C:\somepath\test01\Data and its subfolders
  6. +
+
Environment variablesThe defined variable will be populated as a path when the exclusion is evaluated.Same as file and extension use. +
    +
  1. %ALLUSERSPROFILE%\CustomLogFiles
  2. +
+
+
    +
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
  2. +
+
+ +>[!IMPORTANT] +>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. +> +>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*. +> +>This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`. + + + +## Review the list of exclusions + +You can retrieve the items in the exclusion list using one of the following methods: +- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) +- MpCmdRun +- PowerShell +- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions) + +>[!IMPORTANT] +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +> +>Changes made in the Windows Security app **will not show** in the Group Policy lists. + +If you use PowerShell, you can retrieve the list in two ways: + +- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. 
+ +### Validate the exclusion list by using MpCmdRun + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + +### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell + +Use the following cmdlet: + +```PowerShell +Get-MpPreference +``` + +In the following example, the items contained in the `ExclusionExtension` list are highlighted: + +![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png) + +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). 
+ +### Retrieve a specific exclusions list by using PowerShell + +Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: + +```PowerShell +$WDAVprefs = Get-MpPreference +$WDAVprefs.ExclusionExtension +$WDAVprefs.ExclusionPath +``` + +In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet: + +![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png) + +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). + + + +## Validate exclusions lists with the EICAR test file + +You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file. + +In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path. + +```PowerShell +Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" +``` + +If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html). 
+ +You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: + +```PowerShell +$client = new-object System.Net.WebClient +$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt") +``` + +If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command: + +```PowerShell +[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*') +``` + +You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. + +## Related topics + +- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..39f0cb02b4 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md 
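Review bot: the cmdlet format block under "Use PowerShell cmdlets to configure file name, folder, or file extension exclusions" renders as ` - ""` and the two sentences that introduce the tables end in a bare `\:`, so the placeholders for the cmdlet, the exclusion-list parameter and the item have been lost (the stray `\` suggests an escaped angle bracket whose tag was stripped); the same has happened to the path placeholder in `MpCmdRun.exe -CheckExclusion -path` under "Validate the exclusion list by using MpCmdRun". Restore the placeholders, escaping both brackets in prose and leaving them unescaped inside the fenced blocks, so the instructions are usable again. Smaller points: "Windows Management Instruction (WMI)" should read "Windows Management Instrumentation"; the mpcmdrun link carries a `?branch=v-anbic-wdav-new-mpcmdrun-options` query string that points at a working branch and should be removed; and the EICAR download in "Validate exclusions lists with the EICAR test file" is fetched over plain `http://`, so prefer an https URL if the site offers one, since a test file altered in transit is not a valid check of the exclusion. The wildcard section would also benefit from one sentence noting that, because every folder-wildcard example in the table also covers "and its subfolders", a pattern such as `C:\somepath\*\Data` removes far more than one directory from scanning, so exclusions should be kept as specific as the workload allows.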
@@ -0,0 +1,130 @@ +--- +title: Configure and validate Windows Defender Antivirus network connections +description: Configure and test your connection to the Windows Defender Antivirus cloud protection service. +keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 10/08/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure and validate Windows Defender Antivirus network connections + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. + +This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services. + +See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. 
+ +>[!TIP] +>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +> +>- Cloud-delivered protection +>- Fast learning (including block at first sight) +>- Potentially unwanted application blocking + +## Allow connections to the Windows Defender Antivirus cloud service + +The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. + +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. + +See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. + +After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. + +Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. 
Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. + + +| **Service**| **Description** |**URL** | +| :--: | :-- | :-- | +| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| +| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`| +|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| +| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | +| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` | +| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| + +## Validate connections between your network and the cloud + +After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. + +**Use the cmdline tool to validate cloud-delivered protection:** + +Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service: + +```DOS +"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection +``` + +> [!NOTE] +> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. + +For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md). + +**Attempt to download a fake malware file from Microsoft:** + +You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. + +Download the file by visiting the following link: +- https://aka.ms/ioavtest + +>[!NOTE] +>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. 
+ +If you are properly connected, you will see a warning Windows Defender Antivirus notification: + +![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png) + +If you are using Microsoft Edge, you'll also see a notification message: + +![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png) + +A similar message occurs if you are using Internet Explorer: + +![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) + +You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app: + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: + + ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) + +3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: + + ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png) + +>[!NOTE] +>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md). + +The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). + +>[!IMPORTANT] +>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. 
+ +## Related articles + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) + +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) + +- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) + +- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..03afa1681f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md 
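Review bot: the new file name ends in ` - Copy.md` (`configure-network-connections-windows-defender-antivirus - Copy.md`), which looks like an accidental Windows Explorer duplicate of the existing article rather than content intended for the docs set; it should be dropped from the patch, or renamed and de-duplicated if a second article is really wanted. Its front matter also repeats `ms.pagetype: security`. The paragraph under "Allow connections to the Windows Defender Antivirus cloud service" contradicts itself: it first says not to exclude `*.blob.core.windows.net` from any network inspection, then says to create an allow rule "(excluding the URL `*.blob.core.windows.net`)", while the table lists the specific `uss*.blob.core.windows.net` submission hosts. State plainly that only the listed blob hosts need an allow rule and that a wildcard covering all of `*.blob.core.windows.net` should not be used, since that would permit traffic to any Azure Blob storage account, and rewrite "Below mention URLs are using port 443 for communication" as "The URLs below use TCP port 443". Minor: "After whitelisting" reads better as "After allowing", "Run an Windows Defender Antivirus scan" should be "Run a", and the Related articles entry links `command-line-arguments-windows-defender-antivirus.md` twice under two different titles.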
@@ -0,0 +1,106 @@ +--- +title: Configure Windows Defender Antivirus notifications +description: Configure and customize Windows Defender Antivirus notifications. +keywords: notifications, defender, antivirus, endpoint, management, admin +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure the notifications that appear on endpoints + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. + +Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals. + +You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated. + +## Configure the additional notifications that appear on endpoints + +You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy. + +> [!NOTE] +> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. + +> [!IMPORTANT] +> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. 
+ +**Use the Windows Security app to disable additional notifications:** + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Scroll to the **Notifications** section and click **Change notification settings**. + +4. Slide the switch to **Off** or **On** to disable or enable additional notifications. + +**Use Group Policy to disable additional notifications:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. + +5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + +## Configure standard notifications on endpoints + +You can use Group Policy to: + +- Display additional, customized text on endpoints when the user needs to perform an action +- Hide all notifications on endpoints +- Hide reboot notifications on endpoints + +Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. 
+ +> [!NOTE] +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). + +See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. + +**Use Group Policy to hide notifications:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + +**Use Group Policy to hide reboot notifications:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. 
+ +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..79e9d90a7b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md @@ -0,0 +1,199 @@ +--- +title: Configure exclusions for files opened by specific processes +description: You can exclude files from scans if they have been opened by a specific process. +keywords: Windows Defender Antivirus, process, exclusion, files, scans +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 12/10/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure exclusions for files opened by processes + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. + +This topic describes how to configure exclusion lists for the following: + + + +Exclusion | Example +---|--- +Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
  • c:\sample\test.exe
  • d:\internal\files\test.exe
+Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
  • c:\test\sample\test.exe
  • c:\test\sample\test2.exe
  • c:\test\sample\utility.exe
+Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe + +When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). + +The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans. + +Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. + +You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. + +You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. + +By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. + +You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
+ +## Configure the list of exclusions for files opened by specified processes + + + +### Use Microsoft Intune to exclude files that have been opened by specified processes from scans + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + +### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). + +### Use Group Policy to exclude files that have been opened by specified processes from scans + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. + +4. Double-click **Process Exclusions** and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. + 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + +5. Click **OK**. 
+ +![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) + + + +### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans + +Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). + +The format for the cmdlets is: + +```PowerShell + -ExclusionProcess "" +``` + +The following are allowed as the \: + +Configuration action | PowerShell cmdlet +---|--- +Create or overwrite the list | `Set-MpPreference` +Add to the list | `Add-MpPreference` +Remove items from the list | `Remove-MpPreference` + +>[!IMPORTANT] +>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. + +For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process: + +```PowerShell +Add-MpPreference -ExclusionProcess "c:\internal\test.exe" +``` + +See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
+ +### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans + +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +ExclusionProcess +``` + +The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. + +See the following for more information and allowed parameters: + +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) + + + +### Use the Windows Security app to exclude files that have been opened by specified processes from scans + +See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. + + + +## Use wildcards in the process exclusion list + +The use of wildcards in the process exclusion list is different from their use in other exclusion lists. + +In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. + +The following table describes how the wildcards can be used in the process exclusion list: + +Wildcard | Use | Example use | Example matches +---|---|---|--- +\* (asterisk) | Replaces any number of characters |
  • C:\MyData\\*
|
  • Any file opened by C:\MyData\file.exe
+? (question mark) | Not available | \- | \- +Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
+ + + +## Review the list of exclusions + +You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). + +If you use PowerShell, you can retrieve the list in two ways: + +- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. + +### Validate the exclusion list by using MpCmdRun + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + + +### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell + +Use the following cmdlet: + +```PowerShell +Get-MpPreference +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
+ +### Retrieve a specific exclusions list by using PowerShell + +Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: + +```PowerShell +$WDAVprefs = Get-MpPreference +$WDAVprefs.ExclusionProcess +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. + +## Related articles + +- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..7b22fa2f60 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,72 @@ +--- +title: Remediate and resolve infections detected by Windows Defender Antivirus +description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +keywords: remediation, fix, remove, threats, quarantine, scan, restore +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure remediation for Windows Defender Antivirus scans + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. + +This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). + +You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings. + +## Configure remediation options + +You can configure how remediation works with the Group Policy settings described in this section. + +To configure these settings: + +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + +Location | Setting | Description | Default setting (if not configured) +---|---|---|--- +Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled +Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days +Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) +Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed +Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable +Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. 
You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable + +> [!IMPORTANT] +> Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. +>

+> If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). +>

+> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md). + +Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings. + +## Related topics + +- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) +- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +- [Configure end-user Windows Defender Antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md new file mode 100644 index 0000000000..3532148261 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md 
@@ -0,0 +1,49 @@ +--- +title: Configure Windows Defender Antivirus features +description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. +keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure Windows Defender Antivirus features + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can configure Windows Defender Antivirus with a number of tools, including: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets +- Windows Management Instrumentation (WMI) + +The following broad categories of features can be configured: + +- Cloud-delivered protection +- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection +- How end-users interact with the client on individual endpoints + +The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). + +You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help. 
+ +## In this section +Topic | Description +:---|:--- +[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection +[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection +[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..b0b2030e32 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,37 @@ +--- +title: Run and customize scheduled and on-demand scans +description: Customize and initiate Windows Defender Antivirus scans on endpoints across your network. +keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Windows Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. + +## In this section + +Topic | Description +---|--- +[Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning +[Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. 
You can also enable network file scanning +[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans +[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app +[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..295d507e65 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,85 @@ +--- +title: Deploy, manage, and report on Windows Defender Antivirus +description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI +keywords: deploy, manage, update, protection, windows defender antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Deploy, manage, and report on Windows Defender Antivirus + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. + +Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. + +However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. + +You'll also see additional links for: + +- Managing Windows Defender Antivirus protection, including managing product and protection updates +- Reporting on Windows Defender Antivirus protection + +> [!IMPORTANT] +> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus. 
+ +Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options +---|---|---|--- +Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) +Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] +Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. 
You can generate a list of [Group Policies to determine if any settings or policies are not applied][] +PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] +Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] +Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. 
You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. + +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) + +2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) + +3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. 
[(Return to table)](#ref2) + +[Endpoint Protection point site system role]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-site-role +[default and customized antimalware policies]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies +[client management]: https://docs.microsoft.com/sccm/core/clients/manage/manage-clients +[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-configure-client +[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection +[email alerts]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts +[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune +[custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection + [custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection +[manage tasks]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection +[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection +[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/library/dn439474 +[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/library/dn439474 +[MSFT_MpComputerStatus]: https://msdn.microsoft.com/library/dn455321 +[Windows Defender WMIv2 Provider]: 
https://msdn.microsoft.com/library/dn439477 +[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md +[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature +[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index +[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md +[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md +[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx +[Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices +[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md + +## In this section + +Topic | Description +---|--- +[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. +[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. 
+[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..6f8dd3363b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md 
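Review bot: the reference-link block at the top of this hunk defines `[custom Intune policy]` twice, and the second copy is indented by one space, which Markdown will render as literal text instead of a link definition; drop the duplicate. In the same block, `[Set method of the MSFT_MpPreference class]` and `[Update method of the MSFT_MpSignature class]` both resolve to https://msdn.microsoft.com/library/dn439474, so one of the two targets is almost certainly wrong and the MSFT_MpSignature link should be verified before this ships. The "In this section" table is otherwise fine, but note that this whole file is one of the ` - Copy.md` additions that patch 03/19 below deletes again, so the simplest fix is to leave the copy out of the series entirely.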
@@ -0,0 +1,38 @@ +--- +title: Deploy and enable Windows Defender Antivirus +description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. +keywords: deploy, enable, Windows Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Deploy and enable Windows Defender Antivirus + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. + +See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). + +Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. + +The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). 
+ +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..43e244ba36 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md 
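Review bot: the file added here is named `deploy-windows-defender-antivirus - Copy.md` (new file mode 100644), which reads as a Windows Explorer duplicate committed by accident rather than a topic the docs set needs; it would build as a second page with the same title as deploy-windows-defender-antivirus.md, and patch 03/19 below removes it again, so it should not be added in the first place. If the content is kept anywhere, two fixes apply to it: "Windows Management Instruction (WMI)" in the paragraph that points at the deploy-manage-report table should read "Windows Management Instrumentation (WMI)", and the front matter lists `ms.pagetype: security` twice.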
@@ -0,0 +1,149 @@ +--- +title: Block potentially unwanted applications with Windows Defender Antivirus +description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. +keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: detect +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +audience: ITPro +ms.date: 10/02/2018 +ms.reviewer: +manager: dansimp +--- + +# Detect and block potentially unwanted applications + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) + +Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. + +For example: + +* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages. +* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. 
+ +For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). + +Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. + +## How it works + +### Microsoft Edge + +The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). + +#### Enable PUA protection in Chromium-based Microsoft Edge + +Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. + +1. From the tool bar, select **Settings and more** > **Settings** +1. Select **Privacy and services** +1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off + +> [!TIP] +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). + +#### Blocking URLs with Windows Defender SmartScreen + +In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. + +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. 
There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can +[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. + +Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md#create-indicators-for-ips-and-urlsdomains-preview) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. + +### Windows Defender Antivirus + +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. + +> [!NOTE] +> This feature is only available in Windows 10. + +Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. + +When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. + +The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). 
+ +#### Configure PUA protection in Windows Defender Antivirus + +You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. + +You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. + +> [!TIP] +> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. + +PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. + +##### Use Intune to configure PUA protection + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + +##### Use Configuration Manager to configure PUA protection + +PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch), starting with version 1606. + +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). + +For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). + +> [!NOTE] +> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. + +##### Use Group Policy to configure PUA protection + +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**. + +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus**. + +4. Double-click **Configure protection for potentially unwanted applications**. + +5. Select **Enabled** to enable PUA protection. + +6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. + +##### Use PowerShell cmdlets to configure PUA protection + +Use the following cmdlet: + +```PowerShell +Set-MpPreference -PUAProtection +``` + +Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. + +Setting `AuditMode` will detect PUAs without blocking them. + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +#### View PUA events + +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. + +You can turn on email notifications to receive mail about PUA detections. + +See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. + +#### Allow-listing apps + +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. 
See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. + +## Related articles + +- [Next-generation protection](windows-defender-antivirus-in-windows-10.md) +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..6d7e496eec --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md 
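Review bot: under "Use Configuration Manager to configure PUA protection" the link text "How to create and deploy antimalware policies: Scheduled scans settings" points at the `#real-time-protection-settings` anchor, so the text and the anchor disagree; fix whichever is wrong so the reader lands on the section the sentence promises. Under "Use PowerShell cmdlets to configure PUA protection" the fenced command is `Set-MpPreference -PUAProtection` with no value, while the two sentences after it describe `Enabled` and `AuditMode`; show the complete command (for example `Set-MpPreference -PUAProtection Enabled`, and the `AuditMode` variant) so it is copy-pasteable. Smaller items: `ms.pagetype: security` appears twice in the front matter, and the file name `detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md` marks this as another accidental duplicate that patch 03/19 deletes again.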
@@ -0,0 +1,143 @@ +--- +title: Enable cloud-delivered protection in Windows Defender Antivirus +description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +keywords: windows defender antivirus, antimalware, security, cloud, block at first sight +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.reviewer: +manager: dansimp +ms.custom: nextgen +--- + +# Enable cloud-delivered protection + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. + +Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) + +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. 
+ +See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. + +There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. + +>[!NOTE] +>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. + +**Use Intune to enable cloud-delivered protection** + +1. Sign in to the [Azure portal](https://portal.azure.com). +2. Select **All services > Intune**. +3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +5. On the **Cloud-delivered protection** switch, select **Enable**. +6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. +7. In the **Submit samples consent** dropdown, select one of the following: + + - **Send safe samples automatically** + - **Send all samples automatically** + + >[!NOTE] + >**Send safe samples automatically** option means that most samples will be sent automatically. 
Files that are likely to contain personal information will still prompt and require additional confirmation. + + > [!WARNING] + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. + +For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) + +**Use Configuration Manager to enable cloud-delivered protection:** + +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). + +**Use Group Policy to enable cloud-delivered protection:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** + +5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. + +6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: + + 1. **Send safe samples** (1) + 2. 
**Send all samples** (3) + + >[!NOTE] + >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. + + > [!WARNING] + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +7. Click **OK**. + +**Use PowerShell cmdlets to enable cloud-delivered protection:** + +Use the following cmdlets to enable cloud-delivered protection: + +```PowerShell +Set-MpPreference -MAPSReporting Advanced +Set-MpPreference -SubmitSamplesConsent AlwaysPrompt +``` + +>[!NOTE] +>You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. 
+ +**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: + +```WMI +MAPSReporting +SubmitSamplesConsent +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) + +**Enable cloud-delivered protection on individual clients with the Windows Security app** + +> [!NOTE] +> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +>[!NOTE] +>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. 
+ +## Related topics + +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) +- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) +- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] +- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) +- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 83f3c54c4b6b66d46f3ff079f9a9f510ebf89814 Mon Sep 17 00:00:00 2001 
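Review bot: the PowerShell example under "Use PowerShell cmdlets to enable cloud-delivered protection" sets `Set-MpPreference -SubmitSamplesConsent AlwaysPrompt`, but the Intune and Group Policy steps in the same file direct admins to send safe or all samples automatically, and the warning a few lines earlier says that Always Prompt "will lower the protection state of the device"; the example should use the safe-samples value so the page does not contradict its own guidance. The note beneath the example is also inconsistent with the Group Policy section: it introduces the values `None` and `Never`, which appear nowhere else in the file, attributes the lowered protection state to `Never` (the GP warning attributes it to 0, Always Prompt), and switches to the bare number 2 in the same sentence; align it with the 0/1/2/3 mapping spelled out in GP step 6. Minor items in the same hunk: "Windows Management Instruction (WMI)" should be "Windows Management Instrumentation (WMI)"; the ```` ```WMI ```` fence tag is not a recognised language (a plain fence is fine); `ms.pagetype: security` is duplicated in the front matter; and the "Help secure Windows PCs with Endpoint Protection for Microsoft Intune" entry in Related topics has a stray `]` after the closing parenthesis.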
From: LauraKellerGitHub Date: Wed, 22 Jan 2020 12:07:23 -0800 Subject: [PATCH 03/19] removing files --- ...types-windows-defender-antivirus - Copy.md | 104 ----- ...sight-windows-defender-antivirus - Copy.md | 166 -------- ...sions-windows-defender-antivirus - Copy.md | 366 ------------------ ...tions-windows-defender-antivirus - Copy.md | 130 ------- ...tions-windows-defender-antivirus - Copy.md | 106 ----- ...sions-windows-defender-antivirus - Copy.md | 199 ---------- ...ation-windows-defender-antivirus - Copy.md | 72 ---- ...dows-defender-antivirus-features - Copy.md | 49 --- ...scans-windows-defender-antivirus - Copy.md | 37 -- ...eport-windows-defender-antivirus - Copy.md | 85 ---- ...eploy-windows-defender-antivirus - Copy.md | 38 -- ...-apps-windows-defender-antivirus - Copy.md | 149 ------- ...ction-windows-defender-antivirus - Copy.md | 143 ------- 13 files changed, 1644 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md delete mode 100644 
windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md deleted file mode 100644 index 1ec92d64e6..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,104 +0,0 @@ ---- -title: Configure scanning options for Windows Defender AV -description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files). -keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 10/25/2018 -ms.reviewer: -manager: dansimp - ---- - -# Configure Windows Defender Antivirus scanning options - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -**Use Microsoft Intune to configure scanning options** - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - - - -**Use Configuration Manager to configure scanning options:** - -See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - -**Use Group Policy to configure scanning options** - -To configure the Group Policy settings described in the following table: - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. - -4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - -Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class ----|---|---|--- -See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` -Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available -Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan` - Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` -Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles` -Scan packed executables | Scan > Scan packed executables | Enabled | Not available -Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` -Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available - Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. 
| Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` - Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available - Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available - ->[!NOTE] ->If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. - -**Use PowerShell to configure scanning options** - -See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - -**Use WMI to configure scanning options** - -For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). - -### Email scanning limitations - -We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. - -Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails. - -You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. 
The following file format types can be scanned and remediated: - -- DBX -- MBX -- MIME - -PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. - -If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: - -- Email subject -- Attachment name - ->[!WARNING] ->There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: -> -> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) -> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) - -## Related topics - -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) -- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md deleted file mode 100644 index 1fb5ff7d26..0000000000 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,166 +0,0 @@ ---- -title: Enable Block at First Sight to detect malware in seconds -description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly. -keywords: scan, BAFS, malware, first seen, first sight, cloud, defender -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.reviewer: -manager: dansimp -ms.custom: nextgen ---- - -# Enable block at first sight - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. - -You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. - ->[!TIP] ->Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - -## How it works - -When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. 
The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. - -Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). -![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) - -In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. - -Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. - -If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. - -In many cases, this process can reduce the response time for new malware from hours to seconds. - -## Confirm and validate that block at first sight is enabled - -Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. - -### Confirm block at first sight is enabled with Intune - -1. 
In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. - - > [!NOTE] - > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. - -2. Verify these settings are configured as follows: - - - **Cloud-delivered protection**: **Enable** - - **File Blocking Level**: **High** - - **Time extension for file scanning by the cloud**: **50** - - **Prompt users before sample submission**: **Send all data without prompting** - - ![Intune config](images/defender/intune-block-at-first-sight.png) - - > [!WARNING] - > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). - -For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). - -For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus). - -### Enable block at first sight with SCCM - -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. - -2. Click **Home** > **Create Antimalware Policy**. - -3. Enter a name and a description, and add these settings: - - **Real time protection** - - **Advanced** - - **Cloud Protection Service** - -4. 
In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable real-time protection](images/defender/sccm-real-time-protection.png) - -5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) - -6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. - ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) - -7. Click **OK** to create the policy. - - -### Confirm block at first sight is enabled with Group Policy - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - - - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - - - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. - - > [!WARNING] - > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. - -4. 
In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**: - - 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. - - 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. - -If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. - -### Confirm block at first sight is enabled with the Windows Security app - -You can confirm that block at first sight is enabled in Windows Settings. - -Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. - -### Confirm Block at First Sight is enabled on individual clients - -1. Open the Windows Security app by clicking the shield icon in the task bar. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: - - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) - -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. - -> [!NOTE] -> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. 
- -### Validate block at first sight is working - -You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). - -## Disable block at first sight - -> [!WARNING] -> Disabling block at first sight will lower the protection state of the endpoint and your network. - -You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. - -### Disable block at first sight with Group Policy - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**. - -4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. - - > [!NOTE] - > Disabling block at first sight will not disable or alter the prerequisite group policies. - -## Related topics - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md deleted file mode 100644 index 6ab53e6c67..0000000000 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,366 +0,0 @@ ---- -title: Configure and validate exclusions based on extension, name, or location -description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location. -keywords: exclusions, files, extension, file type, folder name, file name, scans -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 12/10/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure and validate exclusions based on file extension and folder location - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -> [!IMPORTANT] -> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). - -## Exclusion lists - -You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. 
- -> [!NOTE] -> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. - -This topic describes how to configure exclusion lists for the files and folders. - -Exclusion | Examples | Exclusion list ----|---|--- -Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions -Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions -A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions -A specific process | The executable file `c:\test\process.exe` | File and folder exclusions - -Exclusion lists have the following characteristics: - -- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. -- File extensions will apply to any file name with the defined extension if a path or folder is not defined. - ->[!IMPORTANT] ->The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. -> ->You cannot exclude mapped network drives. You must specify the actual network path. -> ->Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. 
- -To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). - -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). - ->[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). -> ->Changes made in the Windows Security app **will not show** in the Group Policy lists. - -By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts. - -You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
- -## Configure the list of exclusions based on folder name or file extension - -### Use Intune to configure file name, folder, or file extension exclusions - -See the following articles: -- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) -- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) - -### Use Configuration Manager to configure file name, folder, or file extension exclusions - -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - -### Use Group Policy to configure folder or file extension exclusions - ->[!NOTE] ->If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. - -4. Double-click the **Path Exclusions** setting and add the exclusions: - - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. - -5. 
Click **OK**. - - ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) - -6. Double-click the **Extension Exclusions** setting and add the exclusions: - - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. - -7. Click **OK**. - - ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) - - - -### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions - -Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). - -The format for the cmdlets is: - -```PowerShell - - "" -``` - -The following are allowed as the \: - -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove item from the list | `Remove-MpPreference` - -The following are allowed as the \: - -Exclusion type | PowerShell parameter ----|--- -All files with a specified file extension | `-ExclusionExtension` -All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` - ->[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. 
- -For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension: - -```PowerShell -Add-MpPreference -ExclusionExtension ".test" -``` - -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). - -### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions - -Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: - -```WMI -ExclusionExtension -ExclusionPath -``` - -The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. - -For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). - - - -### Use the Windows Security app to configure file name, folder, or file extension exclusions - -See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. - - -## Use wildcards in the file name and folder path or extension exclusion lists - -You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. - ->[!IMPORTANT] ->There are key limitations and usage scenarios for these wildcards: -> ->- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. 
->- You cannot use a wildcard in place of a drive letter. ->- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. - -The following table describes how the wildcards can be used and provides some examples. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
WildcardUse in file name and file extension exclusionsUse in folder exclusionsExample useExample matches
* (asterisk)Replaces any number of characters.
Only applies to files in the last folder defined in the argument.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wild carded and named folders, all subfolders will also be included.
-
    -
  1. C:\MyData\*.txt
  2. -
  3. C:\somepath\*\Data
  4. -
  5. C:\Serv\*\*\Backup -
-
-
    -
  1. C:\MyData\notes.txt
  2. -
  3. Any file in: -
      -
    • C:\somepath\Archives\Data and its subfolders
    • -
    • C:\somepath\Authorized\Data and its subfolders
    • -
    -
  4. Any file in: -
      -
    • C:\Serv\Primary\Denied\Backup and its subfolders
    • -
    • C:\Serv\Secondary\Allowed\Backup and its subfolders
    • -
    -
-
- ? (question mark) - - Replaces a single character.
- Only applies to files in the last folder defined in the argument. -
- Replaces a single character in a folder name.
- After matching the number of wild carded and named folders, all subfolders will also be included. -
-
    -
  1. C:\MyData\my?.zip
  2. -
  3. C:\somepath\?\Data
  4. -
  5. C:\somepath\test0?\Data
  6. -
-
-
    -
  1. C:\MyData\my1.zip
  2. -
  3. Any file in C:\somepath\P\Data and its subfolders
  4. -
  5. Any file in C:\somepath\test01\Data and its subfolders
  6. -
-
Environment variablesThe defined variable will be populated as a path when the exclusion is evaluated.Same as file and extension use. -
    -
  1. %ALLUSERSPROFILE%\CustomLogFiles
  2. -
-
-
    -
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
  2. -
-
- ->[!IMPORTANT] ->If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. -> ->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*. -> ->This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`. - - - -## Review the list of exclusions - -You can retrieve the items in the exclusion list using one of the following methods: -- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) -- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) -- MpCmdRun -- PowerShell -- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions) - ->[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). -> ->Changes made in the Windows Security app **will not show** in the Group Policy lists. - -If you use PowerShell, you can retrieve the list in two ways: - -- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. -- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. 
- -### Validate the exclusion list by using MpCmdRun - -To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: - -```DOS -MpCmdRun.exe -CheckExclusion -path -``` - ->[!NOTE] ->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. - -### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell - -Use the following cmdlet: - -```PowerShell -Get-MpPreference -``` - -In the following example, the items contained in the `ExclusionExtension` list are highlighted: - -![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png) - -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). 
- -### Retrieve a specific exclusions list by using PowerShell - -Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: - -```PowerShell -$WDAVprefs = Get-MpPreference -$WDAVprefs.ExclusionExtension -$WDAVprefs.ExclusionPath -``` - -In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet: - -![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png) - -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). - - - -## Validate exclusions lists with the EICAR test file - -You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file. - -In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path. - -```PowerShell -Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" -``` - -If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html). 
- -You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: - -```PowerShell -$client = new-object System.Net.WebClient -$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt") -``` - -If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command: - -```PowerShell -[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*') -``` - -You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. - -## Related topics - -- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) -- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md deleted file mode 100644 index 39f0cb02b4..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,130 +0,0 @@ ---- -title: Configure and validate Windows Defender Antivirus network connections -description: Configure and test your connection to the Windows Defender Antivirus cloud protection service. -keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 10/08/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure and validate Windows Defender Antivirus network connections - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. - -This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services. - -See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. 
- ->[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: -> ->- Cloud-delivered protection ->- Fast learning (including block at first sight) ->- Potentially unwanted application blocking - -## Allow connections to the Windows Defender Antivirus cloud service - -The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. - ->[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. - -See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. - -After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. - -Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. 
Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. - - -| **Service**| **Description** |**URL** | -| :--: | :-- | :-- | -| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| -| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`| -|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| -| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | -| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` | -| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| - -## Validate connections between your network and the cloud - -After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. - -**Use the cmdline tool to validate cloud-delivered protection:** - -Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service: - -```DOS -"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection -``` - -> [!NOTE] -> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. - -For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md). - -**Attempt to download a fake malware file from Microsoft:** - -You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. - -Download the file by visiting the following link: -- https://aka.ms/ioavtest - ->[!NOTE] ->This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. 
- -If you are properly connected, you will see a warning Windows Defender Antivirus notification: - -![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png) - -If you are using Microsoft Edge, you'll also see a notification message: - -![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png) - -A similar message occurs if you are using Internet Explorer: - -![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) - -You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app: - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: - - ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) - -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: - - ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png) - ->[!NOTE] ->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md). - -The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). - ->[!IMPORTANT] ->You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. 
- -## Related articles - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) - -- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) - -- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md deleted file mode 100644 index 03afa1681f..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md +++ /dev/null 
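Review bot: The deleted copy already contains the rebranded wording ("See [Enable cloud-delivered protection]... with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets"), which suggests the rebrand edit landed in `configure-network-connections-windows-defender-antivirus - Copy.md` rather than in the canonical configure-network-connections-windows-defender-antivirus.md; compare the two before this deletion goes in so the rename is not lost with the copy. Two smaller things in the same text are worth carrying over to the canonical page if it matches: the sentence "Below mention URLs are using port 443 for communication" should read "The URLs below use port 443 for communication", and the table's `*.blob.core.windows.net` caveat would be clearer if it stated plainly that the listed `uss*prod.blob.core.windows.net` hosts are the only ones that need the allow rule, since the surrounding prose says both "do not exclude" and "excluding the URL" about the same wildcard.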
@@ -1,106 +0,0 @@ ---- -title: Configure Windows Defender Antivirus notifications -description: Configure and customize Windows Defender Antivirus notifications. -keywords: notifications, defender, antivirus, endpoint, management, admin -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure the notifications that appear on endpoints - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. - -Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals. - -You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated. - -## Configure the additional notifications that appear on endpoints - -You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy. - -> [!NOTE] -> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. - -> [!IMPORTANT] -> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. 
- -**Use the Windows Security app to disable additional notifications:** - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) - -3. Scroll to the **Notifications** section and click **Change notification settings**. - -4. Slide the switch to **Off** or **On** to disable or enable additional notifications. - -**Use Group Policy to disable additional notifications:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. - -5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. - -## Configure standard notifications on endpoints - -You can use Group Policy to: - -- Display additional, customized text on endpoints when the user needs to perform an action -- Hide all notifications on endpoints -- Hide reboot notifications on endpoints - -Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. 
- -> [!NOTE] -> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). - -See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. - -**Use Group Policy to hide notifications:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. - -4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. - -**Use Group Policy to hide reboot notifications:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. - -5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. 
- -## Related topics - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md deleted file mode 100644 index 79e9d90a7b..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md +++ /dev/null @@ -1,199 +0,0 @@ ---- -title: Configure exclusions for files opened by specific processes -description: You can exclude files from scans if they have been opened by a specific process. -keywords: Windows Defender Antivirus, process, exclusion, files, scans -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 12/10/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure exclusions for files opened by processes - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. - -This topic describes how to configure exclusion lists for the following: - - - -Exclusion | Example ----|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
  • c:\sample\test.exe
  • d:\internal\files\test.exe
-Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
  • c:\test\sample\test.exe
  • c:\test\sample\test2.exe
  • c:\test\sample\utility.exe
-Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe - -When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). - -The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans. - -Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. - -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. - -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. - -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. - -You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
- -## Configure the list of exclusions for files opened by specified processes - - - -### Use Microsoft Intune to exclude files that have been opened by specified processes from scans - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - -### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans - -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - -### Use Group Policy to exclude files that have been opened by specified processes from scans - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. - -4. Double-click **Process Exclusions** and add the exclusions: - - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. - -5. Click **OK**. 
- -![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - - - -### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans - -Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). - -The format for the cmdlets is: - -```PowerShell - -ExclusionProcess "" -``` - -The following are allowed as the \: - -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` - ->[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. - -For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process: - -```PowerShell -Add-MpPreference -ExclusionProcess "c:\internal\test.exe" -``` - -See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
- -### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans - -Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: - -```WMI -ExclusionProcess -``` - -The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. - -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - - -### Use the Windows Security app to exclude files that have been opened by specified processes from scans - -See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. - - - -## Use wildcards in the process exclusion list - -The use of wildcards in the process exclusion list is different from their use in other exclusion lists. - -In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. - -The following table describes how the wildcards can be used in the process exclusion list: - -Wildcard | Use | Example use | Example matches ----|---|---|--- -\* (asterisk) | Replaces any number of characters |
  • C:\MyData\\*
|
  • Any file opened by C:\MyData\file.exe
-? (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
- - - -## Review the list of exclusions - -You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). - -If you use PowerShell, you can retrieve the list in two ways: - -- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. -- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. - -### Validate the exclusion list by using MpCmdRun - -To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: - -```DOS -MpCmdRun.exe -CheckExclusion -path -``` - ->[!NOTE] ->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. - - -### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell - -Use the following cmdlet: - -```PowerShell -Get-MpPreference -``` - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
- -### Retrieve a specific exclusions list by using PowerShell - -Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: - -```PowerShell -$WDAVprefs = Get-MpPreference -$WDAVprefs.ExclusionProcess -``` - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - -## Related articles - -- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) -- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md deleted file mode 100644 index 7b22fa2f60..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md +++ /dev/null 
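Review bot: The link target `use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md` in the "Use PowerShell cmdlets" section of this deleted copy is a search-and-replace casualty: the `antivirus` segment of the filename was expanded to `Windows Defender Antivirus`, which breaks the link. If that replace was run across the directory, the canonical configure-process-opened-file-exclusions-windows-defender-antivirus.md and other pages may carry the same damage, so check every `*-windows-defender-antivirus.md` link in the rebranded files rather than relying on this deletion to remove the only broken instance. As with the other copies, the Microsoft Endpoint Configuration Manager wording and the `MpCmdRun.exe -CheckExclusion -path` validation step appear here; confirm they exist in the canonical page before the copy is dropped.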
@@ -1,72 +0,0 @@ ---- -title: Remediate and resolve infections detected by Windows Defender Antivirus -description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder -keywords: remediation, fix, remove, threats, quarantine, scan, restore -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure remediation for Windows Defender Antivirus scans - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. - -This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). - -You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings. - -## Configure remediation options - -You can configure how remediation works with the Group Policy settings described in this section. - -To configure these settings: - -1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. - -4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled -Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days -Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) -Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed -Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable -Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. 
You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable - -> [!IMPORTANT] -> Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. ->

-> If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). ->

-> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md). - -Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings. - -## Related topics - -- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) -- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) -- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -- [Configure end-user Windows Defender Antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md deleted file mode 100644 index 3532148261..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Configure Windows Defender Antivirus features -description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. -keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure Windows Defender Antivirus features - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -You can configure Windows Defender Antivirus with a number of tools, including: - -- Microsoft Intune -- Microsoft Endpoint Configuration Manager -- Group Policy -- PowerShell cmdlets -- Windows Management Instrumentation (WMI) - -The following broad categories of features can be configured: - -- Cloud-delivered protection -- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection -- How end-users interact with the client on individual endpoints - -The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). - -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help. 
- -## In this section -Topic | Description -:---|:--- -[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection -[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md deleted file mode 100644 index b0b2030e32..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: Run and customize scheduled and on-demand scans -description: Customize and initiate Windows Defender Antivirus scans on endpoints across your network. -keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Windows Defender Antivirus -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. - -## In this section - -Topic | Description ----|--- -[Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning -[Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. 
You can also enable network file scanning -[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder -[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans -[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app -[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md deleted file mode 100644 index 295d507e65..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: Deploy, manage, and report on Windows Defender Antivirus -description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI -keywords: deploy, manage, update, protection, windows defender antivirus -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Deploy, manage, and report on Windows Defender Antivirus - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. - -Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. - -However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. - -You'll also see additional links for: - -- Managing Windows Defender Antivirus protection, including managing product and protection updates -- Reporting on Windows Defender Antivirus protection - -> [!IMPORTANT] -> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus. 
- -Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ----|---|---|--- -Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) -Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] -Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. 
You can generate a list of [Group Policies to determine if any settings or policies are not applied][] -PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] -Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. 
You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. - -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) - -2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) - -3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. 
[(Return to table)](#ref2) - -[Endpoint Protection point site system role]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-site-role -[default and customized antimalware policies]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies -[client management]: https://docs.microsoft.com/sccm/core/clients/manage/manage-clients -[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-configure-client -[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection -[email alerts]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts -[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune -[custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection - [custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection -[manage tasks]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection -[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection -[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/library/dn439474 -[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/library/dn439474 -[MSFT_MpComputerStatus]: https://msdn.microsoft.com/library/dn455321 -[Windows Defender WMIv2 Provider]: 
https://msdn.microsoft.com/library/dn439477 -[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md -[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature -[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index -[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md -[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md -[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx -[Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices -[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md - -## In this section - -Topic | Description ----|--- -[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. -[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. 
-[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md deleted file mode 100644 index 6f8dd3363b..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: Deploy and enable Windows Defender Antivirus -description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. -keywords: deploy, enable, Windows Defender Antivirus -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Deploy and enable Windows Defender Antivirus - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. - -See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). - -Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. - -The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). 
- -## Related topics - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md deleted file mode 100644 index 43e244ba36..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,149 +0,0 @@ ---- -title: Block potentially unwanted applications with Windows Defender Antivirus -description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. -keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: detect -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -audience: ITPro -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp ---- - -# Detect and block potentially unwanted applications - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) - -Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. - -For example: - -* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages. -* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. -* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. 
- -For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). - -Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. - -## How it works - -### Microsoft Edge - -The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). - -#### Enable PUA protection in Chromium-based Microsoft Edge - -Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. - -1. From the tool bar, select **Settings and more** > **Settings** -1. Select **Privacy and services** -1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off - -> [!TIP] -> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). - -#### Blocking URLs with Windows Defender SmartScreen - -In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. - -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. 
There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows -Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can -[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. - -Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md#create-indicators-for-ips-and-urlsdomains-preview) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. - -### Windows Defender Antivirus - -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. - -> [!NOTE] -> This feature is only available in Windows 10. - -Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. - -When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. - -The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). 
- -#### Configure PUA protection in Windows Defender Antivirus - -You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. - -You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. - -> [!TIP] -> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. - -PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. - -##### Use Intune to configure PUA protection - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - -##### Use Configuration Manager to configure PUA protection - -PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch), starting with version 1606. - -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). - -For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). - -> [!NOTE] -> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. - -##### Use Group Policy to configure PUA protection - -1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**. - -2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus**. - -4. Double-click **Configure protection for potentially unwanted applications**. - -5. Select **Enabled** to enable PUA protection. - -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. - -##### Use PowerShell cmdlets to configure PUA protection - -Use the following cmdlet: - -```PowerShell -Set-MpPreference -PUAProtection -``` - -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. - -Setting `AuditMode` will detect PUAs without blocking them. - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - -#### View PUA events - -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. - -You can turn on email notifications to receive mail about PUA detections. - -See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. - -#### Allow-listing apps - -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. 
See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. - -## Related articles - -- [Next-generation protection](windows-defender-antivirus-in-windows-10.md) -- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md deleted file mode 100644 index 6d7e496eec..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,143 +0,0 @@ ---- -title: Enable cloud-delivered protection in Windows Defender Antivirus -description: Enable cloud-delivered protection to benefit from fast and advanced protection features. -keywords: windows defender antivirus, antimalware, security, cloud, block at first sight -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.reviewer: -manager: dansimp -ms.custom: nextgen ---- - -# Enable cloud-delivered protection - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. - -Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). -![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) - -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. 
- -See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. - -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. - ->[!NOTE] ->In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. - -**Use Intune to enable cloud-delivered protection** - -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. -5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - - - **Send safe samples automatically** - - **Send all samples automatically** - - >[!NOTE] - >**Send safe samples automatically** option means that most samples will be sent automatically. 
Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - -8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. - -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) - -**Use Configuration Manager to enable cloud-delivered protection:** - -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - -**Use Group Policy to enable cloud-delivered protection:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** - -5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. - -6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: - - 1. **Send safe samples** (1) - 2. 
**Send all samples** (3) - - >[!NOTE] - >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - -7. Click **OK**. - -**Use PowerShell cmdlets to enable cloud-delivered protection:** - -Use the following cmdlets to enable cloud-delivered protection: - -```PowerShell -Set-MpPreference -MAPSReporting Advanced -Set-MpPreference -SubmitSamplesConsent AlwaysPrompt -``` - ->[!NOTE] ->You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. 
- -**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** - -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: - -```WMI -MAPSReporting -SubmitSamplesConsent -``` - -See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - -**Enable cloud-delivered protection on individual clients with the Windows Security app** - -> [!NOTE] -> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) - -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. - ->[!NOTE] ->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. 
- -## Related topics - -- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) -- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) -- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) -- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] -- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 190dbd830a60e80cd335920db47f81da3e0473ea Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:13:41 -0800 Subject: [PATCH 04/19] Delete configure-advanced-scan-types-windows-defender-antivirus - Copy.md --- ...types-windows-defender-antivirus - Copy.md | 104 ------------------ 1 file changed, 104 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md deleted file mode 100644 index 1ec92d64e6..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,104 +0,0 @@ ---- -title: Configure scanning options for Windows Defender AV -description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files). -keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 10/25/2018 -ms.reviewer: -manager: dansimp - ---- - -# Configure Windows Defender Antivirus scanning options - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -**Use Microsoft Intune to configure scanning options** - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - - - -**Use Configuration Manager to configure scanning options:** - -See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - -**Use Group Policy to configure scanning options** - -To configure the Group Policy settings described in the following table: - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. - -4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - -Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class ----|---|---|--- -See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` -Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available -Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan` - Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` -Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles` -Scan packed executables | Scan > Scan packed executables | Enabled | Not available -Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` -Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available - Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. 
| Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` - Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available - Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available - ->[!NOTE] ->If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. - -**Use PowerShell to configure scanning options** - -See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - -**Use WMI to configure scanning options** - -For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). - -### Email scanning limitations - -We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. - -Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails. - -You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. 
The following file format types can be scanned and remediated: - -- DBX -- MBX -- MIME - -PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. - -If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: - -- Email subject -- Attachment name - ->[!WARNING] ->There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: -> -> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) -> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) - -## Related topics - -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) -- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From c48b07ab431fcbedf22f125ddf74b0b1a4ae87e6 Mon Sep 17 00:00:00 2001 
From: Laura Keller Date: Wed, 22 Jan 2020 12:14:01 -0800 Subject: [PATCH 05/19] Delete configure-block-at-first-sight-windows-defender-antivirus - Copy.md --- ...sight-windows-defender-antivirus - Copy.md | 166 ------------------ 1 file changed, 166 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md deleted file mode 100644 index 1fb5ff7d26..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,166 +0,0 @@ ---- -title: Enable Block at First Sight to detect malware in seconds -description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly. -keywords: scan, BAFS, malware, first seen, first sight, cloud, defender -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.reviewer: -manager: dansimp -ms.custom: nextgen ---- - -# Enable block at first sight - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. - -You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. - ->[!TIP] ->Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - -## How it works - -When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. 
The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. - -Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). -![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) - -In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. - -Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. - -If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. - -In many cases, this process can reduce the response time for new malware from hours to seconds. - -## Confirm and validate that block at first sight is enabled - -Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. - -### Confirm block at first sight is enabled with Intune - -1. 
In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. - - > [!NOTE] - > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. - -2. Verify these settings are configured as follows: - - - **Cloud-delivered protection**: **Enable** - - **File Blocking Level**: **High** - - **Time extension for file scanning by the cloud**: **50** - - **Prompt users before sample submission**: **Send all data without prompting** - - ![Intune config](images/defender/intune-block-at-first-sight.png) - - > [!WARNING] - > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). - -For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). - -For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus). - -### Enable block at first sight with SCCM - -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. - -2. Click **Home** > **Create Antimalware Policy**. - -3. Enter a name and a description, and add these settings: - - **Real time protection** - - **Advanced** - - **Cloud Protection Service** - -4. 
In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable real-time protection](images/defender/sccm-real-time-protection.png) - -5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) - -6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. - ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) - -7. Click **OK** to create the policy. - - -### Confirm block at first sight is enabled with Group Policy - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - - - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - - - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. - - > [!WARNING] - > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. - -4. 
In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**: - - 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. - - 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. - -If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. - -### Confirm block at first sight is enabled with the Windows Security app - -You can confirm that block at first sight is enabled in Windows Settings. - -Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. - -### Confirm Block at First Sight is enabled on individual clients - -1. Open the Windows Security app by clicking the shield icon in the task bar. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: - - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) - -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. - -> [!NOTE] -> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. 
- -### Validate block at first sight is working - -You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). - -## Disable block at first sight - -> [!WARNING] -> Disabling block at first sight will lower the protection state of the endpoint and your network. - -You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. - -### Disable block at first sight with Group Policy - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**. - -4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. - - > [!NOTE] - > Disabling block at first sight will not disable or alter the prerequisite group policies. - -## Related topics - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) From 3849fde3440e4eafd97b1a43d56592b3393960ac Mon Sep 17 00:00:00 2001 
From: Laura Keller Date: Wed, 22 Jan 2020 12:14:23 -0800 Subject: [PATCH 06/19] Delete configure-network-connections-windows-defender-antivirus - Copy.md --- ...tions-windows-defender-antivirus - Copy.md | 130 ------------------ 1 file changed, 130 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md deleted file mode 100644 index 39f0cb02b4..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,130 +0,0 @@ ---- -title: Configure and validate Windows Defender Antivirus network connections -description: Configure and test your connection to the Windows Defender Antivirus cloud protection service. -keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 10/08/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure and validate Windows Defender Antivirus network connections - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. - -This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services. - -See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. 
- ->[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: -> ->- Cloud-delivered protection ->- Fast learning (including block at first sight) ->- Potentially unwanted application blocking - -## Allow connections to the Windows Defender Antivirus cloud service - -The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. - ->[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. - -See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. - -After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. - -Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. 
Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. - - -| **Service**| **Description** |**URL** | -| :--: | :-- | :-- | -| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| -| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`| -|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| -| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | -| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` | -| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| - -## Validate connections between your network and the cloud - -After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. - -**Use the cmdline tool to validate cloud-delivered protection:** - -Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service: - -```DOS -"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection -``` - -> [!NOTE] -> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. - -For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md). - -**Attempt to download a fake malware file from Microsoft:** - -You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. - -Download the file by visiting the following link: -- https://aka.ms/ioavtest - ->[!NOTE] ->This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. 
- -If you are properly connected, you will see a warning Windows Defender Antivirus notification: - -![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png) - -If you are using Microsoft Edge, you'll also see a notification message: - -![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png) - -A similar message occurs if you are using Internet Explorer: - -![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) - -You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app: - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: - - ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) - -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: - - ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png) - ->[!NOTE] ->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md). - -The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). - ->[!IMPORTANT] ->You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. 
- -## Related articles - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - -- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) - -- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) - -- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) From d8d3ee5ff9239b42592b66fd7a417e7b6619cfab Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:14:35 -0800 Subject: [PATCH 07/19] Delete configure-notifications-windows-defender-antivirus - Copy.md --- ...tions-windows-defender-antivirus - Copy.md | 106 ------------------ 1 file changed, 106 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md deleted file mode 100644 index 03afa1681f..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md +++ /dev/null 
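Review bot: the deleted copy already carries the rebranded name "Microsoft Endpoint Configuration Manager" (in the "See [Enable cloud-delivered protection]..." paragraph of this hunk), so before dropping it confirm that the canonical configure-network-connections-windows-defender-antivirus.md (no " - Copy" suffix) has the same rebrand and the same URL table; otherwise this deletion discards the edited version and keeps the stale one. The commit message should also say why the file goes (an accidental duplicate, as the " - Copy" suffix indicates), since "Delete ..." alone does not justify a 130-line removal to a later reader.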
@@ -1,106 +0,0 @@ ---- -title: Configure Windows Defender Antivirus notifications -description: Configure and customize Windows Defender Antivirus notifications. -keywords: notifications, defender, antivirus, endpoint, management, admin -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure the notifications that appear on endpoints - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. - -Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals. - -You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated. - -## Configure the additional notifications that appear on endpoints - -You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy. - -> [!NOTE] -> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. - -> [!IMPORTANT] -> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. 
- -**Use the Windows Security app to disable additional notifications:** - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) - -3. Scroll to the **Notifications** section and click **Change notification settings**. - -4. Slide the switch to **Off** or **On** to disable or enable additional notifications. - -**Use Group Policy to disable additional notifications:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. - -5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. - -## Configure standard notifications on endpoints - -You can use Group Policy to: - -- Display additional, customized text on endpoints when the user needs to perform an action -- Hide all notifications on endpoints -- Hide reboot notifications on endpoints - -Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. 
- -> [!NOTE] -> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). - -See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. - -**Use Group Policy to hide notifications:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. - -4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. - -**Use Group Policy to hide reboot notifications:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. - -5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. 
- -## Related topics - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) From 86534618270f6d5ef3f5e493f8c65071daab0b53 Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:14:59 -0800 Subject: [PATCH 08/19] Delete configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md --- ...sions-windows-defender-antivirus - Copy.md | 199 ------------------ 1 file changed, 199 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md deleted file mode 100644 index 79e9d90a7b..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md +++ /dev/null 
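Review bot: the same check applies to this hunk: the deleted copy contains the rebranded link text "Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports" in the note under "Configure standard notifications on endpoints", so verify that the canonical configure-notifications-windows-defender-antivirus.md carries that text as well. Cross-references are not at risk here: the related-topics list in patch 09 links to configure-notifications-windows-defender-antivirus.md, not to the " - Copy" path.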
@@ -1,199 +0,0 @@ ---- -title: Configure exclusions for files opened by specific processes -description: You can exclude files from scans if they have been opened by a specific process. -keywords: Windows Defender Antivirus, process, exclusion, files, scans -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 12/10/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure exclusions for files opened by processes - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. - -This topic describes how to configure exclusion lists for the following: - - - -Exclusion | Example ----|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
  • c:\sample\test.exe
  • d:\internal\files\test.exe
-Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
  • c:\test\sample\test.exe
  • c:\test\sample\test2.exe
  • c:\test\sample\utility.exe
-Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe - -When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). - -The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans. - -Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. - -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. - -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. - -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. - -You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
- -## Configure the list of exclusions for files opened by specified processes - - - -### Use Microsoft Intune to exclude files that have been opened by specified processes from scans - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - -### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans - -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - -### Use Group Policy to exclude files that have been opened by specified processes from scans - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. - -4. Double-click **Process Exclusions** and add the exclusions: - - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. - -5. Click **OK**. 
- -![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - - - -### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans - -Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). - -The format for the cmdlets is: - -```PowerShell - -ExclusionProcess "" -``` - -The following are allowed as the \: - -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` - ->[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. - -For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process: - -```PowerShell -Add-MpPreference -ExclusionProcess "c:\internal\test.exe" -``` - -See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
- -### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans - -Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: - -```WMI -ExclusionProcess -``` - -The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. - -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - - -### Use the Windows Security app to exclude files that have been opened by specified processes from scans - -See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. - - - -## Use wildcards in the process exclusion list - -The use of wildcards in the process exclusion list is different from their use in other exclusion lists. - -In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. - -The following table describes how the wildcards can be used in the process exclusion list: - -Wildcard | Use | Example use | Example matches ----|---|---|--- -\* (asterisk) | Replaces any number of characters |
  • C:\MyData\\*
|
  • Any file opened by C:\MyData\file.exe
-? (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
- - - -## Review the list of exclusions - -You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). - -If you use PowerShell, you can retrieve the list in two ways: - -- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. -- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. - -### Validate the exclusion list by using MpCmdRun - -To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: - -```DOS -MpCmdRun.exe -CheckExclusion -path -``` - ->[!NOTE] ->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. - - -### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell - -Use the following cmdlet: - -```PowerShell -Get-MpPreference -``` - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
- -### Retrieve a specific exclusions list by using PowerShell - -Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: - -```PowerShell -$WDAVprefs = Get-MpPreference -$WDAVprefs.ExclusionProcess -``` - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - -## Related articles - -- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) -- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 8cd32f18ff6447691046762ae420d097f0241998 Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:15:13 -0800 Subject: [PATCH 09/19] Delete configure-remediation-windows-defender-antivirus - Copy.md --- ...ation-windows-defender-antivirus - Copy.md | 72 ------------------- 1 file changed, 72 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md 
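Review bot: the deleted copy contains a malformed link, `[Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md)` in the "Use PowerShell cmdlets" section of this hunk, while the same file links correctly to `use-powershell-cmdlets-windows-defender-antivirus.md` twice further down. That pattern points to an over-broad search-and-replace during the rebrand (a short token expanded to "Windows Defender Antivirus" inside a file name); deleting the copy removes this instance, but check the canonical configure-process-opened-file-exclusions-windows-defender-antivirus.md and the other rebranded files for the same corruption before merging.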
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md deleted file mode 100644 index 7b22fa2f60..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -title: Remediate and resolve infections detected by Windows Defender Antivirus -description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder -keywords: remediation, fix, remove, threats, quarantine, scan, restore -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure remediation for Windows Defender Antivirus scans - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. - -This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). - -You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings. - -## Configure remediation options - -You can configure how remediation works with the Group Policy settings described in this section. - -To configure these settings: - -1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. - -4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled -Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days -Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) -Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed -Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable -Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. 
You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable - -> [!IMPORTANT] -> Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. ->

-> If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). ->

-> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md). - -Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings. - -## Related topics - -- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) -- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) -- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -- [Configure end-user Windows Defender Antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 0ffa525977f8d1768102dbdcc70ede0ca937c007 Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:15:24 -0800 Subject: [PATCH 10/19] Delete configure-windows-defender-antivirus-features - Copy.md --- ...dows-defender-antivirus-features - Copy.md | 49 ------------------- 1 file changed, 49 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md 
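Review bot: the rebrand has already been applied inside the stray copy being deleted here (the "Configure remediation for Windows Defender Antivirus scans" file reads "you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings)"), so please confirm the canonical configure-remediation-windows-defender-antivirus.md carries the same "System Center" to "Microsoft Endpoint" wording; if the edit only ever landed in the " - Copy.md" file, deleting it silently drops the rebrand for this article.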
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md deleted file mode 100644 index 3532148261..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Configure Windows Defender Antivirus features -description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. -keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure Windows Defender Antivirus features - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -You can configure Windows Defender Antivirus with a number of tools, including: - -- Microsoft Intune -- Microsoft Endpoint Configuration Manager -- Group Policy -- PowerShell cmdlets -- Windows Management Instrumentation (WMI) - -The following broad categories of features can be configured: - -- Cloud-delivered protection -- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection -- How end-users interact with the client on individual endpoints - -The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). - -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help. 
- -## In this section -Topic | Description -:---|:--- -[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection -[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings From 88a89ced2364eb8cc7b74822cefb190d549dcdbb Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:15:42 -0800 Subject: [PATCH 11/19] Delete configure-extension-file-exclusions-windows-defender-antivirus - Copy.md --- ...sions-windows-defender-antivirus - Copy.md | 366 ------------------ 1 file changed, 366 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md deleted file mode 100644 index 6ab53e6c67..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md +++ /dev/null 
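Review bot: the front matter of the deleted configure-windows-defender-antivirus-features - Copy.md declares `ms.pagetype: security` twice (once after `search.product`, again after `ms.sitesec`), which is a duplicate YAML key; removing the copy is fine, but the same front-matter block is repeated across all five files in this series, so check the surviving canonical files and drop the second `ms.pagetype` line there.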
@@ -1,366 +0,0 @@ ---- -title: Configure and validate exclusions based on extension, name, or location -description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location. -keywords: exclusions, files, extension, file type, folder name, file name, scans -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 12/10/2018 -ms.reviewer: -manager: dansimp ---- - -# Configure and validate exclusions based on file extension and folder location - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -> [!IMPORTANT] -> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). - -## Exclusion lists - -You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. 
- -> [!NOTE] -> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. - -This topic describes how to configure exclusion lists for the files and folders. - -Exclusion | Examples | Exclusion list ----|---|--- -Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions -Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions -A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions -A specific process | The executable file `c:\test\process.exe` | File and folder exclusions - -Exclusion lists have the following characteristics: - -- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. -- File extensions will apply to any file name with the defined extension if a path or folder is not defined. - ->[!IMPORTANT] ->The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. -> ->You cannot exclude mapped network drives. You must specify the actual network path. -> ->Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. 
- -To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). - -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). - ->[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). -> ->Changes made in the Windows Security app **will not show** in the Group Policy lists. - -By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts. - -You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
- -## Configure the list of exclusions based on folder name or file extension - -### Use Intune to configure file name, folder, or file extension exclusions - -See the following articles: -- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) -- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) - -### Use Configuration Manager to configure file name, folder, or file extension exclusions - -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - -### Use Group Policy to configure folder or file extension exclusions - ->[!NOTE] ->If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. - -4. Double-click the **Path Exclusions** setting and add the exclusions: - - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. - -5. 
Click **OK**. - - ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) - -6. Double-click the **Extension Exclusions** setting and add the exclusions: - - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. - -7. Click **OK**. - - ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) - - - -### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions - -Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). - -The format for the cmdlets is: - -```PowerShell - - "" -``` - -The following are allowed as the \: - -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove item from the list | `Remove-MpPreference` - -The following are allowed as the \: - -Exclusion type | PowerShell parameter ----|--- -All files with a specified file extension | `-ExclusionExtension` -All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` - ->[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. 
- -For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension: - -```PowerShell -Add-MpPreference -ExclusionExtension ".test" -``` - -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). - -### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions - -Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: - -```WMI -ExclusionExtension -ExclusionPath -``` - -The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. - -For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). - - - -### Use the Windows Security app to configure file name, folder, or file extension exclusions - -See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. - - -## Use wildcards in the file name and folder path or extension exclusion lists - -You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. - ->[!IMPORTANT] ->There are key limitations and usage scenarios for these wildcards: -> ->- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. 
->- You cannot use a wildcard in place of a drive letter. ->- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. - -The following table describes how the wildcards can be used and provides some examples. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
WildcardUse in file name and file extension exclusionsUse in folder exclusionsExample useExample matches
* (asterisk)Replaces any number of characters.
Only applies to files in the last folder defined in the argument.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wild carded and named folders, all subfolders will also be included.
-
    -
  1. C:\MyData\*.txt
  2. -
  3. C:\somepath\*\Data
  4. -
  5. C:\Serv\*\*\Backup -
-
-
    -
  1. C:\MyData\notes.txt
  2. -
  3. Any file in: -
      -
    • C:\somepath\Archives\Data and its subfolders
    • -
    • C:\somepath\Authorized\Data and its subfolders
    • -
    -
  4. Any file in: -
      -
    • C:\Serv\Primary\Denied\Backup and its subfolders
    • -
    • C:\Serv\Secondary\Allowed\Backup and its subfolders
    • -
    -
-
- ? (question mark) - - Replaces a single character.
- Only applies to files in the last folder defined in the argument. -
- Replaces a single character in a folder name.
- After matching the number of wild carded and named folders, all subfolders will also be included. -
-
    -
  1. C:\MyData\my?.zip
  2. -
  3. C:\somepath\?\Data
  4. -
  5. C:\somepath\test0?\Data
  6. -
-
-
    -
  1. C:\MyData\my1.zip
  2. -
  3. Any file in C:\somepath\P\Data and its subfolders
  4. -
  5. Any file in C:\somepath\test01\Data and its subfolders
  6. -
-
Environment variablesThe defined variable will be populated as a path when the exclusion is evaluated.Same as file and extension use. -
    -
  1. %ALLUSERSPROFILE%\CustomLogFiles
  2. -
-
-
    -
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
  2. -
-
- ->[!IMPORTANT] ->If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. -> ->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*. -> ->This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`. - - - -## Review the list of exclusions - -You can retrieve the items in the exclusion list using one of the following methods: -- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) -- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) -- MpCmdRun -- PowerShell -- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions) - ->[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). -> ->Changes made in the Windows Security app **will not show** in the Group Policy lists. - -If you use PowerShell, you can retrieve the list in two ways: - -- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. -- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. 
- -### Validate the exclusion list by using MpCmdRun - -To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: - -```DOS -MpCmdRun.exe -CheckExclusion -path -``` - ->[!NOTE] ->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. - -### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell - -Use the following cmdlet: - -```PowerShell -Get-MpPreference -``` - -In the following example, the items contained in the `ExclusionExtension` list are highlighted: - -![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png) - -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). 
- -### Retrieve a specific exclusions list by using PowerShell - -Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: - -```PowerShell -$WDAVprefs = Get-MpPreference -$WDAVprefs.ExclusionExtension -$WDAVprefs.ExclusionPath -``` - -In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet: - -![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png) - -For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). - - - -## Validate exclusions lists with the EICAR test file - -You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file. - -In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path. - -```PowerShell -Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" -``` - -If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html). 
- -You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: - -```PowerShell -$client = new-object System.Net.WebClient -$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt") -``` - -If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command: - -```PowerShell -[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*') -``` - -You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. - -## Related topics - -- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) -- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 68c0222c52d30994d5f02f6ee6a0d03975823d7e Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:16:00 -0800 Subject: [PATCH 12/19] Delete customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md --- ...scans-windows-defender-antivirus - Copy.md | 37 ------------------- 1 file changed, 37 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md 
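Review bot: the MpCmdRun link in the deleted exclusions copy pins a working branch through its query string (`command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options`); if the canonical configure-extension-file-exclusions-windows-defender-antivirus.md still has that link, strip `?branch=...` so readers land on the published page. Two smaller points worth carrying over to the canonical file at the same time: the `title:` ("based on extension, name, or location") and the H1 ("based on file extension and folder location") disagree, and the EICAR download examples fetch `http://www.eicar.org/download/eicar.com.txt` over plain HTTP.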
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md deleted file mode 100644 index b0b2030e32..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: Run and customize scheduled and on-demand scans -description: Customize and initiate Windows Defender Antivirus scans on endpoints across your network. -keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Windows Defender Antivirus -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. - -## In this section - -Topic | Description ----|--- -[Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning -[Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. 
You can also enable network file scanning -[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder -[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans -[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app -[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app From 64dffe84400ca520cacc698816ff3bc1dd56be34 Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:16:13 -0800 Subject: [PATCH 13/19] Delete deploy-manage-report-windows-defender-antivirus - Copy.md --- ...eport-windows-defender-antivirus - Copy.md | 85 ------------------- 1 file changed, 85 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md deleted file mode 100644 index 295d507e65..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md +++ /dev/null 
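Review bot: before merging the removal of customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md (and the other " - Copy.md" files, whose names contain spaces), verify that no toc.yml entry or cross-link targets the copy paths; the "Related topics" lists visible in this series already point at the canonical names (for example `customize-run-review-remediate-scans-windows-defender-antivirus.md` in the deleted remediation copy), which is a good sign, but the TOC is not part of this diff.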
@@ -1,85 +0,0 @@ ---- -title: Deploy, manage, and report on Windows Defender Antivirus -description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI -keywords: deploy, manage, update, protection, windows defender antivirus -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Deploy, manage, and report on Windows Defender Antivirus - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. - -Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. - -However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. - -You'll also see additional links for: - -- Managing Windows Defender Antivirus protection, including managing product and protection updates -- Reporting on Windows Defender Antivirus protection - -> [!IMPORTANT] -> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus. 
- -Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ----|---|---|--- -Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) -Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] -Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. 
You can generate a list of [Group Policies to determine if any settings or policies are not applied][] -PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] -Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. 
You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. - -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) - -2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) - -3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. 
[(Return to table)](#ref2) - -[Endpoint Protection point site system role]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-site-role -[default and customized antimalware policies]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies -[client management]: https://docs.microsoft.com/sccm/core/clients/manage/manage-clients -[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-configure-client -[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection -[email alerts]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts -[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune -[custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection - [custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection -[manage tasks]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection -[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection -[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/library/dn439474 -[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/library/dn439474 -[MSFT_MpComputerStatus]: https://msdn.microsoft.com/library/dn455321 -[Windows Defender WMIv2 Provider]: 
https://msdn.microsoft.com/library/dn439477 -[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md -[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature -[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index -[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md -[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md -[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx -[Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices -[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md - -## In this section - -Topic | Description ----|--- -[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. -[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. 
-[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. From 33a9ba3c06660f4cba1f04c06f62ee5d39ad9be4 Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:16:25 -0800 Subject: [PATCH 14/19] Delete deploy-windows-defender-antivirus - Copy.md --- ...eploy-windows-defender-antivirus - Copy.md | 38 ------------------- 1 file changed, 38 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md deleted file mode 100644 index 6f8dd3363b..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md +++ /dev/null 
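Review bot: the removed duplicate carries several defects that the non-Copy file it shadows should be checked for, since deleting the Copy does not fix them there. The front matter declares `ms.pagetype: security` twice; the reference-link block defines `[custom Intune policy]` twice (the second copy with a leading space), and the definitions `[Deploy the Microsoft Intune client to endpoints]`, `[custom Intune policy]`, `[manage tasks]` and `[Monitor endpoint protection in the Microsoft Intune administration console]` are never referenced from the table. The footnote links `[(Return to table)](#ref2)`, `([1](#fn1))` and `([3](#fn3))` point at anchors that appear nowhere in the removed text, so they render as dead links. Suggest dropping the duplicate key and unused definitions in the surviving file and either adding the `ref2`/`fn1`/`fn3` anchors or switching to plain footnote syntax.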
@@ -1,38 +0,0 @@ ---- -title: Deploy and enable Windows Defender Antivirus -description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. -keywords: deploy, enable, Windows Defender Antivirus -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: -manager: dansimp ---- - -# Deploy and enable Windows Defender Antivirus - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. - -See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). - -Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. - -The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). 
- -## Related topics - -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md) From b48f71aae0cac4146f88368269ac8febc4d19e48 Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:16:37 -0800 Subject: [PATCH 15/19] Delete detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md --- ...-apps-windows-defender-antivirus - Copy.md | 149 ------------------ 1 file changed, 149 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md deleted file mode 100644 index 43e244ba36..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md +++ /dev/null 
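Review bot: the sentence beginning `See the table in [Deploy, manage, and report on Windows Defender Antivirus]` expands WMI as "Windows Management Instruction (WMI)"; the correct expansion is Windows Management Instrumentation, which is what the table in the previous patch uses. The front matter also repeats `ms.pagetype: security`. Because this " - Copy" file was created alongside the rebrand edits, please confirm that deploy-windows-defender-antivirus.md (the file this duplicate shadows, linked from the previous patch's "In this section" table) does not carry the same two defects and that it did receive the Microsoft Endpoint Configuration Manager wording shown here.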
@@ -1,149 +0,0 @@ ---- -title: Block potentially unwanted applications with Windows Defender Antivirus -description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. -keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: detect -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -audience: ITPro -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp ---- - -# Detect and block potentially unwanted applications - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) - -Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. - -For example: - -* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages. -* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. -* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. 
- -For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). - -Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. - -## How it works - -### Microsoft Edge - -The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). - -#### Enable PUA protection in Chromium-based Microsoft Edge - -Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. - -1. From the tool bar, select **Settings and more** > **Settings** -1. Select **Privacy and services** -1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off - -> [!TIP] -> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). - -#### Blocking URLs with Windows Defender SmartScreen - -In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. - -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. 
There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows -Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can -[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. - -Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md#create-indicators-for-ips-and-urlsdomains-preview) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. - -### Windows Defender Antivirus - -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. - -> [!NOTE] -> This feature is only available in Windows 10. - -Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. - -When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. - -The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). 
- -#### Configure PUA protection in Windows Defender Antivirus - -You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. - -You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. - -> [!TIP] -> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. - -PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. - -##### Use Intune to configure PUA protection - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - -##### Use Configuration Manager to configure PUA protection - -PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch), starting with version 1606. - -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). - -For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). - -> [!NOTE] -> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. - -##### Use Group Policy to configure PUA protection - -1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**. - -2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. - -3. Expand the tree to **Windows components > Windows Defender Antivirus**. - -4. Double-click **Configure protection for potentially unwanted applications**. - -5. Select **Enabled** to enable PUA protection. - -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. - -##### Use PowerShell cmdlets to configure PUA protection - -Use the following cmdlet: - -```PowerShell -Set-MpPreference -PUAProtection -``` - -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. - -Setting `AuditMode` will detect PUAs without blocking them. - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - -#### View PUA events - -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. - -You can turn on email notifications to receive mail about PUA detections. - -See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. - -#### Allow-listing apps - -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. 
See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. - -## Related articles - -- [Next-generation protection](windows-defender-antivirus-in-windows-10.md) -- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) From 7d66536c2a05822df20c2ce508fd1b08c3c6762b Mon Sep 17 00:00:00 2001 From: Laura Keller Date: Wed, 22 Jan 2020 12:17:01 -0800 Subject: [PATCH 16/19] Delete enable-cloud-protection-windows-defender-antivirus - Copy.md --- ...ction-windows-defender-antivirus - Copy.md | 143 ------------------ 1 file changed, 143 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md deleted file mode 100644 index 6d7e496eec..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md +++ /dev/null 
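Review bot: the PowerShell example in the removed copy, `Set-MpPreference -PUAProtection`, passes no value, so it is not a runnable command; the two paragraphs under it name the valid values, so the snippet should show `Set-MpPreference -PUAProtection Enabled` and `Set-MpPreference -PUAProtection AuditMode`. Two link mismatches in the same text are worth carrying to the surviving detect-block-potentially-unwanted-apps file, which PATCH 18 edits next: the link labelled "How to create and deploy antimalware policies: Scheduled scans settings" points at `#real-time-protection-settings`, and the Configuration Manager 2012 link uses the technet URL for hh508770 while the allow-listing section links the docs.microsoft.com previous-versions page for the same document. The deletion itself is a straight removal of a duplicate.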
@@ -1,143 +0,0 @@ ---- -title: Enable cloud-delivered protection in Windows Defender Antivirus -description: Enable cloud-delivered protection to benefit from fast and advanced protection features. -keywords: windows defender antivirus, antimalware, security, cloud, block at first sight -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.reviewer: -manager: dansimp -ms.custom: nextgen ---- - -# Enable cloud-delivered protection - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. - -Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). -![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) - -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. 
- -See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. - -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. - ->[!NOTE] ->In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. - -**Use Intune to enable cloud-delivered protection** - -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. -5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - - - **Send safe samples automatically** - - **Send all samples automatically** - - >[!NOTE] - >**Send safe samples automatically** option means that most samples will be sent automatically. 
Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - -8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. - -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) - -**Use Configuration Manager to enable cloud-delivered protection:** - -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - -**Use Group Policy to enable cloud-delivered protection:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** - -5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. - -6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: - - 1. **Send safe samples** (1) - 2. 
**Send all samples** (3) - - >[!NOTE] - >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - -7. Click **OK**. - -**Use PowerShell cmdlets to enable cloud-delivered protection:** - -Use the following cmdlets to enable cloud-delivered protection: - -```PowerShell -Set-MpPreference -MAPSReporting Advanced -Set-MpPreference -SubmitSamplesConsent AlwaysPrompt -``` - ->[!NOTE] ->You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. 
- -**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** - -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: - -```WMI -MAPSReporting -SubmitSamplesConsent -``` - -See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - -**Enable cloud-delivered protection on individual clients with the Windows Security app** - -> [!NOTE] -> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) - -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. - ->[!NOTE] ->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. 
- -## Related topics - -- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) -- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) -- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) -- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] -- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 9b9b38cc2758d48a0c6ea80952cdfd46df795776 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Wed, 22 Jan 2020 17:49:59 -0800 Subject: [PATCH 17/19] two link corrections --- .../review-scan-results-windows-defender-antivirus.md | 2 +- .../scheduled-catch-up-scans-windows-defender-antivirus.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 7e8c703d2d..ad189470ba 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md 
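Review bot: the cmdlet example in the removed copy, `Set-MpPreference -SubmitSamplesConsent AlwaysPrompt`, sets the very value that the warning above it says "will lower the protection state of the device"; an example that enables cloud-delivered protection should use `SendSafeSamples` or `SendAllSamples` (the cmdlet's counterparts of the Group Policy options "Send safe samples (1)" and "Send all samples (3)"). The note under that block is inconsistent with itself and with the Group Policy warning: it offers `None` as a value, says `Never` lowers protection and that 2 disables Block at First Sight, whereas the warning maps 0 to Always Prompt and 2 to Never send (the cmdlet's enum name for that setting is `NeverSend`). Smaller issues in the same text: "Windows Management Instruction (WMI)" should read Windows Management Instrumentation, ```WMI is not a code-fence language, and the Intune link in Related topics has a stray `]` after its closing parenthesis. If the non-Copy enable-cloud-protection file was produced from the same text, these need fixing there, since this deletion does not address them.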
@@ -34,7 +34,7 @@ After an Windows Defender Antivirus scan completes, whether it is an [on-demand] ## Use Configuration Manager to review scan results -See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). +See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). ## Use the Windows Security app to review scan results diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 82c22fd0a3..b2b391a114 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md 
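Review bot: the hunk header context still reads "After an Windows Defender Antivirus scan completes"; the article should be "After a Windows Defender Antivirus scan completes", and since this file is open for a link fix it is a cheap correction to fold in (it sits just above the hunk, so the range would need to widen by a few lines). The sccm to configmgr URL change itself is consistent with the rest of the series.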
@@ -31,7 +31,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). To configure the Group Policy settings described in this topic: From 7b0a0657fc7bd2f0a1defeb49a9cf37af172d21b Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Thu, 23 Jan 2020 06:40:52 -0800 Subject: [PATCH 18/19] corrected 2012 name in two files --- ...-potentially-unwanted-apps-windows-defender-antivirus.md | 6 +++--- ...microsoft-cloud-protection-windows-defender-antivirus.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 803b7d3dc7..fc883cd71d 100644 
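Review bot: the rewritten line keeps the typo "You can also configure schedules scans"; because this exact line is already being changed for the URL, fix it to "scheduled scans" in the same commit rather than leaving a known typo in a touched line.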
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -94,11 +94,11 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic ##### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch), starting with version 1606. +PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch). -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). -For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). +For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] > PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. 
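Review bot: the first change in this hunk goes beyond what the commit message ("corrected 2012 name in two files") describes: it drops "starting with version 1606" from the sentence on PUA protection being enabled by default. If the qualifier is being removed because every supported Current Branch release is past that version, say so in the commit message; otherwise keep it, since readers checking older sites rely on it. Separately, in the second change the link text says "Scheduled scans settings" while the anchor is "#real-time-protection-settings"; one of the two is wrong, and the text should name the section the link actually lands on.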
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index c263d97a41..9fff5a8a0c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
@@ -60,10 +60,10 @@ Organizations running Windows 10 E5, version 1803 can also take advantage of eme >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -The following table describes the differences in cloud-delivered protection between recent versions of Windows and Microsoft Endpoint Configuration Manager. +The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager. -Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune +Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center 2012 Configuration Manager | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune ---|---|---|---|---|---|--- Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version 
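Review bot: the intro sentence now says "recent versions of Windows and Configuration Manager" while the rest of the series expands to full product names. The short form is defensible here because the table has two distinct columns, System Center 2012 Configuration Manager and Microsoft Endpoint Configuration Manager (Current Branch), but consider spelling that out in the sentence so it matches the column headers. The header rename to "System Center 2012 Configuration Manager" is the correct product name and is consistent with the PUA topic changed in this same commit.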
@@ -79,5 +79,5 @@ You can also [configure Windows Defender AV to automatically receive new protect [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. 
[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. From ee2afb197aff67d80ec79a1eee01313bdf6b7cdb Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Mon, 27 Jan 2020 11:58:22 -0800 Subject: [PATCH 19/19] corrections in six files --- .../enable-cloud-protection-windows-defender-antivirus.md | 4 ++-- .../manage-protection-updates-windows-defender-antivirus.md | 6 +++--- .../manage-updates-baselines-windows-defender-antivirus.md | 2 +- .../report-monitor-windows-defender-antivirus.md | 2 +- .../run-scan-windows-defender-antivirus.md | 2 +- ...ify-cloud-protection-level-windows-defender-antivirus.md | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 6d7e496eec..985b6f0b7c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md 
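Review bot: the change to the block-at-first-sight row only removes the stray space before the period; the phrase "without having to wait hours for traditional Security intelligence" is also missing its noun and reads better as "traditional Security intelligence updates", which could be fixed in the same touched line. The feature is also capitalised two ways within that row ("block at first sight" in the link text, "Block at First Sight" in the description); pick one.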
@@ -62,7 +62,7 @@ For more information about Intune device profiles, including how to create and c **Use Configuration Manager to enable cloud-delivered protection:** -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). **Use Group Policy to enable cloud-delivered protection:** @@ -139,5 +139,5 @@ See the following for more information and allowed parameters: - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) 
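Review bot: the second hunk (@@ -139,5) edits the Related topics list but leaves the stray `]` after the "Help secure Windows PCs with Endpoint Protection for Microsoft Intune" link two lines above the changed line; it renders as a literal bracket and is already inside the hunk's context, so it can be fixed here without widening the range. Both sccm to configmgr URL changes match the rest of the series.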
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 05002ff7a5..be5477b03f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -52,7 +52,7 @@ There are five locations where you can specify where an endpoint should obtain u - [Microsoft Update](https://support.microsoft.com/help/12373/windows-update-faq) - [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) -- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/servers/manage/updates) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview) - [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.) 
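Review bot: the context line linking https://www.microsoft.com/en-us/wdsi/defenderupdates hard-codes the en-us locale, unlike every other link in this list; dropping the locale segment lets the site serve the reader's language and would be a natural companion to the link cleanup in this hunk. The configmgr URL change itself is consistent with the series.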
@@ -76,7 +76,7 @@ Each source has typical scenarios that depend on how your network is configured, You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. > [!IMPORTANT] -> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). +> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it. 
@@ -110,7 +110,7 @@ The procedures in this article first describe how to set the order, and then how ## Use Configuration Manager to manage the update location -See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ## Use PowerShell cmdlets to manage the update location diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 40bc802e34..7ebc368cbc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md 
@@ -40,7 +40,7 @@ The cloud-delivered protection is always on and requires an active connection to Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. -You can manage the distribution of updates through Windows Server Update Service (WSUS), with [ Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. ## In this section diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index b454b8490d..caea14600c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md 
@@ -23,7 +23,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 4db84ce762..f36197fe0f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md 
@@ -41,7 +41,7 @@ A full scan can be useful on endpoints that have encountered a malware threat to ## Use Configuration Manager to run a scan -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. +See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. ## Use the mpcmdrun.exe command-line utility to run a scan diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index 0480d91f4e..d04a0c0bd5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md 
@@ -47,7 +47,7 @@ For more information about Intune device profiles, including how to create and c ## Use Configuration Manager to specify the level of cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ## Use Group Policy to specify the level of cloud-delivered protection @@ -77,6 +77,6 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) -- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)