deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Content reorg and rebranding changes

Browse Source
This commit is contained in:
Andrea Bichsel
2018-08-09 18:19:20 -07:00
parent b85686248d
commit 82de7e4fb5
22 changed files with 428 additions and 468 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
View File

@ -14,61 +14,74 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Enable cloud-delivered protection in Windows Defender AV
# Enable cloud-delivered protection
**Manageability available with**
- Group Policy
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
- Microsoft Intune
- Windows Defender Security Center app
>[!NOTE]
>The antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
You can enable or disable antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app.
See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections for Windows Defender AV](configure-network-connections-windows-defender-antivirus.md) for more details.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details.
>[!NOTE]
>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
**Use Intune to enable cloud-delivered protection**
**Use Group Policy to enable cloud-delivered protection:**
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
5. On the **Cloud-delivered protection** switch, select **Enable**.
6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
7. In the **Submit samples consent** dropdown, select one of the following:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
1. **Send safe samples** (1)
1. **Send all samples** (3)
- **Send safe samples automatically**
- **Send all samples automatically**
> [!WARNING]
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
1. Click **OK**.
> Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
**Use Configuration Manager to enable cloud-delivered protection:**
See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
**Use Group Policy to enable cloud-delivered protection:**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
1. **Send safe samples** (1)
2. **Send all samples** (3)
> [!WARNING]
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
7. Click **OK**.
**Use PowerShell cmdlets to enable cloud-delivered protection:**
@ -78,10 +91,10 @@ Use the following cmdlets to enable cloud-delivered protection:
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent Always
```
>[!NOTE]
>You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:**
@ -96,36 +109,18 @@ SubmitSamplesConsent
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
**Use Intune to enable cloud-delivered protection**
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
5. On the **Cloud-delivered protection** switch, select **Enable**.
6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
7. In the **Submit samples consent** dropdown, select one of the following:
1. **Send safe samples automatically**
2. **Send all samples automatically**
> [!WARNING]
> Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app**
> [!NOTE]
> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
>[!NOTE]
>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
@ -133,10 +128,10 @@ For more information about Intune device profiles, including how to create and c
## Related topics
- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Use PowerShell cmdlets to manage next generation protection](use-powershell-cmdlets-windows-defender-antivirus.md)
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

25
windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Evaluate Windows Defender Antivirus
title: Evaluate next generation protection
description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10.
keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
search.product: eADQiWindows 10XVcnh
@ -14,37 +14,34 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Evaluate Windows Defender Antivirus protection
# Evaluate next generation protection
If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
Use this guide to determine how well next generation protection protects you from viruses, malware, and potentially unwanted applications.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
>- Cloud-delivered protection
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network.
It explains the important next generation protection features available for both small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
The guide is available in PDF format for offline viewing:
- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.2/DisplayScript)
> [!IMPORTANT]
> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
> The guide is currently intended for single-machine evaluation of next generation protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
>
> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see the [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) topic in this library.
> For the latest recommendations for real-world deployment and monitoring of next generation protection across a network, see [Deploy next generation](deploy-manage-report-windows-defender-antivirus.md).
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)

27
windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Enable the limited periodic scanning feature in Windows Defender AV
description: Limited periodic scanning lets you use Windows Defender AV in addition to your other installed AV providers
title: Enable the limited periodic antivirus scanning feature
description: Limited periodic scanning lets you use next generation protection in addition to your other installed AV providers
keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -16,46 +16,39 @@ ms.date: 04/30/2018
# Use limited periodic scanning in Windows Defender AV
# Use limited periodic scanning in next generation protection
**Manageability available with**
- Windows Defender Security Center app
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
It can only be enabled in certain situations. See [Antivirus compatibility](windows-defender-antivirus-compatibility.md) for more information on when limited periodic scanning can be enabled, and how next generation protection works with other AV products.
**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the capabilities of Windows Defender Antivirus to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
## How to enable limited periodic scanning
By default, Windows Defender AV will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other AV product is out-of-date, expired, or not working correctly.
By default, antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly.
If Windows Defender AV is enabled, the usual options will appear to configure Windows Defender AV on that device:
If antivirus is enabled, the usual options will appear to configure it on that device:
![Windows Defender Security Center app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png)
If another AV product is installed and working correctly, Windows Defender AV will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
If another antivirus product is installed and working correctly, Windows antivirus will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
![Windows Defender Security Center app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png)
Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png)
Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page.
![When enabled, periodic scanning shows the normal Windows Defender AV options](images/vtp-3ps-lps-on.png)
![When enabled, periodic scanning shows the normal antivirus options](images/vtp-3ps-lps-on.png)
## Related topics
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

121
windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Apply Windows Defender AV updates after certain events
description: Manage how Windows Defender Antivirus applies proteciton updates after startup or receiving cloud-delivered detection reports.
title: Apply next generation protection updates after certain events
description: Manage how antivirus applies protection updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -18,43 +18,40 @@ ms.date: 04/30/2018
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
Next generation protection allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
## Check for protection updates before running a scan
You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to force Windows Defender AV to check and download protection updates before running a scheduled scan.
**Use Group Policy to check for protection updates before running a scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
6. Double-click the **Check for the latest virus and spyware definitions before running a scheduled scan** setting and set the option to **Enabled**.
7. Click **OK**.
You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force antivirus to check and download protection updates before running a scheduled scan.
**Use Configuration Manager to check for protection updates before running a scan:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
3. Click **OK**.
4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
4.[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
**Use Group Policy to check for protection updates before running a scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
6. Click **OK**.
**Use PowerShell cmdlets to check for protection updates before running a scan:**
@ -66,7 +63,6 @@ Set-MpPreference -CheckForSignaturesBeforeRunningScan
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to check for protection updates before running a scan**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
@ -78,46 +74,39 @@ CheckForSignaturesBeforeRunningScan
See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## Check for protection updates on startup
You can use Group Policy to force Windows Defender AV to check and download protection updates when the machine is started.
You can use Group Policy to force antivirus to check and download protection updates when the machine is started.
**Use Group Policy to download protection updates at startup:**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
5. Double-click the **Check for the latest virus and spyware definitions on startup** setting and set the option to **Enabled**.
6. Click **OK**.
6. Click **OK**.
You can also use Group Policy, PowerShell, or WMI to configure antivirus to check for updates at startup even when it is not running.
You can also use Group Policy, PowerShell, or WMI to configure Windows Defender AV to check for updates at startup even when it is not running.
**Use Group Policy to download updates when Windows antivirus is not present:**
**Use Group Policy to download updates when Windows Defender AV is not present:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Double-click **Initiate definition update on startup** and set the option to **Enabled**.
6. Double-click the **Initiate definition update on startup** setting and set the option to **Enabled**.
6. Click **OK**.
7. Click **OK**.
**Use PowerShell cmdlets to download updates when Windows Defender AV is not present:**
**Use PowerShell cmdlets to download updates when Windows antivirus is not present:**
Use the following cmdlets:
@ -125,10 +114,9 @@ Use the following cmdlets:
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to manage next generation protection](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to download updates when Windows Defender AV is not present:**
**Use Windows Management Instruction (WMI) to download updates when Windows antivirus not present:**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
@ -139,11 +127,8 @@ SignatureDisableUpdateOnStartupWithoutEngine
See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
<a id="cloud-report-updates"></a>
## Allow ad hoc changes to protection based on cloud-delivered protection
Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates.
@ -152,27 +137,21 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
**Use Group Policy to automatically download recent updates based on cloud-delivered protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
1. Double-click the **Allow real-time definition updates based on reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
2. Double-click the **Allow notifications to disable definitions based reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
## Related topics
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

60
windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -18,36 +18,47 @@ ms.date: 04/30/2018
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
Next generation protection lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time.
When the user returns to work and logs on to their PC, Windows Defender AV will immediately check and download the latest protection updates, and run a scan.
When the user returns to work and logs on to their PC, antivirus will immediately check and download the latest protection updates, and run a scan.
## Set up catch-up protection updates for endpoints that haven't updated for a while
If Windows Defender AV did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
If antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
**Use Configuration Manager to configure catch-up protection updates:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section and configure the following settings:
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
3. Click **OK**.
4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
**Use Group Policy to enable and configure the catch-up update feature:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
6. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
7. Click **OK**.
6. Click **OK**.
**Use PowerShell cmdlets to configure catch-up protection updates:**
@ -71,23 +82,11 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
**Use Configuration Manager to configure catch-up protection updates:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section and configure the following settings:
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
3. Click **OK**.
4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
## Set the number of days before protection is reported as out-of-date
You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
You can also specify the number of days after which antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
**Use Group Policy to specify the number of days before protection is considered out-of-date:**
@ -112,7 +111,7 @@ You can also specify the number of days after which Windows Defender AV protecti
## Set up catch-up scans for endpoints that have not been scanned for a while
You can set the number of consecutive scheduled scans that can be missed before Windows Defender AV will force a scan.
You can set the number of consecutive scheduled scans that can be missed before antivirus will force a scan.
The process for enabling this feature is:
@ -152,7 +151,7 @@ Set-MpPreference -DisableCatchupQuickScan
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
See [Use PowerShell cmdlets to manage next generation protection](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to configure catch-up scans:**
@ -180,10 +179,9 @@ See the following for more information and allowed parameters:
## Related topics
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

47
windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
View File

@ -18,13 +18,13 @@ ms.date: 04/30/2018
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender AV lets you determine when it should look for and download updates.
Next generation protection lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
@ -34,24 +34,6 @@ You can schedule updates for your endpoints by:
You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information.
**Use Group Policy to schedule protection updates:**
> [!IMPORTANT]
> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
**Use Configuration Manager to schedule protection updates:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
@ -66,6 +48,24 @@ You can also randomize the times when each endpoint checks and downloads protect
5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
**Use Group Policy to schedule protection updates:**
> [!IMPORTANT]
> By default, antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
**Use PowerShell cmdlets to schedule protection updates:**
@ -95,13 +95,12 @@ See the following for more information and allowed parameters:
## Related topics
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

10
windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -30,7 +30,7 @@ There are two components to managing protection updates - where the updates are
This topic describes where you can specify the updates should be downloaded from, also known as the fallback order.
See the [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
See [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
<a id="fallback-order"></a>
@ -150,11 +150,11 @@ See the following for more information:
## Related topics
- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generation protection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender AV in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

8
windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -14,9 +14,9 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Manage Windows Defender Antivirus updates and apply baselines
# Manage next generation protection updates and apply baselines
There are two types of updates related to keeping Windows Defender Antivirus:
There are two types of updates related to keeping antivirus up to date:
1. Protection updates
2. Product updates
@ -24,14 +24,14 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en
## Protection updates
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
## Product updates
Windows Defender AV requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
Next generation protection requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.

8
windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
View File

@ -37,7 +37,7 @@ The following topics may also be useful in these situations:
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep definitions on mobile devices running Windows Defender AV up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
You can use Microsoft Update to keep definitions on mobile devices running antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
@ -74,7 +74,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
## Prevent definition updates when running on battery power
You can configure Windows Defender AV to only download protection updates when the PC is connected to a wired power source.
You can configure antivirus to only download protection updates when the PC is connected to a wired power source.
**Use Group Policy to prevent definition updates on battery power:**
@ -95,5 +95,5 @@ You can configure Windows Defender AV to only download protection updates when t
## Related topics
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage Windows Defender in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
- [Manage next generationprotection updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Update and manage next generation protection in Windows 10](deploy-manage-report-windows-defender-antivirus.md)

12
windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
View File

@ -14,13 +14,13 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Prevent users from seeing or interacting with the Windows Defender AV user interface
# Prevent users from seeing or interacting with the antivirus user interface
You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.
You can use Group Policy to prevent users on endpoints from seeing the antivirus interface. You can also prevent them from pausing scans.
## Hide the Windows Defender Antivirus interface
## Hide the antivirus interface
In Windows 10, versions 1703, hiding the interface will hide Windows Defender AV notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app.
In Windows 10, versions 1703, hiding the interface will hide antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app.
With the setting set to **Enabled**:
@ -31,7 +31,7 @@ With the setting set to **Disabled** or not configured:
![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png)
>[!NOTE]
>Hiding the interface will also prevent Windows Defender AV notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
>Hiding the interface will also prevent antivirus notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.":
@ -76,4 +76,4 @@ You can prevent users from pausing scans. This can be helpful to ensure schedule
- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

12
windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
View File

@ -14,15 +14,15 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Report on Windows Defender Antivirus protection
# Report on next generation protection
There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender AV.
There are a number of ways you can review protection status and alerts, depending on the management tool you are using for next generation protection.
You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune).
You can use System Center Configuration Manager to [monitor next generation protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings.
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx).
@ -37,5 +37,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)

4
windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
View File

@ -20,7 +20,7 @@ ms.date: 04/23/2018
- Windows Defender Security Center
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender AV quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
If next generation protection is configured to detect and remediate threats on your device, antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open **Windows Defender Security Center**.
2. Click **Virus & threat protection** and then click **Scan history**.
@ -33,5 +33,5 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
- [Review scan results](review-scan-results-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Configure antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)

31
windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
View File

@ -14,26 +14,32 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Review Windows Defender AV scan results
# Review antivirus scan results
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center app
After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
After an antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
**Use Configuration Manager to review Windows Defender AV scan results:**
**Use Microsoft Intune to review scan results:**
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Click the scan results in **Device actions status**.
**Use Configuration Manager to review scan results:**
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
**Use the Windows Defender Security Center app to review Windows Defender AV scan results:**
**Use the Windows Defender Security Center app to review scan results:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -45,7 +51,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us
**Use PowerShell cmdlets to review Windows Defender AV scan results:**
**Use PowerShell cmdlets to review scan results:**
The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
@ -67,20 +73,15 @@ Get-MpThreat
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:**
**Use Windows Management Instruction (WMI) to review scan results:**
Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes.
**Use Microsoft Intune to review Windows Defender AV scan results:**
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Click the scan results in **Device actions status**.
## Related topics
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

32
windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
View File

@ -14,15 +14,15 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Configure and run on-demand Windows Defender AV scans
# Configure and run on-demand antivirus scans
**Manageability available with**
- Windows Defender AV mpcmdrun utility
- Microsoft Intune
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Mpcmdrun utility
- Windows Defender Security Center app
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
@ -32,13 +32,17 @@ You can run an on-demand scan on individual endpoints. These scans will start im
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
**Use Configuration Manager to run a scan:**
See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
**Use the mpcmdrum.exe command-line utility to run a scan:**
Use the following `-scan` parameter:
@ -53,10 +57,11 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen
**Use Configuration Manager to run a scan:**
**Use Microsoft Intune to run a scan:**
See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Select **...More** and then select **Quick Scan** or **Full Scan**.
**Use the Windows Defender Security Center app to run a scan:**
@ -84,16 +89,9 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
**Use Microsoft Intune to run a scan:**
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Select **...More** and then select **Quick Scan** or **Full Scan**.
## Related topics
- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

16
windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
View File

@ -14,9 +14,7 @@ ms.author: v-anbic
ms.date: 07/26/2018
---
# Configure scheduled quick or full scans for Windows Defender AV
- Enterprise security administrators
# Configure scheduled quick or full antivirus scans
**Manageability available with**
@ -28,7 +26,7 @@ ms.date: 07/26/2018
> [!NOTE]
> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
> By default, antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans.
@ -76,7 +74,7 @@ Location | Setting | Description | Default setting (if not configured)
Scan | Specify the scan type to use for a scheduled scan | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender scans. This can be useful in VM or VDI deployments. | Enabled
Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows antivirus scans. This can be useful in VM or VDI deployments. | Enabled
**Use PowerShell cmdlets to schedule scans:**
@ -231,8 +229,8 @@ Signature updates | Turn on scan after signature update | A scan will occur imme
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Configure and run on-demand antivirus scans](run-scan-windows-defender-antivirus.md)
- [Configure antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Manage antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

49
windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
View File

@ -22,34 +22,13 @@ ms.date: 07/19/2018
- System Center Configuration Manager (current branch)
- Intune
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
You can specify the level of cloud-protection offered by antivirus with Group Policy and System Center Configuration Manager.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
>The antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
**Use Group Policy to specify the level of cloud-delivered protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.
2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).
1. Click **OK**.
**Use Configuration Manager to specify the level of cloud-delivered protection:**
1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
**Use Intune to specify the level of cloud-delivered protection:**
1. Sign in to the [Azure portal](https://portal.azure.com).
@ -70,10 +49,32 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
**Use Configuration Manager to specify the level of cloud-delivered protection:**
1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
**Use Group Policy to specify the level of cloud-delivered protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.
2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).
1. Click **OK**.
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)

14
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
View File

@ -14,16 +14,16 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Troubleshoot Windows Defender Antivirus reporting in Update Compliance
# Troubleshoot antivirus reporting in Update Compliance
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using next generation protection, you may encounter problems or issues.
Typically, the most common indicators of a problem are:
- You only see a small number or subset of all the devices you were expecting to see
- You do not see any devices at all
- The reports and information you do see is outdated (older than a few days)
For common error codes and event IDs related to the Windows Defender AV service that are not related to Update Compliance, see the [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md) topic.
For common error codes and event IDs related to the antivirus service that are not related to Update Compliance, see [Antivirus events](troubleshoot-windows-defender-antivirus.md).
There are three steps to troubleshooting these problems:
@ -32,12 +32,12 @@ There are three steps to troubleshooting these problems:
3. Submit support logs
>[!IMPORTANT]
>It typically takes 3 days for devices to start appearing in Update Compliance
>It typically takes 3 days for devices to start appearing in Update Compliance.
## Confirm pre-requisites
In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender AV protection:
In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for next generation protection:
>[!div class="checklist"]
>- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
@ -58,5 +58,5 @@ If the above pre-requisites have all been met, you may need to proceed to the ne
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy next generation protection](deploy-manage-report-windows-defender-antivirus.md)

189
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
View File

@ -14,32 +14,33 @@ ms.author: v-anbic
ms.date: 04/16/2018
---
# Review event logs and error codes to troubleshoot issues with Windows Defender AV
# Review event logs and error codes to troubleshoot issues with antivirus
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution.
The tables list:
- [Windows Defender AV event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
- [Windows Defender AV client error codes](#error-codes)
- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes)
- [Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
- [Antivirus client error codes](#error-codes)
- [Internal antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>- Cloud-delivered protection
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
<a id="windows-defender-av-ids"></a>
## Windows Defender AV event IDs
## Antivirus event IDs
Windows Defender AV records event IDs in the Windows event log.
Antivirus records event IDs in the Windows event log.
You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [antivirus client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
The table in this section lists the main Windows Defender AV event IDs and, where possible, provides suggested solutions to fix or resolve the error.
The table in this section lists the main antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
**To view a Windows Defender AV event**
**To view an antivirus event**
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
@ -320,7 +321,7 @@ Description of the error. </dt>
User action:
</td>
<td >
The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
To troubleshoot this event:
<ol>
<li>Run the scan again.</li>
@ -428,7 +429,7 @@ Message:
Description:
</td>
<td >
Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
<dl>
<dt>User: &lt;Domain&gt;\\&lt;User&gt;</dt>
<dt>Name: &lt;Threat name&gt;</dt>
@ -480,7 +481,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
<dl>
<dt>User: &lt;Domain&gt;\\&lt;User&gt;</dt>
<dt>Name: &lt;Threat name&gt;</dt>
@ -539,7 +540,7 @@ Message:
Description:
</td>
<td >
Windows Defender has restored an item from quarantine. For more information please see the following:
Antivirus has restored an item from quarantine. For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
<dt>ID: &lt;Threat ID&gt;</dt>
@ -583,7 +584,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:
Antivirus has encountered an error trying to restore an item from quarantine. For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
<dt>ID: &lt;Threat ID&gt;</dt>
@ -630,7 +631,7 @@ Message:
Description:
</td>
<td >
Windows Defender has deleted an item from quarantine.
Antivirus has deleted an item from quarantine.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -674,7 +675,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to delete an item from quarantine.
Antivirus has encountered an error trying to delete an item from quarantine.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -722,7 +723,7 @@ Message:
Description:
</td>
<td >
Windows Defender has removed history of malware and other potentially unwanted software.
Antivirus has removed history of malware and other potentially unwanted software.
<dl>
<dt>Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
<dt>User: &lt;Domain&gt;\\&lt;User&gt;</dt>
@ -753,7 +754,7 @@ The antimalware platform could not delete history of malware and other potential
Description:
</td>
<td >
Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
<dl>
<dt>Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
<dt>User: &lt;Domain&gt;\\&lt;User&gt;</dt>
@ -788,7 +789,7 @@ Message:
Description:
</td>
<td >
Windows Defender has detected a suspicious behavior.
Antivirus has detected a suspicious behavior.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -866,7 +867,7 @@ Message:
Description:
</td>
<td >
Windows Defender has detected malware or other potentially unwanted software.
Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -920,7 +921,7 @@ UAC</dt>
User action:
</td>
<td >
No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click <b>Clean Computer</b>.
No action is required. Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the antivirus interface, click <b>Clean Computer</b>.
</td>
</tr>
<tr>
@ -948,7 +949,7 @@ Message:
Description:
</td>
<td >
Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.
Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -1010,7 +1011,7 @@ Description of the error. </dt>
<dt>Signature Version: &lt;Definition version&gt;</dt>
<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
NOTE:
Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
Whenever antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
<li>Default Internet Explorer or Microsoft Edge setting</li>
<li>User Access Control settings</li>
<li>Chrome settings</li>
@ -1049,7 +1050,7 @@ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se
User action:
</td>
<td >
No action is necessary. Windows Defender removed or quarantined a threat.
No action is necessary. Antivirus removed or quarantined a threat.
</td>
</tr>
<tr>
@ -1076,7 +1077,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software.
Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -1145,7 +1146,7 @@ Description of the error. </dt>
User action:
</td>
<td >
No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.
No action is necessary. Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
</td>
</tr>
<tr>
@ -1172,7 +1173,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.
Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
<dl>
<dt>Name: &lt;Threat name&gt;</dt>
@ -1241,7 +1242,7 @@ Description of the error. </dt>
User action:
</td>
<td >
The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant <b>User action</b> steps below.
The antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant <b>User action</b> steps below.
<table>
<tr>
<th>Action</th>
@ -1304,7 +1305,7 @@ Symbolic name:
Message:
</td>
<td >
<b>Windows Defender has deduced the hashes for a threat resource.</b>
<b>Antivirus has deduced the hashes for a threat resource.</b>
</td>
</tr>
<tr>
@ -1312,7 +1313,7 @@ Message:
Description:
</td>
<td >
Windows Defender client is up and running in a healthy state.
Antivirus client is up and running in a healthy state.
<dl>
<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
<dt>Threat Resource Path: &lt;Path&gt;</dt>
@ -1351,7 +1352,7 @@ Message:
Description:
</td>
<td >
Windows Defender client is up and running in a healthy state.
Antivirus client is up and running in a healthy state.
<dl>
<dt>Platform Version: &lt;Current platform version&gt;</dt>
<dt>Signature Version: &lt;Definition version&gt;</dt>
@ -1364,7 +1365,7 @@ Windows Defender client is up and running in a healthy state.
User action:
</td>
<td >
No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
No action is necessary. The antivirus client is in a healthy state. This event is reported on an hourly basis.
</td>
</tr>
@ -1392,7 +1393,7 @@ Message:
Description:
</td>
<td >
Windows Defender client health report.
Antivirus client health report.
<dl>
<dt>Platform Version: &lt;Current platform version&gt;</dt>
<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
@ -1446,7 +1447,7 @@ Message:
Description:
</td>
<td >
Windows Defender signature version has been updated.
Antivirus signature version has been updated.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
@ -1469,7 +1470,7 @@ Windows Defender signature version has been updated.
User action:
</td>
<td >
No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.
No action is necessary. The antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
</td>
</tr>
<tr>
@ -1496,7 +1497,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to update signatures.
Antivirus has encountered an error trying to update signatures.
<dl>
<dt>New Signature Version: &lt;New version number&gt;</dt>
<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
@ -1574,7 +1575,7 @@ Message:
Description:
</td>
<td >
Windows Defender engine version has been updated.
Antivirus engine version has been updated.
<dl>
<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
@ -1588,7 +1589,7 @@ Windows Defender engine version has been updated.
User action:
</td>
<td >
No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
No action is necessary. The antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
</td>
</tr>
<tr>
@ -1615,7 +1616,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to update the engine.
Antivirus has encountered an error trying to update the engine.
<dl>
<dt>New Engine Version:</dt>
<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
@ -1633,7 +1634,7 @@ Description of the error. </dt>
User action:
</td>
<td >
The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
The antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
To troubleshoot this event:
<ol>
<li>[Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.</li>
@ -1665,7 +1666,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
<dl>
<dt>Signatures Attempted:</dt>
<dt>Error Code: &lt;Error code&gt;
@ -1682,7 +1683,7 @@ Description of the error. </dt>
User action:
</td>
<td >
The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.
The antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Antivirus will attempt to revert back to a known-good set of definitions.
To troubleshoot this event:
<ol>
<li>Restart the computer and try again.</li>
@ -1717,7 +1718,7 @@ Message:
Description:
</td>
<td >
Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
Antivirus could not load antimalware engine because current platform version is not supported. Antivirus will revert back to the last known-good engine and a platform update will be attempted.
<dl>
<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
</dl>
@ -1748,7 +1749,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to update the platform.
Antivirus has encountered an error trying to update the platform.
<dl>
<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
<dt>Error Code: &lt;Error code&gt;
@ -1781,7 +1782,7 @@ Message:
Description:
</td>
<td >
Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest antivirus platform to maintain the best level of protection available.
<dl>
<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
</dl>
@ -1812,7 +1813,7 @@ Message:
Description:
</td>
<td >
Windows Defender used <i>Dynamic Signature Service</i> to retrieve additional signatures to help protect your machine.
Antivirus used <i>Dynamic Signature Service</i> to retrieve additional signatures to help protect your machine.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
@ -1870,7 +1871,7 @@ Message:
Description:
</td>
<td >
Windows Defender used <i>Dynamic Signature Service</i> to discard obsolete signatures.
Antivirus used <i>Dynamic Signature Service</i> to discard obsolete signatures.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
@ -1909,7 +1910,7 @@ Windows Defender used <i>Dynamic Signature Service</i> to discard obsolete signa
User action:
</td>
<td >
No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
No action is necessary. The antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
</td>
</tr>
<tr>
@ -1937,7 +1938,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to use <i>Dynamic Signature Service</i>.
Antivirus has encountered an error trying to use <i>Dynamic Signature Service</i>.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
@ -2007,7 +2008,7 @@ Message:
Description:
</td>
<td >
Windows Defender discarded all <i>Dynamic Signature Service</i> signatures.
Antivirus discarded all <i>Dynamic Signature Service</i> signatures.
<dl>
<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
</dl>
@ -2038,7 +2039,7 @@ Message:
Description:
</td>
<td >
Windows Defender downloaded a clean file.
Antivirus downloaded a clean file.
<dl>
<dt>Filename: &lt;File name&gt;
Name of the file.</dt>
@ -2071,7 +2072,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to download a clean file.
Antivirus has encountered an error trying to download a clean file.
<dl>
<dt>Filename: &lt;File name&gt;
Name of the file.</dt>
@ -2090,7 +2091,7 @@ User action:
</td>
<td >
Check your Internet connectivity settings.
The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
The antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
</td>
</tr>
<tr>
@ -2116,7 +2117,7 @@ Message:
Description:
</td>
<td >
Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.
Antivirus downloaded and configured offline antivirus to run on the next reboot.
</td>
</tr>
<tr>
@ -2143,7 +2144,7 @@ Message:
Description:
</td>
<td >
Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
Antivirus has encountered an error trying to download and configure offline antivirus.
<dl>
<dt>Error Code: &lt;Error code&gt;
Result code associated with threat status. Standard HRESULT values.</dt>
@ -2177,7 +2178,7 @@ Message:
Description:
</td>
<td >
The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
The support for your operating system will expire shortly. Running antivirus on an out of support operating system is not an adequate solution to protect against threats.
</td>
</tr>
<tr>
@ -2205,7 +2206,7 @@ Message:
Description:
</td>
<td >
The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
The support for your operating system has expired. Running antivirus on an out of support operating system is not an adequate solution to protect against threats.
</td>
</tr>
<tr>
@ -2233,7 +2234,7 @@ Message:
Description:
</td>
<td >
The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
The support for your operating system has expired. Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
</td>
</tr>
<tr>
@ -2260,7 +2261,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-Time Protection feature has encountered an error and failed.
Antivirus Real-Time Protection feature has encountered an error and failed.
<dl>
<dt>Feature: &lt;Feature&gt;, for example:
<ul>
@ -2274,7 +2275,7 @@ Windows Defender Real-Time Protection feature has encountered an error and faile
Result code associated with threat status. Standard HRESULT values.</dt>
<dt>Error Description: &lt;Error description&gt;
Description of the error. </dt>
<dt>Reason: The reason Windows Defender real-time protection has restarted a feature.</dt>
<dt>Reason: The reason antivirus real-time protection has restarted a feature.</dt>
</dl>
</td>
</tr>
@ -2284,7 +2285,7 @@ User action:
</td>
<td >
You should restart the system then run a full scan because it's possible the system was not protected for some time.
The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start.
The antivirus client's real-time protection feature encountered an error because one of the services failed to start.
If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
</td>
</tr>
@ -2312,7 +2313,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
<dl>
<dt>Feature: &lt;Feature&gt;, for example:
<ul>
@ -2322,7 +2323,7 @@ Windows Defender Real-time Protection has restarted a feature. It is recommended
<li>Network Inspection System</li>
</ul>
</dt>
<dt>Reason: The reason Windows Defender real-time protection has restarted a feature.</dt>
<dt>Reason: The reason antivirus real-time protection has restarted a feature.</dt>
</dl>
</td>
</tr>
@ -2359,7 +2360,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.
Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
</td>
</tr>
<tr>
@ -2386,7 +2387,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.
Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
</td>
</tr>
<tr>
@ -2414,7 +2415,7 @@ Message:
Description:
</td>
<td >
Windows Defender Real-time Protection feature configuration has changed.
Antivirus real-time protection feature configuration has changed.
<dl>
<dt>Feature: &lt;Feature&gt;, for example:
<ul>
@ -2452,12 +2453,12 @@ Message:
Description:
</td>
<td >
Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
<dl>
<dt>Old value: &lt;Old value number&gt;
Old Windows Defender configuration value.</dt>
Old antivirus configuration value.</dt>
<dt>New value: &lt;New value number&gt;
New Windows Defender configuration value.</dt>
New antivirus configuration value.</dt>
</dl>
</td>
</tr>
@ -2484,7 +2485,7 @@ Message:
Description:
</td>
<td >
Windows Defender engine has been terminated due to an unexpected error.
Antivirus engine has been terminated due to an unexpected error.
<dl>
<dt>Failure Type: &lt;Failure type&gt;, for example:
Crash
@ -2515,7 +2516,7 @@ To troubleshoot this event:<ol>
User action:
</td>
<td >
The Windows Defender client engine stopped due to an unexpected error.
The antivirus client engine stopped due to an unexpected error.
To troubleshoot this event:
<ol>
<li>Run the scan again.</li>
@ -2550,7 +2551,7 @@ Message:
Description:
</td>
<td >
Windows Defender scanning for malware and other potentially unwanted software has been enabled.
Antivirus scanning for malware and other potentially unwanted software has been enabled.
</td>
</tr>
<tr>
@ -2577,7 +2578,7 @@ Message:
Description:
</td>
<td >
Windows Defender scanning for malware and other potentially unwanted software is disabled.
Antivirus scanning for malware and other potentially unwanted software is disabled.
</td>
</tr>
<tr>
@ -2603,7 +2604,7 @@ Message:
Description:
</td>
<td >
Windows Defender scanning for viruses has been enabled.
Antivirus scanning for viruses has been enabled.
</td>
</tr>
<tr>
@ -2631,7 +2632,7 @@ Message:
Description:
</td>
<td >
Windows Defender scanning for viruses is disabled.
Antivirus scanning for viruses is disabled.
</td>
</tr>
<tr>
@ -2659,10 +2660,10 @@ Message:
Description:
</td>
<td >
Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
<dl>
<dt>Expiration Reason: The reason Windows Defender will expire.</dt>
<dt>Expiration Date: The date Windows Defender will expire.</dt>
<dt>Expiration Reason: The reason antivirus will expire.</dt>
<dt>Expiration Date: The date antivirus will expire.</dt>
</dl>
</td>
</tr>
@ -2691,7 +2692,7 @@ Message:
Description:
</td>
<td >
Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
<dl>
<dt>Expiration Reason:</dt>
<dt>Expiration Date: </dt>
@ -2705,14 +2706,14 @@ Description of the error. </dt>
</table>
<a id="error-codes"></a>
## Windows Defender client error codes
If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about Windows Defender Antivirus client errors.
## Antivirus client error codes
If antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about antivirus client errors.
- The error code
- The possible reason for the error
- Advice on what to do now
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
Use the information in these tables to help troubleshoot antivirus error codes.
<table class="oridealign">
@ -2755,7 +2756,7 @@ This error indicates that there might be a problem with your security product.
</tr><tr><td>Resolution</td><td>
<ol>
<li>Update the definitions. Either:<ol>
<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Windows Defender. <img src="images/defender-updatedefs2.png" alt="Update definitions in Windows Defender"/>Or,
<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in antivirus. <img src="images/defender-updatedefs2.png" alt="Update definitions in antivirus"/>Or,
</li>
<li>Download the latest definitions from the <a href="https://aka.ms/wdsi">Windows Defender Security Intelligence site</a>.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
@ -2787,7 +2788,7 @@ data that does not allow the engine to function properly.
</b>
</td></tr><tr><td>Possible reason</td>
<td>
This error indicates that Windows Defender failed to quarantine a threat.
This error indicates that antivirus failed to quarantine a threat.
</td>
</tr>
<tr>
@ -2855,7 +2856,7 @@ Follow the manual remediation steps outlined in the <a href="https://www.microso
<td>
This error indicates that removal inside the container type might not be not supported.
</td></tr><tr><td>Resolution</td><td>
Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
Antivirus is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
</td>
</tr>
<tr>
@ -2894,7 +2895,7 @@ Run a full system scan.
<td>
This error indicates that an offline scan is required.
</td></tr><tr><td>Resolution</td><td>
Run Windows Defender Offline. You can read about how to do this in the <a href="http://windows.microsoft.com/windows/what-is-windows-defender-offline">Windows Defender Offline
Run offline antivirus. You can read about how to do this in the <a href="http://windows.microsoft.com/windows/what-is-windows-defender-offline">offline antivirus
article</a>.
</td>
</tr>
@ -2906,15 +2907,15 @@ article</a>.
</b>
</td></tr><tr><td>Possible reason</td>
<td>
This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform.
This error indicates that antivirus does not support the current version of the platform and requires a new version of the platform.
</td></tr><tr><td>Resolution</td><td>
You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.
You can only use antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.
</td>
</tr>
</table>
<a id="internal-error-codes"></a>
The following error codes are used during internal testing of Windows Defender AV.
The following error codes are used during internal testing of antivirus.
If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
@ -3246,5 +3247,5 @@ This is an internal error. It might have triggered when a scan fails to complete
## Related topics
- [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Report on antivirus protection](report-monitor-windows-defender-antivirus.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

98
windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Configure Windows Defender AV with Group Policy
description: Configure Windows Defender AV settings with Group Policy
title: Configure antivirus with Group Policy
description: Configure antivirus settings with Group Policy
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -14,11 +14,11 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Use Group Policy settings to configure and manage Windows Defender AV
# Use Group Policy settings to configure and manage next generation protection
You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage next generation protection on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
In general, you can use the following procedure to configure or change antivirus group policy settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -37,15 +37,15 @@ The following table in this topic lists the Group Policy settings available in W
Location | Setting | Documented in topic
---|---|---
Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
Exclusions | Extension Exclusions | [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Path Exclusions | [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Process Exclusions | [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md)
MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
@ -55,23 +55,23 @@ Network inspection system | Specify additional definition sets for network traff
Network inspection system | Turn on definition retirement | Not used
Network inspection system | Turn on protocol recognition | Not used
Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Monitor file and program activity on your computer | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Scan all downloaded files and attachments | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn off real-time protection | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on behavior monitoring | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Turn on raw volume write notifications | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
Reporting | Configure Watson events | Not used
Reporting | Configure Windows software trace preprocessor components | Not used
Reporting | Configure WPP tracing level | Not used
@ -85,11 +85,11 @@ Root | Define addresses to bypass proxy server | Not used
Root | Define proxy auto-config (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Root | Allow antimalware service to startup with normal priority | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Allow antimalware service to remain running always | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
@ -99,25 +99,25 @@ Scan | Configure local setting override for schedule scan day | [Prevent or allo
Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on heuristics | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan network files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan packed executables | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan removable drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Create a system restore point | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on removal of items from scan history folder | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on heuristics | [Enable and configure antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Scan | Turn on e-mail scanning | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Turn on reparse point scanning | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Run full scan on mapped network drives | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan archive files | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan network files | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan packed executables | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Scan removable drives | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum depth to scan archive files | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time for a daily quick scan | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Signature updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Signature updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Signature updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
@ -132,9 +132,9 @@ Signature updates | Initiate definition update on startup | [Manage event-based
Signature updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Signature updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Signature updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Signature updates | Turn on scan after signature update | [Configure scheduled scans for antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for antivirus scans](configure-remediation-windows-defender-antivirus.md)

10
windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Configure Windows Defender AV with Configuration Manager and Intune
title: Configure antivirus with Configuration Manager and Intune
description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
@ -14,11 +14,11 @@ ms.author: v-anbic
ms.date: 07/19/2018
---
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
# Use System Center Configuration Manager and Microsoft Intune to configure and manage next generation protection
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by antivirus.
See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
@ -28,4 +28,4 @@ For Microsoft Intune, consult the [Microsoft Intune library](https://docs.micros
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

8
windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
View File

@ -14,7 +14,7 @@ ms.author: v-anbic
ms.date: 12/12/2017
---
# Use PowerShell cmdlets to configure and manage Windows Defender AV
# Use PowerShell cmdlets to configure and manage next generation protection
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
@ -23,7 +23,7 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Antivirus Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
@ -32,7 +32,7 @@ You can [configure which settings can be overridden locally with local policy ov
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
**Use Windows Defender AV PowerShell cmdlets:**
**Use antivirus PowerShell cmdlets:**
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
@ -51,4 +51,4 @@ Omit the `-online` parameter to get locally cached help.
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)

10
windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Configure Windows Defender AV with WMI
title: Configure next generation protection with WMI
description: Use WMI scripts to configure Windows Defender AV.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
@ -14,15 +14,15 @@ ms.author: v-anbic
ms.date: 08/26/2017
---
# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
# Use Windows Management Instrumentation (WMI) to configure and manage next generation protection
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
@ -31,4 +31,4 @@ You can [configure which settings can be overridden locally with local policy o
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Next generation protection in Windows 10](windows-defender-antivirus-in-windows-10.md)