Iaan D'Souza-Wiltshire 2017-03-27 16:27:59 -07:00
parent 3fa1f32ed0
commit 9a662ffe3c
8 changed files with 217 additions and 27 deletions

View File

@ -18,9 +18,22 @@ author: iaanw
**Applies to**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
Scan Turn on e-mail scanning
Scan Turn on reparse point scanning
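Review bot: the two rows at the end of this hunk, `Scan Turn on e-mail scanning` and `Scan Turn on reparse point scanning`, carry none of the `|` delimiters or the description and default-value cells that the settings table uses elsewhere in this commit (`Real-time protection | Turn on behavior monitoring | ... | Enabled`); if they are meant as table rows, add the separators and the missing columns, otherwise they will render as two bare sentences under the list. The new **Manageability available with** list is consistent with the Intune and WMI sections this commit adds to the exclusions topic.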

View File

@ -33,18 +33,19 @@ author: iaanw
- Microsoft Intune
- Windows Defender Security Center
You can exclude certain files, folders, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to both [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
You can exclude certain files, folders, processes, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
Changes made via Group Policy to the exclusion lists will show in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
However, changes made in the Windows Defender Security Center app will not show in the lists in the Group Policy settings.
You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app.
## Exclude file extensions from Windows Defender AV scans
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, although you will need to use several different cmdlets.
You can exclude certain file extenstions from being scanned by Windows Defender AV.
## Use Group Policy to configure exclusion lists
**Use Group Policy to exclude specified file extensions from scans:**
**Use Group Policy to configure file extension exclusions:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
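Review bot: the typo `extenstions` in `You can exclude certain file extenstions from being scanned by Windows Defender AV.` is left untouched and, judging by the context quoted in the next two hunk headers, survives into the new file; fix it while this region is being rewritten. If both the `You can also use PowerShell cmdlets and WMI to configure the exclusion lists ...` sentence and the new `## Exclude file extensions from Windows Defender AV scans` heading remain, the sentence ends up under a heading it does not belong to; move it up with the other introductory text, above the first H2.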
@ -64,12 +65,7 @@ You can exclude certain file extenstions from being scanned by Windows Defender
7. Click **OK**.
![The Group Policy setting for file exclusions](images/defender/wdav-extension-exclusions.png)
## Exclude paths and files from Windows Defender AV scans
<a id="exclude-paths-files"></a>
**Use Group Policy to exclude specified paths or folders from scans:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
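Review bot: the explicit anchor `<a id="exclude-paths-files"></a>` is placed after the `## Exclude paths and files from Windows Defender AV scans` heading, whereas the same pattern elsewhere in this commit puts the anchor on the line before the heading (`<a id="sysreq"></a>` above `## Minimum system requirements`); with the anchor below the heading, a jump from the `[exclude it as a file](#exclude-paths-files)` link lands with the heading scrolled out of view. Move it above the heading for consistency.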
@ -91,15 +87,11 @@ You can exclude certain file extenstions from being scanned by Windows Defender
![The Group Policy setting for folder exclusions](images/defender/wdav-path-exclusions.png)
## Exclude files opened by processes from Windows Defender AV scns
You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process will be.
You can only exclude executable files.
**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
>[!NOTE] You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process will be. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files).
>You can only exclude files modified by processes if the process is an executable.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
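Review bot: the new note puts its body on the same line as the marker (`>[!NOTE] You can exclude files that are opened by specified processes ...`), while every other callout in this commit writes the marker alone on its line followed by the body on the next `>` line (`>[!IMPORTANT]` / `>Use the ...`); the inline form may not render as a callout, so split it. If the body sentence `You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded ...` also survives as plain text two lines above the note, keep only one copy. The unchanged heading `## Exclude files opened by processes from Windows Defender AV scns` has a typo (`scans`) worth fixing in the same pass.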
@ -113,21 +105,150 @@ You can only exclude executable files.
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extesnsion. The process must be an executable. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
## Use PowerShell cmdlets and WMI to configure exclusion lists
Excluding and reviewing file extensions, paths and files (including processes), and files opened by processes with PowerShell requires using a combination of four cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the Defender module.
There are three exclusion lists:
- ExclusionExtension
- ExclusionPath
- ExclusionProcess
You can modify each of the lists with the following cmdlets:
- Set-MpPreference to create or overwrite the defined list
- Add-MpPreference to add new items to the defined list
- Remove-MpPreference to remove or delete items from the defined list
- Get-MpPreference to review the items in the list, either all at once with all other Windows Defender AV settings, or individually for each of the lists
The format for the command is:
```PowerShell
**Use PowerShell cmdlets to create a new list of file extension exclusions:**
1. Review the current list of exclusions:
```PowerShell
Get-MpPreference
Set-MpPreference -ExclusionExtension
Add-MpPreference -ExclusionExtension
Remove-MpPreference -ExclusionExtension
```
>[!IMPORTANT]
>Use the `Set-MpPreference` cmdlet to create a list. This will overwrite the existing list.
>Use `Add-MpPreference` to add items to the list, and `Remove-MpPreference` to remove or delete items from the list.
>Assigning `Get-MpPreference` to a variable and then querying `ExclusionExtension` will place the items from each instance of `Add-MpPreference` on its own line. Using `Get-MpPreference` on its own will place all items together.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to configure file extension exclusions:**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
DisableAutoExclusions
```
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## Use System Center Configuration Manager, Intune, or the Windows Defender Security Center app to configure exclusion lists
**Use Configuration Manager to configure file extension exclusions:**
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
**Use Microsoft Intune to configure file extension exclusions:**
See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
**Use the Windows Defender Security app to add exclusions to Windows Defender AV:**
See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
## Configure auto exclusions lists for Windows Server deployments
If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Server role.
If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
You can also [add custom exclusions to the auto exclusions with PowerShell](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server#BKMK_DefExclusions).
Exclusions | Turn off Auto Exclusions |
You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other sections in this topic.
You can also disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
Use the following cmdlets:
```PowerShell
Set-MpPreference -DisableAutoExclusions
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
DisableAutoExclusions
```
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
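Review bot: the WMI block under `**Use Windows Management Instruction (WMI) to configure file extension exclusions:**` names `DisableAutoExclusions` as the property to set, but that is the auto-exclusions switch, not an exclusion list; this section should name the three list properties introduced a few lines earlier (`ExclusionExtension`, `ExclusionPath`, `ExclusionProcess`). The identical block is correct where it is reused under the Windows Server 2016 section, so this reads as a copy-paste slip. Further points in this hunk: (1) `The format for the command is:` opens a PowerShell code fence, and a second PowerShell fence opens four lines later with only one closing fence before the IMPORTANT note; make sure exactly one opening fence survives, or the bold `**Use PowerShell cmdlets to create a new list of file extension exclusions:**` line and `1. Review the current list of exclusions:` get swallowed into the code block. (2) `Set-MpPreference -ExclusionExtension` and the Add/Remove lines show the parameter with no value; add a placeholder such as `<extension>` so the format shows where the list items go. (3) `Windows Management Instruction (WMI)` should be `Windows Management Instrumentation (WMI)` in both bold headings, matching the **Manageability available with** list. (4) `Exclusions | Turn off Auto Exclusions |` is a stray table-row fragment in the middle of the auto-exclusions prose with no description or default cells; it belongs in the Group Policy settings table, not in this topic. (5) `extesnsion` is still misspelled in the rewritten step 3 line, `Windows Defender Security app` is missing `Center`, and the Group Policy steps are numbered 1, 3, 4, 5, 6. (6) `Set-MpPreference -DisableAutoExclusions` takes a Boolean value, so the snippet should read `Set-MpPreference -DisableAutoExclusions $true` to run as shown.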

View File

@ -67,7 +67,7 @@ Real-time protection | Turn on process scanning whenever real-time protection is
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analysed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or server roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.
Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled (both directions)
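Review bot: the rewritten `Configure monitoring for incoming and outgoing file and program activity` row still has only three cells, while every other row in this table ends with a fourth default-value cell (`| Enabled`); the hunk only changes `server roles` to `Server Roles`, so add the missing default while touching the row. Note too that the following unchanged row ends with `Enabled (both directions)`, which reads like the default for the monitoring-direction row rather than for `Turn on heuristics`; check whether the default cells have shifted by one row.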

View File

@ -26,7 +26,7 @@ You can deploy, manage, and report on Windows Defender Antivirus in a number of
As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Secrutiy Center, or Group Policy Objects, which is described in the following table.
However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Security Center, or Group Policy Objects, which is described in the following table.
You'll also see additional links for:
- Managing Windows Defender Antivirus protection, including managing product and protection updates
@ -49,7 +49,7 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
1. <span id="fn2" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
1. <span id="fn3" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date. Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref3)
1. <span id="fn3" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref3)
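Review bot: the new parenthetical `out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Traditional deployment` opens a parenthesis before the link that is never closed; it should read `out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment`. The link target is the file added in this commit, so the reference itself resolves.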

View File

@ -12,4 +12,5 @@ localizationpriority: medium
author: iaanw
---
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
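Review bot: the removed and added heading lines are identical as displayed (`# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV`), so this hunk presumably changes only trailing whitespace or the line ending; if that is not intentional, drop it to keep the diff free of noise.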

View File

@ -35,7 +35,7 @@ We've expanded this documentation library to cover end-to-end deployment, manage
See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
<a id="sysreq"></a>
## Minimum system requirements
Windows Defender has the same hardware requirements as Windows 10. For more information, see:
@ -45,13 +45,15 @@ Windows Defender has the same hardware requirements as Windows 10. For more info
Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
## Compatibility with Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongisde your other antivirus product.
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans wont run, and Windows Defender will not provide real-time protection from malware.
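Review bot: `alongisde` in the new sentence `On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongisde your other antivirus product.` is misspelled. The same line switches names mid-sentence (`... not using Windows Defender AV as your real-time protection service ..., Windows Defender will automatically enter into a passive mode`); pick one name, since the next paragraph also describes passive mode in terms of `Windows Defender`. The unchanged context line `scheduled scans wont run` is missing its apostrophe (`won't`).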

View File

@ -0,0 +1,50 @@
---
title: Windows Defender Antivirus on Windows Server 2016
description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Windows Defender Antivirus on Windows Server
**Applies to:**
- Windows Server 2016
**Audience**
- Enterprise security administrators
- Network administrators
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
- In Windows Server 2016, [automatic exclusions](configure-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md#sysreq).
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
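Review bot: the new file's second bullet links to `windows-defender-antivirus-on-windows-server-2016.md#sysreq`, which is this same file, but the `sysreq` anchor is defined in the Windows 10 overview topic (`<a id="sysreq"></a>` above `## Minimum system requirements` in this commit), not here, so the link goes nowhere; point it at `windows-defender-antivirus-in-windows-10.md#sysreq`. The front matter lists `ms.pagetype: security` twice; drop one. Minor: the H1 reads `# Windows Defender Antivirus on Windows Server` while `title:` says `Windows Defender Antivirus on Windows Server 2016`, and `**Applies to:**` carries a colon that the other topics' `**Applies to**` headers do not; align both.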

View File

@ -42,6 +42,9 @@ The app also includes the settings and status of:
- Windows Defender SmartScreen Filter
- Parental and Family Controls
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Advanced Security Center, which is the web portal used to review and manage [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md).
**Review virus and threat protection settings in the Windows Defender Security Center app:**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.