Updated content

This commit is contained in:
ManikaDhiman 2019-11-20 15:33:33 -08:00
parent d4e0c1e9a7
commit 9dc57009c1
8 changed files with 59 additions and 32 deletions


@ -1,5 +1,5 @@
--- ---
title: Configure always-on real-time Windows Defender Antivirus protection title: Enable and configure Windows Defender Antivirus protection capabilities
description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
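Review bot: The new title, "Enable and configure Windows Defender Antivirus protection capabilities", widens the page's scope, but the `description:` and `keywords:` lines in this same hunk are left unchanged and still describe only real-time protection features (behavior monitoring, heuristics, machine-learning). Either keep the title on the always-on/real-time scope or update the description and keywords so the search metadata matches the renamed page; the body below also never mentions machine-learning, so that keyword should be checked against the actual content.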
@ -11,63 +11,90 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: dansimp author: dansimp
ms.author: dansimp ms.author: dansimp
ms.date: 11/13/2018 ms.date: 11/19/2019
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
# Enable and configure antivirus always-on protection and monitoring # Enable and configure Windows Defender Antivirus protection capabilities
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. Windows Defender Antivirus protection capabilities include real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features, which identify malware based on known suspicious and malicious activities.
These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure. These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
## Configure and enable always-on protection ## Use Group Policy to enable and configure Windows Defender Antivirus protection
You can configure how always-on protection works with the Group Policy settings described in this section. You can use **Local Group Policy Editor** to enable and configure Windows Defender Antivirus policy settings.
To configure these settings: 1. Open **Local Group Policy Editor**.
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
![GPEdit taskbar search result](images/gpedit-search.png)
2. In **Local Group Policy Editor** right pane, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus**.
![Windows Defender Antivirus](images/gpedit-windows-defender-antivirus.png)
3. Configure the Windows Defender Antivirus antimalware service policy settings.
1. Double-click the **Setting** as specified in the following table:
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. | Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
| Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled
2. Configure the setting as appropriate, and click **OK**.
3. Repeat the previous steps for each setting in the table.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 4. Configure the Windows Defender Antivirus real-time protection policy settings.
1. In the **Windows Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from Windows Defender Antivirus console tree on left pane, click **Real-time Protection**.
![Windows Defender Antivirus Real-time Protection options](images/gpedit-real-time-protection.png)
2. In the **Real-time Protection** details pane, double-click the setting as specified in the following table:
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. | Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled |
| Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled |
| Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled |
| Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled |
| Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled |
| Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled |
| Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
3. Configure the setting as appropriate, and click **OK**.
4. Repeat the previous steps for each setting in the table.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK** and repeat for any other settings. 5. Configure the Windows Defender Antivirus scanning policy setting.
1. From the **Windows Defender Antivirus** tree on left pane, click **Scan**.
![Windows Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
2. In the **Scan** details pane, double-click the setting as specified in the following table:
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity | Enabled |
3. Configure the setting as appropriate, and click **OK**.
6. Close **Local Group Policy Editor**.
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled
Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity | Enabled
Root | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled
## Disable real-time protection ## Disable real-time protection
> [!WARNING] > [!WARNING]
> Disabling real-time protection will drastically reduce the protection on your endpoints and is not recommended. > Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
The main real-time protection capability is enabled by default, but you can disable it with Group Policy: The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
**Use Group Policy to disable real-time protection:** 1. Open **Local Group Policy Editor**.
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In **Local Group Policy Editor** right pane, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Real-time Protection**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 3. Double-click **Turn off real-time protection**.
![Turn off real-time protection](images/gpedit-turn-off-real-time-protection.png)
3. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**. 4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**. 5. Click **OK**.
6. Close **Local Group Policy Editor**.
## Related topics ## Related topics
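Review bot: Replacing the Group Policy Management Console steps with Local Group Policy Editor (`gpedit`) steps removes the only guidance for applying these settings through a domain GPO, even though the **Applies to** line targets Microsoft Defender ATP, which is normally managed centrally; consider keeping one sentence stating that the same settings sit under the same **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** path in the Group Policy Management Editor. Three smaller points in the same hunk: step 2 of both the enable and the disable procedures says to expand the tree in the "right pane", while step 4.1 correctly refers to the console tree on the left pane, so pick one (the tree is the left pane); the process-scanning row now says "Microsoft Defender Antivirus engine" while every other row says "Windows Defender Antivirus engine"; and the new tables drop the "(if not configured)" qualifier from the "Default setting" header, which was the reader's cue that the listed value is what the client uses when the policy is left Not Configured.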
