deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

reference, wdo, and parent topics check

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-03-21 21:30:40 -07:00
parent 2a2dc09885
commit b3345c950e
21 changed files with 457 additions and 769 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
windows/keep-secure/WDAV-working/command-line-arguments-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Learn how to run a scan from command line in Windows Defender (Windows 10)
description: Windows Defender utility enables IT professionals to use command line to run antivirus scans.
title: Use the command line to manage Windows Defender AV
description: Windows Defender AV has a dedicated command-line utility that can run scans and configure protection.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -9,41 +9,36 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: mjcaparas
author: iawilt
---
# Run a Windows Defender scan from the command line
# Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus
**Applies to:**
- Windows 10
IT professionals can use a command-line utility to run a Windows Defender scan.
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus.
This utility can be handy when you want to automate the use of Windows Defender.
This utility can be handy when you want to automate the use of Windows Defender Antivirus.
**To run a quick scan from the command line**
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
1. Click **Start**, type **cmd**, and press **Enter**.
2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
```
C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
```
The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
> [!NOTE]
> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
The utility also provides other commands that you can run:
The utility has the following commands:
```
```DOS
MpCmdRun.exe [command] [-options]
```
Command | Description
:---|:---
\- ? / -h | Displays all available options for the tool
\- ? **or** -h | Displays all available options for the tool
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
\-GetFiles | Collects support information
@ -51,5 +46,14 @@ Command | Description
\-AddDynamicSignature [-Path] | Loads a dynamic signature
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
<br>
The command-line utility provides detailed information on the other commands supported by the tool.
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

122
windows/keep-secure/WDAV-working/configuration-management-reference-windows-defender-antivirus.md
View File

@ -1,120 +1,44 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title: Windows Defender AV reference for management tools
description: Learn how Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line can be used to manage Windows Defender AV
keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iaanw
---
# Detect and block Potentially Unwanted Application in Windows 10
# Reference topics for management and configuration tools
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
**Audience**
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
- Enterprise security administrators
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
Windows Defender Antivirus can be managed and configured with the following tools:
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
- Group Policy
- System Center Configuration Manager and Microsoft Intune
- PowerShell cmdlets
- Windows Management Instruction (WMI)
- The mpcmdrun.exe utility
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
The topics in this section provide further information, links, and resources for using these tools in conjunction with Windows Defender AV.
##Enable PUA protection in System Center Configuration Manager and Intune
## In this section
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
Topic | Description
---|---
[Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in the Windows 10, version 1703 ADMX templates
[Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)|Information on using System Center Configuration Manager and Microsoft Intune to deploy, manage, report, and configure Windows Defender AV
[Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions on using PowerShell cmdlets in the Defender Module and links to documentation for all cmdlets and allowed parameters
[Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)| Instructions on using WMI to manage Windows Defender AV and links to documentation for the Windows Defender WMIv2 APIs (including all classes, methods, and properties)
[Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender AV
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

28
windows/keep-secure/WDAV-working/configure-end-user-interaction-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Enable and configure protection features in Windows Defender AV
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
title: Configure how users can interact with Windows Defender AV
description: Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings.
keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---
# Configure behavioral, heuristic, and real-time protection
# Configure end-user interaction with Windows Defender Antivirus
**Applies to:**
@ -22,22 +22,18 @@ author: iaanw
- Enterprise security administrators
Windows Defender Antivirus uses several methods to provide threat protection:
**Manageability available with**
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
- Group Policy
You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection.
You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
This includes whether they see the Windows Defender AV interface, what notifications they see, and if they can locally override globally deployed Group Policy settings.
## In this section
Topic | Description
Topic | Description
---|---
[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features
[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
[Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users
[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints

107
windows/keep-secure/WDAV-working/configure-local-policy-overrides-windows-defender-antivirus.md
View File

@ -1,120 +1,35 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title:
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iaanw
---
# Detect and block Potentially Unwanted Application in Windows 10
# Prevent users from locally modifying policy settings
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
**Audience**
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
- Enterprise security administrators
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
## Related topics
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)

2
windows/keep-secure/WDAV-working/configure-network-connections-windows-defender-antivirus.md
View File

@ -147,7 +147,7 @@ Use the following argument with the Windows Defender AV command line utility (*m
MpCmdRun - ValidateMapsConnection
```
See [Run a Windows Defender scan from the command line](run-scan-command-line-windows-defender-antivirus) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
**Attempt to download a fake malware file from Microsoft:**

107
windows/keep-secure/WDAV-working/configure-notifications-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Configure enhanced notifications for Windows Defender
description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
title: Configure notifications for Windows Defender Antivirus
description: Configure and customize notifications from Windows Defender AV.
keywords: notifications, defender, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -12,35 +12,116 @@ localizationpriority: medium
author: iaanw
---
# Configure enhanced notifications for Windows Defender in Windows 10
# Configure the notifications that appear on endpoints
**Applies to:**
- Windows 10, version 1607
- Windows 10, version 1703
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- Windows Defender Security Center app
In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
You can enable and disable enhanced notifications in Windows Settings.
You can also configure how standard notifications appear on endpoints, such as notfications for reboot or when a threat has been detected and remediated.
## Disable notifications
## Configure the additional notifications that appear on endpoints
You can disable enhanced notifications on individual endpoints in Windows Settings.
You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy.
**Use Windows Settings to disable enhanced notifications on individual endpoints**
> [!NOTE]
> In Windows 10, version 1607, the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**.
1. Open the **Start** menu and click or type **Settings**.
> [!IMPORTANT]
> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section.
**Use the Windows Defender Security Center app to disable additional notifications:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png)
3. Scroll to the **Notifications** section and click **Change notification settings**.
4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
**Use Group Policy to disable additional notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**.
6. Double-click the **Turn off enhanced notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Configure standard notifications on endpoints
You can use Group Policy to:
- Display additional, customized text on endpoints when the user needs to perform an action
- Hide all notifications on endpoints
- Hide reboot notifications on endpoints
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
**Use Group Policy to display additional, custom text in notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**.
7. Enter the additional text you want to be shown to users. Click **OK**.
**Use Group Policy to hide notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
**Use Group Policy to hide reboot notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
1. Toggle the setting between **On** and **Off**.
![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png)
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)

53
windows/keep-secure/WDAV-working/configure-windows-defender-antivirus-features.md
View File

@ -17,39 +17,38 @@ author: iaanw
**Applies to:**
- Windows 10, version 1703
- Windows 10
**Audience**
- Enterprise security administrators
You can configure Windows Defender Antivirus features in a number of ways, including:
Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using:
Windows Defender Antivirus can be configured with a number of tools, including:
- Group Policy Settings
- Windows Management Instrumentation (WMI)
- PowerShell
## Related topics
- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
- Group Policy settings
- System Center Configuration Manager
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
- Microsoft Intune
The following broad categories of features can be configured:
- Cloud-delivered protection
- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
- How end-users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Windows Defender AV. Each topic includes instructions for the applicable configuration tool (or tools).
You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help.
## In this section
Topic | Description
:---|:---
[Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV
[Configure end-user interaction with WDAM](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings

4
windows/keep-secure/WDAV-working/deploy-manage-report-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Deploy, manage, and report on Windows Defender Antivirus
description:
keywords:
description: You can deploy and manage Windows Defender Antivirus with Group Policy, Configuration Manager, WMI, PowerShell, or Intune
keywords: deploy, manage, update, protection, windows defender antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10

4
windows/keep-secure/WDAV-working/deploy-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Deploy and enable Windows Defender Antivirus
description: Deploy Windows Defender AV for protection of your endpoints, using System Center Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI.
keywords:
description: Deploy Windows Defender AV for protection of your endpoints with Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10

1
windows/keep-secure/WDAV-working/deployment-vdi-windows-defender-antivirus.md
View File

@ -30,6 +30,7 @@ author: iaanw
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. For more details on the best configuration options to ensure a good balance between performance and protection, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.

144
windows/keep-secure/WDAV-working/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title: Block Potentially Unwanted Applications with Windows Defender AV
description: Enable the Potentially Unwanted Application (PUA) feature in Windows Defender Antivirus to block unwanted software such as adware.
keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, windows defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -9,112 +9,102 @@ ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iawilt
---
# Detect and block Potentially Unwanted Application in Windows 10
# Detect and block Potentially Unwanted Applications
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
**Audience**
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
- Enterprise security administrators
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
**Manageability available with**
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
- System Center Configuration Manager
- PowerShell cmdlets
- Microsoft Intune
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
The Potentially Unwanted Application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network.
##Enable PUA protection in System Center Configuration Manager and Intune
These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation.
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
Typical PUA behavior includes:
- Various types of software bundling
- Ad-injection into web browsers
- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)
###Configure PUA in System Center Configuration Manager
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
## How it works
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions:
- The file is being scanned from the browser
- The file is in the %downloads% folder
- The file is in the %temp% folder
<br>
###Use PUA audit mode in System Center Configuration Manager
The file is placed in the quarantine section so it wont run.
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:").
1. Open PowerShell as Administrator: <br>
They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history).
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
## View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.
See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.
## Configure the PUA protection feature
You can enable the PUA protection feature with System Center Configuration Manager, PowerShell cmdlets, or Microsoft Intune.
You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.
This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
**Use Configuration Manager to configure the PUA protection feature:**
PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later.
See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch).
For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
**Use PowerShell cmdlets to configure the PUA protection feature:**
###Configure PUA in Intune
Use the following cmdlet:
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
```PowerShell
Set-MpPreference -PUAProtection
```
Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled.
Setting `AuditMode` will detect PUAs but will not block them.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
**Use Intune to configure the PUA protection feature**
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
## Related topics
- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

2
windows/keep-secure/WDAV-working/evaluate-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Evaluate Windows Defender Antivirus (Windows 10)
title: Evaluate Windows Defender Antivirus
description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10.
keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
search.product: eADQiWindows 10XVcnh

33
windows/keep-secure/WDAV-working/prevent-end-user-interaction-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Enable and configure protection features in Windows Defender AV
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
title:
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -12,8 +12,7 @@ localizationpriority: medium
author: iaanw
---
# Configure behavioral, heuristic, and real-time protection
# Prevent users from seeing or interacting with the Windows Defender AV user interface
**Applies to:**
- Windows 10
@ -22,22 +21,14 @@ author: iaanw
- Enterprise security administrators
Windows Defender Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection.
## In this section
Topic | Description
---|---
[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)

6
windows/keep-secure/WDAV-working/report-monitor-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Monitor and report on Windows Defender Antivirus protection
description:
keywords:
description: Use Configuration Manager or SIEM tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
keywords: siem, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -34,5 +34,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)

120
windows/keep-secure/WDAV-working/requirements-windows-defender-antivirus.md
View File

@ -1,120 +0,0 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

127
windows/keep-secure/WDAV-working/run-scan-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title:
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -9,112 +9,51 @@ ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iawilt
---
# Detect and block Potentially Unwanted Application in Windows 10
#
# Run a Windows Defender scan from the command line
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
IT professionals can use a command-line utility to run a Windows Defender scan.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
This utility can be handy when you want to automate the use of Windows Defender.
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
**To run a quick scan from the command line**
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
1. Click **Start**, type **cmd**, and press **Enter**.
2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
##Enable PUA protection in System Center Configuration Manager and Intune
```
C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
```
The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
The utility also provides other commands that you can run:
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
```
MpCmdRun.exe [command] [-options]
```
If you are using these versions | See these topics
Command | Description
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
\- ? / -h | Displays all available options for the tool
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
\-GetFiles | Collects support information
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
\-AddDynamicSignature [-Path] | Loads a dynamic signature
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder
The command-line utility provides detailed information on the other commands supported by the tool.

56
windows/keep-secure/WDAV-working/troublshoot-windows-defender-antivirus.md → windows/keep-secure/WDAV-working/troubleshoot-windows-defender-antivirus.md
View File

@ -1,32 +1,44 @@
---
title: Troubleshoot Windows Defender in Windows 10 (Windows 10)
description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
title: Windows Defender AV event IDs and error codes
description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: jasesso
author: iawilt
---
# Troubleshoot Windows Defender in Windows 10
# Review event logs and error codes to troubleshoot issues with Windows Defender AV
**Applies to**
- Windows 10
IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
<span id="windows-defender-av-ids" />
## Windows Defender client event IDs
**Audience**
This section provides the following information about Windows Defender client events:
- Enterprise security administrators
- The text of the message as it appears in the event
- The name of the source of the message
- The symbolic name that identifies each message in the programming source code
- Additional information about the message
Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**.
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
The tables list:
- [Windows Defender AV client event IDs](#windows-defender-av-ids)
- [Windows Defender AV client error codes](#error-codes)
- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes)
<a id="windows-defender-av-ids"></a>
## Windows Defender AV client event IDs
Windows Defender AV records event IDs in the Windows event log.
You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
The table in this section lists the main Windows Defender Antivirus client event IDs and, where possible, provides suggested solutions to fix or resolve the error.
**To view a Windows Defender client event**
@ -36,7 +48,7 @@ Use the information in this table to help troubleshoot Windows Defender client e
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
<table>
<tr>
@ -2697,13 +2709,14 @@ Description of the error. </dt>
</tr>
</table>
<a id="error-codes"></a>
## Windows Defender client error codes
If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about Windows Defender client errors.
If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about Windows Defender Antivirus client errors.
- The error code
- The possible reason for the error
- Advice on what to do now
Use the information in these tables to help troubleshoot Windows Defender error codes.
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
<table>
<tr>
<th colspan="4">External error codes</th>
@ -2955,7 +2968,10 @@ article</a>.</p>
</td>
</tr>
</table>
<p> </p>
<a id="internal-error-codes"></a>
The following error codes are used during internal testing of Windows Defender AV.
<table>
<tr>
<th colspan="4">Internal error codes</th>
@ -3305,5 +3321,5 @@ article</a>.</p>
## Related topics
- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
- [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

11
windows/keep-secure/WDAV-working/use-powershell-cmdlets-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10
description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.
title: Use PowerShell cmdlets to configure and run Windows Defender AV
description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender Antivirus.
keywords: scan, command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---
# Use PowerShell cmdlets to configure and run Windows Defender Antivirus
# Use PowerShell cmdlets to configure and manage Windows Defender AV
**Applies to:**
@ -40,11 +40,12 @@ PowerShell is typically installed under the folder _%SystemRoot%\system32\Window
To open online help for any of the cmdlets type the following:
```text
```PowerShell
Get-Help <cmdlet> -Online
```
Omit the `-online` parameter to get locally cached help.
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

91
windows/keep-secure/WDAV-working/windows-defender-antivirus-in-windows-10.md
View File

@ -1,48 +1,51 @@
---
title: Windows Defender in Windows 10 (Windows 10)
description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
title: Windows Defender Antivirus
description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: jasesso
author: iawilt
---
# Windows Defender in Windows 10
# Windows Defender Antivirus in Windows 10
**Applies to**
- Windows 10
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
## What's new in Windows 10, version 1703
New features for Windows Defender AV in Windows 10, version 1703 include:
- [Updates to how the Block at First Sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md)
- [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md)
- [Windows Defender Antivirus protection in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender AV, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios:
- [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md)
- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md)
See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
## Cloud-delivered protection
## Minimum system requirements
Windows Defender has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
## Always on real-time protection
Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings
- Windows Server Update Services (WSUS) for definitions
Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
> **Note:**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
- Settings management
- Definition update management
- Alerts and alert management
- Reports and report management
When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
### Compatibility with Windows Defender Advanced Threat Protection
## Compatibility with Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
@ -52,36 +55,20 @@ If you are enrolled in Windows Defender ATP, and you are not using Windows Defen
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans wont run, and Windows Defender will not provide real-time protection from malware.
You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
 
### Minimum system requirements
Windows Defender has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
### New and changed functionality
- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
## In this section
## In this library
Topic | Description
:---|:---
[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
[Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
[Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)|Use the command-line utility to run a Windows Defender scan.
[Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)|Use the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script.
[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools.
[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can use a number of management tools, including Group Policy, System Center Configuration Manager, Microsoft Intune, PowerShell cmdlets, and Windows Management Instrumentation (WMI). You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings.
[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected.
[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs in Windows Defender Antivirus and take the appropriate actions.
[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here.

160
windows/keep-secure/WDAV-working/windows-defender-offline.md
View File

@ -1,6 +1,6 @@
---
title: Windows Defender Offline in Windows 10
description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
description: You can use Windows Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
keywords: scan, defender, offline
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -12,15 +12,26 @@ localizationpriority: medium
author: iaanw
---
# Windows Defender Offline in Windows 10
# Run and review the results of a Windows Defender Offline scan
**Applies to:**
- Windows 10, version 1607
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell cmdlets
- Windows Management Instruction (WMI)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
## Pre-requisites and requirements
@ -39,16 +50,18 @@ To run Windows Defender Offline from the endpoint, the user must be logged in wi
## Windows Defender Offline updates
Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
> [!NOTE]
> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
See the [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information.
## Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
@ -58,125 +71,76 @@ The user will also be notified within the Windows Defender client:
![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png)
In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png)
## Manage notifications
## Configure notifications
<a name="manage-notifications"></a>
You can suppress Windows Defender Offline notifications with Group Policy.
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications.
> [!NOTE]
> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
**Use Group Policy to suppress Windows Defender notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
## Configure Windows Defender Offline settings
You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) topic.
## Run a scan
Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
> [!IMPORTANT]
> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
> [!NOTE]
> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
You can run a Windows Defender Offline scan with the following:
You can set up a Windows Defender Offline scan with the following:
- Windows Update and Security settings
- Windows Defender
- Windows Management Instrumentation
- Windows PowerShell
- Group Policy
> [!NOTE]
> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
**Run Windows Defender Offline from Windows Settings:**
1. Open the **Start** menu and click or type **Settings**.
1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
1. Click **Scan offline**.
![Windows Defender Offline setting](images/defender/settings-wdo.png)
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Run Windows Defender Offline from Windows Defender:**
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
1. On the **Home** tab click **Download and Run**.
![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png)
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
- PowerShell
- Windows Management Instrumentation (WMI)
- The Windows Defender Security Center app
**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
**Use PowerShell cmdlets to run an offline scan:**
Use the following cmdlets:
```PowerShell
Start-MpWDOScan
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to run an offline scan:**
Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class to run an offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
```WMI
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
```
For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
**Use the Windows Defender Security app to run an offline scan:**
**Run Windows Defender Offline using PowerShell:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
3. Select **Windows Defender Offline scan** and click **Scan now**.
> [!NOTE]
> In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
## Review scan results
Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history).
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
1. Go to the **History** tab.
1. Select **All detected items**.
1. Click **View details**.
Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
![Windows Defender detection source showing as Offline](images/defender/detection-source.png)
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)

4
windows/keep-secure/WDAV-working/windows-defender-security-center-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Windows Defender Antivirus in the Windows Defender Security Center app
description: Windows Defender AV is now included in the Windows Defender Security Center app
description: Windows Defender AV is now included in the Windows Defender Security Center app.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -125,7 +125,7 @@ This section describes how to perform some of the most common tasks when reviewi
5. Click the plus icon to choose the type and set the options for each exclusion.
<a id="detection-history"></a>
**Review threat detection history in the Windows Defender Security Center app**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.