deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Content reorg and rebranding changes

Browse Source
This commit is contained in:
Andrea Bichsel 2018-08-09 15:40:41 -07:00
parent a62b0855f1
commit c5ad334960
36 changed files with 344 additions and 678 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
View File

@ -1,6 +1,6 @@
---
title: Collect diagnostic data for Update Compliance and antivirus
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender AV Assessment add in
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the antivirus Assessment add in
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security

51
windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Remediate and resolve infections detected by Windows Defender AV
description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
title: Remediate and resolve infections detected by antivirus
description: Configure what antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
keywords: remediation, fix, remove, threats, quarantine, scan, restore
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -14,16 +14,7 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Configure remediation for Windows Defender AV scans
**Applies to**
- Windows 10
**Audience**
- Enterprise security administrators
# Configure remediation for antivirus scans
**Manageability available with**
@ -33,7 +24,7 @@ ms.date: 07/10/2018
- Windows Management Instrumentation (WMI)
- Microsoft Intune
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
When antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
@ -45,40 +36,38 @@ You can configure how remediation works with the Group Policy settings described
To configure these settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
Root | Turn off routine remediation | You can specify whether Windows Defender AV automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Root | Turn off routine remediation | You can specify whether antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
>[!IMPORTANT]
>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
>Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
></p>
>If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md).
>If you are certain antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in antivirus](restore-quarantined-files-windows-defender-antivirus.md).
></p>
>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md).
>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for antivirus scans](configure-exclusions-windows-defender-antivirus.md).
Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings.
Also see [Configure remediation-required scheduled full antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings.
## Related topics
- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
- [Configure antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Configure scheduled antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Configure and run on-demand antivirus scans](run-scan-windows-defender-antivirus.md)
- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Configure end-user antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

320
windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Automatic and customized exclusions for Windows Defender AV on Windows Server 2016
description: Windows Server 2016 includes automatic exclusions, based on Server Role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans
title: Configure antivirus exclusions on Windows Server 2016
description: Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,17 +14,7 @@ ms.author: v-anbic
ms.date: 05/17/2018
---
# Configure exclusions in Windows Defender AV on Windows Server
**Applies to:**
- Windows Server 2016
**Audience**
- Enterprise security administrators
# Configure antivirus exclusions on Windows Server
**Manageability available with**
@ -32,25 +22,25 @@ ms.date: 05/17/2018
- PowerShell
- Windows Management Instrumentation (WMI)
If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions).
Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions.
These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics:
You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics:
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
Custom exclusions take precedence over the automatic exclusions.
Custom exclusions take precedence over automatic exclusions.
> [!TIP]
> Custom and duplicate exclusions do not conflict with automatic exclusions.
Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer.
Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates.
In Windows Server 2016, the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in definition updates.
> [!WARNING]
> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.
@ -58,17 +48,17 @@ In Windows Server 2016 the predefined exclusions delivered by definition updates
> [!NOTE]
> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.
You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
4. Double-click **Turn off Auto Exclusions** and set the option to **Enabled**. Click **OK**.
**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
@ -91,311 +81,305 @@ DisableAutoExclusions
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## List of automatic exclusions
The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
### Default exclusions for all roles
This section lists the default exclusions for all Windows Server 2016 roles.
- Windows "temp.edb" files:
- Windows "temp.edb" files:
- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
- Windows Update files or Automatic Update files:
- Windows Update files or Automatic Update files:
- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
- Windows Security files:
- Windows Security files:
- *%windir%*\Security\database\\*.chk
- *%windir%*\Security\database\\*.chk
- *%windir%*\Security\database\\*.edb
- *%windir%*\Security\database\\*.edb
- *%windir%*\Security\database\\*.jrs
- *%windir%*\Security\database\\*.jrs
- *%windir%*\Security\database\\*.log
- *%windir%*\Security\database\\*.log
- *%windir%*\Security\database\\*.sdb
- *%windir%*\Security\database\\*.sdb
- Group Policy files:
- Group Policy files:
- *%allusersprofile%*\NTUser.pol
- *%allusersprofile%*\NTUser.pol
- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
- WINS files:
- WINS files:
- *%systemroot%*\System32\Wins\\*\\\*.chk
- *%systemroot%*\System32\Wins\\*\\\*.chk
- *%systemroot%*\System32\Wins\\*\\\*.log
- *%systemroot%*\System32\Wins\\*\\\*.log
- *%systemroot%*\System32\Wins\\*\\\*.mdb
- *%systemroot%*\System32\Wins\\*\\\*.mdb
- *%systemroot%*\System32\LogFiles\
- *%systemroot%*\System32\LogFiles\
- *%systemroot%*\SysWow64\LogFiles\
- *%systemroot%*\SysWow64\LogFiles\
- File Replication Service (FRS) exclusions:
- File Replication Service (FRS) exclusions:
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- *%windir%*\Ntfrs\jet\log\\*\\\*.log
- *%windir%*\Ntfrs\jet\log\\*\\\*.log
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- *%windir%*\Ntfrs\\*\Edb\*.log
-*%windir%*\Ntfrs\\*\Edb\*.log
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- *%systemdrive%*\System Volume Information\DFSR\\*.XML
- *%systemdrive%*\System Volume Information\DFSR\\*.XML
- *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- *%systemdrive%*\System Volume Information\DFSR\\*.frx
- *%systemdrive%*\System Volume Information\DFSR\\*.frx
- *%systemdrive%*\System Volume Information\DFSR\\*.log
- *%systemdrive%*\System Volume Information\DFSR\\*.log
- *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
- *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
- *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
- *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
- Process exclusions
- Process exclusions
- *%systemroot%*\System32\dfsr.exe
- *%systemroot%*\System32\dfsr.exe
- *%systemroot%*\System32\dfsrs.exe
- *%systemroot%*\System32\dfsrs.exe
- Hyper-V exclusions:
- Hyper-V exclusions:
- This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
- This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
- File type exclusions:
- File type exclusions:
- *.vhd
- *.vhd
- *.vhdx
- *.vhdx
- *.avhd
- *.avhd
- *.avhdx
- *.avhdx
- *.vsv
- *.vsv
- *.iso
- *.iso
- *.rct
- *.rct
- *.vmcx
- *.vmcx
- *.vmrs
- *.vmrs
- Folder exclusions:
- Folder exclusions:
- *%ProgramData%*\Microsoft\Windows\Hyper-V
- *%ProgramData%*\Microsoft\Windows\Hyper-V
- *%ProgramFiles%*\Hyper-V
- *%ProgramFiles%*\Hyper-V
- *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- Process exclusions:
- Process exclusions:
- *%systemroot%*\System32\Vmms.exe
- *%systemroot%*\System32\Vmms.exe
- *%systemroot%*\System32\Vmwp.exe
- *%systemroot%*\System32\Vmwp.exe
- SYSVOL files:
- SYSVOL files:
- *%systemroot%*\Sysvol\Domain\\*.adm
- *%systemroot%*\Sysvol\Domain\\*.adm
- *%systemroot%*\Sysvol\Domain\\*.admx
- *%systemroot%*\Sysvol\Domain\\*.admx
- *%systemroot%*\Sysvol\Domain\\*.adml
- *%systemroot%*\Sysvol\Domain\\*.adml
- *%systemroot%*\Sysvol\Domain\Registry.pol
- *%systemroot%*\Sysvol\Domain\Registry.pol
- *%systemroot%*\Sysvol\Domain\\*.aas
- *%systemroot%*\Sysvol\Domain\\*.aas
- *%systemroot%*\Sysvol\Domain\\*.inf
- *%systemroot%*\Sysvol\Domain\\*.inf
- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- *%systemroot%*\Sysvol\Domain\\*.ins
- *%systemroot%*\Sysvol\Domain\\*.ins
- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
### Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- %windir%\Ntds\ntds.dit
- %windir%\Ntds\ntds.dit
- %windir%\Ntds\ntds.pat
- %windir%\Ntds\ntds.pat
- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\Res*.log
- %windir%\Ntds\Res*.log
- %windir%\Ntds\Edb*.jrs
- %windir%\Ntds\Edb*.jrs
- %windir%\Ntds\Ntds*.pat
- %windir%\Ntds\Ntds*.pat
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\TEMP.edb
- %windir%\Ntds\TEMP.edb
- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- %windir%\Ntds\Temp.edb
- %windir%\Ntds\Temp.edb
- %windir%\Ntds\Edb.chk
- %windir%\Ntds\Edb.chk
- Process exclusions for AD DS and AD DS-related support files:
- Process exclusions for AD DS and AD DS-related support files:
- %systemroot%\System32\ntfrs.exe
- %systemroot%\System32\ntfrs.exe
- %systemroot%\System32\lsass.exe
- %systemroot%\System32\lsass.exe
### DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
- *%systemroot%*\System32\DHCP\\*\\\*.pat
- *%systemroot%*\System32\DHCP\\*\\\*.pat
- *%systemroot%*\System32\DHCP\\*\\\*.log
- *%systemroot%*\System32\DHCP\\*\\\*.log
- *%systemroot%*\System32\DHCP\\*\\\*.chk
- *%systemroot%*\System32\DHCP\\*\\\*.chk
- *%systemroot%*\System32\DHCP\\*\\\*.edb
- *%systemroot%*\System32\DHCP\\*\\\*.edb
### DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
- File and folder exclusions for the DNS Server role:
- File and folder exclusions for the DNS Server role:
- *%systemroot%*\System32\Dns\\*\\\*.log
- *%systemroot%*\System32\Dns\\*\\\*.log
- *%systemroot%*\System32\Dns\\*\\\*.dns
- *%systemroot%*\System32\Dns\\*\\\*.dns
- *%systemroot%*\System32\Dns\\*\\\*.scc
- *%systemroot%*\System32\Dns\\*\\\*.scc
- *%systemroot%*\System32\Dns\\*\BOOT
- *%systemroot%*\System32\Dns\\*\BOOT
- Process exclusions for the DNS Server role:
- Process exclusions for the DNS Server role:
- *%systemroot%*\System32\dns.exe
- *%systemroot%*\System32\dns.exe
### File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- *%SystemDrive%*\ClusterStorage
- *%SystemDrive%*\ClusterStorage
- *%clusterserviceaccount%*\Local Settings\Temp
- *%clusterserviceaccount%*\Local Settings\Temp
- *%SystemDrive%*\mscs
- *%SystemDrive%*\mscs
### Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
- File type exclusions:
- File type exclusions:
- *.shd
- *.shd
- *.spl
- *.spl
- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
- *%system32%*\spool\printers\\*
- *%system32%*\spool\printers\\*
- Process exclusions:
- Process exclusions:
- spoolsv.exe
- spoolsv.exe
### Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
- Folder exclusions:
- Folder exclusions:
- *%SystemRoot%*\IIS Temporary Compressed Files
- *%SystemRoot%*\IIS Temporary Compressed Files
- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- *%systemDrive%*\inetpub\logs
- *%systemDrive%*\inetpub\logs
- *%systemDrive%*\inetpub\wwwroot
- *%systemDrive%*\inetpub\wwwroot
- Process exclusions:
- Process exclusions:
- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- *%SystemDrive%*\PHP5433\php-cgi.exe
- *%SystemDrive%*\PHP5433\php-cgi.exe
### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- *%systemroot%*\WSUS\WSUSContent
- *%systemroot%*\WSUS\UpdateServicesDBFiles
- *%systemroot%*\SoftwareDistribution\Datastore
- *%systemroot%*\SoftwareDistribution\Download
- *%systemroot%*\WSUS\WSUSContent
- *%systemroot%*\WSUS\UpdateServicesDBFiles
- *%systemroot%*\SoftwareDistribution\Datastore
- *%systemroot%*\SoftwareDistribution\Download
## Related topics
- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Customize, initiate, and review the results of antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

36
windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
View File

@ -1,7 +1,7 @@
---
title: Configure Windows Defender Antivirus features (Windows 10)
description: You can configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings.
keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
title: Configure antivirus features
description: You can configure antivirus features with Intune, System Center Configuration Manager, Group Policy, and PowerShell.
keywords: antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,25 +14,15 @@ ms.author: v-anbic
ms.date: 08/26/2017
---
# Configure Windows Defender Antivirus features
# Configure antivirus features
You can configure antivirus with a number of tools, including:
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
Windows Defender Antivirus can be configured with a number of tools, including:
- Group Policy settings
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
- Microsoft Intune
The following broad categories of features can be configured:
@ -40,17 +30,13 @@ The following broad categories of features can be configured:
- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
- How end-users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Windows Defender AV. Each topic includes instructions for the applicable configuration tool (or tools).
The topics in this section describe how to perform key tasks when configuring antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help.
## In this section
Topic | Description
:---|:---
[Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV
[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings
[Utilize Microsoft cloud-provided antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
[Configure end-user antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with antivirus, what notifications they see, and whether they can override settings

30
windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Run and customize scheduled and on-demand scans
description: Customize and initiate scans using Windows Defender AV on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan
description: Customize and initiate antivirus scans on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,29 +14,17 @@ ms.author: v-anbic
ms.date: 08/26/2017
---
# Customize, initiate, and review the results of Windows Defender AV scans and remediation
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure scans run by Windows Defender Antivirus.
# Customize, initiate, and review the results of antivirus scans and remediation
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure antivirus scans.
## In this section
Topic | Description
Topic | Description
---|---
[Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
[Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
[Configure and validate file, folder, and process-opened file exclusions in antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
[Configure antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app

49
windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Deploy, manage, and report on Windows Defender Antivirus
description: You can deploy and manage Windows Defender Antivirus with Group Policy, Configuration Manager, WMI, PowerShell, or Intune
title: Deploy, manage, and report on antivirus
description: You can deploy and manage antivirus with Intune, System Center Configuration Manager, Group Policy, PowerShell, or WMI
keywords: deploy, manage, update, protection, windows defender antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -14,46 +14,36 @@ ms.author: v-anbic
ms.date: 07/19/2018
---
# Deploy, manage, and report on Windows Defender Antivirus
# Deploy, manage, and report on antivirus
**Applies to:**
You can deploy, manage, and report on antivirus in a number of ways.
- Windows 10
Because the antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
**Audience**
- IT administrators
You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Security Center, or Group Policy Objects, which is described in the following table.
However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table.
You'll also see additional links for:
- Managing Windows Defender Antivirus protection, including managing product and protection updates
- Reporting on Windows Defender Antivirus protection
- Managing antivirus protection, including managing product and protection updates
- Reporting on antivirus protection
> [!IMPORTANT]
> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
> In most cases, Windows 10 will disable antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables antivirus.
Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management)
Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
2. <span id="fn2" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
3. <span id="fn3" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
3. <span id="fn3" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
[Endpoint Protection point site system role]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-site-role
[default and customized antimalware policies]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies
@ -79,13 +69,10 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
[Possibly infected devices]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md
## In this section
Topic | Description
Topic | Description
---|---
[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
[Deploy and enable antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.

33
windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Deploy and enable Windows Defender Antivirus
description: Deploy Windows Defender AV for protection of your endpoints with Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, windows defender av
title: Deploy and enable antivirus
description: Deploy antivirus for protection of your endpoints with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,29 +14,18 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Deploy and enable Windows Defender Antivirus
# Deploy and enable antivirus
Depending on the management tool you are using, you may need to specifically enable or configure antivirus protection.
**Applies to:**
See the table in [Deploy, manage, and report on antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
- Windows 10
Some scenarios require additional guidance on how to successfully deploy or configure antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
**Audience**
- Network administrators
- IT administrators
Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection.
See the table in the [Deploy, manage, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md#ref2) topic for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments.
The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md).
The remaining topic in this section provides end-to-end advice and best practices for [setting up antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md).
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Deployment guide for antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)

215
windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
View File

@ -16,26 +16,16 @@ ms.date: 04/30/2018
# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- System Center Configuration Manager (current branch)
- Group Policy
In addition to standard on-premises or hardware configurations, you can also use antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware.
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware.
We recommend setting the following when deploying Windows Defender AV in a VDI environment:
We recommend setting the following when deploying antivirus in a VDI environment:
Location | Setting | Suggested configuration
---|---|---
@ -46,17 +36,20 @@ Root | Randomize scheduled task times | Enabled
Signature updates | Turn on scan after signature update | Enabled
Scan | Turn on catch up quick scan | Enabled
For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for System Center Configuration Manager and Group Policy, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.
For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection) topic.
There are three main steps in this guide to help roll out Windows Defender AV protection across your VDI:
There are three main steps in this guide to help roll out antivirus protection across your VDI:
1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image)
2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image)
3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including:
1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image)
2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image)
3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including:
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
@ -66,47 +59,49 @@ There are three main steps in this guide to help roll out Windows Defender AV pr
>[!IMPORTANT]
> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
>[!NOTE]
>When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information.
>[!NOTE]
>When you manage Windows with System Center Configuration Manager, antivirus protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information.
## Create and deploy the base image
## Create and deploy the base image
The main steps in this section include:
1. Create your standard base image according to your requirements
2. Apply Windows Defender AV protection updates to your base image
3. Seal or “lock” the image to create a “known-good” image
4. Deploy your image to your VMs
1. Create your standard base image according to your requirements
2. Apply Windows Defender AV protection updates to your base image
3. Seal or “lock” the image to create a “known-good” image
4. Deploy your image to your VMs
### Create the base image
First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs.
### Apply protection updates to the base image
After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update antivirus protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
### Seal the base image
When the base image is fully updated, you should run a quick scan on the image.
After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here:
When the base image is fully updated, you should run a quick scan on the image.
After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both antivirus and the Microsoft Security Removal Tool. This key is located here:
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT'
Remove the string found in the 'GUID' value
This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
This “sealing” or “locking” of the image helps antivirus build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
>[!NOTE]
>[!NOTE]
><b>Quick scan versus full scan</b>
>Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
>Therefore, when considering performance especially for creating a new or updated image in preparation for deployment it makes sense to use a quick scan only.
>Therefore, when considering performance especially for creating a new or updated image in preparation for deployment it makes sense to use a quick scan only.
>A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up.
### Deploy the base image
### Deploy the base image
You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
The following references provide ways you can create and deploy the base image across your VDI:
@ -116,58 +111,57 @@ The following references provide ways you can create and deploy the base image a
- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v)
- [Build Virtual Desktop templates]( https://technet.microsoft.com/en-us/library/dn645526(v=ws.11).aspx)
## Manage your VMs and base image
How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure.
Because Windows Defender AV downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.
Because antivirus downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.
Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
### Manage updates for persistent VDIs
If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows:
1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs).
2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this).
3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md).
4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others.
5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
6. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
### Manage updates for non-persistent VDIs
If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image.
An example:
1. Every night or other time when you can safely take your VMs offline, update your base image with the latest [protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
## Configure endpoints for optimal performance
There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including:
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
- [Disable scans from occurring after every update](#disable-scans-after-an-update)
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
- [Disable scans from occurring after every update](#disable-scans-after-an-update)
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network.
### Randomize scheduled scans
Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
Antivirus supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md).
@ -177,17 +171,17 @@ The start time of the scan itself is still based on the scheduled scan policy
**Use Group Policy to randomize scheduled scan start times:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender** and configure the following setting:
1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
4. Expand the tree to **Windows components > Windows Defender** and configure the following setting:
**Use Configuration Manager to randomize schedule scans:**
- Double-click **Randomize scheduled task times** and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
**Use Configuration Manager to randomize scheduled scans:**
See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch).
@ -196,18 +190,19 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for
### Use quick scans
You can specify the type of scan that should be performed during a scheduled scan.
Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
**Use Group Policy to specify the type of scheduled scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
1. Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**.
4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
- Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. Click **OK**.
**Use Configuration Manager to specify the type of scheduled scan:**
@ -217,34 +212,34 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for
### Prevent notifications
Sometimes, Windows Defender AV notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the user interface for Windows Defender AV.
Sometimes, antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the antivirus user interface.
**Use Group Policy to hide notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
2. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
4. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
- Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
- Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
**Use Configuration Manager to hide notifications:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Advanced** section and configure the following settings:
2. Go to the **Advanced** section and configure the following settings:
1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface.
2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing.
1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface.
3. Click **OK**.
2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing.
3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
3. Click **OK**.
3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
### Disable scans after an update
@ -255,68 +250,58 @@ This setting will prevent a scan from occurring after receiving an update. You c
**Use Group Policy to disable scans after an update:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting:
1. Double-click the **Turn on scan after signature update** setting and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update.
4. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting:
- Double-click **Turn on scan after signature update** and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update.
**Use Configuration Manager to disable scans after an update:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and configure the following setting:
1. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update.
3. Click **OK**.
2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and configure the following setting:
3. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update.
4. Click **OK**.
5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
### Scan VMs that have been offline
This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan.
This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan.
**Use Group Policy to enable a catch-up scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
5. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
**Use Configuration Manager to disable scans after an update:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and configure the following setting:
2. Go to the **Scheduled scans** section and configure the following setting:
1. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
3. Click **OK**.
2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
3. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
4. Click **OK**.
5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
### Exclusions
Windows Server 2016 contains Windows Defender Antivirus and will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
Windows Server 2016 antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
## Additional resources
@ -324,4 +309,4 @@ Windows Server 2016 contains Windows Defender Antivirus and will automatically d
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
- [Project VRC: Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)

58
windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Block Potentially Unwanted Applications with Windows Defender AV
description: Enable the Potentially Unwanted Application (PUA) feature in Windows Defender Antivirus to block unwanted software such as adware.
keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, windows defender
title: Block potentially unwanted applications with antivirus
description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,73 +14,68 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Detect and block Potentially Unwanted Applications
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Detect and block potentially unwanted applications
**Manageability available with**
- Microsoft Intune
- System Center Configuration Manager
- PowerShell cmdlets
- Microsoft Intune
The Potentially Unwanted Application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network.
The potentially unwanted application (PUA) antivirus protection feature can identify and block PUAs from downloading and installing on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation.
Typical PUA behavior includes:
- Various types of software bundling
- Ad-injection into web browsers
- Ad injection into web browsers
- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## How it works
PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions:
- The file is being scanned from the browser
- The file is in a folder with "**downloads**" in the path
- The file is in a folder with "**temp**" in the path
- The file is on the user's Desktop
- The file is on the user's desktop
- The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%*
The file is placed in the quarantine section so it won't run.
The file is placed in the quarantine section so it won't run.
When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:").
They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history).
## View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.
Hoever, PUA detections will be reported if you have set up email notifications for detections.
See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.
## Configure PUA protection
## Configure the PUA protection feature
You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, or PowerShell cmdlets.
You can enable the PUA protection feature with System Center Configuration Manager, PowerShell cmdlets, or Microsoft Intune.
You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.
You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.
This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
**Use Intune to configure the PUA protection feature**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
**Use Configuration Manager to configure the PUA protection feature:**
PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later.
PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later.
See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch).
@ -101,18 +96,9 @@ Setting the value for this cmdlet to `Enabled` will turn the feature on if it ha
Setting `AuditMode` will detect PUAs but will not block them.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Intune to configure the PUA protection feature**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
See [Use PowerShell cmdlets to configure and run antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
## Related topics
- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
- [Next gen protection](windows-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)

10
windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
View File

@ -16,16 +16,6 @@ ms.date: 07/10/2018
# Enable cloud-delivered protection in Windows Defender AV
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy

10
windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
View File

@ -16,16 +16,6 @@ ms.date: 04/30/2018
# Evaluate Windows Defender Antivirus protection
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
>[!TIP]

12
windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
View File

@ -18,18 +18,6 @@ ms.date: 04/30/2018
# Use limited periodic scanning in Windows Defender AV
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app

7
windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
View File

@ -16,13 +16,6 @@ ms.date: 04/30/2018
# Manage event-based forced updates
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy

7
windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -16,13 +16,6 @@ ms.date: 04/30/2018
# Manage updates and scans for endpoints that are out of date
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy

7
windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
View File

@ -16,13 +16,6 @@ ms.date: 04/30/2018
# Manage the schedule for when protection updates should be downloaded and applied
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy

7
windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -16,13 +16,6 @@ ms.date: 04/30/2018
# Manage the sources for Windows Defender Antivirus protection updates
**Applies to**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy

9
windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -16,15 +16,6 @@ ms.date: 04/30/2018
# Manage Windows Defender Antivirus updates and apply baselines
**Applies to:**
- Windows 10
**Audience**
- Network administrators
There are two types of updates related to keeping Windows Defender Antivirus:
1. Protection updates
2. Product updates

7
windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
View File

@ -16,13 +16,6 @@ ms.date: 04/30/2018
# Manage updates for mobile devices and virtual machines (VMs)
**Applies to**
- Windows 10
**Audience**
- Network administrators
**Manageability available with**
- Group Policy

12
windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
View File

@ -15,18 +15,6 @@ ms.date: 04/30/2018
---
# Prevent users from seeing or interacting with the Windows Defender AV user interface
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.

8
windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
View File

@ -16,14 +16,6 @@ ms.date: 07/10/2018
# Report on Windows Defender Antivirus protection
**Applies to:**
- Windows 10
**Audience**
- IT administrators
There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender AV.

10
windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
View File

@ -16,16 +16,6 @@ ms.date: 04/23/2018
# Restore quarantined files in Windows Defender AV
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center

9
windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
View File

@ -16,15 +16,6 @@ ms.date: 07/10/2018
# Review Windows Defender AV scan results
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- PowerShell

12
windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
View File

@ -14,20 +14,8 @@ ms.author: v-anbic
ms.date: 07/10/2018
---
# Configure and run on-demand Windows Defender AV scans
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender AV mpcmdrun utility

8
windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
View File

@ -14,16 +14,8 @@ ms.author: v-anbic
ms.date: 07/26/2018
---
# Configure scheduled quick or full scans for Windows Defender AV
**Applies to**
- Windows 10
**Audience**
- Enterprise security administrators
**Manageability available with**

10
windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
View File

@ -16,16 +16,6 @@ ms.date: 07/19/2018
# Specify the cloud-delivered protection level
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy

8
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
View File

@ -16,14 +16,6 @@ ms.date: 04/30/2018
# Troubleshoot Windows Defender Antivirus reporting in Update Compliance
**Applies to:**
- Windows 10
**Audience**
- IT administrators
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
Typically, the most common indicators of a problem are:

10
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
View File

@ -16,16 +16,6 @@ ms.date: 04/16/2018
# Review event logs and error codes to troubleshoot issues with Windows Defender AV
**Applies to**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
The tables list:

4
windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
View File

@ -16,10 +16,6 @@ ms.date: 04/30/2018
# Use Group Policy settings to configure and manage Windows Defender AV
**Applies to:**
- Windows 10, version 1703
You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:

4
windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
View File

@ -16,10 +16,6 @@ ms.date: 12/12/2017
# Use PowerShell cmdlets to configure and manage Windows Defender AV
**Applies to:**
- Windows 10
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.

4
windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
View File

@ -16,10 +16,6 @@ ms.date: 08/26/2017
# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
**Applies to:**
- Windows 10
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).

8
windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
View File

@ -16,14 +16,6 @@ ms.date: 05/21/2018
# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
**Applies to:**
- Windows 10, version 1703 and later
**Audience**
- Enterprise security administrators
Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.

12
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -14,20 +14,8 @@ ms.author: v-anbic
ms.date: 04/04/2018
---
# Windows Defender Antivirus compatibility
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).

4
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
View File

@ -16,10 +16,6 @@ ms.date: 04/30/2018
# Windows Defender Antivirus in Windows 10 and Windows Server 2016
**Applies to**
- Windows 10
- Windows Server 2016
Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This library of documentation is for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.

12
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
View File

@ -14,20 +14,8 @@ ms.author: v-anbic
ms.date: 04/11/2018
---
# Windows Defender Antivirus on Windows Server 2016
**Applies to:**
- Windows Server 2016
**Audience**
- Enterprise security administrators
- Network administrators
**Manageability available with**
- Group Policy

9
windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
View File

@ -16,15 +16,6 @@ ms.date: 04/30/2018
# Run and review the results of a Windows Defender Offline scan
**Applies to:**
- Windows 10, version 1607 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy

8
windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
View File

@ -16,14 +16,6 @@ ms.date: 04/30/2018
# Windows Defender Antivirus in the Windows Defender Security Center app
**Applies to**
- Windows 10, version 1703 and later
**Audience**
- End-users
**Manageability available with**
- Windows Defender Security Center app