Merge pull request #5033 from MicrosoftDocs/ngp-move

Next-generation protection content move

.openpublishing.redirection.json

@@ -2282,7 +2282,7 @@
     },
     {
       "source_path": "windows/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md",
-      "redirect_url": "/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance",
       "redirect_document_id": false
     },
     {
@@ -2327,7 +2327,7 @@
     },
     {
       "source_path": "windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md",
-      "redirect_url": "/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus",
       "redirect_document_id": false
     },
     {
@@ -9477,7 +9477,7 @@
     },
     {
       "source_path": "windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md",
-      "redirect_url": "/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus",
       "redirect_document_id": false
     },
     {
@@ -16127,7 +16127,7 @@
     },
     {
       "source_path": "windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md",
-      "redirect_url": "/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance",
       "redirect_document_id": false
     },
     {
@@ -16372,7 +16372,7 @@
     },
     {
       "source_path": "windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data.md",
-      "redirect_url": "/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/collect-diagnostic-data",
       "redirect_document_id": false
     },
     {
@@ -18484,6 +18484,281 @@
       "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md",
       "redirect_url": "/microsoft-365/security/defender-endpoint/controlled-folders",
       "redirect_document_id": false
-    }          
+    },
+    {
+      "source_path": "command-line-arguments-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "common-exclusion-mistakes-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configuration-management-reference-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-advanced-scan-types-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-block-at-first-sight-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-cloud-block-timeout-period-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-end-user-interaction-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-end-user-interaction-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-exclusions-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-extension-file-exclusions-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-local-policy-overrides-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-microsoft-defender-antivirus-features.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-network-connections-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-notifications-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-process-opened-file-exclusions-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-protection-features-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-real-time-protection-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-remediation-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "configure-server-exclusions-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "customize-run-review-remediate-scans-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "customize-run-review-remediate-scans-windows-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-windows-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "deploy-manage-report-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "deploy-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "deployment-vdi-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "enable-cloud-protection-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "evaluate-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "limited-periodic-scanning-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "manage-event-based-updates-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "manage-outdated-endpoints-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "manage-protection-update-schedule-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "manage-protection-updates-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "microsoft-defender-antivirus-compatibility.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "microsoft-defender-antivirus-in-windows-10.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "microsoft-defender-antivirus-on-windows-server-2016.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "microsoft-defender-offline.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/microsoft-defender-offline",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "microsoft-defender-security-center-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "office-365-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "prevent-changes-to-security-settings-with-tamper-protection.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "prevent-end-user-interaction-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "report-monitor-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "restore-quarantined-files-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "review-scan-results-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "run-scan-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "scheduled-catch-up-scans-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "specify-cloud-protection-level-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "troubleshoot-microsoft-defender-antivirus-when-migrating.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "troubleshoot-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "troubleshoot-reporting.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/troubleshoot-reporting",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "use-group-policy-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "use-intune-config-manager-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "use-powershell-cmdlets-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "use-wmi-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/utilize-microsoft-cloud-protection-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "why-use-microsoft-defender-antivirus.md",
+      "redirect_url": "/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus",
+      "redirect_document_id": false
+    }     
 	    ]
 }

windows/security/threat-protection/TOC.md

@@ -1,95 +1,92 @@
 # [Threat protection](index.md)
 
 ## [Next-generation protection with Microsoft Defender Antivirus]()
-### [Microsoft Defender Antivirus overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
+### [Microsoft Defender Antivirus overview](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
-### [Evaluate Microsoft Defender Antivirus](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
+### [Evaluate Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus)
 
 ### [Configure Microsoft Defender Antivirus]()
-#### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
+#### [Configure Microsoft Defender Antivirus features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features)
    
-#### [Use Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+#### [Use Microsoft cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus)
-##### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
+##### [Prevent security settings changes with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
-##### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
+##### [Enable Block at first sight](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
-##### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
+##### [Configure the cloud block timeout period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus)
-##### [Prevent security settings changes with tamper protection](microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
-##### [Enable Block at first sight](microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
-##### [Configure the cloud block timeout period](microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
    
 #### [Configure behavioral, heuristic, and real-time protection]()
-##### [Configuration overview](microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
+##### [Configuration overview](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus)
-##### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
-##### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
    
-#### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
+#### [Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server)
    
 #### [Antivirus compatibility]()
-##### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
+##### [Compatibility charts](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility)
-##### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
+##### [Use limited periodic antivirus scanning](/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus)
 
 #### [Manage Microsoft Defender Antivirus in your business]()
-##### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
+##### [Management overview](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus)
-##### [Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+##### [Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus)
-##### [Use Group Policy settings to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
+##### [Use Group Policy settings to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus)
-##### [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
+##### [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus)
-##### [Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus)
-##### [Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
+##### [Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus)
    
 #### [Deploy, manage updates, and report on Microsoft Defender Antivirus]()
-##### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
+##### [Preparing to deploy](/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus)
-##### [Deploy and enable Microsoft Defender Antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
+##### [Deploy and enable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus)
-##### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
+##### [Deployment guide for VDI environments](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus)
    
 ##### [Report on antivirus protection]()
-##### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+##### [Review protection status and alerts](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus)
-##### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
+##### [Troubleshoot antivirus reporting in Update Compliance](/microsoft-365/security/defender-endpoint/troubleshoot-reporting)
-##### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+##### [Learn about the recent updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus)
-##### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+##### [Manage protection and security intelligence updates](/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus)
-##### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+##### [Manage when protection updates should be downloaded and applied](/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus)
-##### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+##### [Manage updates for endpoints that are out of date](/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus)
-##### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+##### [Manage event-based forced updates](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus)
-##### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+##### [Manage updates for mobile devices and VMs](/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus)
    
 #### [Customize, initiate, and review the results of scans and remediation]()
-##### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+##### [Configuration overview](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus)
    
-##### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions in antivirus scans](/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)
-##### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions based on file name, extension, and folder location](/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus)
-##### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions for files opened by processes](/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
-##### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+##### [Configure antivirus exclusions Windows Server](/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus)
-##### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
+##### [Common mistakes when defining exclusions](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus)
-##### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+##### [Configure scanning antivirus options](/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus)
-##### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+##### [Configure remediation for scans](/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus)
-##### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Configure scheduled scans](/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus)
-##### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+##### [Configure and run scans](/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus)
-##### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+##### [Review scan results](/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus)
-##### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
+##### [Run and review the results of an offline scan](/microsoft-365/security/defender-endpoint//microsoft-defender-offline)
    
-#### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
+#### [Restore quarantined files](/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus)
    
 #### [Manage scans and remediation]()
-##### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+##### [Management overview](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus)
    
 ##### [Configure and validate exclusions in antivirus scans]()
-##### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+##### [Exclusions overview](/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)
-##### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions based on file name, extension, and folder location](/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus)
-##### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+##### [Configure and validate exclusions for files opened by processes](/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
-##### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+##### [Configure antivirus exclusions on Windows Server](/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus)
    
-##### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
+##### [Configure scanning options](/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus)
 
-#### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
+#### [Configure remediation for scans](/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus)
-##### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Configure scheduled scans](/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus)
-##### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
+##### [Configure and run scans](/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus)
-##### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
+##### [Review scan results](/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus)
-##### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
+##### [Run and review the results of an offline scan](/microsoft-365/security/defender-endpoint/microsoft-defender-offline)
-##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
+##### [Restore quarantined files](/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus)
 
 ### [Troubleshoot Microsoft Defender Antivirus]()
-#### [Troubleshoot Microsoft Defender Antivirus issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
+#### [Troubleshoot Microsoft Defender Antivirus issues](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)
-#### [Troubleshoot Microsoft Defender Antivirus migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
+#### [Troubleshoot Microsoft Defender Antivirus migration issues](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating)
    
-## [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
+## [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus)
-## [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
+## [Better together: Microsoft Defender Antivirus and Office 365](/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus)
 
 ## [Hardware-based isolation]()
 

windows/security/threat-protection/device-control/control-usb-devices-using-intune.md

@@ -68,7 +68,7 @@ To prevent malware infections or data loss, an organization may restrict USB dri
 
 All of the above controls can be set through the Intune [Administrative Templates](/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
 
-![AdminTemplates](images/admintemplates.png)
+![screenshot of list of Admin Templates](images/admintemplates.png)
 
 >[!Note]
 >Using Intune, you can apply device configuration policies to Azure AD user and/or device groups.
@@ -211,13 +211,13 @@ You can prevent installation of the prohibited peripherals with matching device
 
 Using Intune, you can limit the services that can use Bluetooth through the ["Bluetooth allowed services"](/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist-usage-guide). The default state of "Bluetooth allowed services" settings means everything is allowed.  As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and doesn’t add the file transfer GUIDs, file transfer should be blocked.
 
-![Bluetooth](images/bluetooth.png)
+![screenshot of Bluetooth settings page](images/bluetooth.png)
 
 ### Use Microsoft Defender for Endpoint baseline settings
 
-The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings.
+The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for threat protection. Configuration settings for baseline are located in the edit profile page of the configuration settings.
 
-![Baselines](images/baselines.png)
+![Baselines in MEM](images/baselines.png)
 
 ## Prevent threats from removable storage
   
@@ -245,7 +245,7 @@ For more information about controlling USB devices, see the [Microsoft Defender
 
 ### Enable Microsoft Defender Antivirus Scanning
 
-Protecting authorized removable storage with Microsoft Defender Antivirus requires [enabling real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) or scheduling scans and configuring removable drives for scans.
+Protecting authorized removable storage with Microsoft Defender Antivirus requires [enabling real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) or scheduling scans and configuring removable drives for scans.
 
 - If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](/samples/browse/?redirectedfrom=TechNet-Gallery) of a USB drive after it is mounted, so that Microsoft Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
 - If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
@@ -265,7 +265,7 @@ This can be done by setting **Untrusted and unsigned processes that run from USB
 With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
 Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
 
-These settings require [enabling real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md).
+These settings require [enabling real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).
 
 1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
 2. Click **Devices** > **Windows** > **Configuration Policies** > **Create profile**. 
@@ -322,7 +322,7 @@ For example, using either approach, you can automatically have the Microsoft Def
 
 ## Related topics
 
-- [Configure real-time protection for Microsoft Defender Antivirus](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
+- [Configure real-time protection for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
 - [Defender/AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)
 - [Policy/DeviceInstallation CSP](/windows/client-management/mdm/policy-csp-deviceinstallation)
 - [Perform a custom scan of a removable device](/samples/browse/?redirectedfrom=TechNet-Gallery)

windows/security/threat-protection/index.md

@@ -81,14 +81,14 @@ The attack surface reduction set of capabilities provide the first line of defen
 
 <a name="ngp"></a>
 
-**[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**<br>
+**[Next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)**<br>
 To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
 
-- [Behavior monitoring](./microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
+- [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
-- [Cloud-based protection](./microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
+- [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus)
-- [Machine learning](./microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
+- [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus)
-- [URL Protection](./microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
+- [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)
-- [Automated sandbox service](./microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
+- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
 
 <a name="edr"></a>
 

windows/security/threat-protection/intelligence/criteria.md

@@ -164,7 +164,7 @@ Microsoft maintains a worldwide network of analysts and intelligence systems whe
 
 ## Potentially unwanted application (PUA)
 
-Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md).
+Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
 
 *PUAs are not considered malware.*
 

windows/security/threat-protection/intelligence/developer-resources.md

@@ -41,4 +41,4 @@ Find more guidance about the file submission and detection dispute process in ou
 
 ### Scan your software
 
-Use [Microsoft Defender Antivirus](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) to check your software against the latest Security intelligence and cloud protection from Microsoft.
+Use [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.

windows/security/threat-protection/intelligence/support-scams.md

@@ -46,7 +46,7 @@ It is also important to keep the following in mind:
 
 * Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
 
-* Enable [Microsoft Defender Antivirus](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) in Windows 10. It detects and removes known support scam malware.
+* Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
 
 ## What to do if information has been given to a tech support person
 

windows/security/threat-protection/intelligence/trojans-malware.md

@@ -41,7 +41,7 @@ Trojans can come in many different varieties, but generally they do the followin
 
 Use the following free Microsoft software to detect and remove it:
 
-- [Microsoft Defender Antivirus](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
 
 - [Microsoft Safety Scanner](safety-scanner-download.md)
 

windows/security/threat-protection/intelligence/unwanted-software.md

@@ -44,7 +44,7 @@ To prevent unwanted software infection, download software only from official web
 
 Use [Microsoft Edge](/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](/microsoft-edge/deploy/index) (also used by Internet Explorer).
 
-Enable [Microsoft Defender Antivirus](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
+Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
 
 Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
 

windows/security/threat-protection/intelligence/worms-malware.md

@@ -39,16 +39,16 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect
 
 This image shows how a worm can quickly spread through a shared USB drive.
 
-![Worm example](./images/WormUSB_flight.png)
+![Worm example](./images/WormUSB-flight.png) 
 
 ### *Figure worm spreading from a shared USB drive*
 
 ## How to protect against worms
 
-Enable [Microsoft Defender Antivirus](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
+Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
 
 Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
 
 In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
 
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+For more general tips, see [prevent malware infection](/microsoft-365/security/defender-endpoint/prevent-malware-infection).

windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md

@@ -1,69 +0,0 @@
----
-title: Collect diagnostic data for Update Compliance and Windows Defender Microsoft Defender Antivirus
-description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.
-
-Before attempting this process, ensure you have read [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
-
-On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps:
-
-1. Open an administrator-level version of the command prompt as follows:
-        
-    a. Open the **Start** menu.
-
-    b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
-
-    c. Enter administrator credentials or approve the prompt.
-        
-2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`.
-
-3. Type the following command, and then press **Enter**
-        
-    ```Dos
-    mpcmdrun -getfiles
-    ```
-    
-4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
-
-5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
-
-6. Send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
-  
-    ```
-    I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
-    
-    I have provided at least 2 support .cab files at the following location: <accessible share, including access details such as password>
-
-    My OMS workspace ID is:
-
-    Please contact me at:
-    ```
-
-## See also
-
-- [Troubleshoot Windows Defender Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)

windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md

@@ -1,117 +0,0 @@
----
-title: Collect diagnostic data of Microsoft Defender Antivirus
-description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 06/29/2020
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Collect Microsoft Defender AV diagnostic data
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
-
-> [!NOTE]
-> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
-
-On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
-
-1. Open an administrator-level version of the command prompt as follows:
-
-    a. Open the **Start** menu.
-
-    b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
-
-    c. Enter administrator credentials or approve the prompt.
-
-2. Navigate to the Microsoft Defender directory. By default, this is `C:\Program Files\Windows Defender`.
-
-> [!NOTE]
-> If you're running an [updated Microsoft Defender Platform version](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform), please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
-
-3. Type the following command, and then press **Enter**  
-
-    ```Dos
-    mpcmdrun.exe -GetFiles
-    ```
-  
-4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
-
-> [!NOTE]
-> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>`  <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
-
-5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
-
-> [!NOTE]
->If you have a problem with Update compliance, send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
->```
-> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
-> I have provided at least 2 support .cab files at the following location:  
-> <accessible share, including access details such as password>
->
->    My OMS workspace ID is:
->
->    Please contact me at:
-
-## Redirect diagnostic data to a UNC share
-To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.
-
-```Dos
-mpcmdrun.exe -GetFiles -SupportLogLocation <path>
-```
-
-Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
-
-When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
-
-```Dos
-<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
-```
-
-| field  | Description   |
-|:----|:----|
-| path | The path as specified on the command line or retrieved from configuration
-| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
-| hostname | The hostname of the device on which the diagnostic data was collected
-| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
-
-> [!NOTE]
-> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.  
-
-## Specify location where diagnostic data is created
-
-You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO). 
-
-1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
-   
-1. Select **Define the directory path to copy support log files**.
-
-    ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)  
-        
-     ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)  
-3. Inside the policy editor, select **Enabled**.
-       
-4. Specify the directory path where you want to copy the support log files in the **Options** field.
-     ![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png) 
-5. Select **OK** or **Apply**.
-
-## See also
-
-- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)

windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md

@@ -1,83 +0,0 @@
----
-title: Use the command line to manage Microsoft Defender Antivirus
-description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
-keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer: ksarens
-manager: dansimp
-ms.date: 03/19/2021
-ms.technology: mde
----
-
-# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
-
-> [!NOTE]
-> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**.
-> If you're running an updated Microsoft Defender Platform version, run `**MpCmdRun**` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
-
-The utility has the following commands:
-
-```console
-MpCmdRun.exe [command] [-options]
-```
-Here's an example:
-
-```console
-MpCmdRun.exe -Scan -ScanType 2
-``` 
-
-| Command  | Description   |
-|:----|:----|
-| `-?` **or** `-h`   | Displays all available options for this tool |
-| `-Scan [-ScanType [0\|1\|2\|3]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan.  CpuThrottling will honor the configured CPU throttling from policy |
-| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
-| `-GetFiles [-SupportLogLocation <path>]` | Collects support information. See '[collecting diagnostic data](collect-diagnostic-data.md)'  |
-| `-GetFilesDiagTrack`  | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |
-| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set |
-| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence |
-| `-RemoveDefinitions [-Engine]` | Restores the previous installed engine |
-| `-SignatureUpdate [-UNC \| -MMPC]` | Checks for new Security intelligence updates |
-| `-Restore  [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]]` | Restores or lists quarantined item(s) |
-| `-AddDynamicSignature [-Path]` | Loads dynamic Security intelligence |
-| `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence |
-| `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence |
-| `-CheckExclusion -path <path>` | Checks whether a path is excluded |
-| `-ValidateMapsConnection` | Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
-
-
-## Common errors in running commands via mpcmdrun.exe 
-
-|Error message | Possible reason
-|:----|:----|
-| `ValidateMapsConnection failed (800106BA) or 0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again. <br> 	**Note:**  In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
-| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
-| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015` | The firewall is blocking the connection or conducting SSL inspection. |
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
-
-## See also
-
-- [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
-- [Manage Microsoft Defender Antivirus in your business](configuration-management-reference-microsoft-defender-antivirus.md)
-- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md

@@ -1,61 +0,0 @@
----
-title: Common mistakes to avoid when defining exclusions
-description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans.
-keywords: exclusions, files, extension, file type, folder name, file name, scans
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Common mistakes to avoid when defining exclusions
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. 
-
-This article describes some common mistake that you should avoid when defining exclusions. 
-
-Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
-
-## Excluding certain trusted items
-
-Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. 
-
-Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table:
-
-| Folder locations | File extensions | Processes |
-|:--|:--|:--|
-| `%systemdrive%` <br/> `C:`<br/> `C:\` <br/> `C:\*` <br/> `%ProgramFiles%\Java` <br/> `C:\Program Files\Java` <br/> `%ProgramFiles%\Contoso\` <br/> `C:\Program Files\Contoso\` <br/> `%ProgramFiles(x86)%\Contoso\` <br/> `C:\Program Files (x86)\Contoso\` <br/> `C:\Temp` <br/> `C:\Temp\` <br/> `C:\Temp\*` <br/> `C:\Users\` <br/> `C:\Users\*` <br/> `C:\Users\<UserProfileName>\AppData\Local\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\LocalLow\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\Roaming\Temp\` <br/> `%Windir%\Prefetch` <br/> `C:\Windows\Prefetch` <br/> `C:\Windows\Prefetch\` <br/> `C:\Windows\Prefetch\*` <br/> `%Windir%\System32\Spool` <br/> `C:\Windows\System32\Spool` <br/> `C:\Windows\System32\CatRoot2` <br/> `%Windir%\Temp` <br/> `C:\Windows\Temp` <br/> `C:\Windows\Temp\` <br/> `C:\Windows\Temp\*` | `.7z` <br/> `.bat` <br/> `.bin` <br/> `.cab` <br/> `.cmd` <br/> `.com` <br/> `.cpl` <br/> `.dll` <br/> `.exe` <br/> `.fla` <br/> `.gif` <br/> `.gz` <br/> `.hta` <br/> `.inf` <br/> `.java` <br/> `.jar` <br/> `.job` <br/> `.jpeg` <br/> `.jpg` <br/> `.js` <br/> `.ko` <br/> `.ko.gz` <br/> `.msi` <br/> `.ocx` <br/> `.png` <br/> `.ps1` <br/> `.py` <br/> `.rar` <br/> `.reg` <br/> `.scr` <br/> `.sys` <br/> `.tar` <br/> `.tmp` <br/> `.url` <br/> `.vbe` <br/> `.vbs` <br/> `.wsf` <br/> `.zip` | `AcroRd32.exe` <br/> `bitsadmin.exe` <br/> `excel.exe` <br/> `iexplore.exe` <br/> `java.exe` <br/> `outlook.exe` <br/> `psexec.exe` <br/> `powerpnt.exe` <br/> `powershell.exe` <br/> `schtasks.exe`  <br/> `svchost.exe` <br/>`wmic.exe` <br/> `winword.exe` <br/> `wuauclt.exe` <br/> `addinprocess.exe` <br/> `addinprocess32.exe` <br/> `addinutil.exe` <br/> `bash.exe` <br/> `bginfo.exe`[1] <br/>`cdb.exe` <br/> `csi.exe` <br/> `dbghost.exe` <br/> `dbgsvc.exe` <br/> `dnx.exe` <br/> `fsi.exe` <br/> `fsiAnyCpu.exe` <br/> `kd.exe` <br/> `ntkd.exe` <br/> `lxssmanager.dll` <br/> `msbuild.exe`[2] <br/> `mshta.exe` <br/> `ntsd.exe` <br/> `rcsi.exe` <br/> `system.management.automation.dll` <br/> `windbg.exe` |
-
-> [!NOTE]
-> You can choose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
-
-## Using just the file name in the exclusion list
-
-A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`.
-
-## Using a single exclusion list for multiple server workloads
-
-Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
-
-## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
-
-Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
-
-See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
-
-## Related articles
-
-- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md

@@ -1,46 +0,0 @@
----
-title: Manage Windows Defender in your business
-description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
-keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 12/16/2020
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Manage Microsoft Defender Antivirus in your business
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can manage and configure Microsoft Defender Antivirus with the following tools:
-
-- [Microsoft Intune](/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager)
-- [Microsoft Endpoint Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager)
-- [Group Policy](./use-group-policy-microsoft-defender-antivirus.md)
-- [PowerShell cmdlets](./use-powershell-cmdlets-microsoft-defender-antivirus.md)
-- [Windows Management Instrumentation (WMI)](./use-wmi-microsoft-defender-antivirus.md)
-- The [Microsoft Malware Protection Command Line Utility](./command-line-arguments-microsoft-defender-antivirus.md) (referred to as the *mpcmdrun.exe* utility
-
-The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
-
-| Article | Description |
-|:---|:---|
-|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus |
-|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates |
-|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters |
-|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
-|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |

windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md

@@ -1,95 +0,0 @@
----
-title: Configure scanning options for Microsoft Defender AV
-description: You can configure Microsoft Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
-keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure Microsoft Defender Antivirus scanning options
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-## Use Microsoft Intune to configure scanning options
-
-See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-
-## Use Microsoft Endpoint Manager to configure scanning options
-
-See [How to create and deploy antimalware policies: Scan settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch).
-
-## Use Group Policy to configure scanning options
-
-To configure the Group Policy settings described in the following table:
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
-
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-
-Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
----|---|---|---
-Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
-Scan [reparse points](/windows/win32/fileio/reparse-points) | Scan > Turn on reparse point scanning | Disabled | Not available
-Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
- Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
-Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
-Scan packed executables | Scan > Scan packed executables | Enabled | Not available
-Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
-Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
- Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 |  `-ScanAvgCPULoadFactor`
- Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
- Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
- 
-> [!NOTE]
-> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
-
-## Use PowerShell to configure scanning options
-
-See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-## Use WMI to configure scanning options
-
-For using WMI classes, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
-
-<a id="ref1"></a>
-
-## Email scanning limitations
-
-Email scanning enables scanning of  email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
-
-- DBX
-- MBX
-- MIME
-
-PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
-
-If Microsoft Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
-
-- Email subject
-- Attachment name
-
-## Related topics
-
-- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
-- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md

@@ -1,176 +0,0 @@
----
-title: Enable block at first sight to detect malware in seconds
-description: Turn on the block at first sight feature to detect and block malware within seconds.
-keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: high
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer: 
-manager: dansimp
-ms.custom: nextgen
-ms.date: 10/22/2020
-ms.technology: mde
----
-
-# Turn on block at first sight
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. 
-
-You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](../windows-defender-security-center/wdsc-customize-contact-information.md) when a file is blocked. You can change the company name, contact information, and message URL.
-
->[!TIP]
->Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
-## How it works
-
-When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.
-
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
-
-In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
-
-Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file.
-
-If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
-
-In many cases, this process can reduce the response time for new malware from hours to seconds.
-
-## Turn on block at first sight with Microsoft Intune
-
-> [!TIP]
-> Microsoft Intune is now part of Microsoft Endpoint Manager.
-
-1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**.
-
-2. Select or create a profile using the **Device restrictions** profile type.
-
-3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**:
-
-   - **Cloud-delivered protection**: Enabled
-   - **File Blocking Level**: High
-   - **Time extension for file scanning by the cloud**: 50
-   - **Prompt users before sample submission**: Send all data without prompting
-
-   ![Intune config](images/defender/intune-block-at-first-sight.png)
-
-4. Save your settings.
-
-> [!TIP]
-> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](./restore-quarantined-files-microsoft-defender-antivirus.md).
-> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).
-> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
-
-## Turn on block at first sight with Microsoft Endpoint Manager
-
-> [!TIP]
-> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager.
-
-1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**.
-
-2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type.
-
-3. Set or confirm the following configuration settings:
-
-   - **Turn on cloud-delivered protection**: Yes
-   - **Cloud-delivered protection level**: High
-   - **Defender Cloud Extended Timeout in Seconds**: 50
-
-   :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager":::
-
-4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**.
-
-## Turn on block at first sight with Group Policy
-
-> [!NOTE]
-> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight. 
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. 
-
-2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**. 
-
-3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**.
-
-    > [!IMPORTANT]
-    > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
-
-4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**.
-
-5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered.
-
-## Confirm block at first sight is enabled on individual clients
-
-You can confirm that block at first sight is enabled on individual clients using Windows security settings.
-
-Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
-
-1. Open the Windows Security app.
-
-2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
-
-   ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
-
-3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
-
-> [!NOTE]
-> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. 
-> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
-
-## Validate block at first sight is working
-
-To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
-
-## Turn off block at first sight
-
-> [!CAUTION]
-> Turning off block at first sight will lower the protection state of your device(s) and your network.
-
-You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently.
-
-### Turn off block at first sight with Microsoft Endpoint Manager
-
-1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-
-2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy.
-
-3. Under **Manage**, choose **Properties**.
-
-4. Next to **Configuration settings**, choose **Edit**.
-
-5. Change one or more of the following settings:
-
-   - Set **Turn on cloud-delivered protection** to **No** or **Not configured**.
-   - Set **Cloud-delivered protection level** to **Not configured**.
-   - Clear the **Defender Cloud Extended Timeout In Seconds** box.
-
-6. Review and save your settings.
-
-### Turn off block at first sight with Group Policy
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and then click **Edit**.
-
-2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
-
-4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
-
-    > [!NOTE]
-    > Disabling block at first sight does not disable or alter the prerequisite group policies.
-
-## See also
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md

@@ -1,56 +0,0 @@
----
-title: Configure the Microsoft Defender AV cloud block timeout period
-description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
-keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure the cloud block timeout period
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
-
-The default period that the file will be [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
-
-## Prerequisites to use the extended cloud block timeout
-
-[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
-
-## Specify the extended timeout period
-
-You can use Group Policy to specify an extended timeout for cloud checks.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**
-
-4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
-
-5. Click **OK**.
-
-## Related topics
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
-- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md

@@ -1,38 +0,0 @@
----
-title: Configure how users can interact with Microsoft Defender AV
-description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings.
-keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure end-user interaction with Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
-
-This includes whether they see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
-
-## In this section
-
-Topic | Description 
----|---
-[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
-[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) | Hide the user interface from users
-[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints

windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md

@@ -1,54 +0,0 @@
----
-title: Set up exclusions for Microsoft Defender AV scans
-description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
-keywords: 
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure and validate exclusions for Microsoft Defender Antivirus scans
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
-
-## Configure and validate exclusions
-
-To configure and validate exclusions, see the following:
-
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
-
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
-
-## Recommendations for defining exclusions
-
-Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-
-The following is a list of recommendations that you should keep in mind when defining exclusions:  
-
-- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
-
-- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
-
-- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
-
-- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
-
-## Related articles
-
-- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
-- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md

@@ -1,362 +0,0 @@
----
-title: Configure and validate exclusions based on extension, name, or location
-description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
-keywords: exclusions, files, extension, file type, folder name, file name, scans
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure and validate exclusions based on file extension and folder location
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-> [!IMPORTANT]
-> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](/microsoft-365/security/defender-endpoint/manage-indicators).
-
-## Exclusion lists
-
-You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
-
-> [!NOTE]
-> Exclusions apply to Potentially Unwanted Apps (PUA) detections as well.
-
-> [!NOTE]
-> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
-
-This article  describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-
-| Exclusion | Examples | Exclusion list |
-|:---|:---|:---|
-|Any file with a specific extension | All files with the specified extension, anywhere on the machine. <p> Valid syntax: `.test` and `test`  | Extension exclusions |
-|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions |
-| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions |
-| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
-
-Exclusion lists have the following characteristics:
-
-- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
-- File extensions apply to any file name with the defined extension if a path or folder is not defined.
-
-> [!IMPORTANT]
-> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
-> - You cannot exclude mapped network drives. You must specify the actual network path.
-> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
-
-To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
-
-The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
-
-> [!IMPORTANT]
-> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-> Changes made in the Windows Security app **will not show** in the Group Policy lists.
-
-By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
-
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
-
-## Configure the list of exclusions based on folder name or file extension
-
-### Use Intune to configure file name, folder, or file extension exclusions
-
-See the following articles:
-- [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure)
-- [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus)
-
-### Use Configuration Manager to configure file name, folder, or file extension exclusions
-
-See [How to create and deploy antimalware policies: Exclusion settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
-
-### Use Group Policy to configure folder or file extension exclusions
-
->[!NOTE]
->If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
-
-4. Open the **Path Exclusions** setting for editing, and add your exclusions.
-
-    1. Set the option to **Enabled**.
-    1. Under the **Options** section, click **Show**.
-    1. Specify each folder on its own line under the **Value name** column.
-    1. If you are specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name, and extension. Enter **0** in the **Value** column.
-
-5. Choose **OK**.
-
-6. Open the **Extension Exclusions** setting for editing and add your exclusions.
-
-    1. Set the option to **Enabled**.
-    1. Under the **Options** section, select **Show**.
-    1. Enter each file extension on its own line under the **Value name** column.  Enter **0** in the **Value** column.
-
-7. Choose **OK**.
-
-<a id="ps"></a>
-
-### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions
-
-Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](/powershell/module/defender/).
-
-The format for the cmdlets is as follows:
-
-```PowerShell
-<cmdlet> -<exclusion list> "<item>"
-```
-
-The following are allowed as the `<cmdlet>`:
-
-| Configuration action | PowerShell cmdlet |
-|:---|:---|
-|Create or overwrite the list | `Set-MpPreference` |
-|Add to the list | `Add-MpPreference` |
-|Remove item from the list | `Remove-MpPreference` |
-
-The following are allowed as the `<exclusion list>`:
-
-| Exclusion type | PowerShell parameter |
-|:---|:---|
-| All files with a specified file extension | `-ExclusionExtension` |
-| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` |
-
-> [!IMPORTANT]
-> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
-
-For example, the following code snippet would cause Microsoft Defender Antivirus scans to exclude any file with the `.test` file extension:
-
-```PowerShell
-Add-MpPreference -ExclusionExtension ".test"
-```
-
-For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
-
-### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions
-
-Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
-
-```WMI
-ExclusionExtension
-ExclusionPath
-```
-
-The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
-
-For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
-
-<a id="man-tools"></a>
-
-### Use the Windows Security app to configure file name, folder, or file extension exclusions
-
-See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md) for instructions.
-
-<a id="wildcards"></a>
-
-## Use wildcards in the file name and folder path or extension exclusion lists
-
-You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
-
-> [!IMPORTANT]
-> There are key limitations and usage scenarios for these wildcards:
-> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
-> - You cannot use a wildcard in place of a drive letter.
-> - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
-
-The following table describes how the wildcards can be used and provides some examples.
-
-
-|Wildcard  |Examples  |
-|:---------|:---------|
-|`*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included.   | `C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders and `C:\Serv\Secondary\Allowed\Backup` and its subfolders     |
-|`?` (question mark)  <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included.   |`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders  <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders          |
-|Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated.          |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt`         |
-        
-
-> [!IMPORTANT]
-> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
-> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
-> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
-
-<a id="review"></a>
-
-### System environment variables
-
-The following table lists and describes the system account environment variables. 
-
-| This system environment variable... | Redirects to this |
-|:--|:--|
-| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |
-| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` |
-| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` |
-| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` |
-| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
-| `%ProgramData%` | `C:\ProgramData` |
-| `%ProgramFiles%` | `C:\Program Files` |
-| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
-| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` |
-| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
-| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` |
-| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` |
-| `%SystemDrive%` | `C:` |
-| `%SystemDrive%\Program Files` | `C:\Program Files` |
-| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` |
-| `%SystemDrive%\Users` | `C:\Users` |
-| `%SystemDrive%\Users\Public` | `C:\Users\Public` |
-| `%SystemRoot%` | `C:\Windows` |
-| `%windir%` | `C:\Windows` |
-| `%windir%\Fonts` | `C:\Windows\Fonts` |
-| `%windir%\Resources` | `C:\Windows\Resources` |
-| `%windir%\resources\0409` | `C:\Windows\resources\0409` |
-| `%windir%\system32` | `C:\Windows\System32` |
-| `%ALLUSERSPROFILE%` | `C:\ProgramData` |
-| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` |
-| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` |
-| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` |
-| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` |
-| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` |
-| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` |
-| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` |
-| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` |
-| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs |
-| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` | 
-| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` |
-| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` |
-| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` |
-| `%PUBLIC%` | `C:\Users\Public` |
-| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` |
-| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` |
-| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` |
-| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` |
-| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` |
-| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` |
-| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` |
-| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` |
-| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` |
-| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` | 
-| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` |
-| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
-| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` |
-| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` |
-
-
-## Review the list of exclusions
-
-You can retrieve the items in the exclusion list using one of the following methods:
-- [Intune](/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
-- [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies)
-- MpCmdRun
-- PowerShell
-- [Windows Security app](microsoft-defender-security-center-antivirus.md)
-
->[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
->
->Changes made in the Windows Security app **will not show** in the Group Policy lists.
-
-If you use PowerShell, you can retrieve the list in two ways:
-
-- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
-- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-
-### Validate the exclusion list by using MpCmdRun
-
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](./command-line-arguments-microsoft-defender-antivirus.md?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
-
-```DOS
-Start, CMD (Run as admin)
-cd "%programdata%\microsoft\windows defender\platform"
-cd 4.18.1812.3 (Where 4.18.1812.3 is this month's MDAV "Platform Update".)
-MpCmdRun.exe -CheckExclusion -path <path>
-```
-
->[!NOTE]
->Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-
-### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
-
-Use the following cmdlet:
-
-```PowerShell
-Get-MpPreference
-```
-
-In the following example, the items contained in the `ExclusionExtension` list are highlighted:
-
-![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
-
-For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
-
-### Retrieve a specific exclusions list by using PowerShell
-
-Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
-
-```PowerShell
-$WDAVprefs = Get-MpPreference
-$WDAVprefs.ExclusionExtension
-$WDAVprefs.ExclusionPath
-```
-
-In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:
-
-![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
-
-For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
-
-<a id="validate"></a>
-
-## Validate exclusions lists with the EICAR test file
-
-You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
-
-In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.
-
-```PowerShell
-Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
-```
-
-If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
-
-You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
-
-```PowerShell
-$client = new-object System.Net.WebClient
-$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
-```
-
-If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:
-
-```PowerShell
-[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
-```
-
-You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
-
-## Related topics
-
-- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
-- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md

@@ -1,95 +0,0 @@
----
-title: Configure local overrides for Microsoft Defender AV settings
-description: Enable or disable users from locally changing settings in Microsoft Defender AV.
-keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 02/13/2020
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
-
-For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
-
-## Configure local overrides for Microsoft Defender Antivirus settings
-
-The default setting for these policies is **Disabled**.
-
-If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](microsoft-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
-
-The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
-
-To configure these settings:
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
-
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-
-5. Deploy the Group Policy Object as usual.
-
-Location | Setting | Article
----|---|---|---
-MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-
-<a id="merge-lists"></a>
-
-## Configure how locally and globally defined threat remediation and exclusions lists are merged
-
-You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-microsoft-defender-antivirus.md), [specified remediation lists](configure-remediation-microsoft-defender-antivirus.md), and [attack surface reduction](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
-
-By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
-
-You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
-
-### Use Group Policy to disable local list merging
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
-
-4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
-
-> [!NOTE]
-> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Allow a blocked app in Windows Security](https://support.microsoft.com/help/4046851/windows-10-allow-blocked-app-windows-security).
-
-## Related topics
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md

@@ -1,52 +0,0 @@
----
-title: Configure Microsoft Defender Antivirus features
-description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
-keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 11/18/2020
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure Microsoft Defender Antivirus features
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can configure Microsoft Defender Antivirus with a number of tools, including:
-
-- Microsoft Intune
-- Microsoft Endpoint Configuration Manager
-- Group Policy
-- PowerShell cmdlets
-- Windows Management Instrumentation (WMI)
-
-The following broad categories of features can be configured:
-
-- Cloud-delivered protection
-- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
-- How end users interact with the client on individual endpoints
-
-The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools).
-
-|Article  |Description  |
-|---------|---------|
-|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)     | Use cloud-delivered protection for advanced, fast, robust antivirus detection.        |
-|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)     |Enable behavior-based, heuristic, and real-time antivirus protection.         |
-|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. |
-
-> [!TIP]
-> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.

windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md

@@ -1,127 +0,0 @@
----
-title: Configure and validate Microsoft Defender Antivirus network connections
-description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service.
-keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 12/28/2020
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure and validate Microsoft Defender Antivirus network connections
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
-
-This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
-
-See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity.
-
->[!TIP]
->You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
->
->- Cloud-delivered protection
->- Fast learning (including block at first sight)
->- Potentially unwanted application blocking
-
-## Allow connections to the Microsoft Defender Antivirus cloud service
-
-The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it's highly recommended because it provides important protection against malware on your endpoints and across your network.
-
->[!NOTE]
->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it's called a cloud service, it's not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-
-See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. 
-
-After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
-
-Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection. 
-
-The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
-
-
-| **Service**| **Description** |**URL** |
-| :--: | :-- | :-- |
-| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
-| Microsoft Update Service (MU) <br/> Windows Update Service (WU)|	Security intelligence and product updates	|`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/><br/> For details see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update)|
-|Security intelligence updates Alternate Download Location (ADL)|	Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)|	`*.download.microsoft.com`  </br> `*.download.windowsupdate.com`</br> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
-| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission	| `ussus1eastprod.blob.core.windows.net` <br/>    `ussus2eastprod.blob.core.windows.net` <br/>    `ussus3eastprod.blob.core.windows.net` <br/>    `ussus4eastprod.blob.core.windows.net` <br/>    `wsus1eastprod.blob.core.windows.net` <br/>    `wsus2eastprod.blob.core.windows.net` <br/>    `ussus1westprod.blob.core.windows.net` <br/>    `ussus2westprod.blob.core.windows.net` <br/>    `ussus3westprod.blob.core.windows.net` <br/>    `ussus4westprod.blob.core.windows.net` <br/>    `wsus1westprod.blob.core.windows.net` <br/>    `wsus2westprod.blob.core.windows.net` <br/>    `usseu1northprod.blob.core.windows.net` <br/>    `wseu1northprod.blob.core.windows.net` <br/>    `usseu1westprod.blob.core.windows.net` <br/>    `wseu1westprod.blob.core.windows.net` <br/>    `ussuk1southprod.blob.core.windows.net` <br/>    `wsuk1southprod.blob.core.windows.net` <br/>    `ussuk1westprod.blob.core.windows.net` <br/>    `wsuk1westprod.blob.core.windows.net` |
-| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL	| `http://www.microsoft.com/pkiops/crl/` <br/> `http://www.microsoft.com/pkiops/certs` <br/>   `http://crl.microsoft.com/pki/crl/products` <br/> `http://www.microsoft.com/pki/certs` |
-| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows	| `https://msdl.microsoft.com/download/symbols` |
-| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes	| The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:   `vortex-win.data.microsoft.com` <br/>   `settings-win.data.microsoft.com`|
-
-## Validate connections between your network and the cloud
-
-After allowing the URLs listed above, you can test if you're connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you're fully protected.
-
-**Use the cmdline tool to validate cloud-delivered protection:**
-
-Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
-
-```console
-"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
-```
-
-> [!NOTE]
-> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
-
-For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
-
-**Attempt to download a fake malware file from Microsoft:**
-
-You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.
-
-Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest).
-
->[!NOTE]
->This file is not an actual piece of malware. It's a fake file that is designed to test if you're properly connected to the cloud.
-
-If you're properly connected, you'll see a warning Microsoft Defender Antivirus notification.
-
-If you're using Microsoft Edge, you'll also see a notification message:
-
-![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png)
-
-A similar message occurs if you're using Internet Explorer:
-
-![Microsoft Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
-
-You'll also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
-
-    ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png)
-
-3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware.
-
-   > [!NOTE]
-   > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
-
-   The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md).
-
-## Related articles
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-
-- [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)
-
-- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)

windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md

@@ -1,109 +0,0 @@
----
-title: Configure Microsoft Defender Antivirus notifications
-description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints.
-keywords: notifications, defender, antivirus, endpoint, management, admin
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure the notifications that appear on endpoints
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
-
-Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
-
-You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated.
-
-## Configure the additional notifications that appear on endpoints
-
-You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy.
-
-> [!NOTE]
-> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
-
-> [!IMPORTANT]
-> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
-
-**Use the Windows Security app to disable additional notifications:**
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
-
-    ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
-
-3. Scroll to the **Notifications** section and click **Change notification settings**.
-
-4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
-
-**Use Group Policy to disable additional notifications:**
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Reporting**.
-
-5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
-
-## Configure standard notifications on endpoints
-
-You can use Group Policy to:
-
-- Display additional, customized text on endpoints when the user needs to perform an action
-- Hide all notifications on endpoints
-- Hide reboot notifications on endpoints
-
-Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information. 
-
-> [!NOTE]
-> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](/configmgr/protect/deploy-use/monitor-endpoint-protection). 
-
-See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
-
-**Use Group Policy to hide notifications:**
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**. 
-
-4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
-
-**Use Group Policy to hide reboot notifications:**
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
-
-5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
-
-## Related topics
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md

@@ -1,188 +0,0 @@
----
-title: Configure exclusions for files opened by specific processes
-description: You can exclude files from scans if they have been opened by a specific process.
-keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure exclusions for files opened by processes
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-
-This article describes how to configure exclusion lists. 
-
-## Examples of exclusions
-
-|Exclusion | Example |
-|---|---|
-|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by: <br/>`c:\sample\test.exe`<br/>`d:\internal\files\test.exe` |  
-|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:<br/>`c:\test\sample\test.exe`<br/>`c:\test\sample\test2.exe`<br/>`c:\test\sample\utility.exe` | 
-|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` |
-
-
-When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
-
-The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
-
-Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
-
-You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
-
-You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
-
-By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
-
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
-
-## Configure the list of exclusions for files opened by specified processes
-
-### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
-
-See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-
-### Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans
-
-See [How to create and deploy antimalware policies: Exclusion settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
-
-### Use Group Policy to exclude files that have been opened by specified processes from scans
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
-
-4. Double-click **Process Exclusions** and add the exclusions:
-
-    1. Set the option to **Enabled**.
-    2. Under the **Options** section, click **Show...**.
-    3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions.  Enter **0** in the **Value** column for all processes.
-
-5. Click **OK**.
-
-### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
-
-Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](/powershell/module/defender/).
-
-The format for the cmdlets is:
-
-```PowerShell
-<cmdlet> -ExclusionProcess "<item>"
-```
-
-The following are allowed as the \<cmdlet>:
-
-|Configuration action | PowerShell cmdlet |
-|---|---|
-|Create or overwrite the list | `Set-MpPreference` |
-|Add to the list | `Add-MpPreference` |
-|Remove items from the list | `Remove-MpPreference` |
-
->[!IMPORTANT]
->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
-
-For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file that is opened by the specified process:
-
-```PowerShell
-Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
-```
-
-For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](/powershell/module/defender).
-
-### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
-
-Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
-
-```WMI
-ExclusionProcess
-```
-
-The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
-
-For more information and allowed parameters, see  [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
-
-### Use the Windows Security app to exclude files that have been opened by specified processes from scans
-
-See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md) for instructions.
-
-## Use wildcards in the process exclusion list
-
-The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
-
-In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list.
-
-The following table describes how the wildcards can be used in the process exclusion list:
-
-|Wildcard | Example use | Example matches |
-|:---|:---|:---|
-|`*` (asterisk) <br/><br/> Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` |
-|Environment variables <br/><br/> The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` |
-
-## Review the list of exclusions
-
-You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](/intune/device-restrictions-configure), or the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-
-If you use PowerShell, you can retrieve the list in two ways:
-
-- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
-- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-
-### Validate the exclusion list by using MpCmdRun
-
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](./command-line-arguments-microsoft-defender-antivirus.md?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
-
-```DOS
-MpCmdRun.exe -CheckExclusion -path <path>
-```
-
-> [!NOTE]
-> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
-
-
-### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
-
-Use the following cmdlet:
-
-```PowerShell
-Get-MpPreference
-```
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-### Retrieve a specific exclusions list by using PowerShell
-
-Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
-
-```PowerShell
-$WDAVprefs = Get-MpPreference
-$WDAVprefs.ExclusionProcess
-```
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-## Related articles
-
-- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
-- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
-- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md

@@ -1,46 +0,0 @@
----
-title: Enable and configure Microsoft Defender Antivirus protection features
-description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender AV.
-keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure behavioral, heuristic, and real-time protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-Microsoft Defender Antivirus uses several methods to provide threat protection:
-
-- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
-- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
-- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
-
-You can configure how Microsoft Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
-
-This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
-
-See [Use next-gen Microsoft Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Microsoft Defender Antivirus cloud-delivered protection.
-
-## In this section
-
- Topic | Description
----|---
-[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
-[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features

windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md

@@ -1,136 +0,0 @@
----
-title: Enable and configure Microsoft Defender Antivirus protection capabilities
-description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
-keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 12/16/2019
-ms.reviewer: 
-manager: dansimp
-ms.custom: nextgen
-ms.technology: mde
----
-
-# Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
-
-These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
-
-## Enable and configure always-on protection in Group Policy
-
-You can use **Local Group Policy Editor** to enable and configure Microsoft Defender Antivirus always-on protection settings.
-
-To enable and configure always-on protection:
-
-1. Open **Local Group Policy Editor**. To do this:  
-
-    1. In your Windows 10 taskbar search box, type **gpedit**.
-    
-    1. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
-    
-       ![GPEdit taskbar search result](images/gpedit-search.png)
-
-2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**. 
-
-3. Configure the Microsoft Defender Antivirus antimalware service policy settings. To do this:  
-
-    1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
-
-       | Setting | Description | Default setting |
-       |-----------------------------|------------------------|-------------------------------|
-       | Allow antimalware service to startup with normal priority | You can lower the priority of the Microsoft Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
-       | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
-    
-    1. Configure the setting as appropriate, and click **OK**.
-    
-    1. Repeat the previous steps for each setting in the table.
-
-4. Configure the Microsoft Defender Antivirus real-time protection policy settings. To do this:
-
-    1. In the **Microsoft Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Microsoft Defender Antivirus** tree on left pane, click **Real-time Protection**.
-    
-    1. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:  
-
-       | Setting | Description | Default setting |
-       |-----------------------------|------------------------|-------------------------------|
-       | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
-       | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
-       | Monitor file and program activity on your computer | The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
-       | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
-       | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
-       | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
-       | Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
-       | Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
-       | Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
-       | Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
-       | Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
-       | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
-
-    1. Configure the setting as appropriate, and click **OK**.
-    
-    1. Repeat the previous steps for each setting in the table.
-
-5. Configure the Microsoft Defender Antivirus scanning policy setting. To do this:  
-
-    1. From the **Microsoft Defender Antivirus** tree on left pane, click **Scan**.
-    
-       ![Microsoft Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
-
-    1. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
-
-       | Setting | Description | Default setting |
-       |-----------------------------|------------------------|-------------------------------|    
-       | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity. | Enabled |
-
-    1. Configure the setting as appropriate, and click **OK**.
-    
-6. Close **Local Group Policy Editor**.
-
-
-## Disable real-time protection in Group Policy
-
-> [!WARNING]
-> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
-
-The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
-
-To disable real-time protection in Group policy:
-
-1. Open **Local Group Policy Editor**.
-
-   1. In your Windows 10 taskbar search box, type **gpedit**.
-   
-   1. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
-
-2.  In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
-
-3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
-
-   ![Turn off real-time protection](images/gpedit-turn-off-real-time-protection.png)
-
-4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
-
-   ![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
-   
-5. Click **OK**.
-
-6. Close **Local Group Policy Editor**.
-
-## Related articles
-
-- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md

@@ -1,73 +0,0 @@
----
-title: Configure remediation for Microsoft Defender Antivirus detections
-description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-keywords: remediation, fix, remove, threats, quarantine, scan, restore
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 03/16/2021
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Configure remediation for Microsoft Defender Antivirus detections
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. You can configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.
-
-This article describes how to configure these settings by using Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](/intune/device-restrictions-configure). 
-
-You can also use the [`Set-MpPreference` PowerShell cmdlet](/powershell/module/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) to configure these settings.
-
-## Configure remediation options
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**. 
-
-4. Using the table below, select a location, and then edit the policy as needed. 
-
-5. Select **OK**.
-
-|Location | Setting | Description | Default setting (if not configured) |
-|:---|:---|:---|:---|
-|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled|
-|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
-|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
-|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | 90 days |
-|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
-|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
-
-> [!IMPORTANT]
-> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
->
-> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).
-> 
-> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
-
-Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
-
-## See also
-
-- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
-- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-- [Configure end-user Microsoft Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md)
-- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md

@@ -1,339 +0,0 @@
----
-title: Configure Microsoft Defender Antivirus exclusions on Windows Server
-ms.reviewer: 
-manager: dansimp
-description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions.
-keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.technology: mde
-ms.date: 02/10/2021
----
-
-# Configure Microsoft Defender Antivirus exclusions on Windows Server
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-
-> [!NOTE]
-> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
-
-In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-
-## A few points to keep in mind
-
-Keep the following important points in mind:
-
-- Custom exclusions take precedence over automatic exclusions.
-- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
-- Custom and duplicate exclusions do not conflict with automatic exclusions.
-- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
-
-## Opt out of automatic exclusions
-
-In Windows Server 2016 and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-
-> [!WARNING]
-> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles.
-
-Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
-
-You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
-
-### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
-4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**. 
-
-### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -DisableAutoExclusions $true
-```
-
-To learn more, see the following resources:
-
-- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
-- [Use PowerShell with Microsoft Defender Antivirus](/powershell/module/defender/).
-
-### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
-
-Use the **Set** method of the [MSFT_MpPreference](/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
-
-```WMI
-DisableAutoExclusions
-```
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
-
-## List of automatic exclusions
-
-The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
-
-### Default exclusions for all roles
-
-This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
-
-> [!NOTE]
-> The default locations could be different than what's listed in this article.
-
-#### Windows "temp.edb" files
-
-- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
-- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
-
-#### Windows Update files or Automatic Update files
-
-- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
-- `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
-- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
-- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
-- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
-
-#### Windows Security files
-
-- `%windir%\Security\database\*.chk`
-- `%windir%\Security\database\*.edb`
-- `%windir%\Security\database\*.jrs`
-- `%windir%\Security\database\*.log`
-- `%windir%\Security\database\*.sdb`
-
-#### Group Policy files
-
-- `%allusersprofile%\NTUser.pol`
-- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
-- `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
-
-#### WINS files
-
-- `%systemroot%\System32\Wins\*\*.chk`
-- `%systemroot%\System32\Wins\*\*.log`
-- `%systemroot%\System32\Wins\*\*.mdb`
-- `%systemroot%\System32\LogFiles\`
-- `%systemroot%\SysWow64\LogFiles\`
-
-#### File Replication Service (FRS) exclusions
-
-- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
-
-  - `%windir%\Ntfrs\jet\sys\*\edb.chk`
-  - `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
-  - `%windir%\Ntfrs\jet\log\*\*.log`
-
-- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
-
-  - `%windir%\Ntfrs\*\Edb\*.log`
-
-- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
-
-  - `%systemroot%\Sysvol\*\Ntfrs_cmp*\`
-
-- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
-
-  - `%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\`
-
-- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
-
-  > [!NOTE]
-  > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
-
-  - `%systemdrive%\System Volume Information\DFSR\$db_normal$`
-  - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
-  - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
-  - `%systemdrive%\System Volume Information\DFSR\*.XML`
-  - `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
-  - `%systemdrive%\System Volume Information\DFSR\$db_clean$`
-  - `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
-  - `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
-  - `%systemdrive%\System Volume Information\DFSR\*.frx`
-  - `%systemdrive%\System Volume Information\DFSR\*.log`
-  - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
-  - `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
-
-#### Process exclusions
-
-- `%systemroot%\System32\dfsr.exe`
-- `%systemroot%\System32\dfsrs.exe`
-
-#### Hyper-V exclusions
-
-The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
-
-|File type exclusions |Folder exclusions  | Process exclusions |
-|:--|:--|:--|
-| `*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe` |
-
-#### SYSVOL files
-
-- `%systemroot%\Sysvol\Domain\*.adm`
-- `%systemroot%\Sysvol\Domain\*.admx`
-- `%systemroot%\Sysvol\Domain\*.adml`
-- `%systemroot%\Sysvol\Domain\Registry.pol`
-- `%systemroot%\Sysvol\Domain\*.aas`
-- `%systemroot%\Sysvol\Domain\*.inf`
-- `%systemroot%\Sysvol\Domain\*Scripts.ini`
-- `%systemroot%\Sysvol\Domain\*.ins`
-- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
-
-
-### Active Directory exclusions
-
-This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
-
-#### NTDS database files
-
-The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
-
-- `%windir%\Ntds\ntds.dit`
-- `%windir%\Ntds\ntds.pat`
-
-#### The AD DS transaction log files
-
-The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
-
-- `%windir%\Ntds\EDB*.log`
-- `%windir%\Ntds\Res*.log`
-- `%windir%\Ntds\Edb*.jrs`
-- `%windir%\Ntds\Ntds*.pat`
-- `%windir%\Ntds\TEMP.edb`
-
-#### The NTDS working folder
-
-This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
-
-- `%windir%\Ntds\Temp.edb`
-- `%windir%\Ntds\Edb.chk`
-
-#### Process exclusions for AD DS and AD DS-related support files
-
-- `%systemroot%\System32\ntfrs.exe`
-- `%systemroot%\System32\lsass.exe`
-
-### DHCP Server exclusions
-
-This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
-
-- `%systemroot%\System32\DHCP\*\*.mdb`
-- `%systemroot%\System32\DHCP\*\*.pat`
-- `%systemroot%\System32\DHCP\*\*.log`
-- `%systemroot%\System32\DHCP\*\*.chk`
-- `%systemroot%\System32\DHCP\*\*.edb`
-
-### DNS Server exclusions
-
-This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
-
-#### File and folder exclusions for the DNS Server role
-
-- `%systemroot%\System32\Dns\*\*.log`
-- `%systemroot%\System32\Dns\*\*.dns`
-- `%systemroot%\System32\Dns\*\*.scc`
-- `%systemroot%\System32\Dns\*\BOOT`
-
-#### Process exclusions for the DNS Server role
-
-- `%systemroot%\System32\dns.exe`
-
-### File and Storage Services exclusions
-
-This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
-
-- `%SystemDrive%\ClusterStorage`
-- `%clusterserviceaccount%\Local Settings\Temp`
-- `%SystemDrive%\mscs`
-
-### Print Server exclusions
-
-This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
-
-#### File type exclusions
-
-- `*.shd`
-- `*.spl`
-
-#### Folder exclusions
-
-This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
-
-- `%system32%\spool\printers\*`
-
-#### Process exclusions
-
-- `spoolsv.exe`
-
-### Web Server exclusions
-
-This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
-
-#### Folder exclusions
-
-- `%SystemRoot%\IIS Temporary Compressed Files`
-- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
-- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
-- `%systemDrive%\inetpub\logs`
-- `%systemDrive%\inetpub\wwwroot`
-
-#### Process exclusions
-
-- `%SystemRoot%\system32\inetsrv\w3wp.exe`
-- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
-- `%SystemDrive%\PHP5433\php-cgi.exe`
-
-#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
-
-The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
-
-- `%systemroot%\Sysvol\Domain`
-- `%systemroot%\Sysvol_DFSR\Domain`
-
-The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`
-
-Exclude the following files from this folder and all its subfolders:
-
-- `*.adm`
-- `*.admx`
-- `*.adml`
-- `Registry.pol`
-- `Registry.tmp`
-- `*.aas`
-- `*.inf`
-- `Scripts.ini`
-- `*.ins`
-- `Oscfilter.ini`
-
-### Windows Server Update Services exclusions
-
-This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
-
-- `%systemroot%\WSUS\WSUSContent`
-- `%systemroot%\WSUS\UpdateServicesDBFiles`
-- `%systemroot%\SoftwareDistribution\Datastore`
-- `%systemroot%\SoftwareDistribution\Download`
-
-## See also
-
-- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
-- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md

@@ -1,40 +0,0 @@
----
-title: Run and customize scheduled and on-demand scans
-description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. 
-
-## In this section
-
-Topic | Description
----|---
-[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
-[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
-[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
-[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using  Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app

windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md

@@ -1,40 +0,0 @@
----
-title: Run and customize scheduled and on-demand scans
-description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. 
-
-## In this section
-
-| Article | Description |
-|:---|:---|
-|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning |
-|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning |
-|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder |
-|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans |
-|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app |
-|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using  Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app |

windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md

@@ -1,88 +0,0 @@
----
-title: Deploy, manage, and report on Microsoft Defender Antivirus
-description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
-keywords: deploy, manage, update, protection, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Deploy, manage, and report on Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
-
-Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
-
-However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Defender, or Group Policy Objects, which is described in the following table.
-
-You'll also see additional links for:
-
-- Managing Microsoft Defender Antivirus protection, including managing product and protection updates
-- Reporting on Microsoft Defender Antivirus protection
-
-> [!IMPORTANT]
-> In most cases, Windows 10 will disable Microsoft Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Microsoft Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Microsoft Defender Antivirus.
-
-Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options  
----|---|---|---  
-Microsoft Intune|[Add endpoint protection settings in Intune](/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](/intune/device-restrictions-configure)| [Use the Intune console to manage devices](/intune/device-management)  
-Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]  
-Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
-PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
-Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
-Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.
-
-1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
-  
-2.	<span id="fn2" />In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
-
-3. <span id="fn3" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Microsoft Defender Antivirus features](configure-notifications-microsoft-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
-
-[Endpoint Protection point site system role]: /configmgr/protect/deploy-use/endpoint-protection-site-role
-[default and customized antimalware policies]:  /configmgr/protect/deploy-use/endpoint-antimalware-policies
-[client management]:  /configmgr/core/clients/manage/manage-clients
-[enable Endpoint Protection with custom client settings]:  /configmgr/protect/deploy-use/endpoint-protection-configure-client
-[Configuration Manager Monitoring workspace]:  /configmgr/protect/deploy-use/monitor-endpoint-protection
-[email alerts]:  /configmgr/protect/deploy-use/endpoint-configure-alerts
-[Deploy the Microsoft Intune client to endpoints]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune
-[custom Intune policy]:  /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
- [custom Intune policy]:  /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection 
-[manage tasks]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection
-[Monitor endpoint protection in the Microsoft Intune administration console]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection
-[Set method of the MSFT_MpPreference class]:  /previous-versions/windows/desktop/defender/set-msft-mppreference
-[Update method of the MSFT_MpSignature class]:  /previous-versions/windows/desktop/defender/set-msft-mppreference
-[MSFT_MpComputerStatus]:  /previous-versions/windows/desktop/defender/msft-mpcomputerstatus
-[Windows Defender WMIv2 Provider]: /previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal
-[Set-MpPreference]:  https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
-[Update-MpSignature]: /powershell/module/defender/update-mpsignature
-[Get- cmdlets available in the Defender module]: /powershell/module/defender/
-[Configure update options for Microsoft Defender Antivirus]: manage-updates-baselines-microsoft-defender-antivirus.md
-[Configure Windows Defender features]: configure-microsoft-defender-antivirus-features.md
-[Group Policies to determine if any settings or policies are not applied]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771389(v=ws.11)
-[Possibly infected devices]: /azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
-[Microsoft Defender Antivirus events]: troubleshoot-microsoft-defender-antivirus.md
-
-## In this section
-
-Topic | Description
----|---
-[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. 
-[Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) | There are two parts to updating Microsoft Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
-[Monitor and report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.

windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md

@@ -1,41 +0,0 @@
----
-title: Deploy and enable Microsoft Defender Antivirus
-description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
-keywords: deploy, enable, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 01/06/2021
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Deploy and enable Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection. 
-
-See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
-
-Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
-
-The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
-
-## Related articles
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
-- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md

@@ -1,238 +0,0 @@
----
-title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment guide
-description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
-keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 12/28/2020
-ms.reviewer: jesquive
-manager: dansimp
-ms.technology: mde
----
-
-# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
-
-See [Windows Virtual Desktop Documentation](/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
-
-For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](/azure/security-center/security-center-install-endpoint-protection).
-
-With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
-
-This guide describes how to configure your VMs for optimal protection and performance, including how to:
-
-- [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share)
-- [Randomize scheduled scans](#randomize-scheduled-scans)
-- [Use quick scans](#use-quick-scans)
-- [Prevent notifications](#prevent-notifications)
-- [Disable scans from occurring after every update](#disable-scans-after-an-update)
-- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
-- [Apply exclusions](#exclusions)
-
-You can also download the whitepaper [Microsoft Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
-
-> [!IMPORTANT]
-> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.<br/>There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
-
-## Set up a dedicated VDI file share
-
-In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.
-
-### Use Group Policy to enable the shared security intelligence feature:
-
-1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
-
-5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
-
-6. Enter `\\<sharedlocation\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
-
-7. Click **OK**.
-
-8. Deploy the GPO to the VMs you want to test.
-
-### Use PowerShell to enable the shared security intelligence feature
-
-Use the following cmdlet to enable the feature. You’ll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
-
-```PowerShell
-Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update
-```
-
-See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \<shared location\> will be.
-
-## Download and unpackage the latest updates
-
-Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts).
-
-```PowerShell
-$vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-"
-$vdmpathtime = Get-Date -format "yMMddHHmmss"
-$vdmpath = $vdmpathbase + $vdmpathtime + '}'
-$vdmpackage = $vdmpath + '\mpam-fe.exe'
-
-New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null
-
-Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage
-
-cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"
-```
-
-You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. 
-We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact. 
-
-Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit.
-
-### Set a scheduled task to run the PowerShell script
-
-1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
-
-2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**.
-
-3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**.
-
-4. You can choose to configure additional settings if you wish.
-
-5. Select **OK** to save the scheduled task.
- 
-You can initiate the update manually by right-clicking on the task and clicking **Run**.
-
-### Download and unpackage manually
-
-If you would prefer to do everything manually, here's what to do to replicate the script’s behavior:
-
-1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`.
-
-2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
-
-Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
-
-   > [!NOTE]
-   > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
-
-3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions)  into the GUID folder. The file should be named `mpam-fe.exe`.
-
-4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`.
-
-   > [!NOTE]
-   > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
-
-## Randomize scheduled scans
-
-Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
-
-The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan.
-
-See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans.
-
-## Use quick scans
-
-You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy.
-
-1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
-
-2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting.
-
-3. Set the policy to **Enabled**, and then under **Options**, select  **Quick scan**.
-
-4. Select **OK**. 
-
-5. Deploy your Group Policy object as you usually do.
-
-## Prevent notifications
-
-Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy.
-
-1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
-
-2. Select **Suppress all notifications** and then edit the policy settings. 
-
-3. Set the policy to **Enabled**, and then select **OK**.
-
-4. Deploy your Group Policy object as you usually do.
-
-Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-
-> [!TIP]
-> To open the Action Center on Windows 10, take one of the following steps:
-> - On the right end of the taskbar, select the Action Center icon.
-> - Press the Windows logo key button + A.
-> - On a touchscreen device, swipe in from the right edge of the screen.
-
-## Disable scans after an update
-
-Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
-
-> [!IMPORTANT]
-> Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
-
-1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
-
-2. Select **Turn on scan after security intelligence update** and then edit the policy setting.
-
-3. Set the policy to **Disabled**.
-
-4. Select **OK**.
-
-5. Deploy your Group Policy object as you usually do.
-
-This policy prevents a scan from running immediately after an update.
-
-## Scan VMs that have been offline
-
-1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
-
-2. Select **Turn on catch-up quick scan** and then edit the policy setting.
-
-3. Set the policy to **Enabled**.
-
-4. Select **OK**.
-
-5. Deploy your Group Policy Object as you usually do.
-
-This policy forces a scan if the VM has missed two or more consecutive scheduled scans.
-
-## Enable headless UI mode
-
-1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
-
-2. Select **Enable headless UI mode** and edit the policy.
-
-3. Set the policy to **Enabled**.
-
-4. Click **OK**.
-
-5. Deploy your Group Policy Object as you usually do.
- 
-This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization.
-
-## Exclusions
-
-Exclusions can be added, removed, or customized to suit your needs.
-
-For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md).
-
-## Additional resources
-
-- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633)
-- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
-- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4)

windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md

@@ -1,188 +0,0 @@
----
-title: Block potentially unwanted applications with Microsoft Defender Antivirus
-description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
-keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: detect
-ms.sitesec: library
-ms.localizationpriority: high
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-audience: ITPro
-ms.date: 03/10/2021
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Detect and block potentially unwanted applications
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-- [Microsoft Edge](/microsoft-edge/deploy/microsoft-edge)
-
-> [!NOTE]
-> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices.
-
-Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior.
-
-Here are some examples:
-
-- **Advertising software** that displays advertisements or promotions, including software that inserts advertisements to webpages.
-- **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
-- **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
-
-> [!TIP]
-> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md).
-
-Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016.
-
-## Microsoft Edge
-
-The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-know-microsoft-edge-3f4bb0ff-58de-2188-55c0-f560b7e20bea), which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
-
-### Enable PUA protection in Chromium-based Microsoft Edge
-
-Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.
-
-1. Select the ellipses, and then choose **Settings**.
-2. Select **Privacy, search, and services**.
-3. Under the **Security** section, turn on **Block potentially unwanted apps**.
-
-> [!TIP]
-> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/).
-
-### Blocking URLs with Microsoft Defender SmartScreen
-
-In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
-
-Security admins can [configure](/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
-
-Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](/microsoft-365/security/defender-endpoint/manage-indicators) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
-
-## Microsoft Defender Antivirus
-
-The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network.
-
-> [!NOTE]
-> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016.
-
-Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content.
-
-The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md).
-
-### Configure PUA protection in Microsoft Defender Antivirus
-
-You can enable PUA protection with [Microsoft Intune](/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](/powershell/module/defender/?preserve-view=true&view=win10-ps).
-
-You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.
-
-> [!TIP]
-> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action.
-
-PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
-
-#### Use Intune to configure PUA protection
-
-See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-
-#### Use Configuration Manager to configure PUA protection
-
-PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch).
-
-See [How to create and deploy antimalware policies: Scheduled scans settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Manager (Current Branch).
-
-For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#BKMK_PUA).
-
-> [!NOTE]
-> PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
-
-#### Use Group Policy to configure PUA protection
-
-1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
-
-2. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
-
-3. Select the Group Policy Object you want to configure, and then choose **Edit**.
-
-4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-
-5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
-
-6. Double-click **Configure detection for potentially unwanted applications**.
-
-7. Select **Enabled** to enable PUA protection.
-
-8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**.
-
-9. Deploy your Group Policy object as you usually do.
-
-#### Use PowerShell cmdlets to configure PUA protection
-
-##### To enable PUA protection
-
-```PowerShell
-Set-MpPreference -PUAProtection Enabled
-```
-
-Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled.
-
-##### To set PUA protection to audit mode
-
-```PowerShell
-Set-MpPreference -PUAProtection AuditMode
-```
-
-Setting `AuditMode` detects PUAs without blocking them.
-
-##### To disable PUA protection
-
-We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
-
-```PowerShell
-Set-MpPreference -PUAProtection Disabled
-```
-
-Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled.
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-## View PUA events
-
-PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
-
-```console
-CategoryID       : 27
-DidThreatExecute : False
-IsActive         : False
-Resources        : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/
-                    fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
-RollupStatus     : 33
-SchemaVersion    : 1.0.0.0
-SeverityID       : 1
-ThreatID         : 213927
-ThreatName       : PUA:Win32/InstallCore
-TypeID           : 0
-PSComputerName   :
-```
-
-You can turn on email notifications to receive mail about PUA detections.
-
-See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
-
-## Excluding files
-
-Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.
-
-For more information, see [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
-
-## See also
-
-- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)
-- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md

@@ -1,152 +0,0 @@
----
-title: Turn on cloud-delivered protection in Microsoft Defender Antivirus
-description: Turn on cloud-delivered protection to benefit from fast and advanced protection features.
-keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 11/13/2020
-ms.reviewer: 
-manager: dansimp
-ms.custom: nextgen
-ms.technology: mde
----
-
-# Turn on cloud-delivered protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-> [!NOTE]
-> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
-
-You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways:
-
-- Microsoft Intune
-- Microsoft Endpoint Configuration Manager
-- Group Policy
-- PowerShell cmdlets.
-
- You can also turn it on or off in individual clients with the Windows Security app.
-
-See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection.
-
-For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md).
-
-> [!NOTE]
-> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839).
-
-## Use Intune to turn on cloud-delivered protection
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
-2. On the **Home** pane, select **Device configuration > Profiles**.
-3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).
-4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**.
-5. On the **Cloud-delivered protection** switch, select **Enable**.
-6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**.
-
-For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles)
-
-## Use Microsoft Endpoint Manager to turn on cloud-delivered protection
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
-2. Choose **Endpoint security** > **Antivirus**.
-3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).
-4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
-5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
-    1. **High**: Applies a strong level of detection.
-    2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
-    3. **Zero tolerance**: Blocks all unknown executables.
-6. Select **Review + save**, then choose **Save**.
-
-For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service).
-
-## Use Group Policy to turn on cloud-delivered protection
-
-1. On your Group Policy management device, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
-
-2. In the **Group Policy Management Editor**, go to **Computer configuration**.
-
-3. Select **Administrative templates**.
-
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS**
-
-5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
-
-6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either:
-
-    1. **Send safe samples** (1)
-    2. **Send all samples** (3)
-
-        >[!NOTE]
-        > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
-
-        > [!WARNING]
-        > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
-
-7. Select **OK**.
-
-## Use PowerShell cmdlets to turn on cloud-delivered protection
-
-The following cmdlets can turn on cloud-delivered protection:
-
-```PowerShell
-Set-MpPreference -MAPSReporting Advanced
-Set-MpPreference -SubmitSamplesConsent SendAllSamples
-```
-
-For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/). [Policy CSP - Defender](/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
-
->[!NOTE]
-> You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
-
->[!WARNING]
-> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
-
-## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection
-
-Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/defender/set-msft-mppreference) class for the following properties:
-
-```WMI
-MAPSReporting
-SubmitSamplesConsent
-```
-
-For more information about allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
-
-## Turn on cloud-delivered protection on individual clients with the Windows Security app
-
-> [!NOTE]
-> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
-
-1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**.
-
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
-
-    ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
-
-3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
-
-> [!NOTE]
-> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
-
-## Related articles
-
-- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
-- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
-- [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
-- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
-- [Defender cmdlets](/powershell/module/defender/)
-- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
-- [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md

@@ -1,56 +0,0 @@
----
-title: Evaluate Microsoft Defender Antivirus
-description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10.
-keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer: 
-manager: dansimp
-ms.technology: mde
----
-
-# Evaluate Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-
-Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
-
->[!TIP]
->You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
->- Cloud-delivered protection
->- Fast learning (including Block at first sight)
->- Potentially unwanted application blocking
-
-It explains the important next-generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
-
-You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
-
-The guide is available in PDF format for offline viewing:
-
-- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
-
-You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
-
-- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings)
-
-> [!IMPORTANT]
-> The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment.
->
-> For the latest recommendations for real-world deployment and monitoring of Microsoft Defender Antivirus across a network, see [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md).
-
-## Related topics
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)