---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/02/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---

# Defender DDF file

The following XML file contains the device description framework (DDF) for the Defender configuration service provider.

```xml
1.2
Defender ./Device/Vendor/MSFT 10.0.10586 1.0 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
Detections An interior node to group all threats detected by Windows Defender.
The ID of a threat that has been detected by Windows Defender. ThreatId
Name The name of the specific threat.
URL URL link for additional threat information.
Severity Threat severity ID. The following list shows the supported values: 0 = Unknown; 1 = Low; 2 = Moderate; 4 = High; 5 = Severe;
Category Threat category ID.
Supported values: 0-Invalid; 1-Adware; 2-Spyware; 3-Password stealer; 4-Trojan downloader; 5-Worm; 6-Backdoor; 7-Remote access Trojan; 8-Trojan; 9-Email flooder; 10-Keylogger; 11-Dialer; 12-Monitoring software; 13-Browser modifier; 14-Cookie; 15-Browser plugin; 16-AOL exploit; 17-Nuker; 18-Security disabler; 19-Joke program; 20-Hostile ActiveX control; 21-Software bundler; 22-Stealth modifier; 23-Settings modifier; 24-Toolbar; 25-Remote control software; 26-Trojan FTP; 27-Potential unwanted software; 28-ICQ exploit; 29-Trojan telnet; 30-Exploit; 31-File sharing program; 32-Malware creation tool; 33-Remote control software; 34-Tool; 36-Trojan denial of service; 37-Trojan dropper; 38-Trojan mass mailer; 39-Trojan monitoring software; 40-Trojan proxy server; 42-Virus; 43-Known; 44-Unknown; 45-SPP; 46-Behavior; 47-Vulnerability; 48-Policy; 49-EUS (Enterprise Unwanted Software); 50-Ransomware; 51-ASR Rule
CurrentStatus Information about the current status of the threat. The following list shows the supported values: 0 = Active; 1 = Action failed; 2 = Manual steps required; 3 = Full scan required; 4 = Reboot required; 5 = Remediated with noncritical failures; 6 = Quarantined; 7 = Removed; 8 = Cleaned; 9 = Allowed; 10 = No Status (Cleared)
ExecutionStatus Information about the execution status of the threat.
InitialDetectionTime The first time this particular threat was detected.
LastThreatStatusChangeTime The last time this particular threat was changed.
NumberOfDetections Number of times this threat has been detected on a particular client.
Health An interior node to group information about Windows Defender health status.
ProductStatus 10.0.17763 1.2
ComputerState Provide the current state of the device.
The following list shows the supported values: 0 = Clean; 1 = Pending full scan; 2 = Pending reboot; 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan); 8 = Pending offline scan; 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)
DefenderEnabled Indicates whether the Windows Defender service is running.
RtpEnabled Indicates whether real-time protection is running.
NisEnabled Indicates whether network protection is running.
QuickScanOverdue Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default).
FullScanOverdue Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default).
SignatureOutOfDate Indicates whether the Windows Defender signature is outdated.
RebootRequired Indicates whether a device reboot is needed.
FullScanRequired Indicates whether a Windows Defender full scan is required.
EngineVersion Version number of the current Windows Defender engine on the device.
SignatureVersion Version number of the current Windows Defender signatures on the device.
DefenderVersion Version number of Windows Defender on the device.
QuickScanTime Time of the last Windows Defender quick scan of the device.
FullScanTime Time of the last Windows Defender full scan of the device.
QuickScanSigVersion Signature version used for the last quick scan of the device.
FullScanSigVersion Signature version used for the last full scan of the device.
TamperProtectionEnabled Indicates whether the Windows Defender tamper protection feature is enabled.
10.0.18362 1.3
IsVirtualMachine Indicates whether the device is a virtual machine. 10.0.18362 1.3
Configuration An interior node to group Windows Defender configuration information. 10.0.18362 1.3
DeviceControl 10.0.17763 1.3
PolicyGroups
GroupId
GroupData
PolicyRules
RuleId
RuleData
TamperProtection Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune, and are available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob.
EnableFileHashComputation 0 Enables or disables file hash computation feature. When this feature is enabled Windows Defender will compute hashes for files it scans. 0 Disable 1 Enable
MeteredConnectionUpdates 0 Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed 10.0.14393 1 Allowed 0 Not Allowed
SupportLogLocation The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. 10.0.14393 9.9
AllowNetworkProtectionOnWinServer 1 This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. 10.0.16299 1.3 1 Allow 0 Disallow
ExcludedIpAddresses This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic.
10.0.14393 1.3
DisableCpuThrottleOnIdleScans 1 Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. 10.0.14393 1.3 1 Disable CPU Throttle on idle scans 0 Enable CPU Throttle on idle scans
DisableLocalAdminMerge When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge/override the Preference settings with the Policy settings 10.0.14393 1.3 1 Disable Local Admin Merge 0 Enable Local Admin Merge
SchedulerRandomizationTime 4 This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. 10.0.14393 1.3 [1-23]
DisableTlsParsing 0 This setting disables TLS Parsing for Network Protection. 10.0.14393 1.3 1 TLS parsing is disabled 0 TLS parsing is enabled
DisableFtpParsing 0 This setting disables FTP Parsing for Network Protection. 10.0.14393 1.3 1 FTP parsing is disabled 0 FTP parsing is enabled
DisableHttpParsing 0 This setting disables HTTP Parsing for Network Protection. 10.0.14393 1.3 1 HTTP parsing is disabled 0 HTTP parsing is enabled
DisableDnsParsing 0 This setting disables DNS Parsing for Network Protection. 10.0.14393 1.3 1 DNS parsing is disabled 0 DNS parsing is enabled
DisableDnsOverTcpParsing 0 This setting disables DNS over TCP Parsing for Network Protection. 10.0.14393 1.3 1 DNS over TCP parsing is disabled 0 DNS over TCP parsing is enabled
DisableSshParsing 0 This setting disables SSH Parsing for Network Protection.
10.0.14393 1.3 1 SSH parsing is disabled 0 SSH parsing is enabled
PlatformUpdatesChannel Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. 10.0.14393 1.3
  0 Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
  2 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
  3 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
  4 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
  5 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
  6 Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
EngineUpdatesChannel Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. 10.0.14393 1.3
  0 Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
  2 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default.
  For use in (manual) test environments only and a limited number of devices.
  3 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
  4 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
  5 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
  6 Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
SecurityIntelligenceUpdatesChannel Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. 10.0.14393 1.3
  0 Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
  4 Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
  5 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
DisableGradualRelease Enable this policy to disable gradual rollout of Defender updates. 10.0.14393 1.3 1 Gradual release is disabled 0 Gradual release is enabled
AllowNetworkProtectionDownLevel This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. 10.0.14393 1.3 1 Network protection will be enabled downlevel. 0 Network protection will be disabled downlevel.
EnableDnsSinkhole This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. 10.0.14393 1.3 1 DNS Sinkhole is disabled 0 DNS Sinkhole is enabled
DisableInboundConnectionFiltering This setting disables Inbound connection filtering for Network Protection. 10.0.14393 1.3 1 Inbound connection filtering is disabled 0 Inbound connection filtering is enabled
DisableRdpParsing This setting disables RDP Parsing for Network Protection. 10.0.14393 1.3 1 RDP Parsing is disabled 0 RDP Parsing is enabled
AllowDatagramProcessingOnWinServer This setting controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. 10.0.14393 1.3 1 Datagram processing on Windows Server is enabled. 0 Datagram processing on Windows Server is disabled.
DisableNetworkProtectionPerfTelemetry This setting disables the gathering and sending of performance telemetry from Network Protection. 10.0.14393 1.3 1 Network protection telemetry is disabled 0 Network protection telemetry is enabled
HideExclusionsFromLocalAdmins This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. 10.0.17763 1.3 1 If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. 0 If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.
ThrottleForScheduledScanOnly 1 A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only.
10.0.14393 1.3 1 If you enable this setting, CPU throttling will apply only to scheduled scans. 0 If you disable this setting, CPU throttling will apply to scheduled and custom scans.
ASROnlyPerRuleExclusions Apply ASR only per rule exclusions. 10.0.16299 1.3
DataDuplicationDirectory Define data duplication directory for device control. 10.0.17763 1.3
DataDuplicationRemoteLocation Define data duplication remote location for device control. 10.0.17763 1.3
DeviceControlEnabled Control Device Control feature. 10.0.17763 1.3 1 0
DefaultEnforcement Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. 10.0.17763 1.3 1 Default Allow Enforcement 2 Default Deny Enforcement
PassiveRemediation Setting to control automatic remediation for Sense scans. 10.0.14393 1.3 0x1 PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation 0x2 PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit 0x4 PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation
PauseUpdateStartTime Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. 10.0.14393 1.3
PauseUpdateExpirationTime Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. 10.0.14393 1.3
PauseUpdateFlag Setting to control automatic remediation for Sense scans. 10.0.14393 1.3 0 Update not paused 1 Update paused
TDTFeatureEnabled 0 This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. 10.0.19041 1.3 0 If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft.
2 If you configure this setting to disabled, Intel TDT integration will be turned off.
Scan Node that can be used to start a Windows Defender scan on a device. 1 quick scan 2 full scan
UpdateSignature Node that can be used to perform signature updates for Windows Defender.
OfflineScan OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. 10.0.17134 1.1 ServerInitiated
RollbackPlatform RollbackPlatform action rolls back Microsoft Defender to its last known good installation location on the computer where you run the command. 10.0.17134 1.1 ServerInitiated
RollbackEngine RollbackEngine action rolls back Microsoft Defender engine to its last known good saved version on the computer where you run the command. 10.0.17134 1.1 ServerInitiated
```

## Related articles

[Defender configuration service provider reference](defender-csp.md)