Configure Microsoft Defender Antivirus scanning options

Applies to:

Use Microsoft Intune to configure scanning options

For more information, see Configure device restriction settings in Microsoft Intune and Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune.

Use Microsoft Endpoint Manager to configure scanning options

For details on configuring Microsoft Endpoint Manager (current branch), see How to create and deploy antimalware policies: Scan settings.

Use Group Policy to configure scanning options

  1. On your Group Policy management computer, open the Group Policy Management Console.

  2. Right-click the Group Policy Object you want to configure, and then select Edit.

  3. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus, and then select a location (refer to Settings and locations in this article).

  5. Edit the policy object.

  6. Click OK, and repeat for any other settings.

Settings and locations

Policy item and location Default setting (if not configured) PowerShell Set-MpPreference parameter or WMI property for MSFT_MpPreference class
Email scanning

Scan > Turn on e-mail scanning

See Email scanning limitations (in this article)

Disabled -DisableEmailScanning
Scan reparse points

Scan > Turn on reparse point scanning

Disabled Not available

See Reparse points

Scan mapped network drives

Scan > Run full scan on mapped network drives

Disabled -DisableScanningMappedNetworkDrivesForFullScan
Scan archive files (such as .zip or .rar files).

Scan > Scan archive files

Enabled -DisableArchiveScanning

The extensions exclusion list will take precedence over this setting.

Scan files on the network

Scan > Scan network files

Disabled -DisableScanningNetworkFiles
Scan packed executables

Scan > Scan packed executables

Enabled Not available
Scan removable drives during full scans only

Scan > Scan removable drives

Disabled -DisableRemovableDriveScanning
Specify the level of subfolders within an archive folder to scan

Scan > Specify the maximum depth to scan archive files

0 Not available
Specify the maximum CPU load (as a percentage) during a scan.

Scan > Specify the maximum percentage of CPU utilization during a scan

50 -ScanAvgCPULoadFactor

NOTE: The maximum CPU load is not a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manually run scans will ignore this setting and run without any CPU limits.

Specify the maximum size (in kilobytes) of archive files that should be scanned.

Scan > Specify the maximum size of archive files to be scanned

No limit Not available

The default value of 0 applies no limit

Configure low CPU priority for scheduled scans

Scan > Configure low CPU priority for scheduled scans

Disabled Not available

Note

If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.

Use PowerShell to configure scanning options

For more information on how to use PowerShell with Microsoft Defender Antivirus, see

Use WMI to configure scanning options

See Windows Defender WMIv2 APIs.

Email scanning limitations

Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within email (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:

  • DBX
  • MBX
  • MIME

PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) are also scanned, but Microsoft Defender Antivirus cannot remediate threats that are detected inside PST files.

If Microsoft Defender Antivirus detects a threat inside an email message, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:

  • Email subject
  • Attachment name

Scanning mapped network drives

On any OS, only the network drives that are mapped at system level, are scanned. User-level mapped network drives aren't scanned. User-level mapped network drives are those that a user maps in their session manually and using their own credentials.

See also