Configure remediation for Microsoft Defender Antivirus detections
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. You can configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.
Configure remediation options
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and click Edit.
2. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
3. Expand the tree to Windows components > Microsoft Defender Antivirus.
4. Using the table below, select a location, and then edit the policy as needed.
| Location | Setting | Description | Default setting (if not configured) |
|---|---|---|---|
| Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled |
| Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
| Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
| Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | 90 days |
| Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
| Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
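After the policy has applied, you can verify the effective remediation settings on an endpoint with the Defender PowerShell module. The following audit script is an added example and is not part of this page or Microsoft's documentation; it assumes the standard Get-MpPreference cmdlet and its numeric action codes, and it compares the values on the device against the defaults in the table above, flagging severity levels or threat IDs whose action means the threat would not be remediated.

```powershell
# Added example (not from the original page): audit effective Defender AV
# remediation settings against the documented defaults. Run in an elevated
# PowerShell session on a Windows endpoint after Group Policy has applied.
$pref = Get-MpPreference

# Action codes used by Get-MpPreference / Set-MpPreference
$actionNames = @{ 0 = 'Default'; 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove';
                  6 = 'Allow'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }

$report = [System.Collections.Generic.List[object]]::new()
function Add-Row($Setting, $Value, $Default, $Note) {
    $script:report.Add([pscustomobject]@{
        Setting = $Setting; Value = $Value; Default = $Default; Note = $Note })
}

# "Create a system restore point": Disabled by default (restore point not created)
Add-Row 'Restore point before cleaning' (-not $pref.DisableRestorePoint) $false ''

# Scan history and quarantine retention, in days (0 = never purged)
Add-Row 'Scan history retention (days)' $pref.ScanPurgeItemsAfterDelay 30 `
    $(if ($pref.ScanPurgeItemsAfterDelay -ne 30) { 'differs from default' } else { '' })
Add-Row 'Quarantine retention (days)' $pref.QuarantinePurgeItemsAfterDelay 90 `
    $(if ($pref.QuarantinePurgeItemsAfterDelay -ne 90) { 'differs from default' } else { '' })

# Per-severity default actions: Allow (6) and NoAction (9) leave the threat in place
foreach ($level in 'Low', 'Moderate', 'High', 'Severe') {
    $code = [int]$pref."${level}ThreatDefaultAction"
    $note = if ($code -in 6, 9) { 'THREAT NOT REMEDIATED' } else { '' }
    Add-Row "$level severity action" $actionNames[$code] 'Default' $note
}

# Per-threat-ID overrides configured under Threats > "Specify threats upon which..."
if ($pref.ThreatIDDefaultAction_Ids) {
    for ($i = 0; $i -lt $pref.ThreatIDDefaultAction_Ids.Count; $i++) {
        $code = [int]$pref.ThreatIDDefaultAction_Actions[$i]
        $note = if ($code -in 6, 9) { 'THREAT NOT REMEDIATED' } else { 'override' }
        Add-Row "Threat ID $($pref.ThreatIDDefaultAction_Ids[$i])" $actionNames[$code] 'None' $note
    }
}

$report | Format-Table -AutoSize
```

Rows marked THREAT NOT REMEDIATED are the ones worth reviewing against the intent of the Group Policy, since a severity level or threat ID set to Allow or NoAction is exactly what the "default action should not be taken" settings produce.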
Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See Restore quarantined files in Microsoft Defender Antivirus.
To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Microsoft Defender Antivirus scans.
Also see Configure remediation-required scheduled full Microsoft Defender Antivirus scans for more remediation-related settings.
If you're looking for antivirus-related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
- Configure Microsoft Defender Antivirus scanning options
- Configure scheduled Microsoft Defender Antivirus scans
- Configure and run on-demand Microsoft Defender Antivirus scans
- Configure the notifications that appear on endpoints
- Configure end-user Microsoft Defender Antivirus interaction
- Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
- Microsoft Defender Antivirus in Windows 10