Remove-MpPreference

Removes exclusions or default actions.

Syntax

Remove-MpPreference
      [-ExclusionPath <String[]>]
      [-ExclusionExtension <String[]>]
      [-ExclusionProcess <String[]>]
      [-ExclusionIpAddress <String[]>]
      [-RealTimeScanDirection]
      [-QuarantinePurgeItemsAfterDelay]
      [-RemediationScheduleDay]
      [-RemediationScheduleTime]
      [-ReportingAdditionalActionTimeOut]
      [-ReportingCriticalFailureTimeOut]
      [-ReportingNonCriticalTimeOut]
      [-ScanAvgCPULoadFactor]
      [-CheckForSignaturesBeforeRunningScan]
      [-ScanPurgeItemsAfterDelay]
      [-ScanOnlyIfIdleEnabled]
      [-ScanParameters]
      [-ScanScheduleDay]
      [-ScanScheduleQuickScanTime]
      [-ScanScheduleTime]
      [-SignatureFirstAuGracePeriod]
      [-SignatureAuGracePeriod]
      [-SignatureDefinitionUpdateFileSharesSources]
      [-SignatureDisableUpdateOnStartupWithoutEngine]
      [-SignatureFallbackOrder]
      [-SharedSignaturesPath]
      [-SignatureScheduleDay]
      [-SignatureScheduleTime]
      [-SignatureUpdateCatchupInterval]
      [-SignatureUpdateInterval]
      [-SignatureBlobUpdateInterval]
      [-SignatureBlobFileSharesSources]
      [-MeteredConnectionUpdates]
      [-AllowNetworkProtectionOnWinServer]
      [-DisableDatagramProcessing]
      [-DisableCpuThrottleOnIdleScans]
      [-MAPSReporting]
      [-SubmitSamplesConsent]
      [-DisableAutoExclusions]
      [-DisablePrivacyMode]
      [-RandomizeScheduleTaskTimes]
      [-SchedulerRandomizationTime]
      [-DisableBehaviorMonitoring]
      [-DisableIntrusionPreventionSystem]
      [-DisableIOAVProtection]
      [-DisableRealtimeMonitoring]
      [-DisableScriptScanning]
      [-DisableArchiveScanning]
      [-DisableCatchupFullScan]
      [-DisableCatchupQuickScan]
      [-DisableEmailScanning]
      [-DisableRemovableDriveScanning]
      [-DisableRestorePoint]
      [-DisableScanningMappedNetworkDrivesForFullScan]
      [-DisableScanningNetworkFiles]
      [-UILockdown]
      [-ThreatIDDefaultAction_Ids <Int64[]>]
      [-ThreatIDDefaultAction_Actions <ThreatAction[]>]
      [-UnknownThreatDefaultAction]
      [-LowThreatDefaultAction]
      [-ModerateThreatDefaultAction]
      [-HighThreatDefaultAction]
      [-SevereThreatDefaultAction]
      [-DisableBlockAtFirstSeen]
      [-PUAProtection]
      [-CloudBlockLevel]
      [-CloudExtendedTimeout]
      [-EnableNetworkProtection]
      [-EnableControlledFolderAccess]
      [-AttackSurfaceReductionOnlyExclusions <String[]>]
      [-ControlledFolderAccessAllowedApplications <String[]>]
      [-ControlledFolderAccessProtectedFolders <String[]>]
      [-AttackSurfaceReductionRules_Ids <String[]>]
      [-AttackSurfaceReductionRules_Actions <ASRRuleActionType[]>]
      [-EnableLowCpuPriority]
      [-EnableFileHashComputation]
      [-EnableFullScanOnBatteryPower]
      [-ProxyPacUrl]
      [-ProxyServer]
      [-ProxyBypass]
      [-ForceUseProxyOnly]
      [-DisableTlsParsing]
      [-DisableHttpParsing]
      [-DisableDnsParsing]
      [-DisableDnsOverTcpParsing]
      [-DisableSshParsing]
      [-PlatformUpdatesChannel]
      [-EngineUpdatesChannel]
      [-SignaturesUpdatesChannel]
      [-DisableGradualRelease]
      [-AllowNetworkProtectionDownLevel]
      [-AllowDatagramProcessingOnWinServer]
      [-EnableDnsSinkhole]
      [-DisableInboundConnectionFiltering]
      [-DisableRdpParsing]
      [-Force]
      [-CimSession <CimSession[]>]
      [-ThrottleLimit <Int32>]
      [-AsJob]
      [<CommonParameters>]

Description

The Remove-MpPreference cmdlet removes exclusions for file name extensions, paths, and processes, or default actions for high, moderate, and low threats. If you attempt to remove an exclusion that is not in the list, this cmdlet reports the error.

Examples

Example 1: Remove a folder from the exclusion list

Remove-MpPreference -ExclusionPath "C:\Temp"

This command removes the folder C:\Temp from the exclusion list.

Example 2: Exclude a specific file

Remove-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Windows\App.exe"

This command will exclude only that specific file app.exe in that specific folder.

Parameters

-AllowDatagramProcessingOnWinServer

Indicates that the cmdlet removes whether to disable inspection of UDP connections on Windows Server.

Type:SwitchParameter
Aliases:adpows
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AllowNetworkProtectionDownLevel

Indicates that the cmdlet removes whether to allow network protection to be set to Enabled or Audit Mode on Windows versions before 1709.

Type:SwitchParameter
Aliases:anpdl
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AllowNetworkProtectionOnWinServer

Indicates that the cmdlet removes whether to allow network protection to be set to Enabled or Audit Mode for Windows Server.

Type:SwitchParameter
Aliases:anpws
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AsJob

Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.

The cmdlet immediately returns an object that represents the job and then displays the command prompt. You can continue to work in the session while the job completes. To manage the job, use the *-Job cmdlets. To get the job results, use the Receive-Job cmdlet.

For more information about Windows PowerShell background jobs, see about_Jobs.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AttackSurfaceReductionOnlyExclusions

Specifies the files and paths to exclude from Attack Surface Reduction (ASR) rules. Specify the folders or files and resources that should be excluded from ASR rules. Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder.

For more information about excluding files and folders from ASR rules.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AttackSurfaceReductionRules_Actions

Specifies the states of attack surface reduction rules specified by using the AttackSurfaceReductionRules_Ids parameter. If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.

Type:ASRRuleActionType[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AttackSurfaceReductionRules_Ids

Specifies the states of attack surface reduction rules specified by using the AttackSurfaceReductionRules_Ids parameter. If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-CheckForSignaturesBeforeRunningScan

Indicates that the cmdlet removes whether to check for new virus and spyware definitions before Windows Defender runs a scan.

Type:SwitchParameter
Aliases:csbr
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-CimSession

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Type:CimSession[]
Aliases:Session
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-CloudBlockLevel

Specifies a cloud block level. This value determines how aggressive Microsoft Defender Antivirus is in blocking and scanning suspicious files.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-CloudExtendedTimeout

Specifies the amount of extended time to block a suspicious file and scan it in the cloud. Standard time is 10 seconds. Extend by up to 50 seconds.

Type:SwitchParameter
Aliases:cloudextimeout
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ControlledFolderAccessAllowedApplications

Specifies applications that can make changes in controlled folders.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ControlledFolderAccessProtectedFolders

Specifies more folders to protect.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableArchiveScanning

Indicates that the cmdlet removes whether to scan archive files, such as .zip and .cab files, for malicious and unwanted software.

Type:SwitchParameter
Aliases:darchsc
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableAutoExclusions

Indicates that the cmdlet removes whether to disable the Automatic Exclusions feature for the server.

Type:SwitchParameter
Aliases:dae
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableBehaviorMonitoring

Indicates that the cmdlet removes whether to enable behavior monitoring.

Type:SwitchParameter
Aliases:dbm
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableBlockAtFirstSeen

Indicates that the cmdlet removes whether to enable block at first seen.

Type:SwitchParameter
Aliases:dbaf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableCatchupFullScan

Indicates that the cmdlet removes whether Windows Defender runs catch-up scans for scheduled full scans.

Type:SwitchParameter
Aliases:dcfsc
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableCatchupQuickScan

Indicates that the cmdlet removes whether Windows Defender runs catch-up scans for scheduled quick scans.

Type:SwitchParameter
Aliases:dcqsc
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableCpuThrottleOnIdleScans

Indicates that the cmdlet removes whether the CPU will be throttled for scheduled scans while the device is idle.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableDatagramProcessing

Indicates that the cmdlet removes whether to disable inspection of UDP connections.

Type:SwitchParameter
Aliases:ddtgp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableDnsOverTcpParsing

Indicates that the cmdlet removes whether to disable inspection of DNS traffic that occurs over a TCP channel.

Type:SwitchParameter
Aliases:ddnstcpp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableDnsParsing

Indicates that the cmdlet removes whether to disable inspection of DNS traffic that occurs over a UDP channel.

Type:SwitchParameter
Aliases:ddnsp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableEmailScanning

Indicates that the cmdlet removes whether Windows Defender parses the mailbox and mail files, according to their specific format, in order to analyze mail bodies and attachments.

Type:SwitchParameter
Aliases:demsc
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableGradualRelease

Indicates that the cmdlet removes whether to disable gradual rollout of monthly and daily Windows Defender updates. If you enable this option, devices are offered all updates after the gradual release cycle finishes. Consider this option for datacenter computers that only receive limited updates.

This setting applies to both monthly and daily updates. It overrides any previously configured channel selections for platform and engine updates.

If you disable or do not configure this policy, the device remains in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. The device stays up to date automatically during the gradual release cycle, which is suitable for most devices.

This policy is available starting with platform version 4.18.2106.5 and later.

Type:SwitchParameter
Aliases:dgr
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableHttpParsing

Indicates that the cmdlet removes whether disable inspection of HTTP traffic. If EnableNetworkProtection has the value Enabled, HTTP connections to malicious websites can be blocked.

Type:SwitchParameter
Aliases:dhttpp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableInboundConnectionFiltering

Indicates that the cmdlet removes whether to inspect only outbound connections. By default, Network Protection inspects both inbound and outbound connections.

Type:SwitchParameter
Aliases:dicf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableIntrusionPreventionSystem

Indicates that the cmdlet removes whether to configure network protection against exploitation of known vulnerabilities.

Type:SwitchParameter
Aliases:dips
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableIOAVProtection

Indicates that the cmdlet removes whether Windows Defender scans all downloaded files and attachments.

Type:SwitchParameter
Aliases:dioavp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisablePrivacyMode

Indicates that the cmdlet removes whether to disable privacy mode.

Type:SwitchParameter
Aliases:dpm
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableRdpParsing

Indicates that the cmdlet removes whether to inspect only outbound connections. By default, Network Protection inspects both inbound and outbound connections.

Type:SwitchParameter
Aliases:drdpp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableRealtimeMonitoring

Indicates that the cmdlet removes whether to use real-time protection.

Type:SwitchParameter
Aliases:drtm
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableRemovableDriveScanning

Indicates that the cmdlet removes whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan.

Type:SwitchParameter
Aliases:drdsc
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableRestorePoint

Indicates that the cmdlet removes whether to disable scanning of restore points.

Type:SwitchParameter
Aliases:drp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableScanningMappedNetworkDrivesForFullScan

Indicates that the cmdlet removes whether to scan mapped network drives. If you specify a value of $False or do not specify a value, Windows Defender scans mapped network drives.

Type:SwitchParameter
Aliases:dsmndfsc
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableScanningNetworkFiles

Indicates that the cmdlet removes whether to scan for network files.

Type:SwitchParameter
Aliases:dsnf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableScriptScanning

Indicates that the cmdlet removes whether to disable the scanning of scripts during malware scans. If you specify a value of $False or do not specify a value, Windows Defender does not scan scripts.

Type:SwitchParameter
Aliases:dscrptsc
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableSshParsing

Indicates that the cmdlet removes whether to disable inspection of SSH traffic. By default, Network Protection inspects SSH traffic.

Type:SwitchParameter
Aliases:dsshp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableTlsParsing

Indicates that the cmdlet removes whether to disable inspection of TLS traffic, also known as HTTPS. By default, Network Protection inspects TLS traffic.

Type:SwitchParameter
Aliases:dtlsp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnableControlledFolderAccess

Indicates that the cmdlet removes the state for the controlled folder access feature. Valid values are Disabled, Enabled, and Audit Mode.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnableDnsSinkhole

Indicates that the cmdlet removes whether to examine DNS traffic to detect and sinkhole DNS exfiltration attempts and other DNS based malicious attacks.

Type:SwitchParameter
Aliases:ednss
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnableFileHashComputation

Indicates that the cmdlet removes whether to enable file hash computation. When this feature is enabled, Windows Defender computes hashes for files it scans.

Type:SwitchParameter
Aliases:efhc
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnableFullScanOnBatteryPower

Indicates that the cmdlet removes whether Windows Defender does a full scan while on battery power.

Type:SwitchParameter
Aliases:efsobp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnableLowCpuPriority

Indicates that the cmdlet removes whether Windows Defender uses low CPU priority for scheduled scans.

Type:SwitchParameter
Aliases:elcp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnableNetworkProtection

Specifies how the Network Protection Service handles web-based malicious threats, including phishing and malware. Possible values are Disabled, Enabled, and AuditMode.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EngineUpdatesChannel

Specifies when devices receive Microsoft Defender engine updates during the monthly gradual rollout.

Valid values are:

  • NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
  • Beta. Devices are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. This value is for use in manual test environments only and a limited number of devices.
  • Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
  • Preview. Devices are offered updates earliest during the monthly gradual release cycle. This value is suggested for pre-production or validation environments.
  • Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.
Type:SwitchParameter
Aliases:erelr
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ExclusionExtension

Specifies an array of file name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning. This cmdlet removes the exclusions that you specify.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ExclusionIpAddress

Specifies an array of IP addresses to exclude from scheduled and real-time scanning.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ExclusionPath

Specifies an array of file paths to exclude from scheduled and real-time scanning. This cmdlet removes the exclusions that you specify.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ExclusionProcess

Specifies an array of processes, as paths to process images. This cmdlet removes exclusions of files opened by the processes that you specify.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Force

Forces the command to run without asking for user confirmation.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ForceUseProxyOnly

Removes whether to force the device to use only the proxy.

Type:SwitchParameter
Aliases:fupo
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-HighThreatDefaultAction

Indicates that this cmdlet removes the automatic remediation action specified for the high threat alert level.

Type:SwitchParameter
Aliases:htdefac
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-LowThreatDefaultAction

Indicates that this cmdlet removes the automatic remediation action specified for the low threat alert level.

Type:SwitchParameter
Aliases:ltdefac
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-MAPSReporting

Indicates that the cmdlet removes membership in Microsoft Active Protection Service.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-MeteredConnectionUpdates

Indicates that the cmdlet removes whether to update managed devices to update through metered connections. Data charges may apply.

Type:SwitchParameter
Aliases:mcupd
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ModerateThreatDefaultAction

Indicates that this cmdlet removes the automatic remediation action specified for the moderate threat alert level.

Type:SwitchParameter
Aliases:mtdefac
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-PlatformUpdatesChannel

Specifies when devices receive Microsoft Defender platform updates during the monthly gradual rollout.

Valid values are:

  • NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
  • Beta. Devices are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. This value is for use in manual test environments only and a limited number of devices.
  • Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
  • Preview. Devices are offered updates earliest during the monthly gradual release cycle. This value is suggested for pre-production or validation environments.
  • Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.
Type:SwitchParameter
Aliases:prelr
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ProxyBypass

Specifies proxy bypasses.

Type:SwitchParameter
Aliases:proxbps
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ProxyPacUrl

Specifies the Privilege Attribute Certificate (PAC) proxy.

Type:SwitchParameter
Aliases:ppurl
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ProxyServer

Specifies the proxy server.

Type:SwitchParameter
Aliases:proxsrv
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-PUAProtection

Specifies the level of detection for potentially unwanted applications. When potentially unwanted software is downloaded or attempts to install itself on your computer, you are warned.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-QuarantinePurgeItemsAfterDelay

Indicates that the cmdlet removes specified number of days to keep items in the Quarantine folder.

Type:SwitchParameter
Aliases:qpiad
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-RandomizeScheduleTaskTimes

Indicates that the cmdlet removes whether to select a random time for the scheduled start and scheduled update for definitions.

Type:SwitchParameter
Aliases:rstt
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-RealTimeScanDirection

Indicates that the cmdlet removes specified scanning configuration for incoming and outgoing files on NTFS volumes.

Type:SwitchParameter
Aliases:rtsd
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-RemediationScheduleDay

Indicates that the cmdlet removes specified day of the week on which to perform a scheduled full scan in order to complete remediation.

Type:SwitchParameter
Aliases:rsd
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-RemediationScheduleTime

Indicates that the cmdlet removes specified time of day, as the number of minutes after midnight, to perform a scheduled scan.

Type:SwitchParameter
Aliases:rst
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ReportingAdditionalActionTimeOut

Indicates that the cmdlet removes specified number of minutes before a detection in the additional action state changes to the cleared state.

Type:SwitchParameter
Aliases:raat
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ReportingCriticalFailureTimeOut

Indicates that the cmdlet removes specified the number of minutes before a detection in the critically failed state changes to either the additional action state or the cleared state.

Type:SwitchParameter
Aliases:rcto
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ReportingNonCriticalTimeOut

Indicates that the cmdlet removes specified number of minutes before a detection in the non-critically failed state changes to the cleared state.

Type:SwitchParameter
Aliases:rncto
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ScanAvgCPULoadFactor

Indicates that the cmdlet removes specified maximum percentage CPU usage for a scan.

Type:SwitchParameter
Aliases:saclf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ScanOnlyIfIdleEnabled

Indicates that the cmdlet removes whether to start scheduled scans only when the computer is not in use.

Type:SwitchParameter
Aliases:soiie
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ScanParameters

Indicates that the cmdlet removes specified scan type to use during a scheduled scan.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ScanPurgeItemsAfterDelay

Indicates that the cmdlet removes specified number of days to keep items in the scan history folder.

Type:SwitchParameter
Aliases:spiad
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ScanScheduleDay

Indicates that the cmdlet removes specified the day of the week on which to perform a scheduled scan.

Type:SwitchParameter
Aliases:scsd
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ScanScheduleQuickScanTime

Indicates that the cmdlet removes specified time of day, as the number of minutes after midnight, to perform a scheduled quick scan.

Type:SwitchParameter
Aliases:scsqst
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ScanScheduleTime

Indicates that the cmdlet removes specified time of day, as the number of minutes after midnight, to perform a scheduled scan.

Type:SwitchParameter
Aliases:scst
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SchedulerRandomizationTime

Specifies the randomization time for the scheduler.

Type:SwitchParameter
Aliases:srt
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SevereThreatDefaultAction

Indicates that this cmdlet removes the automatic remediation action specified for the severe threat alert level.

Type:SwitchParameter
Aliases:stdefac
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SharedSignaturesPath

Specifies the shared signatures path.

Type:SwitchParameter
Aliases:ssp, SecurityIntelligenceLocation, ssl
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureAuGracePeriod

Indicates that the cmdlet removes specified grace period, in minutes, for the definition.

Type:SwitchParameter
Aliases:sigagp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureBlobFileSharesSources

Specifies the file shares sources for signatures.

Type:SwitchParameter
Aliases:sigbfs
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureBlobUpdateInterval

Indicates that the cmdlet removes the signature update interval.

Type:SwitchParameter
Aliases:sigbui
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureDefinitionUpdateFileSharesSources

Indicates that the cmdlet removes specified file-share sources for definition updates.

Type:SwitchParameter
Aliases:sigdufss
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureDisableUpdateOnStartupWithoutEngine

Indicates that the cmdlet removes whether to initiate definition updates even if no antimalware engine is present.

Type:SwitchParameter
Aliases:sigduoswo
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureFallbackOrder

Indicates that the cmdlet removes specified order in which to contact different definition update sources.

Type:SwitchParameter
Aliases:sfo
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureFirstAuGracePeriod

Indicates that the cmdlet removes specified grace period, in minutes, for the definition.

Type:SwitchParameter
Aliases:sigfagp
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureScheduleDay

Indicates that the cmdlet removes specified day of the week on which to check for definition updates.

Type:SwitchParameter
Aliases:sigsd
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureScheduleTime

Indicates that the cmdlet removes specified time of day, as the number of minutes after midnight, to check for definition updates.

Type:SwitchParameter
Aliases:sigst
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignaturesUpdatesChannel

Specifies when devices receive daily Microsoft Defender definition updates during the monthly gradual rollout.

Valid values are:

  • NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
  • Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
  • Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.

This parameter name will be updated to DefinitionUpdatesChannel in a future release.

Type:SwitchParameter
Aliases:srelr
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureUpdateCatchupInterval

Indicates that the cmdlet removes specified number of days after which Windows Defender requires a catch-up definition update.

Type:SwitchParameter
Aliases:siguci
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SignatureUpdateInterval

Indicates that the cmdlet removes specified interval at which to check for definition updates.

Type:SwitchParameter
Aliases:sigui
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-SubmitSamplesConsent

Indicates that the cmdlet removes how Windows Defender checks for user consent for certain samples.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ThreatIDDefaultAction_Actions

Specifies an array of the actions to take for the IDs specified by using the ThreatIDDefaultAction_Ids parameter. The acceptable values for this parameter are:

  • 1: Clean
  • 2: Quarantine
  • 3: Remove
  • 6: Allow
  • 8: UserDefined
  • 9: NoAction
  • 10: Block

Note

A value of 0 (NULL) applies an action based on the Security Intelligence Update (SIU). This is the default value.

Type:ThreatAction[]
Aliases:tiddefaca
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ThreatIDDefaultAction_Ids

Specifies an array of threat IDs. This cmdlet removes the default actions for the threat IDs that you specify.

Type:Int64[]
Aliases:tiddefaci
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ThrottleLimit

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Type:Int32
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-UILockdown

Indicates that the cmdlet removes whether to disable UI lockdown mode.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-UnknownThreatDefaultAction

Indicates that this cmdlet removes the automatic remediation action specified for the unknown threat alert level.

Type:SwitchParameter
Aliases:unktdefac
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False