Policy CSP - Defender

Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


Defender policies

Defender/AllowArchiveScanning
Defender/AllowBehaviorMonitoring
Defender/AllowCloudProtection
Defender/AllowEmailScanning
Defender/AllowFullScanOnMappedNetworkDrives
Defender/AllowFullScanRemovableDriveScanning
Defender/AllowIOAVProtection
Defender/AllowIntrusionPreventionSystem
Defender/AllowOnAccessProtection
Defender/AllowRealtimeMonitoring
Defender/AllowScanningNetworkFiles
Defender/AllowScriptScanning
Defender/AllowUserUIAccess
Defender/AttackSurfaceReductionOnlyExclusions
Defender/AttackSurfaceReductionRules
Defender/AvgCPULoadFactor
Defender/CheckForSignaturesBeforeRunningScan
Defender/CloudBlockLevel
Defender/CloudExtendedTimeout
Defender/ControlledFolderAccessAllowedApplications
Defender/ControlledFolderAccessProtectedFolders
Defender/DaysToRetainCleanedMalware
Defender/DisableCatchupFullScan
Defender/DisableCatchupQuickScan
Defender/EnableControlledFolderAccess
Defender/EnableLowCPUPriority
Defender/EnableNetworkProtection
Defender/ExcludedExtensions
Defender/ExcludedPaths
Defender/ExcludedProcesses
Defender/PUAProtection
Defender/RealTimeScanDirection
Defender/ScanParameter
Defender/ScheduleQuickScanTime
Defender/ScheduleScanDay
Defender/ScheduleScanTime
Defender/SignatureUpdateFallbackOrder
Defender/SignatureUpdateFileSharesSources
Defender/SignatureUpdateInterval
Defender/SubmitSamplesConsent
Defender/ThreatSeverityDefaultAction

Defender/AllowArchiveScanning

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows scanning of archives.

ADMX Info:

  • GP English name: Scan archive files
  • GP name: Scan_DisableArchiveScanning
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowBehaviorMonitoring

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Behavior Monitoring functionality.

ADMX Info:

  • GP English name: Turn on behavior monitoring
  • GP name: RealtimeProtection_DisableBehaviorMonitoring
  • GP path: Windows Components/Windows Defender Antivirus/Real-time Protection
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowCloudProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.

ADMX Info:

  • GP English name: Join Microsoft MAPS
  • GP name: SpynetReporting
  • GP element: SpynetReporting
  • GP path: Windows Components/Windows Defender Antivirus/MAPS
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowEmailScanning

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows scanning of email.

ADMX Info:

  • GP English name: Turn on e-mail scanning
  • GP name: Scan_DisableEmailScanning
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Defender/AllowFullScanOnMappedNetworkDrives

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows a full scan of mapped network drives.

ADMX Info:

  • GP English name: Run full scan on mapped network drives
  • GP name: Scan_DisableScanningMappedNetworkDrivesForFullScan
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.

Defender/AllowFullScanRemovableDriveScanning

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows a full scan of removable drives.

ADMX Info:

  • GP English name: Scan removable drives
  • GP name: Scan_DisableRemovableDriveScanning
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowIOAVProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender IOAVP Protection functionality.

ADMX Info:

  • GP English name: Scan all downloaded files and attachments
  • GP name: RealtimeProtection_DisableIOAVProtection
  • GP path: Windows Components/Windows Defender Antivirus/Real-time Protection
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowIntrusionPreventionSystem

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Intrusion Prevention functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowOnAccessProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender On Access Protection functionality.

ADMX Info:

  • GP English name: Monitor file and program activity on your computer
  • GP name: RealtimeProtection_DisableOnAccessProtection
  • GP path: Windows Components/Windows Defender Antivirus/Real-time Protection
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowRealtimeMonitoring

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Realtime Monitoring functionality.

ADMX Info:

  • GP English name: Turn off real-time protection
  • GP name: DisableRealtimeMonitoring
  • GP path: Windows Components/Windows Defender Antivirus/Real-time Protection
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowScanningNetworkFiles

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows scanning of network files.

ADMX Info:

  • GP English name: Scan network files
  • GP name: Scan_DisableScanningNetworkFiles
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowScriptScanning

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Script Scanning functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AllowUserUIAccess

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.

ADMX Info:

  • GP English name: Enable headless UI mode
  • GP name: UX_Configuration_UILockdown
  • GP path: Windows Components/Windows Defender Antivirus/Client Interface
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Defender/AttackSurfaceReductionOnlyExclusions

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This policy setting allows you to prevent Attack surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name-value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".

Value type is string.

ADMX Info:

  • GP English name: Exclude files and paths from Attack Surface Reduction Rules
  • GP name: ExploitGuard_ASR_ASROnlyExclusions
  • GP element: ExploitGuard_ASR_ASROnlyExclusions
  • GP path: Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction
  • GP ADMX file name: WindowsDefender.admx

Defender/AttackSurfaceReductionRules

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This policy setting sets the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name-value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.

For more information about ASR rule ID and status ID, see Enable Attack Surface Reduction.

Value type is string.

ADMX Info:

  • GP English name: Configure Attack Surface Reduction rules
  • GP name: ExploitGuard_ASR_Rules
  • GP element: ExploitGuard_ASR_Rules
  • GP path: Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction
  • GP ADMX file name: WindowsDefender.admx

Defender/AvgCPULoadFactor

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Represents the average CPU load factor for the Windows Defender scan (in percent).

The default value is 50.

ADMX Info:

  • GP English name: Specify the maximum percentage of CPU utilization during a scan
  • GP name: Scan_AvgCPULoadFactor
  • GP element: Scan_AvgCPULoadFactor
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

Valid values: 0–100


Defender/CheckForSignaturesBeforeRunningScan

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark5 check mark5 check mark5 check mark5 check mark5

Scope:

  • Device

This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.

This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.

If you enable this setting, a check for new definitions will occur before running a scan.

If you disable this setting or do not configure this setting, the scan will start using the existing definitions.

Supported values:

  • 0 (default) - Disabled
  • 1 - Enabled

ADMX Info:

  • GP English name: Check for the latest virus and spyware definitions before running a scheduled scan
  • GP name: CheckForSignaturesBeforeRunningScan
  • GP element: CheckForSignaturesBeforeRunningScan
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

Defender/CloudBlockLevel

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.

If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.

For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.

Note

This feature requires the "Join Microsoft MAPS" setting enabled in order to function.

ADMX Info:

  • GP English name: Select cloud protection level
  • GP name: MpEngine_MpCloudBlockLevel
  • GP element: MpCloudBlockLevel
  • GP path: Windows Components/Windows Defender Antivirus/MpEngine
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0x0 - Default Windows Defender blocking level
  • 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
  • 0x4 - High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
  • 0x6 - Zero tolerance blocking level – block all unknown executables

Defender/CloudExtendedTimeout

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.

The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.

For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.

Note

This feature depends on three other MAPS settings that must all be enabled: "Configure the 'Block at First Sight' feature"; "Join Microsoft MAPS"; "Send file samples when further analysis is required".

ADMX Info:

  • GP English name: Configure extended cloud check
  • GP name: MpEngine_MpBafsExtendedTimeout
  • GP element: MpBafsExtendedTimeout
  • GP path: Windows Components/Windows Defender Antivirus/MpEngine
  • GP ADMX file name: WindowsDefender.admx
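
The value rules and the MAPS dependency described for CloudBlockLevel and CloudExtendedTimeout can be checked before a profile is pushed. The following is an added example, not part of the original documentation; the dictionary layout, the function name and the treatment of an unset CloudExtendedTimeout as 0 are assumptions made for illustration.

```python
# Added example: pre-deployment check of Defender cloud settings against the
# values and dependencies documented on this page.
BASE_CLOUD_TIMEOUT_S = 10      # "typical cloud check timeout is 10 seconds"
MAX_EXTENDED_TIMEOUT_S = 50    # CloudExtendedTimeout range is 0 - 50
CLOUD_BLOCK_LEVELS = {0x0: "Default", 0x2: "High", 0x4: "High+", 0x6: "Zero tolerance"}
# Prerequisites the page names that have no value in this example's input,
# so they are reported as reminders instead of being verified.
UNCHECKED_PREREQS = (
    "Configure the 'Block at First Sight' feature",
    "Send file samples when further analysis is required",
)


def _is_int(value):
    """True for real integers only (bool is rejected on purpose)."""
    return isinstance(value, int) and not isinstance(value, bool)


def check_cloud_settings(policy):
    """Validate a dict of CSP node name -> integer value (hypothetical layout).

    Returns errors, reminders and the resulting total cloud check timeout in
    seconds, or None when the settings are invalid or MAPS is not enabled.
    """
    errors, reminders = [], []
    maps = policy.get("AllowCloudProtection", 1)    # page default: 1 (Allowed)
    level = policy.get("CloudBlockLevel", 0x0)
    extra = policy.get("CloudExtendedTimeout", 0)   # assumption: unset = no extension

    maps_ok = _is_int(maps) and maps in (0, 1)
    level_ok = _is_int(level) and level in CLOUD_BLOCK_LEVELS
    extra_ok = _is_int(extra) and 0 <= extra <= MAX_EXTENDED_TIMEOUT_S

    if not maps_ok:
        errors.append(f"AllowCloudProtection={maps!r}: supported values are 0 and 1")
    if not level_ok:
        errors.append(f"CloudBlockLevel={level!r}: supported values are 0x0, 0x2, 0x4, 0x6")
    if not extra_ok:
        errors.append(f"CloudExtendedTimeout={extra!r}: range is 0 - {MAX_EXTENDED_TIMEOUT_S}")

    # Both features require "Join Microsoft MAPS" (AllowCloudProtection) enabled.
    maps_on = maps_ok and maps == 1
    if not maps_on:
        if level_ok and level != 0x0:
            errors.append("CloudBlockLevel is set but AllowCloudProtection is not 1")
        if extra_ok and extra > 0:
            errors.append("CloudExtendedTimeout is set but AllowCloudProtection is not 1")

    if extra_ok and extra > 0:
        reminders.extend(f"also required: {name}" for name in UNCHECKED_PREREQS)

    total = BASE_CLOUD_TIMEOUT_S + extra if (maps_on and extra_ok) else None
    return {"errors": errors, "reminders": reminders, "total_timeout_s": total}


if __name__ == "__main__":
    # Constructed sample: a high blocking level requested while MAPS is turned off.
    proposed = {"AllowCloudProtection": 0, "CloudBlockLevel": 0x4, "CloudExtendedTimeout": 50}
    print(check_cloud_settings(proposed))
    print(check_cloud_settings({**proposed, "AllowCloudProtection": 1}))
```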

Defender/ControlledFolderAccessAllowedApplications

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.

Added in Windows 10, version 1709. This policy setting allows adding user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.

ADMX Info:

  • GP English name: Configure allowed applications
  • GP name: ExploitGuard_ControlledFolderAccess_AllowedApplications
  • GP element: ExploitGuard_ControlledFolderAccess_AllowedApplications
  • GP path: Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access
  • GP ADMX file name: WindowsDefender.admx

Defender/ControlledFolderAccessProtectedFolders

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.

Added in Windows 10, version 1709. This policy setting allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system-defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and cannot be changed. Value type is string. Use the | as the substring separator.

ADMX Info:

  • GP English name: Configure protected folders
  • GP name: ExploitGuard_ControlledFolderAccess_ProtectedFolders
  • GP element: ExploitGuard_ControlledFolderAccess_ProtectedFolders
  • GP path: Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access
  • GP ADMX file name: WindowsDefender.admx

Defender/DaysToRetainCleanedMalware

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Time period (in days) that quarantine items will be stored on the system.

The default value is 0, which keeps items in quarantine, and does not automatically remove them.

ADMX Info:

  • GP English name: Configure removal of items from Quarantine folder
  • GP name: Quarantine_PurgeItemsAfterDelay
  • GP element: Quarantine_PurgeItemsAfterDelay
  • GP path: Windows Components/Windows Defender Antivirus/Quarantine
  • GP ADMX file name: WindowsDefender.admx

Valid values: 0–90


Defender/DisableCatchupFullScan

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark5 check mark5 check mark5 check mark5 check mark5

Scope:

  • Device

This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.

If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.

Supported values:

  • 0 - Disabled
  • 1 - Enabled (default)

ADMX Info:

  • GP English name: Turn on catch-up full scan
  • GP name: Scan_DisableCatchupFullScan
  • GP element: Scan_DisableCatchupFullScan
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

Defender/DisableCatchupQuickScan

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark5 check mark5 check mark5 check mark5 check mark5

Scope:

  • Device

This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.

If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.

Supported values:

  • 0 - Disabled
  • 1 - Enabled (default)

ADMX Info:

  • GP English name: Turn on catch-up quick scan
  • GP name: Scan_DisableCatchupQuickScan
  • GP element: Scan_DisableCatchupQuickScan
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

Defender/EnableControlledFolderAccess

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.

Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.

ADMX Info:

  • GP English name: Configure Controlled folder access
  • GP name: ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
  • GP element: ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
  • GP path: Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 (default) - Disabled
  • 1 - Enabled
  • 2 - Audit Mode

Defender/EnableLowCPUPriority

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark5 check mark5 check mark5 check mark5 check mark5

Scope:

  • Device

This policy setting allows you to enable or disable low CPU priority for scheduled scans.

If you enable this setting, low CPU priority will be used during scheduled scans.

If you disable or do not configure this setting, no changes will be made to CPU priority for scheduled scans.

Supported values:

  • 0 - Disabled (default)
  • 1 - Enabled

ADMX Info:

  • GP English name: Configure low CPU priority for scheduled scans
  • GP name: Scan_LowCpuPriority
  • GP element: Scan_LowCpuPriority
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

Defender/EnableNetworkProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.

If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the "Block" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. If you enable this policy with the "Audit" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center. If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center. If you do not configure this policy, network blocking will be disabled by default.

ADMX Info:

  • GP English name: Prevent users and apps from accessing dangerous websites
  • GP name: ExploitGuard_EnableNetworkProtection
  • GP element: ExploitGuard_EnableNetworkProtection
  • GP path: Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Network Protection
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 (default) - Disabled
  • 1 - Enabled (block mode)
  • 2 - Enabled (audit mode)

Defender/ExcludedExtensions

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, "lib|obj".

ADMX Info:

  • GP English name: Path Exclusions
  • GP name: Exclusions_Paths
  • GP element: Exclusions_PathsList
  • GP path: Windows Components/Windows Defender Antivirus/Exclusions
  • GP ADMX file name: WindowsDefender.admx

Defender/ExcludedPaths

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, "C:\Example|C:\Example1".

ADMX Info:

  • GP English name: Extension Exclusions
  • GP name: Exclusions_Extensions
  • GP element: Exclusions_ExtensionsList
  • GP path: Windows Components/Windows Defender Antivirus/Exclusions
  • GP ADMX file name: WindowsDefender.admx

Defender/ExcludedProcesses

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of files opened by processes to ignore during a scan.

Important

The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path.

Each file type must be separated by a |. For example, "C:\Example.exe|C:\Example1.exe".

ADMX Info:

  • GP English name: Process Exclusions
  • GP name: Exclusions_Processes
  • GP element: Exclusions_ProcessesList
  • GP path: Windows Components/Windows Defender Antivirus/Exclusions
  • GP ADMX file name: WindowsDefender.admx
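
ExcludedExtensions, ExcludedPaths and ExcludedProcesses all take a |-separated string, and every entry removes something from scanning, so the lists are worth reviewing before deployment. The following is an added example, not part of the original documentation; the function names, the dictionary layout and the review heuristics (which extensions, directories and process names get flagged) are assumptions chosen for illustration.

```python
# Added example: review of the three '|'-separated exclusion policies.
import ntpath

# Heuristics below are assumptions made for this example, not Microsoft guidance.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "ps1", "vbs", "js", "bat", "cmd"}
USER_WRITABLE_DIRS = {"temp", "tmp", "downloads", "appdata", "public"}
SYSTEM_DIRS = (["windows"], ["windows", "system32"], ["users"], ["program files"])
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def split_list(value):
    """Split a '|'-separated CSP string, dropping blanks left by stray separators."""
    return [item.strip() for item in value.split("|") if item.strip()]


def audit_extensions(value):
    """Flag extensions that would leave executable or script content unscanned."""
    findings = []
    for entry in split_list(value):
        ext = entry.lower().lstrip("*.")   # accept "ps1", ".ps1" and "*.ps1"
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((entry, "executable or script type excluded from scans"))
    return findings


def audit_paths(value):
    """Flag path exclusions that are relative, too broad, or user-writable."""
    findings = []
    for entry in split_list(value):
        drive, rest = ntpath.splitdrive(ntpath.normpath(entry).lower())
        parts = [p for p in rest.split("\\") if p]
        if not drive:
            findings.append((entry, "not an absolute drive path"))
        elif not parts:
            findings.append((entry, "whole drive excluded"))
        elif parts in SYSTEM_DIRS:
            findings.append((entry, "top-level system directory excluded"))
        elif USER_WRITABLE_DIRS & set(parts):
            findings.append((entry, "user-writable location excluded"))
    return findings


def audit_processes(value):
    """Flag process exclusions; files opened by the listed process are not scanned."""
    findings = []
    for entry in split_list(value):
        name = ntpath.basename(entry).lower()
        if name in SCRIPT_HOSTS:
            findings.append((entry, "files opened by a script host would be ignored"))
        elif not ntpath.dirname(entry):
            findings.append((entry, "bare image name, not pinned to a full path"))
    return findings


AUDITORS = {
    "ExcludedExtensions": audit_extensions,
    "ExcludedPaths": audit_paths,
    "ExcludedProcesses": audit_processes,
}


def audit_exclusions(policy):
    """Map each exclusion policy present in `policy` to its list of findings."""
    return {name: check(policy[name]) for name, check in AUDITORS.items() if name in policy}


# Constructed sample values, built from the page's own examples plus risky entries.
SAMPLE_POLICY = {
    "ExcludedExtensions": "lib|obj|*.ps1",
    "ExcludedPaths": r"C:\Example|C:\|C:\Users\alice\AppData\Local\Temp",
    "ExcludedProcesses": r"C:\Example.exe|powershell.exe",
}

if __name__ == "__main__":
    for policy_name, findings in audit_exclusions(SAMPLE_POLICY).items():
        for entry, reason in findings:
            print(f"{policy_name}: {entry!r}: {reason}")
```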

Defender/PUAProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.

The following list shows the supported values:

  • 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
  • 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
  • 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.

Defender/RealTimeScanDirection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Controls which sets of files should be monitored.

Note

If AllowOnAccessProtection is not allowed, then this configuration can be used to monitor specific files.

ADMX Info:

  • GP English name: Configure monitoring for incoming and outgoing file and program activity
  • GP name: RealtimeProtection_RealtimeScanDirection
  • GP element: RealtimeProtection_RealtimeScanDirection
  • GP path: Windows Components/Windows Defender Antivirus/Real-time Protection
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 (default) – Monitor all files (bi-directional).
  • 1 – Monitor incoming files.
  • 2 – Monitor outgoing files.

Defender/ScanParameter

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Selects whether to perform a quick scan or full scan.

ADMX Info:

  • GP English name: Specify the scan type to use for a scheduled scan
  • GP name: Scan_ScanParameters
  • GP element: Scan_ScanParameters
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 1 (default) – Quick scan
  • 2 – Full scan

Defender/ScheduleQuickScanTime

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Selects the time of day that the Windows Defender quick scan should run.

Note

The scan type will depend on what scan type is selected in the Defender/ScanParameter setting.

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00AM, and so on, up to a value of 1380=11:00PM.

The default value is 120.

ADMX Info:

  • GP English name: Specify the time for a daily quick scan
  • GP name: Scan_ScheduleQuickScantime
  • GP element: Scan_ScheduleQuickScantime
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

Valid values: 0–1380


Defender/ScheduleScanDay

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Selects the day that the Windows Defender scan should run.

Note

The scan type depends on what scan type is selected in the Defender/ScanParameter setting.

ADMX Info:

  • GP English name: Specify the day of the week to run a scheduled scan
  • GP name: Scan_ScheduleDay
  • GP element: Scan_ScheduleDay
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 (default) – Every day
  • 1 – Monday
  • 2 – Tuesday
  • 3 – Wednesday
  • 4 – Thursday
  • 5 – Friday
  • 6 – Saturday
  • 7 – Sunday
  • 8 – No scheduled scan

Defender/ScheduleScanTime

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Selects the time of day that the Windows Defender scan should run.

Note

The scan type depends on what scan type is selected in the Defender/ScanParameter setting.

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00AM, and so on, up to a value of 1380=11:00PM.

The default value is 120.

ADMX Info:

  • GP English name: Specify the time of day to run a scheduled scan
  • GP name: Scan_ScheduleTime
  • GP element: Scan_ScheduleTime
  • GP path: Windows Components/Windows Defender Antivirus/Scan
  • GP ADMX file name: WindowsDefender.admx

Valid values: 0–1380.


Defender/SignatureUpdateFallbackOrder

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark⁵ check mark⁵ check mark⁵ check mark⁵ check mark⁵

Scope:

  • Device

This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order.

Possible values are:

  • InternalDefinitionUpdateServer
  • MicrosoftUpdateServer
  • MMPC
  • FileShares

For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }

If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.

If you disable or do not configure this setting, definition update sources will be contacted in a default order.

ADMX Info:

  • GP English name: Define the order of sources for downloading definition updates
  • GP name: SignatureUpdate_FallbackOrder
  • GP element: SignatureUpdate_FallbackOrder
  • GP path: Windows Components/Windows Defender Antivirus/Signature Updates
  • GP ADMX file name: WindowsDefender.admx

Defender/SignatureUpdateFileSharesSources

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark⁵ check mark⁵ check mark⁵ check mark⁵ check mark⁵

Scope:

  • Device

This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\unc1 | \unc2 }". The list is empty by default.

If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.

If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
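A pre-deployment check for the two pipe-separated settings above (Defender/SignatureUpdateFallbackOrder and Defender/SignatureUpdateFileSharesSources), as an added example that is not part of the original documentation. The function names, the tolerance for surrounding braces, the exact-case matching of source names, and the cross-check between the two settings are assumptions of this example; the share names are constructed.

```python
# Added example: validate SignatureUpdateFallbackOrder together with
# SignatureUpdateFileSharesSources before the values are deployed.
KNOWN_SOURCES = ("InternalDefinitionUpdateServer", "MicrosoftUpdateServer",
                 "MMPC", "FileShares")


def split_pipe_list(value):
    """Split a pipe-separated policy string; surrounding braces are tolerated."""
    inner = value.strip().strip('"').strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    return [item.strip() for item in inner.split("|") if item.strip()]


def check_update_sources(fallback_order, file_shares=""):
    """Return (ordered sources, UNC shares, problems) for the two settings."""
    order = split_pipe_list(fallback_order)
    shares = split_pipe_list(file_shares)
    problems = []
    seen = set()
    for source in order:
        if source not in KNOWN_SOURCES:
            problems.append(f"unknown update source {source!r}")
        elif source in seen:
            problems.append(f"{source} is listed more than once")
        seen.add(source)
    for share in shares:
        # A UNC path starts with two backslashes followed by a host name.
        if not share.startswith("\\\\") or len(share.strip("\\")) == 0:
            problems.append(f"{share!r} is not a UNC path")
    # Assumption: an empty share list makes a FileShares entry ineffective,
    # because the page says no sources are contacted when the list is empty.
    if "FileShares" in seen and not shares:
        problems.append("FileShares is in the order but no share is configured")
    return order, shares, problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    samples = [
        ("{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }", ""),
        ("FileShares|MMPC|MMPC|WSUS", r"\\fs01.example.test\defs | fs02\defs"),
    ]
    for order_value, share_value in samples:
        print(check_update_sources(order_value, share_value))
```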

ADMX Info:

  • GP English name: Define file shares for downloading definition updates
  • GP name: SignatureUpdate_DefinitionUpdateFileSharesSources
  • GP element: SignatureUpdate_DefinitionUpdateFileSharesSources
  • GP path: Windows Components/Windows Defender Antivirus/Signature Updates
  • GP ADMX file name: WindowsDefender.admx

Defender/SignatureUpdateInterval

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Specifies the interval (in hours) that will be used to check for signatures. When this interval is used, the check for new signatures follows the interval instead of ScheduleDay and ScheduleTime.

A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.

The default value is 8.

ADMX Info:

  • GP English name: Specify the interval to check for definition updates
  • GP name: SignatureUpdate_SignatureUpdateInterval
  • GP element: SignatureUpdate_SignatureUpdateInterval
  • GP path: Windows Components/Windows Defender Antivirus/Signature Updates
  • GP ADMX file name: WindowsDefender.admx

Valid values: 0–24.


Defender/SubmitSamplesConsent

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits the data. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when Defender/AllowCloudProtection is allowed) before sending data.

ADMX Info:

  • GP English name: Send file samples when further analysis is required
  • GP name: SubmitSamplesConsent
  • GP element: SubmitSamplesConsent
  • GP path: Windows Components/Windows Defender Antivirus/MAPS
  • GP ADMX file name: WindowsDefender.admx

The following list shows the supported values:

  • 0 – Always prompt.
  • 1 (default) – Send safe samples automatically.
  • 2 – Never send.
  • 3 – Send all samples automatically.

Defender/ThreatSeverityDefaultAction

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.

This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format "threat level=action|threat level=action". For example: "1=6|2=2|4=10|5=3".

The following list shows the supported values for threat severity levels:

  • 1 – Low severity threats
  • 2 – Moderate severity threats
  • 4 – High severity threats
  • 5 – Severe threats

The following list shows the supported values for possible actions:

  • 1 – Clean
  • 2 – Quarantine
  • 3 – Remove
  • 6 – Allow
  • 8 – User defined
  • 10 – Block
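A review helper for the "threat level=action|threat level=action" value, using the severity and action IDs listed above; this is an added example, not code from the original documentation. The function names and the review criteria (flagging Allow on High or Severe threats, and reporting severities with no entry) are assumptions of this example, and the second sample string is constructed.

```python
# Added example: audit a Defender/ThreatSeverityDefaultAction value string.
SEVERITIES = {1: "Low", 2: "Moderate", 4: "High", 5: "Severe"}
ACTIONS = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow",
           8: "User defined", 10: "Block"}


def parse_threat_actions(value):
    """Return ({severity_id: action_id}, [error strings]) for a policy value."""
    mapping, errors = {}, []
    for pair in value.strip().strip('"').split("|"):
        pair = pair.strip()
        if not pair:
            errors.append("empty entry (stray '|')")
            continue
        level, sep, action = pair.partition("=")
        if not sep or not level.strip().isdigit() or not action.strip().isdigit():
            errors.append(f"malformed entry {pair!r}")
            continue
        level, action = int(level), int(action)
        if level not in SEVERITIES:
            errors.append(f"unknown severity level {level}")
        elif action not in ACTIONS:
            errors.append(f"unknown action {action} for severity {level}")
        elif level in mapping:
            errors.append(f"severity {level} listed more than once")
        else:
            mapping[level] = action
    return mapping, errors


def audit_threat_actions(value):
    """Return review findings: syntax errors first, then weak or missing entries."""
    mapping, findings = parse_threat_actions(value)
    for level, action in sorted(mapping.items()):
        # Assumption of this example: Allow (6) on High or Severe threats
        # deserves a reviewer's attention; the page does not rank actions.
        if level in (4, 5) and action == 6:
            findings.append(f"{SEVERITIES[level]} threats are set to Allow")
    for level in sorted(set(SEVERITIES) - set(mapping)):
        findings.append(f"no action specified for {SEVERITIES[level]} threats")
    return findings


if __name__ == "__main__":
    # First value is the page's example; the second is constructed.
    for sample in ("1=6|2=2|4=10|5=3", "1=6|3=2|4=6|5=99"):
        print(sample, "->", audit_threat_actions(sample) or "no findings")
```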

ADMX Info:

  • GP English name: Specify threat alert levels at which default action should not be taken when detected
  • GP name: Threats_ThreatSeverityDefaultAction
  • GP element: Threats_ThreatSeverityDefaultActionList
  • GP path: Windows Components/Windows Defender Antivirus/Threats
  • GP ADMX file name: WindowsDefender.admx

Footnote:

  • 1 - Added in Windows 10, version 1607.
  • 2 - Added in Windows 10, version 1703.
  • 3 - Added in Windows 10, version 1709.
  • 4 - Added in Windows 10, version 1803.
  • 5 - Added in the next major release of Windows 10.

Defender policies supported by Microsoft Surface Hub