Policy CSP - Defender


Defender policies

Defender/AllowArchiveScanning
Defender/AllowBehaviorMonitoring
Defender/AllowCloudProtection
Defender/AllowEmailScanning
Defender/AllowFullScanOnMappedNetworkDrives
Defender/AllowFullScanRemovableDriveScanning
Defender/AllowIOAVProtection
Defender/AllowIntrusionPreventionSystem
Defender/AllowOnAccessProtection
Defender/AllowRealtimeMonitoring
Defender/AllowScanningNetworkFiles
Defender/AllowScriptScanning
Defender/AllowUserUIAccess
Defender/AttackSurfaceReductionOnlyExclusions
Defender/AttackSurfaceReductionRules
Defender/AvgCPULoadFactor
Defender/CloudBlockLevel
Defender/CloudExtendedTimeout
Defender/ControlledFolderAccessAllowedApplications
Defender/ControlledFolderAccessProtectedFolders
Defender/DaysToRetainCleanedMalware
Defender/EnableControlledFolderAccess
Defender/EnableNetworkProtection
Defender/ExcludedExtensions
Defender/ExcludedPaths
Defender/ExcludedProcesses
Defender/PUAProtection
Defender/RealTimeScanDirection
Defender/ScanParameter
Defender/ScheduleQuickScanTime
Defender/ScheduleScanDay
Defender/ScheduleScanTime
Defender/SignatureUpdateInterval
Defender/SubmitSamplesConsent
Defender/ThreatSeverityDefaultAction


Defender/AllowArchiveScanning

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows scanning of archives.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowBehaviorMonitoring

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Behavior Monitoring functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowCloudProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowEmailScanning

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows scanning of email.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.


Defender/AllowFullScanOnMappedNetworkDrives

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows a full scan of mapped network drives.

The following list shows the supported values:

  • 0 (default) – Not allowed.
  • 1 – Allowed.


Defender/AllowFullScanRemovableDriveScanning

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows a full scan of removable drives.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowIOAVProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender IOAVP Protection functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowIntrusionPreventionSystem

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Intrusion Prevention functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowOnAccessProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender On Access Protection functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowRealtimeMonitoring

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Realtime Monitoring functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowScanningNetworkFiles

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows scanning of network files.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowScriptScanning

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows Windows Defender Script Scanning functionality.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AllowUserUIAccess

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.


Defender/AttackSurfaceReductionOnlyExclusions

Home        Pro             Business        Enterprise      Education       Mobile      Mobile Enterprise
cross mark  check mark (3)  check mark (3)  check mark (3)  check mark (3)  cross mark  cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This policy setting allows you to prevent Attack surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name-value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".

Value type is string.


Defender/AttackSurfaceReductionRules

Home        Pro             Business        Enterprise      Education       Mobile      Mobile Enterprise
cross mark  check mark (3)  check mark (3)  check mark (3)  check mark (3)  cross mark  cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This policy setting sets the state (Block/Audit/Off) of each Attack surface reduction (ASR) rule. The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name-value pair: the name is a valid ASR rule ID, and the value is the status ID indicating the state of the rule.

For more information about ASR rule ID and status ID, see Enable Attack Surface Reduction.

Value type is string.


Defender/AvgCPULoadFactor

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Represents the average CPU load factor for the Windows Defender scan (in percent).

Valid values: 0–100

The default value is 50.


Defender/CloudBlockLevel

Home        Pro             Business        Enterprise      Education       Mobile      Mobile Enterprise
cross mark  check mark (3)  check mark (3)  check mark (3)  check mark (3)  cross mark  cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.

If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.

For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.

Note

This feature requires the "Join Microsoft MAPS" setting enabled in order to function.

Possible options are:

  • (0x0) Default Windows Defender blocking level
  • (0x2) High blocking level – aggressively block unknowns while optimizing client performance (greater chance of false positives)
  • (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
  • (0x6) Zero tolerance blocking level – block all unknown executables


Defender/CloudExtendedTimeout

Home        Pro             Business        Enterprise      Education       Mobile      Mobile Enterprise
cross mark  check mark (3)  check mark (3)  check mark (3)  check mark (3)  cross mark  cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.

The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.

For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.

Note

This feature depends on three other MAPS settings that must all be enabled: "Configure the 'Block at First Sight' feature"; "Join Microsoft MAPS"; "Send file samples when further analysis is required".


Defender/ControlledFolderAccessAllowedApplications

Home        Pro             Business        Enterprise      Education       Mobile      Mobile Enterprise
cross mark  check mark (3)  check mark (3)  check mark (3)  check mark (3)  cross mark  cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.

Added in Windows 10, version 1709. This policy setting allows adding user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.


Defender/ControlledFolderAccessProtectedFolders

Home        Pro             Business        Enterprise      Education       Mobile      Mobile Enterprise
cross mark  check mark (3)  check mark (3)  check mark (3)  check mark (3)  cross mark  cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.

Added in Windows 10, version 1709. This policy setting allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system-defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and cannot be changed. Value type is string. Use the | as the substring separator.


Defender/DaysToRetainCleanedMalware

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Time period (in days) that quarantine items will be stored on the system.

Valid values: 0–90

The default value is 0, which keeps items in quarantine, and does not automatically remove them.


Defender/EnableControlledFolderAccess

Home        Pro             Business        Enterprise      Education       Mobile      Mobile Enterprise
cross mark  check mark (3)  check mark (3)  check mark (3)  check mark (3)  cross mark  cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.

Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.

  • 0 (default) - Disabled
  • 1 - Enabled
  • 2 - Audit Mode


Defender/EnableNetworkProtection

Home        Pro             Business        Enterprise      Education       Mobile      Mobile Enterprise
cross mark  check mark (3)  check mark (3)  check mark (3)  check mark (3)  cross mark  cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.

If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.

If you enable this policy with the "Block" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.

If you enable this policy with the "Audit" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.

If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center.

If you do not configure this policy, network blocking will be disabled by default.

Valid values:

  • 0 (default) - Disabled
  • 1 - Enabled (block mode)
  • 2 - Enabled (audit mode)


Defender/ExcludedExtensions

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, "lib|obj".


Defender/ExcludedPaths

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, "C:\Example|C:\Example1".


Defender/ExcludedProcesses

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify a list of files opened by processes to ignore during a scan.

Important

The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path.

Each file type must be separated by a |. For example, "C:\Example.exe|C:\Example1.exe".
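The three exclusion policies interact: ExcludedProcesses only skips files a process opens, and the process binary itself goes unscanned only when an ExcludedPaths entry also covers it. The following audit of the |-separated values is an added example, not code from the original page; the policy values are constructed, and the list of executable extensions and the drive-root check are assumptions of the example.

```python
from pathlib import PureWindowsPath

# Assumption of this example: extensions treated as carrying executable content.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "ps1", "vbs", "js", "bat", "cmd"}


def split_list(value):
    """Split a |-separated policy value, dropping empty items."""
    return [item.strip() for item in value.split("|") if item.strip()]


def _win(path):
    # Windows paths compare case-insensitively; normalise before comparing.
    return PureWindowsPath(path.lower())


def covering_exclusion(file_path, excluded_paths):
    """Return the ExcludedPaths entry equal to file_path or to one of its parent folders."""
    target = _win(file_path)
    for entry in excluded_paths:
        candidate = _win(entry)
        if candidate == target or candidate in target.parents:
            return entry
    return None


def audit_exclusions(policy):
    """Return (policy name, entry, reason) tuples for exclusions worth reviewing."""
    extensions = split_list(policy.get("ExcludedExtensions", ""))
    paths = split_list(policy.get("ExcludedPaths", ""))
    processes = split_list(policy.get("ExcludedProcesses", ""))
    findings = []
    for ext in extensions:
        if ext.lower().lstrip(".") in EXECUTABLE_EXTENSIONS:
            findings.append(("ExcludedExtensions", ext,
                             "executable file type is skipped during scans"))
    for path in paths:
        win = _win(path)
        if win.drive and len(win.parts) == 1:
            findings.append(("ExcludedPaths", path, "entire drive is excluded"))
    for proc in processes:
        hit = covering_exclusion(proc, paths)
        if hit is not None:
            findings.append(("ExcludedProcesses", proc,
                             f"process binary is also unscanned via ExcludedPaths entry {hit}"))
    return findings


# Constructed sample values in the format the policies describe.
SAMPLE_POLICY = {
    "ExcludedExtensions": "lib|obj|PS1",
    "ExcludedPaths": r"C:\Example|D:\|C:\Tools\Backup",
    "ExcludedProcesses": r"C:\Example.exe|c:\tools\backup\agent.exe",
}

if __name__ == "__main__":
    for name, entry, reason in audit_exclusions(SAMPLE_POLICY):
        print(f"{name}: {entry} -> {reason}")
```

Note that C:\Example.exe is not reported: the folder exclusion C:\Example does not cover it, which a plain string-prefix comparison would get wrong.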


Defender/PUAProtection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.

The following list shows the supported values:

  • 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
  • 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
  • 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.


Defender/RealTimeScanDirection

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Controls which sets of files should be monitored.

Note

If AllowOnAccessProtection is not allowed, then this configuration can be used to monitor specific files.

The following list shows the supported values:

  • 0 (default) – Monitor all files (bi-directional).
  • 1 – Monitor incoming files.
  • 2 – Monitor outgoing files.


Defender/ScanParameter

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Selects whether to perform a quick scan or full scan.

The following list shows the supported values:

  • 1 (default) – Quick scan
  • 2 – Full scan


Defender/ScheduleQuickScanTime

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Selects the time of day that the Windows Defender quick scan should run.

Note

The scan type depends on what scan type is selected in the Defender/ScanParameter setting.

Valid values: 0–1380

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00AM, and so on, up to a value of 1380=11:00PM.

The default value is 120.


Defender/ScheduleScanDay

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Selects the day that the Windows Defender scan should run.

Note

The scan type depends on what scan type is selected in the Defender/ScanParameter setting.

The following list shows the supported values:

  • 0 (default) – Every day
  • 1 – Monday
  • 2 – Tuesday
  • 3 – Wednesday
  • 4 – Thursday
  • 5 – Friday
  • 6 – Saturday
  • 7 – Sunday
  • 8 – No scheduled scan


Defender/ScheduleScanTime

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Selects the time of day that the Windows Defender scan should run.

Note

The scan type depends on what scan type is selected in the Defender/ScanParameter setting.

Valid values: 0–1380.

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00AM, and so on, up to a value of 1380=11:00PM.

The default value is 120.


Defender/SignatureUpdateInterval

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Specifies the interval (in hours) at which to check for new signatures. The check for new signatures then follows this interval instead of using ScheduleDay and ScheduleTime.

Valid values: 0–24.

A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.

The default value is 8.


Defender/SubmitSamplesConsent

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits the data. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when Defender/AllowCloudProtection is allowed) before sending data.

The following list shows the supported values:

  • 0 – Always prompt.
  • 1 (default) – Send safe samples automatically.
  • 2 – Never send.
  • 3 – Send all samples automatically.


Defender/ThreatSeverityDefaultAction

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop.

Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.

This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format "threat level=action|threat level=action". For example, "1=6|2=2|4=10|5=3".

The following list shows the supported values for threat severity levels:

  • 1 – Low severity threats
  • 2 – Moderate severity threats
  • 4 – High severity threats
  • 5 – Severe threats

The following list shows the supported values for possible actions:

  • 1 – Clean
  • 2 – Quarantine
  • 3 – Remove
  • 6 – Allow
  • 8 – User defined
  • 10 – Block
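A value in this format is easy to mistype, so it is worth parsing and checking before deployment. The following parser is an added example, not code from the original page; it uses the two ID tables listed above, and the rule that High or Severe threats set to "Allow" or "User defined" need review is an assumption of the example.

```python
import re

# ID tables copied from the policy description above.
SEVERITIES = {1: "Low", 2: "Moderate", 4: "High", 5: "Severe"}
ACTIONS = {1: "Clean", 2: "Quarantine", 3: "Remove",
           6: "Allow", 8: "User defined", 10: "Block"}

# Assumption of this example (not part of the policy definition): High and
# Severe threats left to "Allow" or "User defined" deserve a manual review.
REVIEW_SEVERITIES = {4, 5}
REVIEW_ACTIONS = {6, 8}

ENTRY = re.compile(r"\s*(\d+)\s*=\s*(\d+)\s*", re.ASCII)


def parse_threat_actions(value):
    """Return ({severity_id: action_id}, [errors]) for a policy string."""
    mapping, errors = {}, []
    for entry in value.strip().strip('"').split("|"):
        match = ENTRY.fullmatch(entry)
        if match is None:
            errors.append(f"malformed entry {entry!r}")
            continue
        severity, action = int(match.group(1)), int(match.group(2))
        if severity not in SEVERITIES:
            errors.append(f"unknown threat severity ID {severity}")
        elif action not in ACTIONS:
            errors.append(f"unknown action ID {action} for severity {severity}")
        elif severity in mapping:
            errors.append(f"severity {severity} listed more than once")
        else:
            mapping[severity] = action
    return mapping, errors


def describe(mapping):
    """Translate the numeric IDs into the names used in the lists above."""
    return {SEVERITIES[s]: ACTIONS[a] for s, a in sorted(mapping.items())}


def review_findings(mapping):
    """List High/Severe entries whose action is in REVIEW_ACTIONS."""
    return [f"{SEVERITIES[s]} threats are set to {ACTIONS[a]}"
            for s, a in sorted(mapping.items())
            if s in REVIEW_SEVERITIES and a in REVIEW_ACTIONS]


if __name__ == "__main__":
    samples = ["1=6|2=2|4=10|5=3",    # example value from the policy text
               "4=6|3=2|5=9|5=3|2"]   # constructed value with defects
    for sample in samples:
        parsed, problems = parse_threat_actions(sample)
        print(sample, describe(parsed), problems, review_findings(parsed))
```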

Footnote:

  • 1 - Added in Windows 10, version 1607.
  • 2 - Added in Windows 10, version 1703.
  • 3 - Added in Windows 10, version 1709.

Defender policies supported by Microsoft Surface Hub