Configure Microsoft Defender Antivirus scanning options
Use Microsoft Intune to configure scanning options
Use Microsoft Endpoint Configuration Manager to configure scanning options
See How to create and deploy antimalware policies: Scan settings for details on configuring Microsoft Endpoint Configuration Manager (current branch).
Use Group Policy to configure scanning options
To configure the Group Policy settings described in the following table:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and click Edit.
2. In the Group Policy Management Editor, go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Microsoft Defender Antivirus and then the Location specified in the table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click OK, and repeat for any other settings.
| Description | Location and setting | Default setting (if not configured) | PowerShell |
|---|---|---|---|
| Email scanning (see Email scanning limitations) | Scan > Turn on e-mail scanning | Disabled | |
| Scan reparse points | Scan > Turn on reparse point scanning | Disabled | Not available |
| Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | |
| Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting. | Scan > Scan archive files | Enabled | |
| Scan files on the network | Scan > Scan network files | Disabled | |
| Scan packed executables | Scan > Scan packed executables | Enabled | Not available |
| Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | |
| Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available |
| Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | |
| Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit. | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available |
| Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available |
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
Use PowerShell to configure scanning options
See Manage Microsoft Defender Antivirus with PowerShell cmdlets and Defender cmdlets for more information on how to use PowerShell with Microsoft Defender Antivirus.
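An audit of the scan options from the table above, as an added example that is not part of the original page or Microsoft's own code. It uses the Get-MpPreference and Set-MpPreference cmdlets; the function name Test-DefenderScanBaseline and the baseline values are assumptions chosen for illustration. Note that the PowerShell properties are phrased as "Disable...", the inverse of the "Turn on..." Group Policy settings.

```powershell
# Added example: compare Microsoft Defender Antivirus scan options with a baseline.
# The baseline values are illustrative assumptions, not recommendations from the page.
function Test-DefenderScanBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Desired state, keyed by Set-MpPreference parameter name.
        # $false on a Disable* key means the corresponding scan is turned ON.
        [hashtable]$Baseline = @{
            DisableEmailScanning                          = $false  # Turn on e-mail scanning
            DisableArchiveScanning                        = $false  # Scan archive files
            DisableScanningMappedNetworkDrivesForFullScan = $true   # Full scan on mapped drives stays off
            DisableScanningNetworkFiles                   = $false  # Scan network files
            DisableRemovableDriveScanning                 = $false  # Scan removable drives in full scans
            ScanAvgCPULoadFactor                          = 50      # Max average % CPU during a scan
        },
        # Apply the baseline where the current value differs (needs an elevated session).
        [switch]$Remediate
    )

    $current = Get-MpPreference

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $wanted = $Baseline[$name]
        $actual = $current.$name
        $ok     = ($actual -eq $wanted)

        if (-not $ok -and $Remediate -and
            $PSCmdlet.ShouldProcess($name, "Set-MpPreference to '$wanted'")) {
            $fix = @{ $name = $wanted }      # splat a single parameter
            Set-MpPreference @fix
            $actual = (Get-MpPreference).$name   # re-read to confirm the change stuck
            $ok     = ($actual -eq $wanted)
        }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $wanted
            Actual    = $actual
            Compliant = $ok
        }
    }
}

# Report only; add -Remediate -WhatIf to preview changes, or -Remediate to apply them.
Test-DefenderScanBaseline | Format-Table -AutoSize
```

Values enforced through Group Policy or Intune take precedence over local Set-MpPreference changes, so on managed devices use the report to spot drift and correct it in the policy itself.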
Use WMI to configure scanning options
For using WMI classes, see Windows Defender WMIv2 APIs.
Email scanning limitations
Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
PST files used by Outlook 2003 or older (where the archive type is set to non-Unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
If Microsoft Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
- Email subject
- Attachment name