Configure remediation for Windows Defender Antivirus scans
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
Configure remediation options
You can configure how remediation works with the Group Policy settings described in this section.
To configure these settings:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location specified in the table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click OK, and repeat for any other settings.
| Location | Setting | Description | Default setting (if not configured) |
|---|---|---|---|
| Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled |
| Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
| Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
| Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed |
| Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
| Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
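
To check what an endpoint actually ended up with after the policy applies, the following added example (not part of the original documentation) reads the effective values with `Get-MpPreference` and lists any threat-level or threat-ID override that is set to ignore. The mapping of the table's settings to `Get-MpPreference` properties and the variable and function names are assumptions of this example.

```powershell
# Added example: audit effective Defender remediation settings on an endpoint.
# Assumes the Defender PowerShell module (Get-MpPreference) is available.

# Numeric action codes for threat default actions; 6 is "ignore" (allow).
$ActionNames = @{
    0 = 'Not configured'; 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'
    6 = 'Ignore'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block'
}
$NonRemediating = 6, 9   # overrides that leave the detected item in place

function Get-ActionName([int]$Code) {
    if ($ActionNames.ContainsKey($Code)) { $ActionNames[$Code] } else { "Unknown ($Code)" }
}

$pref     = Get-MpPreference
$findings = @()

# Per-level overrides. The cmdlet calls the table's "medium" level "Moderate".
foreach ($level in 'Low', 'Moderate', 'High', 'Severe') {
    $code = [int]$pref."${level}ThreatDefaultAction"
    if ($NonRemediating -contains $code) {
        $findings += "Threat level ${level}: $(Get-ActionName $code)"
    }
}

# Per-threat-ID overrides are stored as two parallel arrays (IDs, actions).
if ($pref.ThreatIDDefaultAction_Ids) {
    $ids     = @($pref.ThreatIDDefaultAction_Ids)
    $actions = @($pref.ThreatIDDefaultAction_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        if ($NonRemediating -contains $code) {
            $findings += "Threat ID $($ids[$i]): $(Get-ActionName $code)"
        }
    }
}

# Summary object: retention and restore-point settings plus flagged overrides.
[pscustomobject]@{
    RestorePointBeforeRemediation = -not $pref.DisableRestorePoint
    ScanHistoryRetentionDays      = $pref.ScanPurgeItemsAfterDelay
    QuarantineRetentionDays       = $pref.QuarantinePurgeItemsAfterDelay  # 0 = never removed
    NonRemediatingOverrides       = $findings
}
```

An empty `NonRemediatingOverrides` list means no threat level or threat ID has been overridden to a non-remediating action on that endpoint.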
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md).
Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more remediation-related settings.
- Configure Windows Defender Antivirus scanning options
- Configure scheduled Windows Defender Antivirus scans
- Configure and run on-demand Windows Defender Antivirus scans
- Configure the notifications that appear on endpoints
- Configure end-user Windows Defender Antivirus interaction
- Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
- Windows Defender Antivirus in Windows 10