Use Group Policy settings to configure and manage Windows Defender Antivirus

Applies to:

  • Windows Defender Advanced Threat Protection (Windows Defender ATP)

You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.

In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings:

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object (GPO) you want to configure and click Edit.

  2. In the Group Policy Management Editor, go to Computer configuration.

  3. Click Administrative templates.

  4. Expand the tree to Windows components > Windows Defender Antivirus.

  5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.

  6. Deploy the updated GPO as you normally do.

The following table lists the Group Policy settings available in Windows 10, version 1703, and links each one to the relevant topic in this documentation library (where applicable).

| Location | Setting | Documented in topic |
|---|---|---|
| Client interface | Enable headless UI mode | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface |
| Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints |
| Client interface | Suppress all notifications | Configure the notifications that appear on endpoints |
| Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints |
| Exclusions | Extension Exclusions | Configure and validate exclusions in Windows Defender Antivirus scans |
| Exclusions | Path Exclusions | Configure and validate exclusions in Windows Defender Antivirus scans |
| Exclusions | Process Exclusions | Configure and validate exclusions in Windows Defender Antivirus scans |
| Exclusions | Turn off Auto Exclusions | Configure and validate exclusions in Windows Defender Antivirus scans |
| MAPS | Configure the 'Block at First Sight' feature | Enable block at first sight |
| MAPS | Join Microsoft MAPS | Enable cloud-delivered protection |
| MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection |
| MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings |
| MpEngine | Configure extended cloud check | Configure the cloud block timeout period |
| MpEngine | Select cloud protection level | Specify the cloud-delivered protection level |
| Network inspection system | Specify additional definition sets for network traffic inspection | Not used |
| Network inspection system | Turn on definition retirement | Not used |
| Network inspection system | Turn on protocol recognition | Not used |
| Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings |
| Quarantine | Configure removal of items from Quarantine folder | Configure remediation for Windows Defender Antivirus scans |
| Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings |
| Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings |
| Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Turn on behavior monitoring | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings |
| Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans |
| Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans |
| Reporting | Configure Watson events | Not used |
| Reporting | Configure Windows software trace preprocessor components | Not used |
| Reporting | Configure WPP tracing level | Not used |
| Reporting | Configure time out for detections in critically failed state | Not used |
| Reporting | Configure time out for detections in non-critical failed state | Not used |
| Reporting | Configure time out for detections in recently remediated state | Not used |
| Reporting | Configure time out for detections requiring additional action | Not used |
| Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints |
| Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly) |
| Root | Define addresses to bypass proxy server | Not used |
| Root | Define proxy auto-config (.pac) for connecting to the network | Not used |
| Root | Define proxy server for connecting to the network | Not used |
| Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings |
| Root | Allow antimalware service to startup with normal priority | Configure remediation for Windows Defender Antivirus scans |
| Root | Allow antimalware service to remain running always | Configure remediation for Windows Defender Antivirus scans |
| Root | Turn off routine remediation | Configure remediation for Windows Defender Antivirus scans |
| Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Allow users to pause scan | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface |
| Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates |
| Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date |
| Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date |
| Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date |
| Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings |
| Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings |
| Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings |
| Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings |
| Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings |
| Scan | Create a system restore point | Configure remediation for Windows Defender Antivirus scans |
| Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans |
| Scan | Turn on heuristics | Enable and configure Windows Defender Antivirus always-on protection and monitoring |
| Scan | Turn on e-mail scanning | Configure scanning options in Windows Defender Antivirus |
| Scan | Turn on reparse point scanning | Configure scanning options in Windows Defender Antivirus |
| Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus |
| Scan | Scan archive files | Configure scanning options in Windows Defender Antivirus |
| Scan | Scan network files | Configure scanning options in Windows Defender Antivirus |
| Scan | Scan packed executables | Configure scanning options in Windows Defender Antivirus |
| Scan | Scan removable drives | Configure scanning options in Windows Defender Antivirus |
| Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus |
| Scan | Specify the maximum percentage of CPU utilization during a scan | Configure scanning options in Windows Defender Antivirus |
| Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus |
| Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus |
| Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus |
| Signature updates | Allow definition updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs) |
| Signature updates | Allow definition updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs) |
| Signature updates | Allow notifications to disable definitions based reports to Microsoft MAPS | Manage event-based forced updates |
| Signature updates | Allow real-time definition updates based on reports to Microsoft MAPS | Manage event-based forced updates |
| Signature updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates |
| Signature updates | Define file shares for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates |
| Signature updates | Define the number of days after which a catch up definition update is required | Manage updates for endpoints that are out of date |
| Signature updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date |
| Signature updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date |
| Signature updates | Define the order of sources for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates |
| Signature updates | Initiate definition update on startup | Manage event-based forced updates |
| Signature updates | Specify the day of the week to check for definition updates | Manage when protection updates should be downloaded and applied |
| Signature updates | Specify the interval to check for definition updates | Manage when protection updates should be downloaded and applied |
| Signature updates | Specify the time to check for definition updates | Manage when protection updates should be downloaded and applied |
| Signature updates | Turn on scan after signature update | Configure scheduled scans for Windows Defender Antivirus |
| Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans |
| Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans |
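
A check to run on an endpoint after the GPO has been deployed, as an added example that is not part of the original documentation: it compares what the Defender cmdlet Get-MpPreference reports with an expected baseline for a few settings from the table above, and lists every configured exclusion for review. The function name Test-DefenderBaseline and the baseline values are assumptions; substitute the values your GPO sets.

```powershell
# Added example: compare effective Defender settings with an expected baseline.
# Baseline values below are assumptions for illustration, not recommendations from this topic.
$Baseline = [ordered]@{
    # Get-MpPreference property = expected value   (Location > Setting it reflects)
    DisableRealtimeMonitoring = $false   # Real-time protection > Turn off real-time protection
    DisableBehaviorMonitoring = $false   # Real-time protection > Turn on behavior monitoring
    DisableIOAVProtection     = $false   # Real-time protection > Scan all downloaded files and attachments
    DisableBlockAtFirstSeen   = $false   # MAPS > Configure the 'Block at First Sight' feature
    MAPSReporting             = 2        # MAPS > Join Microsoft MAPS (0 = off, 1 = Basic, 2 = Advanced)
}

function Test-DefenderBaseline {
    param(
        [Parameter(Mandatory)] $Preference,    # object returned by Get-MpPreference
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    # One row per baseline setting; a missing property counts as drift.
    foreach ($name in $Expected.Keys) {
        $actual = $Preference.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Drift    = ($actual -ne $Expected[$name])
        }
    }
    # Exclusions reduce scan coverage, so every entry is listed for manual review.
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($item in @($Preference.$kind | Where-Object { $_ })) {
            [pscustomobject]@{ Setting = $kind; Expected = '(review)'; Actual = $item; Drift = $null }
        }
    }
}

# Refresh computer policy so the newly deployed GPO is applied before checking.
gpupdate /target:computer /force | Out-Null

$report = Test-DefenderBaseline -Preference (Get-MpPreference) -Expected $Baseline
$report | Format-Table -AutoSize
if ($report | Where-Object Drift) {
    Write-Warning 'Effective Windows Defender Antivirus settings differ from the baseline.'
}
```

Run it from an elevated PowerShell session on the endpoint; rows with Drift set to True show settings where the deployed policy did not produce the expected value.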