Updates from: 04/10/2021 04:08:11
Category Microsoft Docs article Related commit history on GitHub Change details
admin Manage Feedback Ms Org https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-feedback-ms-org.md
description: "Manage feedback your users can send to Microsoft about Microsoft p
# Manage Microsoft feedback for your organization
-As the admin of a Microsoft 365 organization, there are now several policies to help you manage the feedback collection and the customer engagement experience of your users when using Microsoft 365 applications. You can create and use existing Azure Active directory groups in your organization for each of these policies. With these polices, you can control how different departments in your organization can send feedback to Microsoft. Microsoft reviews all feedback submitted by customers and uses this feedback to improve the product. Keeping the feedback experiences turned **On** allows you to see what your users are saying about the Microsoft products they're using. The feedback we collect from your users will soon be available in the Microsoft 365 admin center.ΓÇ¥
+As the admin of a Microsoft 365 organization, there are now several policies to help you manage the feedback collection and the customer engagement experience of your users when using Microsoft 365 applications. You can create and use existing Azure Active directory groups in your organization for each of these policies. With these polices, you can control how different departments in your organization can send feedback to Microsoft. Microsoft reviews all feedback submitted by customers and uses this feedback to improve the product. Keeping the feedback experiences turned **On** allows you to see what your users are saying about the Microsoft products they're using. The feedback we collect from your users will soon be available in the Microsoft 365 admin center.
To learn more about the types of feedback and how Microsoft uses user feedback, see [Learn about Microsoft feedback for your organization](../misc/feedback-user-control.md).
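Review bot: the only difference between the removed and the added paragraph is the stray trailing `ΓÇ¥` (a mis-encoded closing quotation mark) at the end of the old line, which the new line drops; that is the right fix. Two wording issues survive in the new line and could go in the same commit: "Azure Active directory" should be "Azure Active Directory", and "With these polices" should read "With these policies".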
compliance Audit Log Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
You can create and manage audit log retention policies in the Security & Complia
## Default audit log retention policy
-Advanced Audit in Microsoft 365 provides a default audit log retention policy for all organizations. This policy retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This default policy retains audit records that contain the value of **AzureActiveDirectory**, **Exchange**, or **SharePoint** for the **Workload** property (which is the service in which the activity occurred). The default policy can't be modified. See the [More information](#more-information) section in this article for a list of record types for each workload that are included in the default policy.
+Advanced Audit in Microsoft 365 provides a default audit log retention policy for all organizations. This policy retains all Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory audit records for one year. This default policy retains audit records that contain the value of **Exchange**, **SharePoint**, **OneDrive**, **AzureActiveDirectory** for the **Workload** property (which is the service in which the activity occurred). The default policy can't be modified. See the [More information](#more-information) section in this article for a list of record types for each workload that are included in the default policy.
> [!NOTE] > The default audit log retention policy only applies to audit records for activity performed by users who are assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. If you have non-E5 users or guest users in your organization, their corresponding audit records are retained for 90 days.
Use the [Remove-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/remo
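Review bot: the workload list in the added paragraph lost its conjunction: "**Exchange**, **SharePoint**, **OneDrive**, **AzureActiveDirectory** for the **Workload** property" should read "**Exchange**, **SharePoint**, **OneDrive**, or **AzureActiveDirectory** for the **Workload** property", keeping the "or" that the removed line had.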
## More information
-As previously stated, audit records for operations in Azure Active Directory, Exchange, and SharePoint are retained for one year by default. The following table lists all the record types (for each of these services) included in the default audit log retention policy. This means that audit logs for any operation with this record type are retained for one year unless a custom audit log retention policy takes precedence for a specific record type, operation, or user. The Enum value (which is displayed as the value for the RecordType property in an audit record) for each record type is shown in parentheses.
+As previously stated, audit records for operations in Azure Active Directory, Exchange Online, SharePoint Online, and OneDrive for Business, are retained for one year by default. The following table lists all the record types (for each of these services) included in the default audit log retention policy. This means that audit logs for any operation with this record type are retained for one year unless a custom audit log retention policy takes precedence for a specific record type, operation, or user. The Enum value (which is displayed as the value for the RecordType property in an audit record) for each record type is shown in parentheses.
-|AzureActiveDirectory |Exchange |SharePoint|
+|AzureActiveDirectory |Exchange |SharePoint or OneDrive|
|:|:|:| |AzureActiveDirectory (8)|ExchangeAdmin (1)|ComplianceDLPSharePoint (11)| |AzureActiveDirectoryAccountLogon (9)|ExchangeItem (2)|ComplianceDLPSharePointClassification (33)|
As previously stated, audit records for operations in Azure Active Directory, Ex
||ExchangeItemAggregated (50)|SharePointFileOperation (6)| ||ExchangeItemGroup (3)|SharePointListOperation (36)| ||InformationBarrierPolicyApplication (53)|SharePointSharingOperation (14)|
-||||
+||||
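Review bot: stray comma in the added paragraph: "Exchange Online, SharePoint Online, and OneDrive for Business, are retained for one year" should read "...and OneDrive for Business are retained for one year". The header change to "SharePoint or OneDrive" matches the new prose, but the final `-||||` / `+||||` pair shows no visible difference, so it is presumably a whitespace-only change that could be dropped from the diff.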
compliance Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-sensitivity-labels.md
When you use built-in labeling for Office apps on Windows, macOS, iOS, and Andro
Additional label policy settings are available with the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) cmdlet from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell).
-For the Azure Information Protection unified labeling client only, you can specify [advanced settings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations) that include setting a different default label for Outlook, and implement pop-up messages in Outlook that warn, justify, or block emails being sent. For the full list, see [Available advanced settings for label policies](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#available-advanced-settings-for-label-policies) from this client's admin guide.
+The Azure Information Protection unified labeling client supports many [advanced settings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations) that include migrating from other labeling solutions, and pop-up messages in Outlook that warn, justify, or block emails being sent. For the full list, see [Available advanced settings for label policies](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#available-advanced-settings-for-label-policies) from this client's admin guide.
## Use PowerShell for sensitivity labels and their policies
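Review bot: the rewritten sentence drops "setting a different default label for Outlook" from the list of client-only advanced settings, which is consistent with the sensitivity-labels-office-apps change in this same change set that makes OutlookDefaultLabel and DisableMandatoryInOutlook available to built-in labeling; consider linking from this paragraph to that new "Outlook-specific options for default label and mandatory labeling" section so readers here find the built-in-labeling equivalent. Also, "migrating from other labeling solutions, and pop-up messages" is a two-item list and does not need the comma before "and".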
compliance Hold Distribution Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/hold-distribution-errors.md
Title: "Troubleshoot eDiscovery hold distribution errors"
+ Title: "Troubleshoot eDiscovery legal hold errors"
f1.keywords: - NOCSH audience: Admin-+ localization_priority: Normal
search.appverid:
- MET150 - seo-marvel-apr2020-
-description: "Troubleshoot errors related to holds applied to custodians and non-custodial data sources in Advanced eDiscovery."
+description: "Troubleshoot errors related to legal holds applied to custodians and non-custodial data sources in Core eDiscovery."
# Troubleshoot eDiscovery hold errors
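Review bot: the front-matter title and description change to "Troubleshoot eDiscovery legal hold errors" and "Core eDiscovery", but the H1 directly below still reads "Troubleshoot eDiscovery hold errors" and the body refers to "eDiscovery holds" and custodians throughout; pick one feature name (hold vs. legal hold) and one product name (the removed description said Advanced eDiscovery, the added one says Core eDiscovery) and use it consistently in the title, description and heading.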
-start adding content here
+This article discusses common issues that may occur with eDiscovery holds and how to resolve them. The article also includes recommended practices to help you mitigate or avoid these issues.
+
+## Recommended practices
+
+To reduce the number of errors related to eDiscovery holds, we recommend the following practices:
+
+- If a hold distribution is still pending, with a status of either `On (Pending)` or `Off (Pending)`, wait until the hold distribution is complete before you make any further updates.
+
+- Merge your updates to an eDiscovery hold in a single bulk request rather than updating the hold policy repeatedly for each transaction. For example, to add multiple user mailboxes to an existing hold policy using the [Set-CaseHoldPolicy](/powershell/module/exchange/set-caseholdpolicy) cmdlet, run the command (or add as a code block to a script) so that it runs only once to add multiple users.
+
+ **Correct**
+
+ ```powershell
+ Set-CaseHoldPolicy -AddExchangeLocation {$user1, $user2, $user3, $user4, $user5}
+ ```
+
+ **Incorrect**
+
+ ```powershell
+ $users = {$user1, $user2, $user3, $user4, $user5}
+ ForEach($user in $users)
+ {
+ Set-CaseHoldPolicy -AddExchangeLocation $user
+ }
+ ```
+
+ In the previous incorrect example, the cmdlet is run five separate times to complete the task. For more information about the recommended practices for adding users to a hold policy, see the [More information](#more-information) section.
+
+- Before contacting Microsoft Support about eDiscovery hold issues, follow the steps in the [Error/issue: Holds don't sync](#errorissue-holds-dont-sync) section to retry the hold distribution. This process often resolves temporary issues including, internal server errors.
+
+## Error/issue: Holds don't sync
+
+If you see one the following error messages when putting custodians and data sources on hold, use the resolution steps to troubleshoot the issue.
+
+> Resources: It's taking longer than expected to deploy the policy. It might take an additional 2 hours to update the final deployment status, so check back in a couple hours.
+
+> Policy cannot be deployed to the content source due to a temporary Office 365 datacenter issue. The current policy is not applied to any content in the source, so there's no impact from the blocked deployment. To fix this issue, please try redeploying the policy.
+
+> Sorry, we could not perform the requested changes to policy due to a transient internal server error. Please try again in 30 minutes.
+
+### Resolution
+
+1. Connect to [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command for an eDiscovery hold:
+
+ ```powershell
+ Get-CaseHoldPolicy <policyname> - DistributionDetail | FL
+ ```
+
+2. Examine the value in the *DistributionDetail* parameter. Look for errors like the following:
+
+ > Error: Resources: It's taking longer than expected to deploy the policy. It might take an additional 2 hours to update the final deployment status, so check back in a couple hours.
+
+3. Try running the **Set-CaseHoldPolicy -RetryDistribution** command on the hold policy in question; for example:
+
+ ```powershell
+ Set-CaseHoldPolicy <policyname> -RetryDistribution
+ ```
+
+## More information
+
+- The guidance about updating hold policies for multiple users in the "Recommended practices" section results from the fact that the system blocks simultaneous updates to a hold policy. That means when an updated hold policy is applied to new content locations and the hold policy is in a pending state, additional content locations can't be added to the hold policy. Here are some things to keep in mind to help you mitigate this issue:
+
+ - Every time a hold updated is updated, it immediately goes into a pending state. The pending state status means the hold is being applied to content locations.
+
+ - If you have a script that runs a loop and adds locations to policy one by one (similar to the incorrect example shown in the "Recommended practices" section), the first content location (for example, a user mailbox) initiates the sync process that triggers the pending state. That means the other users that are added to the policy in subsequent loops result in an error.
+
+ - If your organization is using a script that runs a loop to update the content locations for a hold policy, you must update the script so that it updates locations in a single bulk operation (as shown in the correct example in the "Recommended practices" section).
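Review bot: both PowerShell examples in "Recommended practices" use `{$user1, $user2, $user3, $user4, $user5}`, which in PowerShell is a script block literal rather than a list of mailboxes, so neither example runs as intended; `-AddExchangeLocation` takes an array, so the "Correct" example should read `Set-CaseHoldPolicy <policyname> -AddExchangeLocation $user1, $user2, $user3, $user4, $user5` (or `@($user1, ...)`), and the "Incorrect" example should assign `$users = $user1, $user2, $user3, $user4, $user5` so the loop it is meant to illustrate actually iterates. Both examples also omit the policy name that the later `Set-CaseHoldPolicy <policyname> -RetryDistribution` example includes. In the resolution steps, `Get-CaseHoldPolicy <policyname> - DistributionDetail | FL` has a space after the hyphen, so the parameter will not be recognized; it should be `-DistributionDetail`, and step 2 calls DistributionDetail a "parameter" when it is a property of the returned policy object. Typos to fix in the same pass: "Every time a hold updated is updated", "one the following error messages", and "including, internal server errors".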
compliance Insider Risk Management Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-cases.md
Using recommended Power Automate flows, risk investigators and analysts can quic
- Request information from HR or business about a user in an insider risk case - Notify manager when a user has an insider risk alert-- Add calendar reminder to follow up on an insider risk case - Create a record for an insider risk management case in ServiceNow
+- Notify users when they're added to an insider risk policy
To run, manage, or create Power Automate flows for an insider risk management case:
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
The following Power Automate templates are provided to customers to support proc
- Severity level of the alert The flow automatically updates the case notes that the message was sent and that the flow was activated. If you've chosen to anonymize users in **Privacy settings**, flows created from this template will not function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Cases dashboard**.--- **Add calendar reminder to follow up on an insider risk case**: This template allows risk investigators and analysts to add calendar reminders for cases to their Office 365 Outlook calendar. This flow eliminates the need for users to exit or switch out of the insider risk management workflow when processing cases and triaging alerts. When this flow is configured and selected, a reminder is added to Office 365 Outlook calendar for the user running the flow. Power Automate flows using this template are available on the **Cases dashboard**. - **Create record for insider risk case in ServiceNow**: This template is for organizations that want to use their ServiceNow solution to track insider risk management cases. When in a case, insider risk analysts and investigators can create a record for the case in ServiceNow. You can customize this template to populate selected fields in ServiceNow based on your organization's requirements. Power Automate flows using this template are available on the **Cases dashboard**. For more information on available ServiceNow fields, see the [ServiceNow Connector reference](/connectors/service-now/) article. ### Create a Power Automate flow from insider risk management template
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
You can use a retention policy to retain data from chats and channel messages in
These mailboxes are, listed by their RecipientTypeDetails attribute: -- **MailUser**: These mailboxes store message data for cloud-based Teams users.-- **UserMailbox**: These mailboxes store message data for [on-premises Teams users](search-cloud-based-mailboxes-for-on-premises-users.md).
+- **UserMailbox**: These mailboxes store message data for cloud-based Teams users.
+- **MailUser**: These mailboxes store message data for [on-premises Teams users](search-cloud-based-mailboxes-for-on-premises-users.md).
- **GroupMailbox**: These mailboxes store message data for Teams channels. Other mailbox types, such as RoomMailbox that is used for Teams conference rooms, are not supported for Teams retention policies.
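Review bot: this swap inverts the mapping between RecipientTypeDetails values and user types (UserMailbox now means cloud-based Teams users, MailUser now means on-premises Teams users), which reverses a statement that admins may have built mailbox filters on; the linked search-cloud-based-mailboxes-for-on-premises-users.md article should be checked to confirm it describes on-premises users' Teams data as MailUser objects so that the two pages agree, and the commit message should call out that this is a correction rather than a reordering.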
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Rolling out: 2101+ | 16.43+ <sup>2</sup> | Under review | Under review | Yes | |[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | Under review | Under review | Under review | Under review | |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>2</sup> | Under review | Under review | Yes |
+|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | Under review | Under review | Under review | Under review | Rolling out |
| **Footnotes:**
For Microsoft Word 2016, Excel 2016, PowerPoint 2016, and Outlook 2016, specify
|Outlook | `MSIP.OutlookAddin` | | | | + Deploy this setting by using Group Policy, or by using the [Office cloud policy service](https://docs.microsoft.com/DeployOffice/overview-office-cloud-policy-service). > [!NOTE]
For guidance about when to use this setting, see the information about [policy s
> > The default label always takes priority over mandatory labeling. However, for documents, the Azure Information Protection unified labeling client applies the default label to all unlabeled documents whereas built-in labeling applies the default label to new documents and not to existing documents that are unlabeled. This difference in behavior means that when you use mandatory labeling with the default label setting, users will be prompted to apply a sensitivity label more often when they use built-in labeling than when they use the Azure Information Protection unified labeling client.
+## Outlook-specific options for default label and mandatory labeling
+
+For built-in labeling, identify the minimum versions of Outlook that support these features by using the [capabilities table for Outlook](#sensitivity-label-capabilities-in-outlook) on this page, and the row **Different settings for default label and mandatory labeling**.
+
+By default, when you select the label policy settings **Apply this label by default to documents and email** and **Requires users to apply a label to their email or documents**, your configuration choice applies to emails as well as to documents.
+
+To apply different settings to emails, use PowerShell advanced settings:
+
+- **OutlookDefaultLabel**: Use this setting if you want Outlook to apply a different default label, or no label.
+
+- **DisableMandatoryInOutlook**: Use this setting if you want Outlook to be exempt from prompting users to select a label for unlabeled email messages.
+
+For more information about configuring these settings by using PowerShell, see the next section.
+
+### PowerShell advanced settings OutlookDefaultLabel and DisableMandatoryInOutlook
+
+These settings are supported by using PowerShell with the *AdvancedSettings* parameter and the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) and [New-LabelPolicy](/powershell/module/exchange/new-labelpolicy) cmdlets from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell). Previously supported only by the Azure Information Protection unified labeling client, these two advanced settings are now supported for built-in labeling.
+
+PowerShell examples, where the label policy is named **Global**:
+
+- To exempt Outlook from a default label:
+
+ ````powershell
+ Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookDefaultLabel="None"}
+ ````
+
+- To exempt Outlook from mandatory labeling:
+
+ ````powershell
+ Set-LabelPolicy -Identity Global -AdvancedSettings @{DisableMandatoryInOutlook="True"}
+ ````
+
+Currently, OutlookDefaultLabel and DisableMandatoryInOutlook are the only PowerShell advanced settings that are supported for both built-in labeling and the Azure Information Protection client.
+
+The other PowerShell advanced settings remain supported for the Azure Information Protection client only. For more information about using advanced settings for the Azure Information Protection client, see [Admin Guide: Custom configurations for the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#configuring-advanced-settings-for-the-client-via-powershell).
+
+#### PowerShell tips for specifying the advanced settings
+
+To specify a different default label for Outlook, you must specify the label GUID. To find this value, can you use the following command:
+
+````powershell
+Get-Label | Format-Table -Property DisplayName, Name, Guid
+````
+
+To remove either of these advanced settings from a label policy, use the same AdvancedSettings parameter syntax, but specify a null string value. For example:
+
+````powershell
+Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookDefaultLabel=""}
+````
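Review bot: in the new "PowerShell tips" subsection, "To find this value, can you use the following command" should read "you can use the following command". The PowerShell examples in the new section are fenced with four backticks (````) where three suffice and are what the other PowerShell examples in this change set use. The policy setting named "**Requires users to apply a label to their email or documents**" in the new section does not match the capability-row text "Require users to apply a label to their email and documents"; use the exact setting name in both places. The new text also alternates between "Azure Information Protection client" and "Azure Information Protection unified labeling client" for the same product; the longer name is the one used elsewhere on this page.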
++ ## End-user documentation - [Apply sensitivity labels to your documents and email within Office](https://support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9) -- [Known issues when you apply sensitivity labels to your Office files](https://support.microsoft.com/en-us/office/known-issues-with-sensitivity-labels-in-office-b169d687-2bbd-4e21-a440-7da1b2743edc)
+- [Known issues when you apply sensitivity labels to your Office files](https://support.microsoft.com/en-us/office/known-issues-with-sensitivity-labels-in-office-b169d687-2bbd-4e21-a440-7da1b2743edc)
knowledge Create A Topic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/create-a-topic.md
To create a new topic, you need to:
You can create a new topic from two locations: -- Topic center home page: Any licensed user with the **Who can create or edit topics** permission (contributors) can create a new topic from the topic center by selecting the <b>New</b> menu and select <b>Topic page</b>.</br>
+- Topic center home page: Any licensed user with the **Who can create or edit topics** permission (contributors) can create a new topic from the topic center by selecting the **New** menu and select **Topic page**.
- ![New topic from topic center](../media/knowledge-management/new-topic.png) </br>
+ ![New topic from topic center](../media/knowledge-management/new-topic.png)
-- Manage topics page: Any licensed user who has **Who can manage topics** permission (knowledge managers) can create a new topic from the Manage topics page in the Topic Center by selecting <b>New topic page</b>.</br>
+- Manage topics page: Any licensed user who has **Who can manage topics** permission (knowledge managers) can create a new topic from the Manage topics page in the Topic Center by selecting **New topic page**.
- ![New topic from manage topics](../media/knowledge-management/new-topic-topic-center.png) </br>
+ ![New topic from manage topics](../media/knowledge-management/new-topic-topic-center.png)
### To create a new topic: 1. Select the option to create a new Topic Page from the ribbon on the Manage Topics page.
-2. In the **Name this topic** section, type the name of the new topic.
+2. In the **Name this topic** section, type the name of the new topic.
- ![Name this topic](../media/knowledge-management/k-new-topic-page.png) </br>
+ ![Name this topic](../media/knowledge-management/k-new-topic-page.png)
+3. In the **Alternate Names** section, type any other names that the topic might be referred to.
-3. In the <b>Alternate Names</b> section, type any other names that the topic might be referred to.
+ ![Alternate names](../media/knowledge-management/alt-names.png)
- ![Alternate names](../media/knowledge-management/alt-names.png) </br>
-4. In the <b>Description</b> section, type a couple of sentences that describe the topic.
+4. In the **Description** section, type a couple of sentences that describe the topic.
- ![Description of the topic](../media/knowledge-management/description.png)</br>
+ ![Description of the topic](../media/knowledge-management/description.png)
-4. In the <b>Pinned people</b> section, you can "pin" a person to show them as having a connection to the topic (for example, an owner of a connected resource). Begin by typing their name or email address in the <b>add a new user</b> box, and then select the user you want to add from the search results. You can also "unpin" them by selecting the <b>Remove from list</b> icon on the user card. You can also drag the person to change the order that the list of people appear.
+4. In the **Pinned people** section, you can "pin" a person to show them as having a connection to the topic (for example, an owner of a connected resource). Begin by typing their name or email address in the **add a new user** box, and then select the user you want to add from the search results. You can also "unpin" them by selecting the **Remove from list** icon on the user card. You can also drag the person to another place in the list.
- ![Pinned people](../media/knowledge-management/pinned-people.png)</br>
+ ![Pinned people](../media/knowledge-management/pinned-people.png)
+5. In the **Pinned files and pages** section, you can add or "pin" a file or SharePoint site page that is associated to the topic.
-5. In the <b>Pinned files and pages</b> section, you can add or "pin" a file or SharePoint site page that is associated to the topic.
-
- ![Pinned files and pages](../media/knowledge-management/pinned-files-and-pages.png)</br>
+ ![Pinned files and pages](../media/knowledge-management/pinned-files-and-pages.png)
- To add a new file, select <b>Add</b>, select the SharePoint site from your Frequent or Followed sites, and then select the file from the site's document library.
+ To add a new file, select **Add**, select the SharePoint site from your Frequent or Followed sites, and then select the file from the site's document library.
- You can also use the <b>From a link</b> option to add a file or page by providing the URL.
+ You can also use the **From a link** option to add a file or page by providing the URL.
> [!Note] > Files and pages that you add must be located within the same Microsoft 365 tenant. If you want to add a link to an external resource in the topic, you can add it through the canvas icon in step 8.
-6. The <b>Related sites</b> section shows sites that have information about the topic.
+6. The **Related sites** section shows sites that have information about the topic.
- ![Related sites section](../media/knowledge-management/related-sites.png)</br>
+ ![Related sites section](../media/knowledge-management/related-sites.png)
- You can add a related site by selecting <b>Add</b> and then either searching for the site, or selecting it from your list of Frequent or Recent sites.</br>
+ You can add a related site by selecting **Add** and then either searching for the site, or selecting it from your list of Frequent or Recent sites.
- ![Select site](../media/knowledge-management/sites.png)</br>
+ ![Select site](../media/knowledge-management/sites.png)
-7. The <b>Related topics</b> section shows connections that exist between topics. You can add a connection to a different topic by selecting the <b>Connect to a related topic</b> button, and then typing the name of the related topic, and selecting it from the search results.
+7. The **Related topics** section shows connections that exist between topics. You can add a connection to a different topic by selecting the **Connect to a related topic** button, and then typing the name of the related topic, and selecting it from the search results.
- ![Related topics](../media/knowledge-management/related-topic.png)</br>
+ ![Related topics](../media/knowledge-management/related-topic.png)
- You can then give a description of how the topics are related, and select <b>Update</b>.</br>
+ You can then give a description of how the topics are related, and select **Update**.
- ![Related topics description](../media/knowledge-management/related-topics-update.png)</br>
+ ![Related topics description](../media/knowledge-management/related-topics-update.png)
The related topic you added will display as a connected topic.
- ![Related topics connected](../media/knowledge-management/related-topics-final.png)</br>
+ ![Related topics connected](../media/knowledge-management/related-topics-final.png)
- To remove a related topic, select the topic you want to remove, then select the <b>Remove topic</b> icon.</br>
+ To remove a related topic, select the topic you want to remove, then select the **Remove topic** icon.
- ![Remove related topic](../media/knowledge-management/remove-related.png)</br>
-
- Then select <b>Remove</b>.</br>
+ ![Remove related topic](../media/knowledge-management/remove-related.png)
- ![Confirm remove](../media/knowledge-management/remove-related-confirm.png)</br>
-
-
+ Then select **Remove**.
+ ![Confirm remove](../media/knowledge-management/remove-related-confirm.png)
8. You can also add static items to the page (such as text, images, or links) by selecting the canvas icon, which you can find below the short description. Selecting it will open the SharePoint toolbox from which you can choose the item you want to add to the page.
- ![Canvas icon](../media/knowledge-management/webpart-library.png)</br>
-
+ ![Canvas icon](../media/knowledge-management/webpart-library.png)
9. Select **Publish** to save your changes.
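Review bot: the steps still carry two items numbered 4 ("In the **Description** section" and "In the **Pinned people** section") while the later steps run 5 through 9; renumber the steps consecutively and then re-check the note under the pinned files step, which points to "the canvas icon in step 8", since that reference moves when the numbering shifts. The `<b>` to `**` and `</br>` removals are otherwise straightforward.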
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Customize attack surface reduction rules](customize-attack-surface-reduction.md) ##### [View attack surface reduction events](event-views.md)
+### Next-generation protection
+#### [Overview of Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
+#### [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md)
+#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
+#### [Better together: Microsoft Defender Antivirus and Office 365](office-365-microsoft-defender-antivirus.md)
+#### [Cloud-delivered protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md)
+#### [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md)
+#### [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
+##### [Turn on cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)
+##### [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)
+##### [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
+##### [Turn on block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+##### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+##### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+##### [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+##### [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](configure-real-time-protection-microsoft-defender-antivirus.md)
+##### [Configure remediation for Microsoft Defender Antivirus detections](configure-remediation-microsoft-defender-antivirus.md)
+##### [Configure scheduled quick or full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+##### [Use limited periodic scanning in Microsoft Defender Antivirus](limited-periodic-scanning-microsoft-defender-antivirus.md)
+#### [Compatibility with other security products](microsoft-defender-antivirus-compatibility.md)
+
+#### [Get your antivirus and antimalware updates](manage-updates-baselines-microsoft-defender-antivirus.md)
+##### [Manage the sources for Microsoft Defender Antivirus protection updates](manage-protection-updates-microsoft-defender-antivirus.md)
+##### [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+##### [Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+##### [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+##### [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+
+#### [Manage Microsoft Defender Antivirus for your organization](configuration-management-reference-microsoft-defender-antivirus.md)
+##### [Use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus](use-intune-config-manager-microsoft-defender-antivirus.md)
+##### [Use Group Policy settings to manage Microsoft Defender Antivirus](use-group-policy-microsoft-defender-antivirus.md)
+##### [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus](use-wmi-microsoft-defender-antivirus.md)
+##### [Use the mpcmdrun.exe tool to manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md)
+
+#### [Deploy and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+##### [Deploy and enable Microsoft Defender Antivirus](deploy-microsoft-defender-antivirus.md)
+##### [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
+##### [Report on Microsoft Defender Antivirus](report-monitor-microsoft-defender-antivirus.md)
+
+#### [Scans and remediation](review-scan-results-microsoft-defender-antivirus.md)
+##### [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+##### [Run and review the results of a Microsoft Defender Offline scan](microsoft-defender-offline.md)
+##### [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+##### [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md)
+
+#### [Microsoft Defender Antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md)
+##### [Exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+##### [Exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+##### [Exclusions for Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+##### [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
+
+#### Troubleshooting Microsoft Defender Antivirus
+##### [Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
+##### [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md)
+##### [Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution](troubleshoot-microsoft-defender-antivirus-when-migrating.md)
++ #### [Hardware-based isolation]() ##### [Hardware-based isolation in Windows 10](overview-hardware-based-isolation.md)
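Review bot: the `#### [Hardware-based isolation]()` entry on the last line of this hunk has an empty link target, so it renders as a dead link in the ToC; either point it at a landing page or make it a plain heading the way `#### Troubleshooting Microsoft Defender Antivirus` is done a few lines above. The same line also folds `##### [Hardware-based isolation in Windows 10](overview-hardware-based-isolation.md)` onto it and carries a doubled `++` prefix; each ToC entry should sit on its own line, as the rest of the hunk does.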
security Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md
+
+ Title: Cloud-delivered protection and Microsoft Defender Antivirus
+description: Learn about cloud-delivered protection and Microsoft Defender Antivirus
+keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Microsoft Defender Antivirus
+
+Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
+
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
+
+To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
+
+>[!NOTE]
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+
+With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Microsoft Defender Antivirus in action:
+
+<iframe
+src="https://www.microsoft.com/videoplayer/embed/RE1Yu4B" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
+
+To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video:
+
+<iframe
+src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
+
+Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
+
+- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise)
+- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign)
+- [How artificial intelligence stopped an Emotet outbreak](https://www.microsoft.com/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak)
+- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://www.microsoft.com/security/blog/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses)
+- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://www.microsoft.com/security/blog/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware)
+
+## Get cloud-delivered protection
+
+Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
+
+Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update.
+
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
+The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
+
+|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period |
+|||||
+|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No |
+|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
+|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
+|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
+|Microsoft Endpoint Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
+|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
+
+You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
++
+## Tasks
+
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+
+- [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+
+- [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+
+- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Manager and Group Policy.
+
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Manager and Group Policy.
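Review bot: the separator row of the comparison table (`|||||`, directly under the `OS version or service application` header) has no dashes, so Markdown will not recognise it as a table and the six rows below it will render as literal pipe-separated text; it should read `|:--|:--|:--|:--|` or similar. Two smaller points in the same hunk: "These cloud protection services ... enhances standard real-time protection" needs "enhance", and the stray `++` line just before `## Tasks` will show up as a literal plus sign.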
security Collect Diagnostic Data Update Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance.md
+
+ Title: Collect diagnostic data for Update Compliance and Windows Defender Microsoft Defender Antivirus
+description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.
+
+Before attempting this process, ensure you have read [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
+
+On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps:
+
+1. Open an administrator-level version of the command prompt as follows:
+
+ a. Open the **Start** menu.
+
+ b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
+
+ c. Enter administrator credentials or approve the prompt.
+
+2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`.
+
+3. Type the following command, and then press **Enter**
+
+ ```Dos
+ mpcmdrun -getfiles
+ ```
+
+4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
+
+5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
+
+6. Send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
+
+ ```
+ I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
+
+ I have provided at least 2 support .cab files at the following location: <accessible share, including access details such as password>
+
+ My OMS workspace ID is:
+
+ Please contact me at:
+ ```
+
+## See also
+
+- [Troubleshoot Windows Defender Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
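Review bot: the email template in step 6 asks the reader to paste the share location together with "access details such as password" into one message, which undoes the point of the password-protected OneDrive folder recommended in step 5; suggest wording step 6 so the password is sent separately from the link. Also in this hunk: "met all require prerequisites" should be "required prerequisites", the title and the See also entry both say "Windows Defender Microsoft Defender Antivirus" (one product name too many), and the default .cab path given here (`C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`) should be checked against the sibling collect-diagnostic-data article, which gives a different folder name for the same file.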
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
+
+ Title: Collect diagnostic data of Microsoft Defender Antivirus
+description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 06/29/2020++
+ms.technology: mde
++
+# Collect Microsoft Defender AV diagnostic data
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
+
+> [!NOTE]
+> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
+
+On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
+
+1. Open an administrator-level version of the command prompt as follows:
+
+ a. Open the **Start** menu.
+
+ b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
+
+ c. Enter administrator credentials or approve the prompt.
+
+2. Navigate to the Microsoft Defender directory. By default, this is `C:\Program Files\Windows Defender`.
+
+> [!NOTE]
+> If you're running an [updated Microsoft Defender Platform version](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform), please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
+
+3. Type the following command, and then press **Enter**
+
+ ```Dos
+ mpcmdrun.exe -GetFiles
+ ```
+
+4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
+
+> [!NOTE]
+> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+
+5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
+
+> [!NOTE]
+>If you have a problem with Update compliance, send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
+>```
+> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
+> I have provided at least 2 support .cab files at the following location:
+> <accessible share, including access details such as password>
+>
+> My OMS workspace ID is:
+>
+> Please contact me at:
+
+## Redirect diagnostic data to a UNC share
+To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.
+
+```Dos
+mpcmdrun.exe -GetFiles -SupportLogLocation <path>
+```
+
+Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
+
+When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
+
+```Dos
+<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
+```
+
+| field | Description |
+|:-|:-|
+| path | The path as specified on the command line or retrieved from configuration
+| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
+| hostname | The hostname of the device on which the diagnostic data was collected
+| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
+
+> [!NOTE]
+> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.
+
+## Specify location where diagnostic data is created
+
+You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO).
+
+1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
+
+1. Select **Define the directory path to copy support log files**.
+
+ ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)
+
+ ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)
+3. Inside the policy editor, select **Enabled**.
+
+4. Specify the directory path where you want to copy the support log files in the **Options** field.
+ ![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png)
+5. Select **OK** or **Apply**.
+
+## See also
+
+- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
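Review bot: the fenced block opened with `>```` inside the Update Compliance note (after "fill out the template with the following information:") is never closed, so everything from `## Redirect diagnostic data to a UNC share` onward will render inside a quoted code block; add the closing `>```` after `> Please contact me at:`. Also in this hunk: step 4 gives the default location as `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`, while the Platform path in the note above it and the companion Update Compliance article both use `...\Microsoft\Windows Defender\...`, so one of them is wrong; "a a different path" has a doubled word; the GPO steps are numbered 1, 1, 3, 4, 5; and step 1 of that procedure tells the reader to find the setting in the Local Group Policy Editor but then gives a registry key (`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...`) rather than a policy editor path.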
security Command Line Arguments Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md
+
+ Title: Use the command line to manage Microsoft Defender Antivirus
+description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
+keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++++ Last updated : 03/19/2021
+ms.technology: mde
++
+# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
+
+> [!NOTE]
+> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**.
+> If you're running an updated Microsoft Defender Platform version, run `**MpCmdRun**` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
+
+The utility has the following commands:
+
+```console
+MpCmdRun.exe [command] [-options]
+```
+Here's an example:
+
+```console
+MpCmdRun.exe -Scan -ScanType 2
+```
+
+| Command | Description |
+|:-|:-|
+| `-?` **or** `-h` | Displays all available options for this tool |
+| `-Scan [-ScanType [0\|1\|2\|3]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. CpuThrottling will honor the configured CPU throttling from policy |
+| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
+| `-GetFiles [-SupportLogLocation <path>]` | Collects support information. See '[collecting diagnostic data](collect-diagnostic-data.md)' |
+| `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |
+| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set |
+| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence |
+| `-RemoveDefinitions [-Engine]` | Restores the previous installed engine |
+| `-SignatureUpdate [-UNC \| -MMPC]` | Checks for new Security intelligence updates |
+| `-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]]` | Restores or lists quarantined item(s) |
+| `-AddDynamicSignature [-Path]` | Loads dynamic Security intelligence |
+| `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence |
+| `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence |
+| `-CheckExclusion -path <path>` | Checks whether a path is excluded |
+| `-ValidateMapsConnection` | Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
++
+## Common errors in running commands via mpcmdrun.exe
+
+|Error message | Possible reason
+|:-|:-|
+| `ValidateMapsConnection failed (800106BA) or 0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again. <br> **Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
+| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
+| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
+
+## See also
+
+- [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
+- [Manage Microsoft Defender Antivirus in your business](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
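Review bot: the `-Scan` row of the command table lists the ScanType values as `-1 Quick scan, -2 Full scan, -3 File and directory custom scan`, but the syntax column and the example above it (`MpCmdRun.exe -Scan -ScanType 2`) use plain `1`, `2`, `3`; the leading dashes look like list markers that were flattened into the text and will send readers to negative values. Also in this hunk: `**MpCmdRun**` inside backticks in the note renders with literal asterisks; the two error rows `hr=0x80508015` and `hr=800722F0D` are missing their closing parenthesis, and `800722F0D` has nine hex digits, which is not a valid HRESULT, so that value should be checked against the source; and the last two See also entries point at the same file (`configuration-management-reference-microsoft-defender-antivirus.md`) under two different titles.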
security Common Exclusion Mistakes Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus.md
+
+ Title: Common mistakes to avoid when defining exclusions
+description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans.
+keywords: exclusions, files, extension, file type, folder name, file name, scans
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Common mistakes to avoid when defining exclusions
++
+You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
+
+This article describes some common mistake that you should avoid when defining exclusions.
+
+Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
+
+## Excluding certain trusted items
+
+Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious.
+
+Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table:
+
+| Folder locations | File extensions | Processes |
+|:--|:--|:--|
+| `%systemdrive%` <br/> `C:`<br/> `C:\` <br/> `C:\*` <br/> `%ProgramFiles%\Java` <br/> `C:\Program Files\Java` <br/> `%ProgramFiles%\Contoso\` <br/> `C:\Program Files\Contoso\` <br/> `%ProgramFiles(x86)%\Contoso\` <br/> `C:\Program Files (x86)\Contoso\` <br/> `C:\Temp` <br/> `C:\Temp\` <br/> `C:\Temp\*` <br/> `C:\Users\` <br/> `C:\Users\*` <br/> `C:\Users\<UserProfileName>\AppData\Local\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\LocalLow\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\Roaming\Temp\` <br/> `%Windir%\Prefetch` <br/> `C:\Windows\Prefetch` <br/> `C:\Windows\Prefetch\` <br/> `C:\Windows\Prefetch\*` <br/> `%Windir%\System32\Spool` <br/> `C:\Windows\System32\Spool` <br/> `C:\Windows\System32\CatRoot2` <br/> `%Windir%\Temp` <br/> `C:\Windows\Temp` <br/> `C:\Windows\Temp\` <br/> `C:\Windows\Temp\*` | `.7z` <br/> `.bat` <br/> `.bin` <br/> `.cab` <br/> `.cmd` <br/> `.com` <br/> `.cpl` <br/> `.dll` <br/> `.exe` <br/> `.fla` <br/> `.gif` <br/> `.gz` <br/> `.hta` <br/> `.inf` <br/> `.java` <br/> `.jar` <br/> `.job` <br/> `.jpeg` <br/> `.jpg` <br/> `.js` <br/> `.ko` <br/> `.ko.gz` <br/> `.msi` <br/> `.ocx` <br/> `.png` <br/> `.ps1` <br/> `.py` <br/> `.rar` <br/> `.reg` <br/> `.scr` <br/> `.sys` <br/> `.tar` <br/> `.tmp` <br/> `.url` <br/> `.vbe` <br/> `.vbs` <br/> `.wsf` <br/> `.zip` | `AcroRd32.exe` <br/> `bitsadmin.exe` <br/> `excel.exe` <br/> `iexplore.exe` <br/> `java.exe` <br/> `outlook.exe` <br/> `psexec.exe` <br/> `powerpnt.exe` <br/> `powershell.exe` <br/> `schtasks.exe` <br/> `svchost.exe` <br/>`wmic.exe` <br/> `winword.exe` <br/> `wuauclt.exe` <br/> `addinprocess.exe` <br/> `addinprocess32.exe` <br/> `addinutil.exe` <br/> `bash.exe` <br/> `bginfo.exe`[1] <br/>`cdb.exe` <br/> `csi.exe` <br/> `dbghost.exe` <br/> `dbgsvc.exe` <br/> `dnx.exe` <br/> `fsi.exe` <br/> `fsiAnyCpu.exe` <br/> `kd.exe` <br/> `ntkd.exe` <br/> `lxssmanager.dll` <br/> `msbuild.exe`[2] <br/> `mshta.exe` <br/> `ntsd.exe` <br/> `rcsi.exe` <br/> `system.management.automation.dll` 
<br/> `windbg.exe` |
+
+> [!NOTE]
+> You can choose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
+
+## Using just the file name in the exclusion list
+
+A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`.
+
+## Using a single exclusion list for multiple server workloads
+
+Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
+
+## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
+
+Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
+
+See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
+
+## Related articles
+
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
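Review bot: The process-exclusions cell of the table is split across two lines (the row ends at `system.management.automation.dll` and `<br/> `windbg.exe` |` begins a new line), which breaks the Markdown table row; join the whole row onto one line. In the same hunk, the note under the table reads "a modern, up-to-date software" and the next section opens with "A malware may have the same name", both treating mass nouns as countable; suggest "modern, up-to-date software" and "Malware may have the same name as a file that you trust". The `[1]` and `[2]` markers on `bginfo.exe` and `msbuild.exe` only make sense if the matching footnotes are defined elsewhere in the article, so confirm they survive in the rendered page.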
security Configuration Management Reference Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md
+
+ Title: Manage Windows Defender in your business
+description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
+keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 12/16/2020++
+ms.technology: mde
++
+# Manage Microsoft Defender Antivirus in your business
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can manage and configure Microsoft Defender Antivirus with the following tools:
+
+- [Microsoft Intune](/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager)
+- [Microsoft Endpoint Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager)
+- [Group Policy](./use-group-policy-microsoft-defender-antivirus.md)
+- [PowerShell cmdlets](./use-powershell-cmdlets-microsoft-defender-antivirus.md)
+- [Windows Management Instrumentation (WMI)](./use-wmi-microsoft-defender-antivirus.md)
+- The [Microsoft Malware Protection Command Line Utility](./command-line-arguments-microsoft-defender-antivirus.md) (referred to as the *mpcmdrun.exe* utility
+
+The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
+
+| Article | Description |
+|:|:|
+|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus |
+|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates |
+|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters |
+|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
+|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |
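Review bot: The last bullet of the tools list is missing its closing parenthesis: `(referred to as the *mpcmdrun.exe* utility` should end with `utility)`. The table's alignment row `|:|:|` contains no dashes; Markdown needs at least `---` per column, so use `|:---|:---|` or the rows will not render as a table. The front matter title "Manage Windows Defender in your business" still uses the old product name while the H1 says Microsoft Defender Antivirus; align the two so search results and the page heading match.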
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
+
+ Title: Configure scanning options for Microsoft Defender AV
+description: You can configure Microsoft Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
+keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Configure Microsoft Defender Antivirus scanning options
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+## Use Microsoft Intune to configure scanning options
+
+See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
+
+## Use Microsoft Endpoint Manager to configure scanning options
+
+See [How to create and deploy antimalware policies: Scan settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch).
+
+## Use Group Policy to configure scanning options
+
+To configure the Group Policy settings described in the following table:
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+
+4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
+|||
+Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
+Scan [reparse points](/windows/win32/fileio/reparse-points) | Scan > Turn on reparse point scanning | Disabled | Not available
+Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
+Scan packed executables | Scan > Scan packed executables | Enabled | Not available
+Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
+Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
+ Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
+ Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
+ Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
+
+> [!NOTE]
+> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
+
+## Use PowerShell to configure scanning options
+
+See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+## Use WMI to configure scanning options
+
+For using WMI classes, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+
+<a id="ref1"></a>
+
+## Email scanning limitations
+
+Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
+
+- DBX
+- MBX
+- MIME
+
+PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
+
+If Microsoft Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
+
+- Email subject
+- Attachment name
+
+## Related topics
+
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
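Review bot: The settings table in the Group Policy section has a malformed alignment row (`|||` has no dashes and covers three columns for a four-column header), so it will not render; use `|---|---|---|---|`. The first row runs text and link together ("Email scanning See [Email scanning limitations](#ref1)"); add a period or parentheses before "See". The "maximum size of archive files" row contradicts itself: the description says "The default, **0**, applies no limit" while the default column says "No limit"; pick one representation. The note after the table says a device with real-time protection on "will also include network shares", yet the "Scan files on the network" row defaults to Disabled; state which scan type each statement applies to so readers do not read them as conflicting. The email section says "Windows Defender cannot remediate threats detected inside PST files" where the rest of the page says Microsoft Defender Antivirus.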
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
+
+ Title: Enable block at first sight to detect malware in seconds
+description: Turn on the block at first sight feature to detect and block malware within seconds.
+keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+++++ Last updated : 10/22/2020
+ms.technology: mde
++
+# Turn on block at first sight
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.
+
+You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](/windows/security/threat-protection//windows-defender-security-center/wdsc-customize-contact-information.md) when a file is blocked. You can change the company name, contact information, and message URL.
+
+>[!TIP]
+>Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
+
+## How it works
+
+When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.
+
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
+
+In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
+
+Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file.
+
+If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
+
+In many cases, this process can reduce the response time for new malware from hours to seconds.
+
+## Turn on block at first sight with Microsoft Intune
+
+> [!TIP]
+> Microsoft Intune is now part of Microsoft Endpoint Manager.
+
+1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**.
+
+2. Select or create a profile using the **Device restrictions** profile type.
+
+3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**:
+
+ - **Cloud-delivered protection**: Enabled
+ - **File Blocking Level**: High
+ - **Time extension for file scanning by the cloud**: 50
+ - **Prompt users before sample submission**: Send all data without prompting
+
+ ![Intune config](images/defender/intune-block-at-first-sight.png)
+
+4. Save your settings.
+
+> [!TIP]
+> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](./restore-quarantined-files-microsoft-defender-antivirus.md).
+> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).
+> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
+
+## Turn on block at first sight with Microsoft Endpoint Manager
+
+> [!TIP]
+> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager.
+
+1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**.
+
+2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type.
+
+3. Set or confirm the following configuration settings:
+
+ - **Turn on cloud-delivered protection**: Yes
+ - **Cloud-delivered protection level**: High
+ - **Defender Cloud Extended Timeout in Seconds**: 50
+
+ :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager":::
+
+4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**.
+
+## Turn on block at first sight with Group Policy
+
+> [!NOTE]
+> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
+
+2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**.
+
+3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**.
+
+ > [!IMPORTANT]
+ > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
+
+4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**.
+
+5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered.
+
+## Confirm block at first sight is enabled on individual clients
+
+You can confirm that block at first sight is enabled on individual clients using Windows security settings.
+
+Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
+
+1. Open the Windows Security app.
+
+2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
+
+ ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
+
+3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
+
+> [!NOTE]
+> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints.
+> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+
+## Validate block at first sight is working
+
+To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
+
+## Turn off block at first sight
+
+> [!CAUTION]
+> Turning off block at first sight will lower the protection state of your device(s) and your network.
+
+You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently.
+
+### Turn off block at first sight with Microsoft Endpoint Manager
+
+1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy.
+
+3. Under **Manage**, choose **Properties**.
+
+4. Next to **Configuration settings**, choose **Edit**.
+
+5. Change one or more of the following settings:
+
+ - Set **Turn on cloud-delivered protection** to **No** or **Not configured**.
+ - Set **Cloud-delivered protection level** to **Not configured**.
+ - Clear the **Defender Cloud Extended Timeout In Seconds** box.
+
+6. Review and save your settings.
+
+### Turn off block at first sight with Group Policy
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and then click **Edit**.
+
+2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
+
+4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
+
+ > [!NOTE]
+ > Disabling block at first sight does not disable or alter the prerequisite group policies.
+
+## See also
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
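Review bot: In the Group Policy procedure, the IMPORTANT callout about **Always prompt (0)** and **Never send (2)** sits under step 3 (the 'Block at First Sight' setting), but those values belong to the **Send file samples when further analysis is required** setting configured in step 4; move the callout under step 4. The link for customizing the user-facing message, `/windows/security/threat-protection//windows-defender-security-center/wdsc-customize-contact-information.md`, has a doubled slash and keeps a `.md` suffix on a site-absolute path, unlike the other absolute links in this hunk. In "How it works", the text first says block at first sight covers non-portable executable files such as JS and VBS and then says "A hash value of the .exe file is checked"; "of the file" would cover both cases. The "Confirm" section says block at first sight is automatically enabled when cloud-delivered protection and automatic sample submission are on, while the intro also lists the sample submission timeout and file-blocking level as prerequisites; say which settings are strictly required. Grammar: "whether the files are malicious or not a threat" (singular "file"), and "You might do temporarily turn block at first sight off" (drop "do"). Formatting: the engines image line needs a blank line before it to render as its own block, and the two "See also" bullets are separated by a blank line, which renders them as two lists.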
security Configure Cloud Block Timeout Period Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+
+ Title: Configure the Microsoft Defender Antivirus cloud block timeout period
+description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Configure the cloud block timeout period
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](cloud-protection-microsoft-defender-antivirus.md).
+
+The default period that the file will be [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
+
+## Prerequisites to use the extended cloud block timeout
+
+[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
+
+## Specify the extended timeout period
+
+You can use Group Policy to specify an extended timeout for cloud checks.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**
+
+4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
+
+5. Click **OK**.
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Use next-generation antivirus technologies through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
+- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
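Review bot: Step 3 ("Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**") is missing its terminal period, unlike the other steps. The page documents the extended timeout only through Group Policy, while the block-at-first-sight article in this same commit sets a value named "Time extension for file scanning by the cloud" (Intune) and "Defender Cloud Extended Timeout in Seconds" (Endpoint Manager) to 50; a sentence pointing at those settings, and stating whether the value entered there is likewise added to the default 10 seconds, would keep the two pages consistent.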
security Configure End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-end-user-interaction-microsoft-defender-antivirus.md
+
+ Title: Configure how users can interact with Microsoft Defender AV
+description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings.
+keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Configure end-user interaction with Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
+
+This includes whether they see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
+
+## In this section
+
+Topic | Description
+|
+[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
+[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) | Hide the user interface from users
+[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
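Review bot: The "In this section" table uses a bare `|` as its separator row, which is not a valid Markdown alignment row; use `|---|---|` (the header row `Topic | Description` also lacks the leading and trailing pipes used in the other tables in this commit). Minor: "globally-deployed" should not be hyphenated after an adverb ending in -ly.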
security Configure Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md
+
+ Title: Set up exclusions for Microsoft Defender AV scans
+description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Configure and validate exclusions for Microsoft Defender Antivirus scans
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
+
+## Configure and validate exclusions
+
+To configure and validate exclusions, see the following:
+
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
+
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
+
+## Recommendations for defining exclusions
+
+Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+The following is a list of recommendations that you should keep in mind when defining exclusions:
+
+- Exclusions are technically a protection gapΓÇöalways consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
+
+- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
+
+- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issuesΓÇömostly around performance, or sometimes around application compatibility that exclusions could mitigate.
+
+- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
+
+## Related articles
+
+- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
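Review bot: Two bullets in the recommendations list contain the mojibake sequence `ΓÇö` (a UTF-8 em dash re-read under a Windows code page): "protection gapΓÇöalways consider" and "specific issuesΓÇömostly around performance"; replace it with a real dash or a comma. In the first bullet, "is processed by an up-to-date software" should drop the article, and in the last bullet "provide answer with specific reasoning" needs one ("an answer"). The "Related articles" link text says "exclusions on Windows Server 2016" while the target `configure-server-exclusions-microsoft-defender-antivirus.md` and the automatic-exclusions note elsewhere in this commit refer to Windows Server 2016 and above; consider generalizing the link text.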
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+
+ Title: Configure and validate exclusions based on extension, name, or location
+description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
+keywords: exclusions, files, extension, file type, folder name, file name, scans
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Configure and validate exclusions based on file extension and folder location
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](/microsoft-365/security/defender-endpoint/manage-indicators).
+
+## Exclusion lists
+
+You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+
+> [!NOTE]
+> Exclusions apply to Potentially Unwanted Apps (PUA) detections as well.
+
+> [!NOTE]
+> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
+
+This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+
+| Exclusion | Examples | Exclusion list |
+|:|:|:|
+|Any file with a specific extension | All files with the specified extension, anywhere on the machine. <p> Valid syntax: `.test` and `test` | Extension exclusions |
+|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions |
+| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions |
+| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
+
+Exclusion lists have the following characteristics:
+
+- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
+- File extensions apply to any file name with the defined extension if a path or folder is not defined.
+
+> [!IMPORTANT]
+> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
+> - You cannot exclude mapped network drives. You must specify the actual network path.
+> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
+
+To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
+
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
+
+> [!IMPORTANT]
+> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> Changes made in the Windows Security app **will not show** in the Group Policy lists.
+
+By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
+
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+
+## Configure the list of exclusions based on folder name or file extension
+
+### Use Intune to configure file name, folder, or file extension exclusions
+
+See the following articles:
+- [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure)
+- [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus)
+
+### Use Configuration Manager to configure file name, folder, or file extension exclusions
+
+See [How to create and deploy antimalware policies: Exclusion settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
+
+### Use Group Policy to configure folder or file extension exclusions
+
+>[!NOTE]
+>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
+
+4. Open the **Path Exclusions** setting for editing, and add your exclusions.
+
+ 1. Set the option to **Enabled**.
+ 1. Under the **Options** section, click **Show**.
+ 1. Specify each folder on its own line under the **Value name** column.
+ 1. If you are specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name, and extension. Enter **0** in the **Value** column.
+
+5. Choose **OK**.
+
+6. Open the **Extension Exclusions** setting for editing and add your exclusions.
+
+ 1. Set the option to **Enabled**.
+ 1. Under the **Options** section, select **Show**.
+ 1. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
+
+7. Choose **OK**.
+
+<a id="ps"></a>
+
+### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions
+
+Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](/powershell/module/defender/).
+
+The format for the cmdlets is as follows:
+
+```PowerShell
+<cmdlet> -<exclusion list> "<item>"
+```
+
+The following are allowed as the `<cmdlet>`:
+
+| Configuration action | PowerShell cmdlet |
+|:|:|
+|Create or overwrite the list | `Set-MpPreference` |
+|Add to the list | `Add-MpPreference` |
+|Remove item from the list | `Remove-MpPreference` |
+
+The following are allowed as the `<exclusion list>`:
+
+| Exclusion type | PowerShell parameter |
+|:|:|
+| All files with a specified file extension | `-ExclusionExtension` |
+| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` |
+
+> [!IMPORTANT]
+> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+
+For example, the following code snippet would cause Microsoft Defender Antivirus scans to exclude any file with the `.test` file extension:
+
+```PowerShell
+Add-MpPreference -ExclusionExtension ".test"
+```
+
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
+
+### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions
+
+Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+ExclusionExtension
+ExclusionPath
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+
+<a id="man-tools"></a>
+
+### Use the Windows Security app to configure file name, folder, or file extension exclusions
+
+See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md) for instructions.
+
+<a id="wildcards"></a>
+
+## Use wildcards in the file name and folder path or extension exclusion lists
+
+You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
+
+> [!IMPORTANT]
+> There are key limitations and usage scenarios for these wildcards:
+> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
+> - You cannot use a wildcard in place of a drive letter.
+> - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
+
+The following table describes how the wildcards can be used and provides some examples.
++
+|Wildcard |Examples |
+|:|:|
+|`*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders and `C:\Serv\Secondary\Allowed\Backup` and its subfolders |
+|`?` (question mark) <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
+|Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
+
+
+> [!IMPORTANT]
+> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
+> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
+> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
+
+<a id="review"></a>
+
+### System environment variables
+
+The following table lists and describes the system account environment variables.
+
+| This system environment variable... | Redirects to this |
+|:--|:--|
+| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |
+| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` |
+| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` |
+| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` |
+| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
+| `%ProgramData%` | `C:\ProgramData` |
+| `%ProgramFiles%` | `C:\Program Files` |
+| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
+| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` |
+| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
+| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` |
+| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` |
+| `%SystemDrive%` | `C:` |
+| `%SystemDrive%\Program Files` | `C:\Program Files` |
+| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` |
+| `%SystemDrive%\Users` | `C:\Users` |
+| `%SystemDrive%\Users\Public` | `C:\Users\Public` |
+| `%SystemRoot%` | `C:\Windows` |
+| `%windir%` | `C:\Windows` |
+| `%windir%\Fonts` | `C:\Windows\Fonts` |
+| `%windir%\Resources` | `C:\Windows\Resources` |
+| `%windir%\resources\0409` | `C:\Windows\resources\0409` |
+| `%windir%\system32` | `C:\Windows\System32` |
+| `%ALLUSERSPROFILE%` | `C:\ProgramData` |
+| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` |
+| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` |
+| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` |
+| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` |
+| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` |
+| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` |
+| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` |
+| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` |
+| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs |
+| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` |
+| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` |
+| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` |
+| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` |
+| `%PUBLIC%` | `C:\Users\Public` |
+| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` |
+| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` |
+| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` |
+| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` |
+| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` |
+| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` |
+| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` |
+| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` |
+| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` |
+| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` |
+| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` |
+| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
+| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` |
+| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` |
++
+## Review the list of exclusions
+
+You can retrieve the items in the exclusion list using one of the following methods:
+- [Intune](/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+- [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies)
+- MpCmdRun
+- PowerShell
+- [Windows Security app](microsoft-defender-security-center-antivirus.md)
+
+>[!IMPORTANT]
+>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+>
+>Changes made in the Windows Security app **will not show** in the Group Policy lists.
+
+If you use PowerShell, you can retrieve the list in two ways:
+
+- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+### Validate the exclusion list by using MpCmdRun
+
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](./command-line-arguments-microsoft-defender-antivirus.md?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+
+```DOS
+Start, CMD (Run as admin)
+cd "%programdata%\microsoft\windows defender\platform"
+cd 4.18.1812.3 (Where 4.18.1812.3 is this month's MDAV "Platform Update".)
+MpCmdRun.exe -CheckExclusion -path <path>
+```
+
+>[!NOTE]
+>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
+
+### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
+
+Use the following cmdlet:
+
+```PowerShell
+Get-MpPreference
+```
+
+In the following example, the items contained in the `ExclusionExtension` list are highlighted:
+
+![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
+
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
+
+### Retrieve a specific exclusions list by using PowerShell
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionExtension
+$WDAVprefs.ExclusionPath
+```
+
+In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:
+
+![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
+
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
+
+<a id="validate"></a>
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
+
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.
+
+```PowerShell
+Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
+```
+
+If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
+
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+
+```PowerShell
+$client = new-object System.Net.WebClient
+$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
+```
+
+If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:
+
+```PowerShell
+[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
+```
+
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
+
+## Related topics
+
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
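Review bot: The first row of the "System environment variables" table contradicts both the rest of the table and the limitation stated above it: `| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |` shows a per-user profile path, while the IMPORTANT box says environment variable usage is limited to machine variables and those applicable to processes running as NT AUTHORITY\SYSTEM, and every other `%APPDATA%`, `%LOCALAPPDATA%` and `%USERPROFILE%` row resolves under `C:\Windows\System32\config\systemprofile`. An admin who excludes `%APPDATA%\...` expecting it to cover user profiles gets an exclusion on the SYSTEM profile instead; the row should read `C:\Windows\System32\config\systemprofile\AppData\Roaming`. In the same table, `%ProgramFiles%\Common Files` is listed twice and the `%ALLUSERSPROFILE%\Start Menu\Programs` row is missing its backticks.

In the wildcard table, both rows say "In **file name and file extension inclusions**"; these are exclusions, and the wrong word in the one place that explains matching semantics is easy to misread. "Use Windows Management Instruction (WMI)" should be "Windows Management Instrumentation".

The exclusion-type table row `| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |` excludes the executable as a file; it does not exclude files that process opens, which is the separate process-exclusion article linked just below the table. Label the row "A specific executable file" so readers do not assume a path exclusion covers process activity.

The IMPORTANT box about Group Policy changes showing in the Windows Security app (and the reverse not showing) appears twice, under "Exclusion lists" and again under "Review the list of exclusions"; keep one.

The MpCmdRun link carries a leaked `?branch=v-anbic-wdav-new-mpcmdrun-options` query string that should be dropped before publishing. The ```DOS block mixes instructions with commands ("Start, CMD (Run as admin)" and "cd 4.18.1812.3 (Where 4.18.1812.3 is this month's MDAV "Platform Update".)") and will not run as pasted; move the prose out of the fence and change to the platform folder directly, e.g. `cd /d "%ProgramData%\Microsoft\Windows Defender\Platform\<version>"`, with the version noted in the sentence above the block.

In the EICAR validation section, `[io.file]::WriteAllText("test.txt", ...)` resolves a relative file name against the process working directory, which PowerShell does not update when the reader changes location, so the file can be written outside the folder under test even after following "ensure you run the cmdlet within that path"; a detection there would be misread as the exclusion failing. Use a full path, or `(Join-Path $PWD 'test.txt')`, in that snippet. Both EICAR links are plain `http://`; link the HTTPS download instead, since readers are being asked to fetch a file that antivirus will act on.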
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
+
+ Title: Configure local overrides for Microsoft Defender AV settings
+description: Enable or disable users from locally changing settings in Microsoft Defender AV.
+keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 02/13/2020++
+ms.technology: mde
++
+# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
+
+For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
+
+## Configure local overrides for Microsoft Defender Antivirus settings
+
+The default setting for these policies is **Disabled**.
+
+If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](microsoft-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
+
+The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
+
+To configure these settings:
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+
+4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+5. Deploy the Group Policy Object as usual.
+
+Location | Setting | Article
+|||
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+
+<a id="merge-lists"></a>
+
+## Configure how locally and globally defined threat remediation and exclusions lists are merged
+
+You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-microsoft-defender-antivirus.md), [specified remediation lists](configure-remediation-microsoft-defender-antivirus.md), and [attack surface reduction](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
+
+By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
+
+You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
+
+### Use Group Policy to disable local list merging
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
+
+4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
+
+> [!NOTE]
+> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Allow a blocked app in Windows Security](https://support.microsoft.com/help/4046851/windows-10-allow-blocked-app-windows-security).
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
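Review bot: The override policies under "Configure local overrides for Microsoft Defender Antivirus settings" are configured under **Computer configuration**, so when Enabled they let any local administrator on the targeted endpoints change those settings, not only the "security researchers and threat investigators" the introduction names. The text should state that the GPO carrying these Enabled settings must be scoped (security filtering or a dedicated OU) to exactly those machines; as written, "users on endpoints can make changes to the associated setting" directly after the researcher-group example reads as if the policy were user-scoped. Under "Configure how locally and globally defined ... lists are merged", "You can disable this setting to ensure that only globally-defined lists ... are used" does not say which setting; name it as "Configure local administrator merge behavior for lists" set to **Disabled**, matching step 4, and note that the Disabled value is what turns merging off (the default, described two paragraphs earlier, is merging on).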
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
+
+ Title: Configure Microsoft Defender Antivirus features
+description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 11/18/2020++
+ms.technology: mde
++
+# Configure Microsoft Defender Antivirus features
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can configure Microsoft Defender Antivirus with a number of tools, including:
+
+- Microsoft Intune
+- Microsoft Endpoint Configuration Manager
+- Group Policy
+- PowerShell cmdlets
+- Windows Management Instrumentation (WMI)
+
+The following broad categories of features can be configured:
+
+- Cloud-delivered protection
+- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
+- How end users interact with the client on individual endpoints
+
+The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools).
+
+|Article |Description |
+|||
+|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. |
+|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. |
+|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. |
+
+> [!TIP]
+> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
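
Review bot: the metadata block at the top of this article is not valid front matter. The Title, description, keywords and ms.* lines have no opening or closing `---` delimiters, and the date comes through as `+++ Last updated : 11/18/2020++`, which is not a `key: value` entry like the lines around it, so the build will treat the whole block as body text. Suggest restoring the delimiters and putting the date in the same `key: value` form as the other metadata entries. The same pattern recurs in every article in this change.
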
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
+
+ Title: Configure and validate Microsoft Defender Antivirus network connections
+description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service.
+keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 12/28/2020++
+ms.technology: mde
++
+# Configure and validate Microsoft Defender Antivirus network connections
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
+
+This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
+
+See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity.
+
+>[!TIP]
+>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
+>
+>- Cloud-delivered protection
+>- Fast learning (including block at first sight)
+>- Potentially unwanted application blocking
+
+## Allow connections to the Microsoft Defender Antivirus cloud service
+
+The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it's highly recommended because it provides important protection against malware on your endpoints and across your network.
+
+>[!NOTE]
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it's called a cloud service, it's not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+
+See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+
+After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
+
+Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
+
+The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
++
+| **Service**| **Description** |**URL** |
+| :--: | :-- | :-- |
+| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
+| Microsoft Update Service (MU) <br/> Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/><br/> For details see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update)|
+|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` </br> `*.download.windowsupdate.com`</br> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
+| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus2eastprod.blob.core.windows.net` <br/> `ussus3eastprod.blob.core.windows.net` <br/> `ussus4eastprod.blob.core.windows.net` <br/> `wsus1eastprod.blob.core.windows.net` <br/> `wsus2eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `ussus2westprod.blob.core.windows.net` <br/> `ussus3westprod.blob.core.windows.net` <br/> `ussus4westprod.blob.core.windows.net` <br/> `wsus1westprod.blob.core.windows.net` <br/> `wsus2westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `wseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `wseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `wsuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `wsuk1westprod.blob.core.windows.net` |
+| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/` <br/> `http://www.microsoft.com/pkiops/certs` <br/> `http://crl.microsoft.com/pki/crl/products` <br/> `http://www.microsoft.com/pki/certs` |
+| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
+| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com` <br/> `settings-win.data.microsoft.com`|
+
+## Validate connections between your network and the cloud
+
+After allowing the URLs listed above, you can test if you're connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you're fully protected.
+
+**Use the cmdline tool to validate cloud-delivered protection:**
+
+Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
+
+```console
+"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
+```
+
+> [!NOTE]
+> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
+
+For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
+
+**Attempt to download a fake malware file from Microsoft:**
+
+You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.
+
+Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest).
+
+>[!NOTE]
+>This file is not an actual piece of malware. It's a fake file that is designed to test if you're properly connected to the cloud.
+
+If you're properly connected, you'll see a warning Microsoft Defender Antivirus notification.
+
+If you're using Microsoft Edge, you'll also see a notification message:
+
+![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png)
+
+A similar message occurs if you're using Internet Explorer:
+
+![Microsoft Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
+
+You'll also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
+
+ ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png)
+
+3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware.
+
+ > [!NOTE]
+ > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
+
+ The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md).
+
+## Related articles
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+
+- [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)
+
+- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
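
Review bot: in "Allow connections to the Microsoft Defender Antivirus cloud service", the sentence "computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services" names the wrong product; this article is about Microsoft Defender Antivirus cloud-delivered protection (MAPS), and Defender for Office 365 appears nowhere else in it. The guidance on `*.blob.core.windows.net` in the same two paragraphs is also contradictory: the reader is told not to exclude that URL from network inspection, then told to create allow rules "excluding the URL `*.blob.core.windows.net`", while the Malware submission storage row of the table lists twenty specific `*.blob.core.windows.net` hosts that must be reachable for sample submission. Suggest stating it once: allow the named submission hosts individually, and do not create a wildcard allow rule or inspection bypass for `*.blob.core.windows.net`, since the wildcard is far broader than the hosts the table names. Two smaller fixes: "Below mention URLs are using port 443 for communication" should read "The URLs below use TCP port 443", and that claim needs a qualifier because the Certificate Revocation List row lists `http://` URLs, which are plain HTTP rather than port 443; and the NOTE after the `-ValidateMapsConnection` command should give the administrator prompt instruction before the command rather than after it, since the command fails without it.
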
security Configure Notifications Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md
+
+ Title: Configure Microsoft Defender Antivirus notifications
+description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints.
+keywords: notifications, defender, antivirus, endpoint, management, admin
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Configure the notifications that appear on endpoints
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
+
+Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
+
+You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated.
+
+## Configure the additional notifications that appear on endpoints
+
+You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy.
+
+> [!NOTE]
+> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
+
+> [!IMPORTANT]
+> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
+
+**Use the Windows Security app to disable additional notifications:**
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+ ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
+
+3. Scroll to the **Notifications** section and click **Change notification settings**.
+
+4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
+
+**Use Group Policy to disable additional notifications:**
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Administrative templates**.
+
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Reporting**.
+
+5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+
+## Configure standard notifications on endpoints
+
+You can use Group Policy to:
+
+- Display additional, customized text on endpoints when the user needs to perform an action
+- Hide all notifications on endpoints
+- Hide reboot notifications on endpoints
+
+Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information.
+
+> [!NOTE]
+> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](/configmgr/protect/deploy-use/monitor-endpoint-protection).
+
+See [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) for instructions to add custom contact information to the notifications that users see on their machines.
+
+**Use Group Policy to hide notifications:**
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
+
+4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+
+**Use Group Policy to hide reboot notifications:**
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Administrative templates**.
+
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
+
+5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
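
Review bot: the closing sentence of the last step in both "Use Group Policy to hide notifications" and "Use Group Policy to hide reboot notifications" is copied from the enhanced-notifications procedure and is wrong for those settings. After enabling "Suppress all notifications" the text says "This will prevent additional notifications from appearing", but the setting hides all notifications, as the bullet "Hide all notifications on endpoints" says; after enabling "Suppresses reboot notifications" it should say reboot notifications. Because the IMPORTANT block earlier promises that turning off additional notifications keeps threat detection and remediation alerts, the "Suppress all notifications" procedure should say explicitly that those alerts are hidden as well, so an admin understands that users will get no local indication of a detection and that monitoring has to come from the central dashboard the NOTE above the procedure points to.
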
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+
+ Title: Configure exclusions for files opened by specific processes
+description: You can exclude files from scans if they have been opened by a specific process.
+keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Configure exclusions for files opened by processes
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+
+This article describes how to configure exclusion lists.
+
+## Examples of exclusions
+
+|Exclusion | Example |
+|||
+|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by: <br/>`c:\sample\test.exe`<br/>`d:\internal\files\test.exe` |
+|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:<br/>`c:\test\sample\test.exe`<br/>`c:\test\sample\test2.exe`<br/>`c:\test\sample\utility.exe` |
+|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` |
++
+When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
+
+The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
+
+Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
+
+You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
+
+You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
+
+By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
+
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+
+## Configure the list of exclusions for files opened by specified processes
+
+### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
+
+See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
+
+### Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans
+
+See [How to create and deploy antimalware policies: Exclusion settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
+
+### Use Group Policy to exclude files that have been opened by specified processes from scans
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
+
+4. Double-click **Process Exclusions** and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**.
+ 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
+
+5. Click **OK**.
+
+### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
+
+Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](/powershell/module/defender/).
+
+The format for the cmdlets is:
+
+```PowerShell
+<cmdlet> -ExclusionProcess "<item>"
+```
+
+The following are allowed as the \<cmdlet>:
+
+|Configuration action | PowerShell cmdlet |
+|||
+|Create or overwrite the list | `Set-MpPreference` |
+|Add to the list | `Add-MpPreference` |
+|Remove items from the list | `Remove-MpPreference` |
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+
+For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file that is opened by the specified process:
+
+```PowerShell
+Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
+```
+
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](/powershell/module/defender).
+
+### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
+
+Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+ExclusionProcess
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+
+### Use the Windows Security app to exclude files that have been opened by specified processes from scans
+
+See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md) for instructions.
+
+## Use wildcards in the process exclusion list
+
+The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
+
+In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list.
+
+The following table describes how the wildcards can be used in the process exclusion list:
+
+|Wildcard | Example use | Example matches |
+|:|:|:|
+|`*` (asterisk) <br/><br/> Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` |
+|Environment variables <br/><br/> The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` |
+
+## Review the list of exclusions
+
+You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](/intune/device-restrictions-configure), or the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+
+If you use PowerShell, you can retrieve the list in two ways:
+
+- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+### Validate the exclusion list by using MpCmdRun
+
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](./command-line-arguments-microsoft-defender-antivirus.md?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+
+```DOS
+MpCmdRun.exe -CheckExclusion -path <path>
+```
+
+> [!NOTE]
+> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
++
+### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
+
+Use the following cmdlet:
+
+```PowerShell
+Get-MpPreference
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Retrieve a specific exclusions list by using PowerShell
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionProcess
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+## Related articles
+
+- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
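
Review bot: the "Examples of exclusions" table should carry a warning about its first row. Specifying a bare file name such as `test.exe` excludes files opened by any process with that name in any location (the row's own examples are `c:\sample\test.exe` and `d:\internal\files\test.exe`), and the paragraph under the table states that files opened by an excluded process are not scanned by real-time protection no matter where they are. Taken together, any executable that adopts the excluded name has its file activity skipped by real-time protection, so the full-path form in the third row should be presented as the recommended one, with a pointer to "Common mistakes to avoid when defining exclusions" from Related articles. Smaller points: "Windows Management Instruction (WMI)" in the WMI heading should be "Instrumentation"; "see Manage antivirus with PowerShell cmdlets and ..." in the PowerShell section has lost its link; the mpcmdrun link in "Validate the exclusion list by using MpCmdRun" still carries a `?branch=v-anbic-wdav-new-mpcmdrun-options` query string from a working branch; and that section's only command, `MpCmdRun.exe -CheckExclusion -path <path>`, takes a file path, so it does not show how to confirm that a process entry is in effect, whereas the `$WDAVprefs.ExclusionProcess` snippet at the end of the article is the check that applies to this list.
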
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
+
+ Title: Enable and configure Microsoft Defender Antivirus protection features
+description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender AV.
+keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Configure behavioral, heuristic, and real-time protection
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Microsoft Defender Antivirus uses several methods to provide threat protection:
+
+- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
+- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
+- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
+
+You can configure how Microsoft Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
+
+This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
+
+See [Use next-gen Microsoft Defender Antivirus technologies through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Microsoft Defender Antivirus cloud-delivered protection.
+
+## In this section
+
+ Topic | Description
+|
+[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
+[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features
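
Review bot: the "In this section" table is malformed; the header separator line is a lone `|`, so the two rows below it will not render as a table. Suggest `|---|---|` (or the `|||` form the other articles in this change use). In the paragraph above it, "System Center Configuration Manage" is both truncated and the old product name; the rest of this change uses "Microsoft Endpoint Configuration Manager", and Microsoft Intune, listed as a configuration tool in "Configure Microsoft Defender Antivirus features", is missing from this list of tools.
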
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
+
+ Title: Enable and configure Microsoft Defender Antivirus protection capabilities
+description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
+keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
++ Last updated : 12/16/2019+++
+ms.technology: mde
++
+# Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
+
+These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
+
+## Enable and configure always-on protection in Group Policy
+
+You can use **Local Group Policy Editor** to enable and configure Microsoft Defender Antivirus always-on protection settings.
+
+To enable and configure always-on protection:
+
+1. Open **Local Group Policy Editor**. To do this:
+
+ 1. In your Windows 10 taskbar search box, type **gpedit**.
+
+ 1. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
+
+ ![GPEdit taskbar search result](images/gpedit-search.png)
+
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+
+3. Configure the Microsoft Defender Antivirus antimalware service policy settings. To do this:
+
+ 1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
+
+ | Setting | Description | Default setting |
+ |--||-|
+ | Allow antimalware service to startup with normal priority | You can lower the priority of the Microsoft Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
+ | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
+
+ 1. Configure the setting as appropriate, and click **OK**.
+
+ 1. Repeat the previous steps for each setting in the table.
+
+4. Configure the Microsoft Defender Antivirus real-time protection policy settings. To do this:
+
+ 1. In the **Microsoft Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Microsoft Defender Antivirus** tree on left pane, click **Real-time Protection**.
+
+ 1. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:
+
+ | Setting | Description | Default setting |
+ |--||-|
+ | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
+ | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
+ | Monitor file and program activity on your computer | The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
+ | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
+ | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
+ | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
+ | Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+ | Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+ | Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+ | Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+ | Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
+ | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
+
+ 1. Configure the setting as appropriate, and click **OK**.
+
+ 1. Repeat the previous steps for each setting in the table.
+
+5. Configure the Microsoft Defender Antivirus scanning policy setting. To do this:
+
+ 1. From the **Microsoft Defender Antivirus** tree on left pane, click **Scan**.
+
+ ![Microsoft Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
+
+ 1. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
+
+ | Setting | Description | Default setting |
+ |--||-|
+ | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity. | Enabled |
+
+ 1. Configure the setting as appropriate, and click **OK**.
+
+6. Close **Local Group Policy Editor**.
++
+## Disable real-time protection in Group Policy
+
+> [!WARNING]
+> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
+
+The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
+
+To disable real-time protection in Group policy:
+
+1. Open **Local Group Policy Editor**.
+
+ 1. In your Windows 10 taskbar search box, type **gpedit**.
+
+ 1. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
+
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
+
+3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
+
+ ![Turn off real-time protection](images/gpedit-turn-off-real-time-protection.png)
+
+4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
+
+ ![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
+
+5. Click **OK**.
+
+6. Close **Local Group Policy Editor**.
+
+## Related articles
+
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
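Review bot: All three settings tables in this article use the delimiter row `|--||-|`, whose empty middle cell is invalid in GitHub-flavored Markdown, so the tables will render as literal text; use `|---|---|---|` under each header. The first data row of the antimalware service table (`| Allow antimalware service to startup with normal priority | ... | Enabled`) is also missing its closing pipe, unlike the row below it. Separately, the description of "Turn on process scanning whenever real-time protection is enabled" says the setting is useful when real-time protection has been temporarily disabled, which reads as contradicting the setting's name; if the intended behaviour is that already-running processes are scanned once real-time protection is turned back on, a sentence saying so would remove the ambiguity.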
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
+
+ Title: Configure remediation for Microsoft Defender Antivirus detections
+description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+keywords: remediation, fix, remove, threats, quarantine, scan, restore
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 03/16/2021++
+ms.technology: mde
++
+# Configure remediation for Microsoft Defender Antivirus detections
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. You can configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.
+
+This article describes how to configure these settings by using Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](/intune/device-restrictions-configure).
+
+You can also use the [`Set-MpPreference` PowerShell cmdlet](/powershell/module/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) to configure these settings.
+
+## Configure remediation options
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**.
+
+4. Using the table below, select a location, and then edit the policy as needed.
+
+5. Select **OK**.
+
+|Location | Setting | Description | Default setting (if not configured) |
+|:|:|:|:|
+|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled|
+|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
+|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
+|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | 90 days |
+|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
+|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
+>
+> If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).
+>
+> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
+
+Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
+
+## See also
+
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+- [Configure end-user Microsoft Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
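Review bot: The delimiter row `|:|:|:|:|` under the remediation settings table is invalid GitHub-flavored Markdown (each cell needs at least one dash, for example `|:---|:---|:---|:---|`), so the whole table will render as plain text. Also, the closing sentence links to `scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed`; that fragment should be checked against the heading ids actually generated for the target article, since a non-matching anchor silently drops the reader at the top of the page.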
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
+
+ Title: Configure Microsoft Defender Antivirus exclusions on Windows Server
++
+description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions.
+keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++
+ms.technology: mde
Last updated : 02/10/2021++
+# Configure Microsoft Defender Antivirus exclusions on Windows Server
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+
+> [!NOTE]
+> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+
+In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+
+## A few points to keep in mind
+
+Keep the following important points in mind:
+
+- Custom exclusions take precedence over automatic exclusions.
+- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+- Custom and duplicate exclusions do not conflict with automatic exclusions.
+- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+
+## Opt out of automatic exclusions
+
+In Windows Server 2016 and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+
+> [!WARNING]
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles.
+
+Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+
+You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
+
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
+4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
+
+### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableAutoExclusions $true
+```
+
+To learn more, see the following resources:
+
+- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
+- [Use PowerShell with Microsoft Defender Antivirus](/powershell/module/defender/).
+
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
+
+Use the **Set** method of the [MSFT_MpPreference](/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
+
+```WMI
+DisableAutoExclusions
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+
+## List of automatic exclusions
+
+The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
+
+### Default exclusions for all roles
+
+This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
+
+> [!NOTE]
+> The default locations could be different than what's listed in this article.
+
+#### Windows "temp.edb" files
+
+- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
+- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
+
+#### Windows Update files or Automatic Update files
+
+- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
+- `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
+- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
+- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
+- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
+
+#### Windows Security files
+
+- `%windir%\Security\database\*.chk`
+- `%windir%\Security\database\*.edb`
+- `%windir%\Security\database\*.jrs`
+- `%windir%\Security\database\*.log`
+- `%windir%\Security\database\*.sdb`
+
+#### Group Policy files
+
+- `%allusersprofile%\NTUser.pol`
+- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
+- `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
+
+#### WINS files
+
+- `%systemroot%\System32\Wins\*\*.chk`
+- `%systemroot%\System32\Wins\*\*.log`
+- `%systemroot%\System32\Wins\*\*.mdb`
+- `%systemroot%\System32\LogFiles\`
+- `%systemroot%\SysWow64\LogFiles\`
+
+#### File Replication Service (FRS) exclusions
+
+- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
+
+ - `%windir%\Ntfrs\jet\sys\*\edb.chk`
+ - `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
+ - `%windir%\Ntfrs\jet\log\*\*.log`
+
+- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
+
+ - `%windir%\Ntfrs\*\Edb\*.log`
+
+- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
+
+ - `%systemroot%\Sysvol\*\Ntfrs_cmp*\`
+
+- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
+
+ - `%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\`
+
+- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
+
+ > [!NOTE]
+ > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
+
+ - `%systemdrive%\System Volume Information\DFSR\$db_normal$`
+ - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
+ - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
+ - `%systemdrive%\System Volume Information\DFSR\*.XML`
+ - `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
+ - `%systemdrive%\System Volume Information\DFSR\$db_clean$`
+ - `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
+ - `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
+ - `%systemdrive%\System Volume Information\DFSR\*.frx`
+ - `%systemdrive%\System Volume Information\DFSR\*.log`
+ - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
+ - `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
+
+#### Process exclusions
+
+- `%systemroot%\System32\dfsr.exe`
+- `%systemroot%\System32\dfsrs.exe`
+
+#### Hyper-V exclusions
+
+The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
+
+|File type exclusions |Folder exclusions | Process exclusions |
+|:--|:--|:--|
+| `*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe` |
+
+#### SYSVOL files
+
+- `%systemroot%\Sysvol\Domain\*.adm`
+- `%systemroot%\Sysvol\Domain\*.admx`
+- `%systemroot%\Sysvol\Domain\*.adml`
+- `%systemroot%\Sysvol\Domain\Registry.pol`
+- `%systemroot%\Sysvol\Domain\*.aas`
+- `%systemroot%\Sysvol\Domain\*.inf`
+- `%systemroot%\Sysvol\Domain\*Scripts.ini`
+- `%systemroot%\Sysvol\Domain\*.ins`
+- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
++
+### Active Directory exclusions
+
+This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
+
+#### NTDS database files
+
+The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
+
+- `%windir%\Ntds\ntds.dit`
+- `%windir%\Ntds\ntds.pat`
+
+#### The AD DS transaction log files
+
+The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
+
+- `%windir%\Ntds\EDB*.log`
+- `%windir%\Ntds\Res*.log`
+- `%windir%\Ntds\Edb*.jrs`
+- `%windir%\Ntds\Ntds*.pat`
+- `%windir%\Ntds\TEMP.edb`
+
+#### The NTDS working folder
+
+This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
+
+- `%windir%\Ntds\Temp.edb`
+- `%windir%\Ntds\Edb.chk`
+
+#### Process exclusions for AD DS and AD DS-related support files
+
+- `%systemroot%\System32\ntfrs.exe`
+- `%systemroot%\System32\lsass.exe`
+
+### DHCP Server exclusions
+
+This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
+
+- `%systemroot%\System32\DHCP\*\*.mdb`
+- `%systemroot%\System32\DHCP\*\*.pat`
+- `%systemroot%\System32\DHCP\*\*.log`
+- `%systemroot%\System32\DHCP\*\*.chk`
+- `%systemroot%\System32\DHCP\*\*.edb`
+
+### DNS Server exclusions
+
+This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
+
+#### File and folder exclusions for the DNS Server role
+
+- `%systemroot%\System32\Dns\*\*.log`
+- `%systemroot%\System32\Dns\*\*.dns`
+- `%systemroot%\System32\Dns\*\*.scc`
+- `%systemroot%\System32\Dns\*\BOOT`
+
+#### Process exclusions for the DNS Server role
+
+- `%systemroot%\System32\dns.exe`
+
+### File and Storage Services exclusions
+
+This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
+
+- `%SystemDrive%\ClusterStorage`
+- `%clusterserviceaccount%\Local Settings\Temp`
+- `%SystemDrive%\mscs`
+
+### Print Server exclusions
+
+This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
+
+#### File type exclusions
+
+- `*.shd`
+- `*.spl`
+
+#### Folder exclusions
+
+This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
+
+- `%system32%\spool\printers\*`
+
+#### Process exclusions
+
+- `spoolsv.exe`
+
+### Web Server exclusions
+
+This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
+
+#### Folder exclusions
+
+- `%SystemRoot%\IIS Temporary Compressed Files`
+- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
+- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
+- `%systemDrive%\inetpub\logs`
+- `%systemDrive%\inetpub\wwwroot`
+
+#### Process exclusions
+
+- `%SystemRoot%\system32\inetsrv\w3wp.exe`
+- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
+- `%SystemDrive%\PHP5433\php-cgi.exe`
+
+#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
+
+The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
+
+- `%systemroot%\Sysvol\Domain`
+- `%systemroot%\Sysvol_DFSR\Domain`
+
+The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`
+
+Exclude the following files from this folder and all its subfolders:
+
+- `*.adm`
+- `*.admx`
+- `*.adml`
+- `Registry.pol`
+- `Registry.tmp`
+- `*.aas`
+- `*.inf`
+- `Scripts.ini`
+- `*.ins`
+- `Oscfilter.ini`
+
+### Windows Server Update Services exclusions
+
+This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
+
+- `%systemroot%\WSUS\WSUSContent`
+- `%systemroot%\WSUS\UpdateServicesDBFiles`
+- `%systemroot%\SoftwareDistribution\Datastore`
+- `%systemroot%\SoftwareDistribution\Download`
+
+## See also
+
+- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
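Review bot: In the heading "Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019", "Instruction" should be "Instrumentation"; the acronym is expanded correctly elsewhere in this changeset. Further points in this file: the heading `Windows "temp.edb" files` is followed by the path `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`, so the heading and the path disagree on the file name and one of them needs correcting; the section "Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder" is a level-4 heading nested under "Web Server exclusions" although it concerns SYSVOL on domain controllers, so it belongs under "Active Directory exclusions" or as its own level-3 heading; the NOTE that automatic exclusions apply only to real-time protection scanning appears twice, once after the introduction and again as a bullet under "A few points to keep in mind", and one copy could go; and `using the information [here](...) .` has a stray space before the period and a non-descriptive link text, which the surrounding articles avoid by linking the article title.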
security Customize Run Review Remediate Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+
+ Title: Run and customize scheduled and on-demand scans
+description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
+
+## In this section
+
+Topic | Description
+|
+[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
+[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
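Review bot: the delimiter row under `Topic | Description` is a lone `|`, which Markdown does not accept as a table separator, so the whole "In this section" table renders as plain text; replace it with `---|---` (or the `|:--|:--|` form the companion copy of this article uses). The header cell should also read `Article` so the two copies of this page match.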
security Customize Run Review Remediate Scans Windows Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-windows-defender-antivirus.md
+
+ Title: Run and customize scheduled and on-demand scans
+description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
+
+## In this section
+
+| Article | Description |
+|:|:|
+|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning |
+|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning |
+|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder |
+|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans |
+|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app |
+|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app |
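Review bot: the delimiter row `|:|:|` is not a valid separator row, since an alignment cell needs at least one dash; use `|:--|:--|` or the table falls back to plain text. Apart from the `&` in the H1, this file is a word-for-word copy of customize-run-review-remediate-scans-microsoft-defender-antivirus.md in the hunk above; if this is the pre-rename path it should carry a redirect entry rather than a second full copy that will drift from the first.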
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
ms.sitesec: library
ms.pagetype: security
Previously updated : 04/08/2021
localization_priority: Normal
audience: ITPro
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
+
+ Title: Deploy, manage, and report on Microsoft Defender Antivirus
+description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
+keywords: deploy, manage, update, protection, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Deploy, manage, and report on Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
+
+Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
+
+However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Defender, or Group Policy Objects, which is described in the following table.
+
+You'll also see additional links for:
+
+- Managing Microsoft Defender Antivirus protection, including managing product and protection updates
+- Reporting on Microsoft Defender Antivirus protection
+
+> [!IMPORTANT]
+> In most cases, Windows 10 will disable Microsoft Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Microsoft Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Microsoft Defender Antivirus.
+
+Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
+|||
+Microsoft Intune|[Add endpoint protection settings in Intune](/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](/intune/device-restrictions-configure)| [Use the Intune console to manage devices](/intune/device-management)
+Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
+Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
+PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
+Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.
+
+1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
+
+2. <span id="fn2" />In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
+
+3. <span id="fn3" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Microsoft Defender Antivirus features](configure-notifications-microsoft-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
+
+[Endpoint Protection point site system role]: /configmgr/protect/deploy-use/endpoint-protection-site-role
+[default and customized antimalware policies]: /configmgr/protect/deploy-use/endpoint-antimalware-policies
+[client management]: /configmgr/core/clients/manage/manage-clients
+[enable Endpoint Protection with custom client settings]: /configmgr/protect/deploy-use/endpoint-protection-configure-client
+[Configuration Manager Monitoring workspace]: /configmgr/protect/deploy-use/monitor-endpoint-protection
+[email alerts]: /configmgr/protect/deploy-use/endpoint-configure-alerts
+[Deploy the Microsoft Intune client to endpoints]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune
+[custom Intune policy]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
+ [custom Intune policy]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
+[manage tasks]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection
+[Monitor endpoint protection in the Microsoft Intune administration console]: /intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection
+[Set method of the MSFT_MpPreference class]: /previous-versions/windows/desktop/defender/set-msft-mppreference
+[Update method of the MSFT_MpSignature class]: /previous-versions/windows/desktop/defender/set-msft-mppreference
+[MSFT_MpComputerStatus]: /previous-versions/windows/desktop/defender/msft-mpcomputerstatus
+[Windows Defender WMIv2 Provider]: /previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal
+[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
+[Update-MpSignature]: /powershell/module/defender/update-mpsignature
+[Get- cmdlets available in the Defender module]: /powershell/module/defender/
+[Configure update options for Microsoft Defender Antivirus]: manage-updates-baselines-microsoft-defender-antivirus.md
+[Configure Windows Defender features]: configure-microsoft-defender-antivirus-features.md
+[Group Policies to determine if any settings or policies are not applied]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771389(v=ws.11)
+[Possibly infected devices]: /azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
+[Microsoft Defender Antivirus events]: troubleshoot-microsoft-defender-antivirus.md
+
+## In this section
+
+Topic | Description
+|
+[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
+[Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) | There are two parts to updating Microsoft Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
+[Monitor and report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
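Review bot: the footnote back-links are wrong: footnotes 1 and 3 both end with `[(Return to table)](#ref2)`, and the table defines only `id="ref2"` (in the Deployment options header), so `[1](#fn1)` and `[3](#fn3)` have no `ref1`/`ref3` anchor to return to; add `<a href="#fn1" id="ref1">1</a>` and `<a href="#fn3" id="ref3">3</a>` in the table and point each footnote at its own id. Other fixes for this hunk: the delimiter row `|||` under the four-column tool table and the lone `|` under `Topic | Description` are not valid separator rows (use `---|---|---|---` and `---|---`); `[Update method of the MSFT_MpSignature class]` resolves to the same `set-msft-mppreference` URL as the Set method, which looks like a copy-paste slip; `[custom Intune policy]` is defined twice (the second with a leading space that may render literally) and none of the five Intune link definitions are referenced in the text; `[Set-MpPreference]` points at a technet `.md` URL while `[Update-MpSignature]` uses `/powershell/module/defender/`, so the two should match; and `Install Endpoint protection in Azure Defender*` carries a stray asterisk.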
security Deploy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus.md
+
+ Title: Deploy and enable Microsoft Defender Antivirus
+description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
+keywords: deploy, enable, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 01/06/2021++
+ms.technology: mde
++
+# Deploy and enable Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection.
+
+See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
+
+Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
+
+The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
+
+## Related articles
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
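Review bot: "Windows Management Instruction (WMI)" should be "Windows Management Instrumentation (WMI)", as the parent article spells it. The cross-reference `deploy-manage-report-microsoft-defender-antivirus.md#ref2` targets the footnote return anchor inside a table header cell rather than a heading; linking to the article itself or to a heading anchor survives edits to that table.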
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
+
+ Title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment guide
+description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
+keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++ Last updated : 12/28/2020++
+ms.technology: mde
++
+# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
+
+See [Windows Virtual Desktop Documentation](/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
+
+For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](/azure/security-center/security-center-install-endpoint-protection).
+
+With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
+
+This guide describes how to configure your VMs for optimal protection and performance, including how to:
+
+- [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share)
+- [Randomize scheduled scans](#randomize-scheduled-scans)
+- [Use quick scans](#use-quick-scans)
+- [Prevent notifications](#prevent-notifications)
+- [Disable scans from occurring after every update](#disable-scans-after-an-update)
+- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
+- [Apply exclusions](#exclusions)
+
+You can also download the whitepaper [Microsoft Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
+
+> [!IMPORTANT]
+> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.<br/>There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
+
+## Set up a dedicated VDI file share
+
+In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machineΓÇöthus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.
+
+### Use Group Policy to enable the shared security intelligence feature:
+
+1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+
+5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
+
+6. Enter `\\<sharedlocation\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
+
+7. Click **OK**.
+
+8. Deploy the GPO to the VMs you want to test.
+
+### Use PowerShell to enable the shared security intelligence feature
+
+Use the following cmdlet to enable the feature. YouΓÇÖll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
+
+```PowerShell
+Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update
+```
+
+See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \<shared location\> will be.
+
+## Download and unpackage the latest updates
+
+Now you can get started on downloading and installing new updates. WeΓÇÖve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if youΓÇÖre familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts).
+
+```PowerShell
+$vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-"
+$vdmpathtime = Get-Date -format "yMMddHHmmss"
+$vdmpath = $vdmpathbase + $vdmpathtime + '}'
+$vdmpackage = $vdmpath + '\mpam-fe.exe'
+
+New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null
+
+Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage
+
+cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"
+```
+
+You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update.
+We suggest starting with once a dayΓÇöbut you should experiment with increasing or decreasing the frequency to understand the impact.
+
+Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isnΓÇÖt advised because it will increase the network overhead on your management machine for no benefit.
+
+### Set a scheduled task to run the PowerShell script
+
+1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
+
+2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**.
+
+3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**.
+
+4. You can choose to configure additional settings if you wish.
+
+5. Select **OK** to save the scheduled task.
+
+You can initiate the update manually by right-clicking on the task and clicking **Run**.
+
+### Download and unpackage manually
+
+If you would prefer to do everything manually, here's what to do to replicate the scriptΓÇÖs behavior:
+
+1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`.
+
+2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
+
+Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
+
+ > [!NOTE]
+ > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
+
+3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions) into the GUID folder. The file should be named `mpam-fe.exe`.
+
+4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`.
+
+ > [!NOTE]
+ > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
+
+## Randomize scheduled scans
+
+Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
+
+The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan.
+
+See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans.
+
+## Use quick scans
+
+You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy.
+
+1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
+
+2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting.
+
+3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**.
+
+4. Select **OK**.
+
+5. Deploy your Group Policy object as you usually do.
+
+## Prevent notifications
+
+Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy.
+
+1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
+
+2. Select **Suppress all notifications** and then edit the policy settings.
+
+3. Set the policy to **Enabled**, and then select **OK**.
+
+4. Deploy your Group Policy object as you usually do.
+
+Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+> [!TIP]
+> To open the Action Center on Windows 10, take one of the following steps:
+> - On the right end of the taskbar, select the Action Center icon.
+> - Press the Windows logo key button + A.
+> - On a touchscreen device, swipe in from the right edge of the screen.
+
+## Disable scans after an update
+
+Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
+
+> [!IMPORTANT]
+> Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
+
+1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+
+2. Select **Turn on scan after security intelligence update** and then edit the policy setting.
+
+3. Set the policy to **Disabled**.
+
+4. Select **OK**.
+
+5. Deploy your Group Policy object as you usually do.
+
+This policy prevents a scan from running immediately after an update.
+
+## Scan VMs that have been offline
+
+1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
+
+2. Select **Turn on catch-up quick scan** and then edit the policy setting.
+
+3. Set the policy to **Enabled**.
+
+4. Select **OK**.
+
+5. Deploy your Group Policy Object as you usually do.
+
+This policy forces a scan if the VM has missed two or more consecutive scheduled scans.
+
+## Enable headless UI mode
+
+1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
+
+2. Select **Enable headless UI mode** and edit the policy.
+
+3. Set the policy to **Enabled**.
+
+4. Click **OK**.
+
+5. Deploy your Group Policy Object as you usually do.
+
+This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization.
+
+## Exclusions
+
+Exclusions can be added, removed, or customized to suit your needs.
+
+For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md).
+
+## Additional resources
+
+- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633)
+- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
+- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4)
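Review bot: the sample script downloads `mpam-fe.exe` with `Invoke-WebRequest` and immediately executes it (`mpam-fe.exe /x`) from a scheduled task started with `-ExecutionPolicy Bypass`, with no check that the download completed or that the file is the signed Microsoft package; add a `Get-AuthenticodeSignature` check (status `Valid`, Microsoft as signer) and abort before the extraction step on failure, because whatever lands in that folder is what every VM then loads as security intelligence. For the same reason the guide should state that write access to the `\\<sharedlocation>\wdav-update` share is limited to the account that runs the task. Smaller points: the folder is `wdav-update` in the script and in the scheduled-task arguments but `wdav_update` in the manual steps; the script writes to `$env:systemdrive\wdav-update` while the policies point VMs at `\\<sharedlocation\>\wdav-update`, and the text never says that this local folder must be the one shared under that name (the placeholder is also spelled `<sharedlocation\>` in the GPO step and `<shared location>` in the PowerShell step); `cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"` hardcodes `c:` although the path is built from `$env:systemdrive`, and `Set-Location $vdmpath` followed by `.\mpam-fe.exe /x` avoids that; `Get-Date -format "yMMddHHmmss"` only yields the 12 digits the note under the manual steps describes because `y` happens to produce two digits for the current year, so `yyMMddHHmmss` is the stable form; the scheduled task expects the script at `c:\wdav-update\vdmdlunpack.ps1` but that file name is never given where the script is introduced; and the file was saved in the wrong encoding (`ΓÇö` and `ΓÇÖ` stand in for the dash and apostrophe in several sentences), "saving previous CPU" should be "precious", and "go to to" under "Scan VMs that have been offline" is doubled.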
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+
+ Title: Block potentially unwanted applications with Microsoft Defender Antivirus
+description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
+keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: detect
+ms.sitesec: library
+ms.localizationpriority: high
+++
+audience: ITPro
++
+ms.technology: mde
++
+# Detect and block potentially unwanted applications
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- [Microsoft Edge](/microsoft-edge/deploy/microsoft-edge)
+
+> [!NOTE]
+> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices.
+
+Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior.
+
+Here are some examples:
+
+- **Advertising software** that displays advertisements or promotions, including software that inserts advertisements to webpages.
+- **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
+- **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
+
+> [!TIP]
+> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](/windows/security/threat-protection/intelligence/criteria).
+
+Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016.
+
+## Microsoft Edge
+
+The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-know-microsoft-edge-3f4bb0ff-58de-2188-55c0-f560b7e20bea), which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview).
+
+### Enable PUA protection in Chromium-based Microsoft Edge
+
+Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.
+
+1. Select the ellipses, and then choose **Settings**.
+2. Select **Privacy, search, and services**.
+3. Under the **Security** section, turn on **Block potentially unwanted apps**.
+
+> [!TIP]
+> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/).
+
+### Blocking URLs with Microsoft Defender SmartScreen
+
+In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
+
+Security admins can [configure](/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
+
+Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](/microsoft-365/security/defender-endpoint/manage-indicators) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
+
+## Microsoft Defender Antivirus
+
+The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network.
+
+> [!NOTE]
+> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016.
+
+Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content.
+
+The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md).
+
+### Configure PUA protection in Microsoft Defender Antivirus
+
+You can enable PUA protection with [Microsoft Intune](/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](/powershell/module/defender/?preserve-view=true&view=win10-ps).
+
+You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.
+
+> [!TIP]
+> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action.
+
+PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
+
+#### Use Intune to configure PUA protection
+
+See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
+
+#### Use Configuration Manager to configure PUA protection
+
+PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch).
+
+See [How to create and deploy antimalware policies: Scheduled scans settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Manager (Current Branch).
+
+For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#BKMK_PUA).
+
+> [!NOTE]
+> PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
+
+#### Use Group Policy to configure PUA protection
+
+1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
+
+2. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
+
+3. Select the Group Policy Object you want to configure, and then choose **Edit**.
+
+4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
+
+5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**.
+
+6. Double-click **Configure detection for potentially unwanted applications**.
+
+7. Select **Enabled** to enable PUA protection.
+
+8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**.
+
+9. Deploy your Group Policy object as you usually do.
+
+#### Use PowerShell cmdlets to configure PUA protection
+
+##### To enable PUA protection
+
+```PowerShell
+Set-MpPreference -PUAProtection Enabled
+```
+
+Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled.
+
+##### To set PUA protection to audit mode
+
+```PowerShell
+Set-MpPreference -PUAProtection AuditMode
+```
+
+Setting `AuditMode` detects PUAs without blocking them.
+
+##### To disable PUA protection
+
+We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
+
+```PowerShell
+Set-MpPreference -PUAProtection Disabled
+```
+
+Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled.
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+## View PUA events
+
+PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
+
+```console
+CategoryID : 27
+DidThreatExecute : False
+IsActive : False
+Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/
+ fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
+RollupStatus : 33
+SchemaVersion : 1.0.0.0
+SeverityID : 1
+ThreatID : 213927
+ThreatName : PUA:Win32/InstallCore
+TypeID : 0
+PSComputerName :
+```
+
+You can turn on email notifications to receive mail about PUA detections.
+
+See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
+
+## Excluding files
+
+Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.
+
+For more information, see [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
+
+## See also
+
+- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
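Review bot: under "Use Configuration Manager to configure PUA protection", the link text reads "Scheduled scans settings" while the anchor is `#real-time-protection-settings`; the text and the anchor disagree, so one of them should be corrected so that the reader lands on the section the sentence names. Two smaller points: the "Group Policy" link in "Configure PUA protection in Microsoft Defender Antivirus" points at `/azure/active-directory-domain-services/manage-group-policy`, which is the Azure AD Domain Services article rather than a general Group Policy reference, and "You can turn on email notifications to receive mail about PUA detections" under "View PUA events" gives neither a link nor a setting name, so a reader cannot act on it.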
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
+
+ Title: Turn on cloud-delivered protection in Microsoft Defender Antivirus
+description: Turn on cloud-delivered protection to benefit from fast and advanced protection features.
+keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
++ Last updated : 11/13/2020+++
+ms.technology: mde
++
+# Turn on cloud-delivered protection
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+> [!NOTE]
+> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
+
+You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways:
+
+- Microsoft Intune
+- Microsoft Endpoint Configuration Manager
+- Group Policy
+- PowerShell cmdlets.
+
+ You can also turn it on or off in individual clients with the Windows Security app.
+
+See [Use Microsoft cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection.
+
+For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md).
+
+> [!NOTE]
+> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839).
+
+## Use Intune to turn on cloud-delivered protection
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. On the **Home** pane, select **Device configuration > Profiles**.
+3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).
+4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**.
+5. On the **Cloud-delivered protection** switch, select **Enable**.
+6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**.
+
+For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles)
+
+## Use Microsoft Endpoint Manager to turn on cloud-delivered protection
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. Choose **Endpoint security** > **Antivirus**.
+3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).
+4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
+5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
+ 1. **High**: Applies a strong level of detection.
+ 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
+ 3. **Zero tolerance**: Blocks all unknown executables.
+6. Select **Review + save**, then choose **Save**.
+
+For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service).
+
+## Use Group Policy to turn on cloud-delivered protection
+
+1. On your Group Policy management device, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
+
+2. In the **Group Policy Management Editor**, go to **Computer configuration**.
+
+3. Select **Administrative templates**.
+
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS**
+
+5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
+
+6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either:
+
+ 1. **Send safe samples** (1)
+ 2. **Send all samples** (3)
+
+ >[!NOTE]
+ > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
+ > [!WARNING]
+ > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
+
+7. Select **OK**.
+
+## Use PowerShell cmdlets to turn on cloud-delivered protection
+
+The following cmdlets can turn on cloud-delivered protection:
+
+```PowerShell
+Set-MpPreference -MAPSReporting Advanced
+Set-MpPreference -SubmitSamplesConsent SendAllSamples
+```
+
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/). [Policy CSP - Defender](/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
+
+>[!NOTE]
+> You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+
+>[!WARNING]
+> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
+
+## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/defender/set-msft-mppreference) class for the following properties:
+
+```WMI
+MAPSReporting
+SubmitSamplesConsent
+```
+
+For more information about allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+
+## Turn on cloud-delivered protection on individual clients with the Windows Security app
+
+> [!NOTE]
+> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+
+1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+ ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
+
+3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
+
+> [!NOTE]
+> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
+
+## Related articles
+
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
+- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+- [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
+- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
+- [Defender cmdlets](/powershell/module/defender/)
+- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
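Review bot: step 3 of "Use Microsoft Endpoint Manager to turn on cloud-delivered protection" opens a parenthesis that is never closed ("(If you don't have one yet, or if you want to create a new profile, see [...]."), and the "Help secure Windows PCs with Endpoint Protection for Microsoft Intune" entry under "Related articles" carries a stray `]` after the closing parenthesis, which breaks the link when rendered. The same section's steps walk through the Endpoint Manager admin center at endpoint.microsoft.com, yet its closing sentence points to "configuring Microsoft Endpoint Configuration Manager" and the Configuration Manager antimalware-policy article; either the steps or the follow-up reference should change so that they describe the same product. Also, "Windows Management Instruction (WMI)" should read "Windows Management Instrumentation", and in the bulleted list under "You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways" only the last item ends with a period.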
security Evaluate Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus.md
+
+ Title: Evaluate Microsoft Defender Antivirus
+description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10.
+keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Evaluate Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
+
+>[!TIP]
+>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
+>- Cloud-delivered protection
+>- Fast learning (including Block at first sight)
+>- Potentially unwanted application blocking
+
+It explains the important next-generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
+
+You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
+
+The guide is available in PDF format for offline viewing:
+
+- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
+
+You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
+
+- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings)
+
+> [!IMPORTANT]
+> The guide is currently intended for single-machine evaluation of Microsoft Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment.
+>
+> For the latest recommendations for real-world deployment and monitoring of Microsoft Defender Antivirus across a network, see [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md).
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
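Review bot: "You can also download a PowerShell that will enable all the settings described in the guide automatically" is missing a noun; the rest of the sentence and the link call it a script, so write "a PowerShell script". The sentence "It explains the important next-generation protection features..." follows the TIP block, so its subject "It" no longer reads as "this guide"; opening with "This guide explains" keeps the reference clear.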
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
+
+ Title: Enable the limited periodic Microsoft Defender Antivirus scanning feature
+description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers
+keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++++
+# Use limited periodic scanning in Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
+
+It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
+
+**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.
+
+## How to enable limited periodic scanning
+
+By default, Microsoft Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly.
+
+If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device:
+
+![Windows Security app showing Microsoft Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png)
+
+If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options.
+
+Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning.
+
+Sliding the switch to **On** will show the standard Microsoft Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.
+
+## Related articles
+
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
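Review bot: the last two sentences of the paragraph beginning "Underneath any third party AV products" say the same thing twice: "Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning." Drop the second sentence or fold it into the first. "third party" appears twice as an adjective without a hyphen ("third party AV products", "third party AV product") where "third-party" is the form used elsewhere in these articles. The bold sentence "Microsoft does not recommend using this feature in enterprise environments" is the article's key message and would be more visible in the [!IMPORTANT] callout style the other articles in this commit use.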
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
+
+ Title: Apply Microsoft Defender Antivirus updates after certain events
+description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
+keywords: updates, protection, force updates, events, startup, check for latest, notifications
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/17/2018++
+ms.technology: mde
++
+# Manage event-based forced updates
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
+
+## Check for protection updates before running a scan
+
+You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.
+
+### Use Configuration Manager to check for protection updates before running a scan
+
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
+
+3. Click **OK**.
+
+4. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+### Use Group Policy to check for protection updates before running a scan
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
+
+5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
+
+6. Click **OK**.
+
+### Use PowerShell cmdlets to check for protection updates before running a scan
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -CheckForSignaturesBeforeRunningScan
+```
+
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/index).
+
+### Use Windows Management Instruction (WMI) to check for protection updates before running a scan
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+CheckForSignaturesBeforeRunningScan
+```
+
+For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+
+## Check for protection updates on startup
+
+You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+
+5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
+
+6. Click **OK**.
+
+You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it is not running.
+
+### Use Group Policy to download updates when Microsoft Defender Antivirus is not present
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. Using the **Group Policy Management Editor**, go to **Computer configuration**.
+
+3. Click **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+
+5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
+
+6. Click **OK**.
+
+### Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
+```
+
+For more information, see [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to download updates when Microsoft Defender Antivirus is not present
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+SignatureDisableUpdateOnStartupWithoutEngine
+```
+
+For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+
+<a id="cloud-report-updates"></a>
+
+## Allow ad hoc changes to protection based on cloud-delivered protection
+
+Microsoft Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.
+
+If you have enabled cloud-delivered protection, Microsoft Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender AV to automatically receive that protection update. Other important protection updates can also be applied.
+
+### Use Group Policy to automatically download recent updates based on cloud-delivered protection
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
+
+5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
+
+6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
+
+> [!NOTE]
+> **Allow notifications to disable definitions based reports** enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
+
+## See also
+
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
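Review bot: the two PowerShell examples in this hunk, `Set-MpPreference -CheckForSignaturesBeforeRunningScan` and `Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine`, are missing their arguments, and the second is inverted relative to its heading. Both parameters are Booleans, so the cmdlet as written stops with a missing-argument error; and because `SignatureDisableUpdateOnStartupWithoutEngine` is a *Disable* flag, the section titled "download updates when Microsoft Defender Antivirus is not present" needs `$false` to turn the behaviour on, not `$true`. Suggest `Set-MpPreference -CheckForSignaturesBeforeRunningScan $true` and `Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false`, with a one-line note on the inversion repeated under the WMI property of the same name. Smaller points: "Windows Management Instruction (WMI)" in both WMI headings should read "Windows Management Instrumentation", and step 6 of the MAPS procedure has lost its verb (it should read "Double-click **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**").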
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
+
+ Title: Apply Microsoft Defender AV protection updates to out of date endpoints
+description: Define when and how updates should be applied for endpoints that have not updated in a while.
+keywords: updates, protection, out-of-date, outdated, old, catch-up
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
+
+For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time.
+
+When the user returns to work and logs on to their PC, Microsoft Defender Antivirus will immediately check and download the latest protection updates, and run a scan.
+
+## Set up catch-up protection updates for endpoints that haven't updated for a while
+
+If Microsoft Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-microsoft-defender-antivirus.md).
+
+### Use Configuration Manager to configure catch-up protection updates
+
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2. Go to the **Security intelligence updates** section and configure the following settings:
+
+ 1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
+ 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order).
+
+3. Click **OK**.
+
+4. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+### Use Group Policy to enable and configure the catch-up update feature
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates**.
+
+5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to check for and download the latest protection update.
+
+6. Click **OK**.
+
+### Use PowerShell cmdlets to configure catch-up protection updates
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -SignatureUpdateCatchupInterval
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to configure catch-up protection updates
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+SignatureUpdateCatchupInterval
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
++
+## Set the number of days before protection is reported as out-of-date
+
+You can also specify the number of days after which Microsoft Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Microsoft Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-microsoft-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
+
+### Use Group Policy to specify the number of days before protection is considered out-of-date
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings:
+
+ 1. Double-click **Define the number of days before spyware definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider spyware Security intelligence to be out-of-date.
+
+ 2. Click **OK**.
+
+ 3. Double-click **Define the number of days before virus definitions are considered out of date** and set the option to **Enabled**. Enter the number of days after which you want Microsoft Defender AV to consider virus Security intelligence to be out-of-date.
+
+ 4. Click **OK**.
++
+## Set up catch-up scans for endpoints that have not been scanned for a while
+
+You can set the number of consecutive scheduled scans that can be missed before Microsoft Defender Antivirus will force a scan.
+
+The process for enabling this feature is:
+
+1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic).
+2. Enable the catch-up scan feature.
+3. Define the number of scans that can be skipped before a catch-up scan occurs.
+
+This feature can be enabled for both full and quick scans.
+
+### Use Group Policy to enable and configure the catch-up scan feature
+
+1. Ensure you have set up at least one scheduled scan.
+
+2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Scan** and configure the following settings:
+
+ 1. If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
+ 2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**.
+ 3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**.
+ 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic). Click **OK**.
+
+> [!NOTE]
+> The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
+
+### Use PowerShell cmdlets to configure catch-up scans
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableCatchupFullScan
+Set-MpPreference -DisableCatchupQuickScan
+
+```
+
+See [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to configure catch-up scans
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+DisableCatchupFullScan
+DisableCatchupQuickScan
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
++
+### Use Configuration Manager to configure catch-up scans
+
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**.
+
+3. Click **OK**.
+
+4. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+## Related articles
+
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
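Review bot: the catch-up-scan cmdlet block lists `Set-MpPreference -DisableCatchupFullScan` and `Set-MpPreference -DisableCatchupQuickScan` with no value, although the section is about enabling catch-up scans; both are Boolean parameters, and enabling the feature means setting them to `$false` (for example `Set-MpPreference -DisableCatchupQuickScan $false`). The same omission applies to `Set-MpPreference -SignatureUpdateCatchupInterval`, which takes the number of days as its argument, mirroring the Group Policy setting above it. Also in this hunk: the Group Policy path is given as **Windows components > Microsoft Defender Antivirus > Signature Updates**, whereas the companion article in this same commit uses **Security Intelligence Updates** and carries a note that the node was renamed in Windows 10 version 1903; that note belongs here too. The step list under "Use Group Policy to specify the number of days before protection is considered out-of-date" is numbered 1, 3, 4, 5; the Configuration Manager catch-up-scan step is missing "set" ("Go to the **Scheduled scans** section and set **Force a scan of the selected scan type if client computer is offline...** to **Yes**"); and "Windows Management Instruction" should be "Windows Management Instrumentation" in both WMI headings.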
security Manage Protection Update Schedule Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md
+
+ Title: Schedule Microsoft Defender Antivirus protection updates
+description: Schedule the day, time, and interval for when protection updates should be downloaded
+keywords: updates, security baselines, schedule updates
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Manage the schedule for when protection updates should be downloaded and applied
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Microsoft Defender Antivirus lets you determine when it should look for and download updates.
+
+You can schedule updates for your endpoints by:
+
+- Specifying the day of the week to check for protection updates
+- Specifying the interval to check for protection updates
+- Specifying the time to check for protection updates
+
+You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) topic for more information.
+
+## Use Configuration Manager to schedule protection updates
+
+1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2. Go to the **Security intelligence updates** section.
+
+3. To check and download updates at a certain time:
+ 1. Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to **0**.
+ 2. Set **Check for Endpoint Protection security intelligence updates daily at...** to the time when updates should be checked.
+ 3
+4. To check and download updates on a continual interval, Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to the number of hours that should occur between updates.
+
+5. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+## Use Group Policy to schedule protection updates
+
+> [!IMPORTANT]
+> By default, Microsoft Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings:
+
+ 1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
+ 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
+ 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
++
+## Use PowerShell cmdlets to schedule protection updates
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -SignatureScheduleDay
+Set-MpPreference -SignatureScheduleTime
+Set-MpPreference -SignatureUpdateInterval
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+## Use Windows Management Instruction (WMI) to schedule protection updates
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+SignatureScheduleDay
+SignatureScheduleTime
+SignatureUpdateInterval
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
++
+## Related articles
+
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
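Review bot: the three schedule cmdlets are shown without arguments, and their types are not obvious from the names: `Set-MpPreference -SignatureScheduleDay` takes a day name (`Everyday`, or `Sunday` through `Saturday`), `-SignatureScheduleTime` takes a `TimeSpan` in the endpoint's local time (for example `02:00:00`, matching what the Group Policy step says about local time), and `-SignatureUpdateInterval` takes the number of hours. One complete invocation would bring the PowerShell section in line with the Configuration Manager steps, which at least document that an interval of `0` means "use the daily time". Also: a stray line containing only `3` sits between step 3.2 and step 4 of the Configuration Manager procedure; the Group Policy steps are numbered 1, 3, 4, 5; the path reads **Signature Intelligence Updates**, where the node is called **Security Intelligence Updates** everywhere else in this commit; and "Windows Management Instruction" should be "Windows Management Instrumentation".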
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
+
+ Title: Manage how and where Microsoft Defender Antivirus receives updates
+description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates.
+keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Manage the sources for Microsoft Defender Antivirus protection updates
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22154037)
+
+<a id="protection-updates"></a>
+<!-- this has been used as anchor in VDI content -->
+
+Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Microsoft Defender Antivirus:
+- *Where* the updates are downloaded from; and
+- *When* updates are downloaded and applied.
+
+This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
++
+<a id="fallback-order"></a>
+
+## Fallback order
+
+Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used immediately.
+
+When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:
+- The age of the last update on the device; and
+- The source used to download and apply updates.
+
+The older the updates on an endpoint, the larger the download will be. However, you must also consider download frequency as well. A more frequent update schedule can result in more network usage, whereas a less-frequent schedule can result in larger file sizes per download.
+
+There are five locations where you can specify where an endpoint should obtain updates:
+
+- [Microsoft Update](https://support.microsoft.com/help/12373/windows-update-faq)
+- [Windows Server Update Service](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
+- [Microsoft Endpoint Configuration Manager](/configmgr/core/servers/manage/updates)
+- [Network file share](#unc-share)
+- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
+
+To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
+
+> [!IMPORTANT]
+> If you have set [Microsoft Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is seven consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
+> You can, however, [set the number of days before protection is reported as out-of-date](/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).<p>
+> Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
+
+Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
+
+|Location | Sample scenario |
+|||
+|Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.|
+|Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
+|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
+|Microsoft Endpoint Manager | You are using Microsoft Endpoint Manager to update your endpoints.|
+|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
+
+You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
+
+> [!IMPORTANT]
+> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
+
+The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it.
+
+## Use Group Policy to manage the update location
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
+
+ 1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
+
+ 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
+
+ ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png)
+
+ 3. Click **OK**. This will set the order of protection update sources.
+
+ 4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
+
+ 5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths, then this source will be skipped when the VM downloads updates.
+
+ 6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
+
+> [!NOTE]
+> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Microsoft Defender Antivirus > Signature Updates**
+> For Windows 10, version 1903, the policy path is **Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates**
+
+## Use Configuration Manager to manage the update location
+
+See [Configure Security intelligence Updates for Endpoint Protection](/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch).
++
+## Use PowerShell cmdlets to manage the update location
+
+Use the following PowerShell cmdlets to set the update order.
+
+```PowerShell
+Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
+Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}
+```
+See the following articles for more information:
+- [Set-MpPreference -SignatureFallbackOrder](/powershell/module/defender/set-mppreference)
+- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](/powershell/module/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
+- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
+- [Defender cmdlets](/powershell/module/defender/index)
+
+## Use Windows Management Instruction (WMI) to manage the update location
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSource
+```
+
+See the following articles for more information:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+
+## Use Mobile Device Management (MDM) to manage the update location
+
+See [Policy CSP - Defender/SignatureUpdateFallbackOrder](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM.
+
+## What if we're using a third-party vendor?
+
+This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, third-party vendors can be used to perform these tasks.
+
+For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](./use-wmi-microsoft-defender-antivirus.md), [PowerShell cmdlets](./use-powershell-cmdlets-microsoft-defender-antivirus.md), or [Windows command-line](./command-line-arguments-microsoft-defender-antivirus.md) to deploy patches and updates.
+
+> [!NOTE]
+> Microsoft does not test third-party solutions for managing Microsoft Defender Antivirus.
+
+<a id="unc-share"></a>
+## Create a UNC share for security intelligence updates
+
+Set up a network file share (UNC/mapped drive) to download security intelligence updates from the MMPC site by using a scheduled task.
+
+1. On the system on which you want to provision the share and download the updates, create a folder to which you will save the script.
+ ```DOS
+ Start, CMD (Run as admin)
+ MD C:\Tool\PS-Scripts\
+ ```
+
+2. Create the folder to which you will save the signature updates.
+ ```DOS
+ MD C:\Temp\TempSigs\x64
+ MD C:\Temp\TempSigs\x86
+ ```
+
+3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
+
+4. Click **Manual Download**.
+
+5. Click **Download the raw nupkg file**.
+
+6. Extract the file.
+
+7. Copy the file SignatureDownloadCustomTask.ps1 to the folder you previously created, C:\Tool\PS-Scripts\ .
+
+8. Use the command line to set up the scheduled task.
+ > [!NOTE]
+ > There are two types of updates: full and delta.
+ - For x64 delta:
+
+ ```DOS
+ Powershell (Run as admin)
+
+ C:\Tool\PS-Scripts\
+
+ ΓÇ£.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $true -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1ΓÇ¥
+ ```
+
+ - For x64 full:
+
+ ```DOS
+ Powershell (Run as admin)
+
+ C:\Tool\PS-Scripts\
+
+ ΓÇ£.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $false -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1ΓÇ¥
+ ```
+
+ - For x86 delta:
+
+ ```DOS
+ Powershell (Run as admin)
+
+ C:\Tool\PS-Scripts\
+
+ ΓÇ£.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $true -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1ΓÇ¥
+ ```
+
+ - For x86 full:
+
+ ```DOS
+ Powershell (Run as admin)
+
+ C:\Tool\PS-Scripts\
+
+ ΓÇ£.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $false -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1ΓÇ¥
+ ```
+
+ > [!NOTE]
+ > When the scheduled tasks are created, you can find these in the Task Scheduler under Microsoft\Windows\Windows Defender
+9. Run each task manually and verify that you have data (mpam-d.exe, mpam-fe.exe, and nis_full.exe) in the following folders (you might have chosen different locations):
+
+ - C:\Temp\TempSigs\x86
+ - C:\Temp\TempSigs\x64
+
+ If the scheduled task fails, run the following commands:
+
+ ```DOS
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64″
+
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64″
+
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x86 -isDelta $False -destDir C:\Temp\TempSigs\x86″
+
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x86 -isDelta $True -destDir C:\Temp\TempSigs\x86″
+ ```
+ > [!NOTE]
+ > Issues could also be due to execution policy.
+
+10. Create a share pointing to C:\Temp\TempSigs (e.g. \\server\updates).
+ > [!NOTE]
+ > At a minimum, authenticated users must have ΓÇ£ReadΓÇ¥ access.
+11. Set the share location in the policy to the share.
+
+ > [!NOTE]
+ > Do not add the x64 (or x86) folder in the path. The mpcmdrun.exe process adds it automatically.
+
+## Related articles
+
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
+- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
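Review bot: the four task-creation commands in step 8 (L3961, L3971, L3981, L3991) are wrapped in mojibake curly quotes (`ΓÇ£.\SignatureDownloadCustomTask.ps1 ... -daysInterval 1ΓÇ¥`), so an admin cannot paste them as written, and even with the quotes repaired the whole invocation would be a string literal rather than a command; drop the surrounding quotes entirely and turn the preceding `C:\Tool\PS-Scripts\` line into `cd C:\Tool\PS-Scripts\`, since a bare directory path is not a runnable command either. The fallback commands in step 9 (L4004-L4010) have the same encoding problem: `“&\”...\”` and the closing `″` are typographic quotes; with ASCII quotes the form `-Command "& 'C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1' -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64"` avoids the backslash escaping altogether, and the note at L4013 should say plainly that `-executionpolicy allsigned` refuses an unsigned copy of the gallery script, because that is the execution-policy failure it alludes to. The share note at L4017 (`ΓÇ£ReadΓÇ¥`) carries the same mojibake and states only the floor: since every endpoint pulls its definition packages from this share (L4015, L4018), it should also say that authenticated users get Read only and that nothing beyond the account running the download task needs Write, so the packages endpoints install cannot be altered through the share. Smaller items: the heading at L3899 says "Windows Management Instruction (WMI)" while L3919 correctly expands it as Windows Management Instrumentation; the link anchor at L3895 uses the plural `signaturedefinitionupdatefilesharessources` but the parameter in the code block at L3891 and the WMI property at L3905 are singular, so one of them should be checked against the cmdlet; L3884 is a stray `+` line before the PowerShell heading; and L3873 says "when the VM downloads updates" in an article that otherwise covers any endpoint.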
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
+
+ Title: Manage Microsoft Defender Antivirus updates and apply baselines
+description: Manage how Microsoft Defender Antivirus receives protection and product updates.
+keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Manage Microsoft Defender Antivirus updates and apply baselines
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Microsoft Defender Antivirus
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+
+- Security intelligence updates
+- Product updates
+
+> [!IMPORTANT]
+> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
+> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](./microsoft-defender-antivirus-compatibility.md).
+>
+> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+
+## Security intelligence updates
+
+Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
+
+> [!NOTE]
+> Updates are released under the below KB numbers:
+> Microsoft Defender Antivirus: KB2267602
+> System Center Endpoint Protection: KB2461484
+
+Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md).
+
+For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+
+Engine updates are included with security intelligence updates and are released on a monthly cadence.
+
+## Product updates
+
+Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as *platform updates*), and will receive major feature updates alongside Windows 10 releases.
+
+You can manage the distribution of updates through one of the following methods:
+
+- [Windows Server Update Service (WSUS)](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus)
+- [Microsoft Endpoint Configuration Manager](/configmgr/sum/understand/software-updates-introduction)
+- The usual method you use to deploy Microsoft and Windows updates to endpoints in your network.
+
+For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
+
+> [!NOTE]
+> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
+
+## Monthly platform and engine versions
+
+For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
+
+All our updates contain
+- performance improvements;
+- serviceability improvements; and
+- integration improvements (Cloud, Microsoft 365 Defender).
+<br/><br/>
+
+<details>
+<summary> March-2021 (Platform: 4.18.2103.6 | Engine: 1.1.18000.5)</summary>
+
+&ensp;Security intelligence update version: **1.335.36.0**
+&ensp;Released: **April 1, 2021**
+&ensp;Platform: **4.19.2103.6**
+&ensp;Engine: **1.1.18000.5**
+&ensp;Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Improvement to the Behavior Monitoring engine
+- Expanded network brute-force-attack mitigations
+- Additional failed tampering attempt event generation when [Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled
+
+### Known Issues
+No known issues
+<br/>
+</details><details>
+<summary> February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)</summary>
+
+&ensp;Security intelligence update version: **1.333.7.0**
+&ensp;Released: **March 9, 2021**
+&ensp;Platform: **4.19.2102.3**
+&ensp;Engine: **1.1.17900.7**
+&ensp;Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Improved service recovery through [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
+- Extend tamper protection scope
+
+### Known Issues
+No known issues
+<br/>
+</details><details>
+<summary> January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)</summary>
+
+&ensp;Security intelligence update version: **1.327.1854.0**
+&ensp;Released: **February 2, 2021**
+&ensp;Platform: **4.18.2101.9**
+&ensp;Engine: **1.1.17800.5**
+&ensp;Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Shellcode exploit detection improvements
+- Increased visibility for credential stealing attempts
+- Improvements in antitampering features in Microsoft Defender Antivirus services
+- Improved support for ARM x64 emulation
+- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection
+
+### Known Issues
+No known issues
+<br/>
+</details>
+
+### Previous version updates: Technical upgrade support only
+
+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
+<br/><br/>
+<details>
+<summary> November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)</summary>
+
+&ensp;Security intelligence update version: **1.327.1854.0**
+&ensp;Released: **December 03, 2020**
+&ensp;Platform: **4.18.2011.6**
+&ensp;Engine: **1.1.17700.4**
+&ensp;Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Improved [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) status support logging
+
+### Known Issues
+No known issues
+<br/>
+</details><details>
+<summary> October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)</summary>
+
+&ensp;Security intelligence update version: **1.327.7.0**
+&ensp;Released: **October 29, 2020**
+&ensp;Platform: **4.18.2010.7**
+&ensp;Engine: **1.1.17600.5**
+&ensp;Support phase: **Security and Critical Updates**
+
+### What's new
+
+- New descriptions for special threat categories
+- Improved emulation capabilities
+- Improved host address allow/block capabilities
+- New option in Defender CSP to Ignore merging of local user exclusions
+
+### Known Issues
+
+No known issues
+<br/>
+</details><details>
+<summary> September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)</summary>
+
+&ensp;Security intelligence update version: **1.325.10.0**
+&ensp;Released: **October 01, 2020**
+&ensp;Platform: **4.18.2009.7**
+&ensp;Engine: **1.1.17500.4**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- Admin permissions are required to restore files in quarantine
+- XML formatted events are now supported
+- CSP support for ignoring exclusion merges
+- New management interfaces for:
+ - UDP Inspection
+ - Network Protection on Server 2019
+ - IP Address exclusions for Network Protection
+- Improved visibility into TPM measurements
+- Improved Office VBA module scanning
+
+### Known Issues
+
+No known issues
+<br/>
+</details>
+<details>
+<summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
+
+&ensp;Security intelligence update version: **1.323.9.0**
+&ensp;Released: **August 27, 2020**
+&ensp;Platform: **4.18.2008.9**
+&ensp;Engine: **1.1.17400.5**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- Add more telemetry events
+- Improved scan event telemetry
+- Improved behavior monitoring for memory scans
+- Improved macro streams scanning
+- Added `AMRunningMode` to Get-MpComputerStatus PowerShell cmdlet
+- [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.
++
+### Known Issues
+No known issues
+<br/>
+</details>
+
+<details>
+<summary> July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)</summary>
+
+&ensp;Security intelligence update version: **1.321.30.0**
+&ensp;Released: **July 28, 2020**
+&ensp;Platform: **4.18.2007.8**
+&ensp;Engine: **1.1.17300.4**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- Improved telemetry for BITS
+- Improved Authenticode code signing certificate validation
+
+### Known Issues
+No known issues
+<br/>
+</details>
+
+<details>
+<summary> June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)</summary>
+
+&ensp;Security intelligence update version: **1.319.20.0**
+&ensp;Released: **June 22, 2020**
+&ensp;Platform: **4.18.2006.10**
+&ensp;Engine: **1.1.17200.2**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- Possibility to specify the [location of the support logs](./collect-diagnostic-data.md)
+- Skipping aggressive catchup scan in Passive mode.
+- Allow Defender to update on metered connections
+- Fixed performance tuning when caching is disabled
+- Fixed registry query
+- Fixed scantime randomization in ADMX
+
+### Known Issues
+No known issues
+<br/>
+</details>
+
+<details>
+<summary> May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)</summary>
+
+&ensp;Security intelligence update version: **1.317.20.0**
+&ensp;Released: **May 26, 2020**
+&ensp;Platform: **4.18.2005.4**
+&ensp;Engine: **1.1.17100.2**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- Improved logging for scan events
+- Improved user mode crash handling.
+- Added event tracing for Tamper protection
+- Fixed AMSI Sample submission
+- Fixed AMSI Cloud blocking
+- Fixed Security update install log
+
+### Known Issues
+No known issues
+<br/>
+</details>
+
+<details>
+<summary> April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)</summary>
+
+&ensp;Security intelligence update version: **1.315.12.0**
+&ensp;Released: **April 30, 2020**
+&ensp;Platform: **4.18.2004.6**
+&ensp;Engine: **1.1.17000.2**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+- WDfilter improvements
+- Add more actionable event data to attack surface reduction detection events
+- Fixed version information in diagnostic data and WMI
+- Fixed incorrect platform version in UI after platform update
+- Dynamic URL intel for Fileless threat protection
+- UEFI scan capability
+- Extend logging for updates
+
+### Known Issues
+No known issues
+<br/>
+</details>
+
+<details>
+<summary> March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)</summary>
+
+&ensp;Security intelligence update version: **1.313.8.0**
+&ensp;Released: **March 24, 2020**
+&ensp;Platform: **4.18.2003.8**
+&ensp;Engine: **1.1.16900.4**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- CPU Throttling option added to [MpCmdRun](./command-line-arguments-microsoft-defender-antivirus.md)
+- Improve diagnostic capability
+- reduce Security intelligence timeout (5 min)
+- Extend AMSI engine internal log capability
+- Improve notification for process blocking
+
+### Known Issues
+[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
+
+<br/>
+</details>
+
+<details>
+
+<summary> February-2020 (Platform: - | Engine: 1.1.16800.2)</summary>
+
+
+&ensp;Security intelligence update version: **1.311.4.0**
+&ensp;Released: **February 25, 2020**
+&ensp;Platform/Client: **-**
+&ensp;Engine: **1.1.16800.2**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+
+### Known Issues
+No known issues
+<br/>
+</details>
+
+<details>
+<summary> January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)</summary>
+
+
+Security intelligence update version: **1.309.32.0**
+Released: **January 30, 2020**
+Platform/Client: **4.18.2001.10**
+Engine: **1.1.16700.2**
+&ensp;Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- Fixed BSOD on WS2016 with Exchange
+- Support platform updates when TMP is redirected to network path
+- Platform and engine versions are added to [WDSI](https://www.microsoft.com/en-us/wdsi/defenderupdates) <!-- The preceding URL must include "/en-us" -->
+- extend Emergency signature update to [passive mode](./microsoft-defender-antivirus-compatibility.md)
+- Fix 4.18.1911.3 hang
+
+### Known Issues
+
+[**Fixed**] devices utilizing [modern standby mode](/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
+<br/>
+> [!IMPORTANT]
+> This update is:
+> - needed by RS1 devices running lower version of the platform to support SHA2;
+> - has a reboot flag for systems that have hanging issues;
+> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
+> - is categorized as an update due to the reboot requirement; and
+> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
+<br/>
+</details>
+
+<details>
+<summary> November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)</summary>
+
+Security intelligence update version: **1.307.13.0**
+Released: **December 7, 2019**
+Platform: **4.18.1911.3**
+Engine: **1.1.17000.7**
+Support phase: **No support**
+
+### What's new
+
+- Fixed MpCmdRun tracing level
+- Fixed WDFilter version info
+- Improve notifications (PUA)
+- add MRT logs to support files
+
+### Known Issues
+When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
+<br/>
+</details>
++
+## Microsoft Defender Antivirus platform support
+Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:
+
+- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
+
+- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
+
+\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
+
+During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and MicrosoftΓÇÖs managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
+
+### Platform version included with Windows 10 releases
+The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
+
+|Windows 10 release |Platform version |Engine version |Support phase |
+|:|:|:|:|
+|2004 (20H1/20H2) |4.18.1909.6 |1.1.17000.2 | Technical upgrade support (only) |
+|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) |
+|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) |
+|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) |
+|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) |
+|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) |
+|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) |
+|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) |
+
+For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
+
+## Updates for Deployment Image Servicing and Management (DISM)
+
+We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.
+
+For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+
+<details>
+<summary>1.1.2104.01</summary>
+
+&ensp;Package version: **1.1.2104.01**
+&ensp;Platform version: **4.18.2102.4**
+&ensp;Engine version: **1.1.18000.5**
+&ensp;Signature version: **1.335.232.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
+<summary>1.1.2103.01</summary>
+
+&ensp;Package version: **1.1.2103.01**
+&ensp;Platform version: **4.18.2101.9**
+&ensp;Engine version: **1.1.17800.5**
+&ensp;Signature version: **1.331.2302.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
+<summary>1.1.2102.03</summary>
+
+&ensp;Package version: **1.1.2102.03**
+&ensp;Platform version: **4.18.2011.6**
+&ensp;Engine version: **1.1.17800.5**
+&ensp;Signature version: **1.331.174.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
+<summary>1.1.2101.02</summary>
+
+&ensp;Package version: **1.1.2101.02**
+&ensp;Platform version: **4.18.2011.6**
+&ensp;Engine version: **1.1.17700.4**
+&ensp;Signature version: **1.329.1796.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
+<summary>1.1.2012.01</summary>
+
+&ensp;Package version: **1.1.2012.01**
+&ensp;Platform version: **4.18.2010.7**
+&ensp;Engine version: **1.1.17600.5**
+&ensp;Signature version: **1.327.1991.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
+<summary>1.1.2011.02</summary>
+
+&ensp;Package version: **1.1.2011.02**
+&ensp;Platform version: **4.18.2010.7**
+&ensp;Engine version: **1.1.17600.5**
+&ensp;Signature version: **1.327.658.0**
+
+### Fixes
+- None
+
+### Additional information
+- Refreshed Microsoft Defender Antivirus signatures
+<br/>
+</details><details>
+<summary>1.1.2011.01</summary>
+
+&ensp;Package version: **1.1.2011.01**
+&ensp;Platform version: **4.18.2009.7**
+&ensp;Engine version: **1.1.17600.5**
+&ensp;Signature version: **1.327.344.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
+<summary>1.1.2009.10</summary>
+
+&ensp;Package version: **1.1.2011.01**
+&ensp;Platform version: **4.18.2008.9**
+&ensp;Engine version: **1.1.17400.5**
+&ensp;Signature version: **1.327.2216.0**
+
+### Fixes
+- None
+
+### Additional information
+- Added support for Windows 10 RS1 or later OS install images.
+<br/>
+</details>
+
+## Additional resources
+
+| Article | Description |
+|:|:|
+|[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images) | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images. |
+|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through many sources. |
+|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. |
+|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
+|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
+|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. |
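Review bot: the platform versions inside the March-2021 and February-2021 entries contradict their own summaries: L4103 says `Platform: 4.18.2103.6` but L4107 says `4.19.2103.6`, and L4121 says `4.18.2102.3` while L4125 says `4.19.2102.3`; every other entry is 4.18.x, and an admin using this page to decide whether a device is still in the Security and Critical Updates phase (L4434) gets the wrong answer from the 4.19 lines, so they should be corrected to match the summaries. The same kind of mismatch appears at L4337/L4342 (engine 1.1.16900.2 vs 1.1.16900.4), at L4411/L4416 (engine 1.1.16600.7 vs 1.1.17000.7), and in the DISM section at L4563/L4565, where the `1.1.2009.10` package lists `Package version: 1.1.2011.01` with a signature version (1.327.2216.0) higher than the packages released after it. The January-2021 entry at L4140 repeats the November-2020 security intelligence version 1.327.1854.0 (L4166), which is also lower than the December DISM package's 1.327.1991.0 (L4526); it looks copied and should be verified. Link targets: L4087 "Manage the sources for Microsoft Defender Antivirus protection updates" points at the WSUS page in configmgr, the same URL as L4083, instead of manage-protection-updates-microsoft-defender-antivirus.md, which L4583 links for exactly that topic. Formatting: the alignment row `|:|:|:|:|` at L4446 is not a valid delimiter row (it needs dashes, e.g. `|:--|:--|:--|:--|`) and may not render as a table; the February-2020 "What's new" at L4370-L4372 is empty; the entries at L4382-L4385 and L4413-L4417 lack the `&ensp;` prefix used everywhere else; L4041, L4043, L4242 and L4430 are stray `+` lines; and there are typos in "Window Server Update Services" (L4090), "is only be offered" (L4406), the mojibake `MicrosoftΓÇÖs` (L4440), and the list under L4401, whose lead-in "This update is:" does not agree with items that start "needed by", "has" and "is".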
security Manage Updates Mobile Devices Vms Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+
+ Title: Define how mobile devices are updated by Microsoft Defender Antivirus
+description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates.
+keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Manage updates for mobile devices and virtual machines (VMs)
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates.
+
+There are two settings that are useful for these devices:
+
+- Opt in to Microsoft Update on mobile computers without a WSUS connection
+- Prevent Security intelligence updates when running on battery power
+
+The following articles may also be useful in these situations:
+- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
+- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
+
+## Opt in to Microsoft Update on mobile computers without a WSUS connection
+
+You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
+
+This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
+
+You can opt in to Microsoft Update on the mobile device in one of the following ways:
+
+- Change the setting with Group Policy.
+- Use a VBScript to create a script, then run it on each computer in your network.
+- Manually opt in every computer on your network through the **Settings** menu.
+
+### Use Group Policy to opt in to Microsoft Update
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Select **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
+
+5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**.
++
+### Use a VBScript to opt in to Microsoft Update
+
+1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](/windows/win32/wua_sdk/opt-in-to-microsoft-update) to create the VBScript.
+
+2. Run the VBScript you created on each computer in your network.
+
+### Manually opt in to Microsoft Update
+
+1. Open **Windows Update** in **Update & security** settings on the computer you want to opt in.
+
+2. Select **Advanced** options.
+
+3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
+
+## Prevent Security intelligence updates when running on battery power
+
+You can configure Microsoft Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
+
+### Use Group Policy to prevent security intelligence updates on battery power
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), choose the Group Policy Object you want to configure, and open it for editing.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Select **Policies** then **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**.
+
+This action prevents protection updates from downloading when the PC is on battery power.
+
+## Related articles
+
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Update and manage Microsoft Defender Antivirus in Windows 10](deploy-manage-report-microsoft-defender-antivirus.md)
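Review bot: the frontmatter key at the top of this file is written as `+ Title: Define how mobile devices are updated by Microsoft Defender Antivirus`, with a leading space and a capital T, while every sibling key is lowercase (`description:`, `keywords:`, `ms.pagetype:`); YAML keys are case-sensitive, so this should be `title:` flush with the other keys, and the bare `+++++` / `++` lines that follow `ms.localizationpriority: medium` and surround the H1 look like a collapsed metadata block that should be checked before merge. Two smaller points in the body: "Security intelligence" is capitalized in the bullet "Prevent Security intelligence updates when running on battery power" but lowercase in the later heading "Use Group Policy to prevent security intelligence updates on battery power", so pick one form; and the step "Use a VBScript to create a script, then run it on each computer in your network" is circular, "Create a VBScript and run it on each computer in your network" says the same thing without the loop.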
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
+
+ Title: Microsoft Defender Antivirus compatibility with other security products
+description: What to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using.
+keywords: windows defender, next-generation, antivirus, compatibility, passive mode
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Microsoft Defender Antivirus compatibility
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+## Overview
+
+Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) together with your antivirus protection.
+- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender for Endpoint is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
+- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
+- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](/microsoft-365/security/defender-endpoint/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact.
+
+## Antivirus and Microsoft Defender for Endpoint
+
+The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint.
++
+| Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state |
+|||-|-|
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode |
+| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Must be set to passive mode (manually) <sup>[[1](#fn1)]<sup> |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) <sup>[[2](#fn2)]<sup></sup> |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
+| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode |
+| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) <sup>[[2](#fn2)]<sup> |
+| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) <sup>[[2](#fn2)]<sup> |
+
+(<a id="fn1">1</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server.
+
+If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: `ForcePassiveMode`
+- Type: `REG_DWORD`
+- Value: `1`
+
+> [!NOTE]
+> The `ForcePassiveMode` registry key is not supported on Windows Server 2016.
+
+(<a id="fn2">2</a>) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server.
+
+See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations.
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus is only available on devices running Windows 10, Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019.
+>
+> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](/previous-versions/system-center/system-center-2012-R2/hh508760(v=technet.10)), which is managed through Microsoft Endpoint Configuration Manager.
+>
+> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](/previous-versions/windows/it-pro/windows-8.1-and-8/dn344918(v=ws.11)#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+
+## Functionality and features available in each state
+
+The table in this section summarizes the functionality and features that are available in each state. The table is designed to be informational only. It is intended to describe the features & capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, in passive mode, or is disabled/uninstalled.
+
+> [!IMPORTANT]
+> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode.
+
+|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled |
+|:|:|:|:|:|
+| [Real-time protection](./configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](./enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No <sup>[[3](#fn3)]<sup> | No | No |
+| [Limited periodic scanning availability](./limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | No | Yes |
+| [File scanning and detection information](./customize-run-review-remediate-scans-microsoft-defender-antivirus.md) | Yes | Yes | Yes | No |
+| [Threat remediation](./configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[4](#fn4)]<sup> | Yes | No |
+| [Security intelligence updates](./manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes | Yes | No |
+
+(<a id="fn3">3</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+
+(<a id="fn4">4</a>) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
+
+> [!NOTE]
+> [Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode.
+
+## Keep the following points in mind
+
+- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
+
+- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
+
+- When [EDR in block mode](/microsoft-365/security/defender-endpoint/edr-in-block-mode) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
+
+- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
+
+- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](/microsoft-365/security/defender-endpoint/defender-compatibility) in order to properly monitor your devices and network for intrusion attempts and attacks.
+
+- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+
+- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware. For optimal security layered defense and detection efficacy, please ensure that you update the [Microsoft Defender Antivirus protection (Security intelligence update, Engine and Platform)](./manage-updates-baselines-microsoft-defender-antivirus.md) even if Microsoft Defender Antivirus is running in passive mode.
+
+ If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically.
+
+> [!WARNING]
+> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
++
+## See also
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md)
+- [EDR in block mode](edr-in-block-mode.md)
+- [Configure Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
+- [Learn about Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about)
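Review bot: both tables in this file have header separator rows that Markdown will not recognize, `|||-|-|` under the four-column compatibility table and `|:|:|:|:|:|` under the five-column feature table, because a separator cell needs at least three dashes; use `|---|---|---|---|` and `|:---|:---|:---|:---|:---|` so the tables render rather than fall through as literal pipes. The footnote markers in the same tables are also unbalanced: `<sup>[[1](#fn1)]<sup>` closes with a second opening tag instead of `</sup>`, and the Windows Server "No" row compounds it with `<sup>[[2](#fn2)]<sup></sup>`, leaving unclosed superscripts that will pull the rest of the row into superscript text; each should read `<sup>[[n](#fnn)]</sup>`. In the "Keep the following points in mind" list, "detection information are reported" should be "detection information is reported". Finally, the `ForcePassiveMode` registry key block (path, name, type, value) is reproduced verbatim here and again in the Windows Server article; keeping a single copy behind the existing link to "set Microsoft Defender Antivirus to passive mode" avoids the two drifting apart, which has already happened in the version phrasing.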
security Microsoft Defender Antivirus In Windows 10 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10.md
+
+ Title: Next-generation protection
+description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection.
+keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+++++
+ms.technology: mde
++
+# Next-generation protection
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+## Microsoft Defender Antivirus: Your next-generation protection
+
+Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Your next-generation protection services include the following capabilities:
+
+- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md), which includes always-on scanning using file and process behavior monitoring and other heuristics (also known as *real-time protection*). It also includes detecting and blocking apps that are deemed unsafe, but might not be detected as malware.
+- [Cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats.
+- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date.
+
+## Try a demo!
+
+Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
+- Cloud-delivered protection
+- Block at first sight (BAFS) protection
+- Potentially unwanted applications (PUA) protection
+
+## Minimum system requirements
+
+Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see the following resources:
+
+- [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
+- [Hardware component guidelines](/windows-hardware/design/component-guidelines/components)
+
+## Configure next-generation protection services
+
+For information on how to configure next-generation protection services, see [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md).
+
+> [!Note]
+> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server.md).
+
+## See also
+
+- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server.md)
+- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
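Review bot: "Microsoft Defender Antivirus has the same hardware requirements as of Windows 10" in the "Minimum system requirements" section is ungrammatical; it should read "the same hardware requirements as Windows 10". The alert marker in the configuration section is written as `> [!Note]` while the rest of this doc set uses `> [!NOTE]`, so normalize it. The capability bullet that ends "detecting and blocking apps that are deemed unsafe, but might not be detected as malware" describes potentially unwanted application (PUA) protection, which the "Try a demo!" list names explicitly a few lines later; using the same term in the bullet would make the two sections line up.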
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
+
+ Title: Microsoft Defender Antivirus on Windows Server
+description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019.
+keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
++++
+ms.technology: mde
++
+# Microsoft Defender Antivirus on Windows Server
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Microsoft Defender Antivirus is available on the following editions/versions of Windows Server:
+- Windows Server 2019
+- Windows Server, version 1803 or later
+- Windows Server 2016.
+
+In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server:
+
+- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
+
+## The process at a glance
+
+The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
+
+1. [Enable the interface](#enable-the-user-interface-on-windows-server).
+2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server).
+3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running).
+4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence).
+5. (As needed) [Submit samples](#submit-samples).
+6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions).
+7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode).
+
+## Enable the user interface on Windows Server
+
+By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the **Add Roles and Features** wizard, or by using PowerShell cmdlets.
+
+### Turn on the GUI using the Add Roles and Features Wizard
+
+1. See [Install roles, role services, and features by using the add Roles and Features Wizard](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
+
+2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option.
+
+ In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
+
+ ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png)
+
+ In Windows Server 2019, the **Add Roles and Feature Wizard** is similar.
+
+### Turn on the GUI using PowerShell
+
+The following PowerShell cmdlet will enable the interface:
+
+```PowerShell
+Install-WindowsFeature -Name Windows-Defender-GUI
+```
+
+## Install Microsoft Defender Antivirus on Windows Server
+
+You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus.
+
+### Use the Add Roles and Features Wizard
+
+1. Refer to [this article](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
+
+2. When you get to the **Features** step of the wizard, select the Microsoft Defender Antivirus option. Also select the **GUI for Windows Defender** option.
+
+### Use PowerShell
+
+To use PowerShell to install Microsoft Defender Antivirus, run the following cmdlet:
+
+```PowerShell
+Install-WindowsFeature -Name Windows-Defender
+```
+
+Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender AV Events](troubleshoot-microsoft-defender-antivirus.md).
++
+## Verify Microsoft Defender Antivirus is running
+
+To verify that Microsoft Defender Antivirus is running on your server, run the following PowerShell cmdlet:
+
+```PowerShell
+Get-Service -Name windefend
+```
+
+To verify that firewall protection is turned on, run the following PowerShell cmdlet:
+
+```PowerShell
+Get-Service -Name mpssvc
+```
+
+As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt:
+
+```console
+sc query Windefend
+```
+
+The `sc query` command returns information about the Microsoft Defender Antivirus service. When Microsoft Defender Antivirus is running, the `STATE` value displays `RUNNING`.
+
+## Update antimalware Security intelligence
+
+To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
+
+By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods:
++
+|Method |Description |
+|||
+|**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
+|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
+|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/>- **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
+
+To ensure that protection from malware is maintained, we recommend that you enable the following
+
+- Windows Error Reporting service
+
+- Windows Update service
+
+The following table lists the services for Microsoft Defender Antivirus and the dependent services.
+
+|Service Name|File Location|Description|
+|--||--|
+|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Microsoft Defender Antivirus service that needs to be running at all times.|
+|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.|
+|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.|
+|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
+
+## Submit samples
+
+Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
+
+### Submit a file
+
+1. Review the [submission guide](/windows/security/threat-protection/intelligence/submission-guide).
+
+2. Visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission), and submit your file.
++
+### Enable automatic sample submission
+
+To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings:
+
+|Setting |Description |
+|||
+|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
+|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
+|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
+|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
+
+## Configure automatic exclusions
+
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019.
+
+See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
+
+## Need to set Microsoft Defender Antivirus to passive mode?
+
+If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode.
+
+### Set Microsoft Defender Antivirus to passive mode using a registry key
+
+If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: `ForcePassiveMode`
+- Type: `REG_DWORD`
+- Value: `1`
+
+### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard
+
+1. See [Install or Uninstall Roles, Role Services, or Features](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
+
+2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.
+
+ If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
+
+ Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
+
+### Turn off the Microsoft Defender Antivirus user interface using PowerShell
+
+To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
+
+```PowerShell
+Uninstall-WindowsFeature -Name Windows-Defender-GUI
+```
+
+### Are you using Windows Server 2016?
+
+If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus.
+
+> [!NOTE]
+> You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
+
+The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016:
+
+```PowerShell
+Uninstall-WindowsFeature -Name Windows-Defender
+```
+
+## See also
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
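Review bot: the note `> You can't uninstall the Windows Security app, but you can disable the interface with these instructions.` sits directly above `Uninstall-WindowsFeature -Name Windows-Defender`, which removes the whole antivirus feature rather than just the interface; the interface-only cmdlet (`Uninstall-WindowsFeature -Name Windows-Defender-GUI`) is in the preceding section, so either move the note there or reword it to say that the cmdlet below uninstalls Microsoft Defender Antivirus itself on Windows Server 2016. Also, as shown here the two continuation paragraphs under step 2 (`If you clear **Windows Defender** by itself...` and `Microsoft Defender Antivirus will still run normally...`) are indented by a single space, which Markdown will not treat as part of the numbered item; indent them to line up with the text after the `2.` marker.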
security Microsoft Defender Offline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md
+
+ Title: Microsoft Defender Offline in Windows 10
+description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Run and review the results of a Microsoft Defender Offline scan
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+You can use Microsoft Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
+
+In Windows 10, Microsoft Defender Offline can be run with one click directly from the [Windows Security app](microsoft-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Microsoft Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## prerequisites and requirements
+
+Microsoft Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
+
+- [Hardware component guidelines](/windows-hardware/design/component-guidelines/components)
+
+> [!NOTE]
+> Microsoft Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Microsoft Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+
+## Microsoft Defender Offline updates
+
+Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update Microsoft Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
+
+The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+![Windows notification showing the requirement to run Microsoft Defender Offline](images/defender/notification.png)
+
+The user will also be notified within the Windows Defender client.
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
+
+Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+![Microsoft Endpoint Manager indicating a Microsoft Defender Offline scan is required](images/defender/sccm-wdo.png)
+
+## Configure notifications
+
+Microsoft Defender Offline notifications are configured in the same policy setting as other Microsoft Defender AV notifications.
+
+For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) topic.
+
+## Run a scan
+
+> [!IMPORTANT]
+> Before you use Microsoft Defender Offline, make sure you save any files and shut down running programs. The Microsoft Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+You can run a Microsoft Defender Offline scan with the following:
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- The Windows Security app
+++
+### Use PowerShell cmdlets to run an offline scan
+
+Use the following cmdlets:
+
+```PowerShell
+Start-MpWDOScan
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to run an offline scan
+
+Use the [**MSFT_MpWDOScan**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class to run an offline scan.
+
+The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```console
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
++
+### Use the Windows Defender Security app to run an offline scan
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
+
+3. Select **Microsoft Defender Offline scan** and click **Scan now**.
+
+ > [!NOTE]
+ > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
++
+## Review scan results
+
+Microsoft Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](microsoft-defender-security-center-antivirus.md).
++
+## Related articles
+
+- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
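Review bot: the heading `### Use Windows Management Instruction (WMI) to run an offline scan` misnames the technology; it is Windows Management Instrumentation, as the earlier bullet `- Windows Management Instrumentation (WMI)` says. The heading `## prerequisites and requirements` should be capitalized like the other H2 headings, `Use the following cmdlets:` introduces a single cmdlet, and step 2 of the Windows Security app procedure (`...and then the **Advanced scan** label:`) ends in a colon with nothing following it.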
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
+
+ Title: Microsoft Defender Antivirus in the Windows Security app
+description: With Microsoft Defender Antivirus now included in the Windows Security app, you can review, compare, and perform common tasks.
+keywords: wdav, antivirus, firewall, security, windows
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Microsoft Defender Antivirus in the Windows Security app
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security.
+
+Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
+
+> [!IMPORTANT]
+> Disabling the Windows Security Center service does not disable Microsoft Defender Antivirus or [Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
+>
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app might display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+> It might also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you might have previously installed.
+> This will significantly lower the protection of your device and could lead to malware infection.
+
+See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
+
+The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint).
+
+## Review virus and threat protection settings in the Windows Security app
+
+![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+The following sections describe how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Microsoft Defender Antivirus in the Windows Security app.
+
+> [!NOTE]
+> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) topic describes how local policy override settings can be configured.
+
+## Run a scan with the Windows Security app
+
+1. Open the Windows Security app by searching the start menu for **Security**, and then selecting **Windows Security**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Select **Quick scan**. Or, to run a full scan, select **Scan options**, and then select an option, such as **Full scan**.
+
+## Review the security intelligence update version and download the latest updates in the Windows Security app
+
+![Security intelligence version number information](images/defender/wdav-wdsc-defs.png)
+
+1. Open the Windows Security app by searching the start menu for *Security*, and then selecting **Windows Security**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check your current against the latest version available for manual download, or review the change log for that version. See [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+
+4. Select **Check for updates** to download new protection updates (if there are any).
+
+## Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
+
+1. Open the Windows Security app by searching the start menu for *Security*, and then selecting **Windows Security**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Select **Virus & threat protection settings**.
+
+4. Toggle the **Real-time protection** switch to **On**.
+
+ > [!NOTE]
+ > If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
+ > If you install another antivirus product, Microsoft Defender Antivirus automatically disables itself and is indicated as such in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
+
+## Add exclusions for Microsoft Defender Antivirus in the Windows Security app
+
+1. Open the Windows Security app by searching the start menu for *Security*, and then selecting **Windows Security**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Under the **Manage settings**, select **Virus & threat protection settings**.
+
+4. Under the **Exclusions** setting, select **Add or remove exclusions**.
+
+5. Select the plus icon (**+**) to choose the type and set the options for each exclusion.
+
+The following table summarizes exclusion types and what happens:
+
+|Exclusion type |Defined by |What happens |
+||||
+|**File** |Location <br/>Example: `c:\sample\sample.test` |The specific file is skipped by Microsoft Defender Antivirus. |
+|**Folder** |Location <br/>Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
+|**File type** |File extension <br/>Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
+|**Process** |Executable file path <br>Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
+
+To learn more, see the following resources:
+- [Configure and validate exclusions based on file extension and folder location](./configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure exclusions for files opened by processes](./configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+
+## Review threat detection history in the Windows Defender Security Center app
+
+1. Open the Windows Security app by searching the start menu for *Security*, and then selecting **Windows Security**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Select **Protection history**. Any recent items are listed.
+
+## Set ransomware protection and recovery options
+
+1. Open the Windows Security app by searching the start menu for *Security*, and then selecting **Windows Security**.
+
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Under **Ransomware protection**, select **Manage ransomware protection**.
+
+4. To change **Controlled folder access** settings, see [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders).
+
+5. To set up ransomware recovery options, select **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
+
+## See also
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
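Review bot: the table delimiter row `||||` under `|Exclusion type |Defined by |What happens |` has no dashes, so Markdown will not render the exclusions table; use `|---|---|---|`. The heading `## Review threat detection history in the Windows Defender Security Center app` should say Windows Security app, since the article earlier distinguishes that app from the Microsoft Defender Security Center web portal. Wording fixes: `part of the Windows Security.` is missing `app`, `check your current against the latest version` is missing `version`, and `Under the **Manage settings**` has a stray `the`.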
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
Network discovery capabilities are available in the **Device inventory** section
A designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for EndpointΓÇÖs threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.
-Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities foron network devices deployed across their organizations.
+Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations.
## Approach
Your first step is to select a device that will perform the authenticated networ
- login.windows.net - *.securitycenter.windows.com - login.microsoftonline.com
- - *.blob.core.windows.net/networkscannerstable/*
+ - *.blob.core.windows.net/networkscannerstable/ *
- Note: These URLs are not specified in the Defender for Endpoint documented list of allowed data collection.
+ Note: Not all URLs are specified in the Defender for Endpoint documented list of allowed data collection.
## Permissions
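Review bot: changing `*.blob.core.windows.net/networkscannerstable/*` to `*.blob.core.windows.net/networkscannerstable/ *` inserts a space into the URL pattern, so an admin copying it into a proxy or firewall allow list ends up with a broken wildcard. If the trailing `/*` was breaking Markdown rendering, escape it (`/\*`) or wrap the pattern in backticks instead. The reworded note `Not all URLs are specified in the Defender for Endpoint documented list of allowed data collection.` is also vaguer than the line it replaces; name which of the listed URLs are missing from that list so readers know what to add.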
security Office 365 Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus.md
+
+ Title: Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats
+description: Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more.
+keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
++++++
+ms.technology: mde
++
+# Better together: Microsoft Defender Antivirus and Office 365
+++
+**Applies to:**
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Microsoft Defender Antivirus
+- Microsoft 365
+
+You might already know that:
+
+- **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](./microsoft-defender-antivirus-in-windows-10.md).
+
+- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Microsoft Defender for Office 365 [Protect against threats with Office 365](/microsoft-365/security/office-365-security/protect-against-threats).
+
+- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](/OneDrive/manage-sharing).
+
+**But did you know there are good security reasons to use Microsoft Defender Antivirus together with Office 365**? Here are two:
+
+ 1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery).
+
+ 2. [Integration means better protection](#integration-means-better-protection).
+
+Read the following sections to learn more.
+
+## Ransomware protection and recovery
+
+When you save your files to [OneDrive](/onedrive), and [Microsoft Defender Antivirus](./microsoft-defender-antivirus-in-windows-10.md) detects a ransomware threat on your device, the following things occur:
+
+1. **You are told about the threat**. (If your organization is using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), your security operations team is notified, too.)
+
+2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender for Endpoint, your security operations team can determine whether other devices are infected and take appropriate action, too.)
+
+3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
+
+Think of the time and hassle this can save.
+
+## Integration means better protection
+
+Microsoft Defender for Office 365 integrated with Microsoft Defender for Endpoint means better protection for your organization. Here's how:
+
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents.
+
+ AND
+
+- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture.
+
+ SO
+
+- Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+If you haven't already done so, [integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp).
+
+## More good reasons to use OneDrive
+
+Protection from ransomware is one great reason to put your files in OneDrive. And there are several more good reasons, summarized in this video: <br/><br/>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/70b4d256-46fb-481f-ad9b-921ef5fd7bed]
+
+## Want to learn more? See these resources:
+
+- [OneDrive](/onedrive)
+
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide)
+
+- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
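Review bot: in the second bullet, `you get even more protection through Microsoft Defender for Office 365 [Protect against threats with Office 365](...)` runs the sentence straight into the link; end the sentence and introduce the link with `See`. The same article is linked twice with different URLs, `/microsoft-365/security/office-365-security/office-365-atp` in the integration section and `...office-365-atp?view=o365-worldwide` in the resources list; drop the query string so both match. The heading `## Want to learn more? See these resources:` should also lose the trailing colon.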
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
+
+ Title: Protect security settings with tamper protection
++
+description: Use tamper protection to prevent malicious apps from changing important security settings.
+keywords: malware, defender, antivirus, tamper protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: ITPro
+++
+ms.technology: mde
++
+# Protect security settings with tamper protection
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Tamper protection is available for devices that are running one of the following versions of Windows:
+
+- Windows 10
+- Windows Server 2019
+- Windows Server, version 1803 or later
+- Windows Server 2016
+
+## Overview
+
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring.
+
+With tamper protection, malicious apps are prevented from taking actions such as:
+
+- Disabling virus and threat protection
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus (such as IOfficeAntivirus (IOAV))
+- Disabling cloud-delivered protection
+- Removing security intelligence updates
+
+### How it works
+
+Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
+
+- Configuring settings in Registry Editor on your Windows device
+- Changing settings through PowerShell cmdlets
+- Editing or removing security settings through group policies
+
+Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team.
+
+### What do you want to do?
+
+| To perform this task... | See this section... |
+|:|:|
+| Turn tamper protection on (or off) in the Microsoft Defender Security Center <p>Manage tamper protection across your tenant | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) |
+| Turn tamper protection on (or off) for all or part of your organization using Intune <p>Fine-tune tamper protection settings in your organization | [Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune) |
+| Turn tamper protection on (or off) for your organization with Configuration Manager | [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) |
+| Turn tamper protection on (or off) for an individual device | [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device) |
+| View details about tampering attempts on devices | [View information about tampering attempts](#view-information-about-tampering-attempts) |
+| Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) |
+| Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) |
+
+## Manage tamper protection for your organization using the Microsoft Defender Security Center
+
+Tamper protection can be turned on or off for your tenant using the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind:
+
+- Currently, the option to manage tamper protection in the Microsoft Defender Security Center is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis, with plans to make this the default method in the near future. (To opt in, in the Microsoft Defender Security Center, choose **Settings** > **Advanced features** > **Tamper protection**.)
+
+- When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use Intune or the tenant attach method.
+
+- When you manage tamper protection in the Microsoft Defender Security Center, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006).
+
+- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft Defender Security Center.
+
+### Requirements for managing tamper protection in the Microsoft Defender Security Center
+
+- You must have appropriate [permissions](/microsoft-365/security/defender-endpoint/assign-portal-access), such as global admin, security admin, or security operations.
+
+- Your Windows devices must be running one of the following versions of Windows:
+ - Windows 10
+ - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+ - Windows Server, version [1803](/windows/release-health/status-windows-10-1803) or later
+ - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
+ - For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).
+
+- Your devices must be [onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboarding).
+
+- Your devices must be using anti-malware platform version 4.18.2010.7 (or above) and anti-malware engine version 1.1.17600.5 (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
+
+- [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be turned on.
+
+### Turn tamper protection on (or off) in the Microsoft Defender Security Center
+
+![Turn tamper protection on in the Microsoft Defender Security Center](images/mde-turn-tamperprotect-on.png)
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+
+2. Choose **Settings**.
+
+3. Go to **General** > **Advanced features**, and then turn tamper protection on.
+
+## Manage tamper protection for your organization using Intune
+
+If you are part of your organization's security team, and your subscription includes [Intune](/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune.
+
+### Requirements for managing tamper protection in Intune
+
+- You must have appropriate [permissions](/microsoft-365/security/defender-endpoint/assign-portal-access), such as global admin, security admin, or security operations.
+
+- Your organization uses [Intune to manage devices](/intune/fundamentals/what-is-device-management). ([Intune licenses](/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
+
+- Your Windows devices must be running Windows 10 OS [1709](/windows/release-health/status-windows-10-1709), [1803](/windows/release-health/status-windows-10-1803), [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).)
+
+- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
+
+- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
+
+### Turn tamper protection on (or off) in Intune
+
+![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png)
+
+1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
+
+2. Select **Devices** > **Configuration Profiles**.
+
+3. Create a profile that includes the following settings:
+ - **Platform: Windows 10 and later**
+ - **Profile type: Endpoint protection**
+ - **Category: Microsoft Defender Security Center**
+ - **Tamper Protection: Enabled**
+
+4. Assign the profile to one or more groups.
+
+### Are you using Windows OS 1709, 1803, or 1809?
+
+If you are using Windows 10 OS [1709](/windows/release-health/status-windows-10-1709), [1803](/windows/release-health/status-windows-10-1803), or [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
+
+#### Use PowerShell to determine whether tamper protection is turned on
+
+1. Open the Windows PowerShell app.
+
+2. Use the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus?preserve-view=true&view=win10-ps) PowerShell cmdlet.
+
+3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
+
+## Manage tamper protection for your organization with Configuration Manager, version 2006
+
+If you're using [version 2006 of Configuration Manager](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver endpoint security configuration policies to on-premises collections & devices.
+
+![Windows security experience in Endpoint Manager](images/win-security- exp-policy-endpt-security.png)
+
+> [!NOTE]
+> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
+
+1. Set up tenant attach. To get help with this, see [Microsoft Endpoint Manager tenant attach: Device sync and device actions](/mem/configmgr/tenant-attach/device-sync-actions).
+
+2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and then choose **+ Create Policy**.<br/>
+ - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
+ - In the **Profile** list, select **Windows Security experience (preview)**. <br/>
+
+3. Deploy the policy to your device collection.
+
+### Need help with this method?
+
+See the following resources:
+
+- [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings)
+- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
+
+## Manage tamper protection on an individual device
+
+> [!NOTE]
+> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
+>
+> To help ensure that tamper protection doesnΓÇÖt interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
+>
+> Once youΓÇÖve made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.
+
+If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to manage tamper protection. You must have appropriate admin permissions on your device to do change security settings, such as tamper protection.
+
+Here's what you see in the Windows Security app:
+
+![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png)
+
+1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.
+
+2. Select **Virus & threat protection** > **Virus & threat protection settings**.
+
+3. Set **Tamper Protection** to **On** or **Off**.
+++
+## View information about tampering attempts
+
+Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
+
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](/microsoft-365/security/defender-endpoint/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+![Microsoft Defender Security Center](images/tamperattemptalert.png)
+
+Using [endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
+
+## Review your security recommendations
+
+Tamper protection integrates with [Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](/microsoft-365/security/defender-endpoint/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
+
+![Tamper protection results in security recommendations](/images/securityrecs-tamperprotect.jpg)
+
+In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.
+
+![Turn on tamper protection](images/tamperprotectsecurityrecos.png)
+
+To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
+
+## Frequently asked questions
+
+### To which Windows OS versions is configuring tamper protection is applicable?
+
+Windows 10 OS [1709](/windows/release-health/status-windows-10-1709), [1803](/windows/release-health/status-windows-10-1803), [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint).
+
+If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](/mem/configmgr/tenant-attach/deploy-antivirus-policy).
+
+### Will tamper protection have any impact on third-party antivirus registration?
+
+No. Third-party antivirus offerings will continue to register with the Windows Security application.
+
+### What happens if Microsoft Defender Antivirus is not active on a device?
+
+Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features.
+
+### How can I turn tamper protection on/off?
+
+If you are a home user, see [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device).
+
+If you are an organization using [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
+
+- [Manage tamper protection using Intune](#manage-tamper-protection-for-your-organization-using-intune)
+- [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
+- [Manage tamper protection using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) (currently in preview)
+
+### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
+
+Your regular group policy doesnΓÇÖt apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
+
+### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
+
+Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups.
+
+### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
+
+If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources:
+- [Manage tamper protection for your organization with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
+- [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
+
+### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
+
+Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint).
+
+### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
+
+You wonΓÇÖt be able to change the features that are protected by tamper protection; such change requests are ignored.
+
+### IΓÇÖm an enterprise customer. Can local admins change tamper protection on their devices?
+
+No. Local admins cannot change or modify tamper protection settings.
+
+### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?
+
+If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.
+
+### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
+
+Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
+
+Your security operations team can also use hunting queries, such as the following example:
+
+`DeviceAlertEvents | where Title == "Tamper Protection bypass"`
+
+[View information about tampering attempts](#view-information-about-tampering-attempts).
+
+## See also
+
+[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+
+[Get an overview of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)
+
+[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
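Review bot: the tenant-attach section is inconsistent about Windows Server 2016. The opening sentence of "Manage tamper protection for your organization with Configuration Manager, version 2006" says settings can be managed on `Windows 10, Windows Server 2016, and Windows Server 2019`, but the NOTE directly under it (`extend tamper protection to devices running Windows 10 and Windows Server 2019`) and the FAQ answer (`tamper protection can be extended to Windows Server 2019`) name only Server 2019; either add Server 2016 to both or drop it from the first sentence. Two image references also look broken: `images/win-security- exp-policy-endpt-security.png` contains a space inside the file name, and `/images/securityrecs-tamperprotect.jpg` has a leading slash while every other image in the file uses the relative `images/` form. Smaller fixes: the mojibake in `doesnΓÇÖt`, `youΓÇÖve`, `wonΓÇÖt` and `IΓÇÖm` should be plain apostrophes (the same repair this commit already applied elsewhere), the FAQ heading `To which Windows OS versions is configuring tamper protection is applicable?` has a doubled `is`, `to do change security settings` should be `to change security settings`, the stray `++` line after `Set **Tamper Protection** to **On** or **Off**.` should go, and the hunting query `DeviceAlertEvents | where Title == "Tamper Protection bypass"` would be clearer in a fenced `kusto` block than as inline code.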
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
+
+ Title: Hide the Microsoft Defender Antivirus interface
+description: You can hide virus and threat protection tile in the Windows Security app.
+keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
+
+## Hide the Microsoft Defender Antivirus interface
+
+In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app.
+
+With the setting set to **Enabled**:
+
+![Screenshot of Windows Security without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png)
+
+With the setting set to **Disabled** or not configured:
+
+![Screenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png)
+
+>[!NOTE]
+>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+
+In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
+
+![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703](images/defender/wdav-headless-mode-1607.png)
+
+## Use Group Policy to hide the Microsoft Defender AV interface from users
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Administrative templates**.
+
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
+
+5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
+
+See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
+
+## Prevent users from pausing a scan
+
+You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+
+> [!NOTE]
+> This setting is not supported on Windows 10.
+
+### Use Group Policy to prevent users from pausing a scan
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
+
+5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
+
+## Related articles
+
+- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
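Review bot: the note `This setting is not supported on Windows 10.` under "Prevent users from pausing a scan" leaves the reader with no supported platform at all, in an article whose "Applies to" is Microsoft Defender for Endpoint; state which Windows versions the **Allow users to pause scan** policy does apply to, or say plainly that the section is for server SKUs only if that is the case. In the first paragraph under "Hide the Microsoft Defender Antivirus interface", `In Windows 10, versions 1703` is either a typo for `version 1703` or is missing `and later`; the later sentence `In earlier versions of Windows 10` suggests the latter, so the intended range should be spelled out. Typos: `preventing users form modifying` should be `from modifying`, and the NOTE ending `configure the notifications that appear on endpoints` is missing its closing period.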
security Report Monitor Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus.md
+
+ Title: Monitor and report on Microsoft Defender Antivirus protection
+description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI.
+keywords: siem, monitor, report, Microsoft Defender AV
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 12/07/2020++
+ms.technology: mde
++
+# Report on Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
+
+With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](/intune/introduction-intune).
+
+Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
+
+If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](/windows/win32/events/windows-events).
+
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](/windows/whats-new/whats-new-windows-10-version-1507-and-1511), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).
+
+These events can be centrally aggregated using the [Windows event collector](/windows/win32/wec/windows-event-collector). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
+
+You can also [monitor malware events using the Malware Assessment solution in Log Analytics](/azure/log-analytics/log-analytics-malware).
+
+For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-microsoft-defender-antivirus.md#ref2).
+
+## Related articles
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
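Review bot: the sentence `Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint` in the opening paragraph is missing a word (presumably `is part of`) and reads as a fragment. The link text `[(Deployment, management, and reporting options table)]` in the last paragraph carries stray parentheses inside the brackets; either move them outside the link or drop them. That last paragraph is also the only place this article mentions PowerShell, WMI or Azure, and it only points elsewhere; naming the cmdlet or WMI class a reader would use for status would make the page usable on its own, given that its title promises reporting.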
security Restore Quarantined Files Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus.md
+
+ Title: Restore quarantined files in Microsoft Defender AV
+description: You can restore files and folders that were quarantined by Microsoft Defender AV.
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 05/20/2020++
+ms.technology: mde
++
+# Restore quarantined files in Microsoft Defender AV
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
+
+1. Open **Windows Security**.
+2. Select **Virus & threat protection** and then click **Protection history**.
+3. In the list of all recent items, filter on **Quarantined Items**.
+4. Select an item you want to keep, and take an action, such as restore.
+
+> [!TIP]
+> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine).
+
+## Related articles
+
+- [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
+- [Review scan results](review-scan-results-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
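Review bot: the TIP `Restoring a file from quarantine can also be done using Command Prompt` names a shell rather than a tool; say which command-line utility the linked procedure uses. Its link target `/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine` also uses the old `microsoft-defender-atp` path while every other link in this file uses `/microsoft-365/security/defender-endpoint/`, so it should be updated to the new location rather than relying on a redirect. The `keywords:` front-matter field is empty. The Related articles list ends with three exclusion topics without saying why they matter here; if the intent is that a restored file will be detected and quarantined again on the next scan unless an exclusion is added, say that next to step 4 (`Select an item you want to keep, and take an action, such as restore.`), because that is the decision a reader restoring a file has to make, and it belongs beside the warning `If you are certain a quarantined file is not a threat`.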
security Review Scan Results Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md
+
+ Title: Review the results of Microsoft Defender AV scans
+description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
+keywords: scan results, remediation, full scan, quick scan
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/28/2020++
+ms.technology: mde
++
+# Review Microsoft Defender Antivirus scan results
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
++
+## Use Configuration Manager to review scan results
+
+See [How to monitor Endpoint Protection status](/configmgr/protect/deploy-use/monitor-endpoint-protection).
+
+## Use PowerShell cmdlets to review scan results
+
+The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
+
+```PowerShell
+Get-MpThreatDetection
+```
+
+![screenshot of PowerShell cmdlets and outputs](images/defender/wdav-get-mpthreatdetection.png)
+
+You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
+
+If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:
+
+```PowerShell
+Get-MpThreat
+```
+
+![screenshot of PowerShell](images/defender/wdav-get-mpthreat.png)
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+## Use Windows Management Instruction (WMI) to review scan results
+
+Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) classes.
++
+## Related articles
+
+- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
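Review bot: the heading `Use Windows Management Instruction (WMI) to review scan results` should read `Windows Management Instrumentation`; the same typo appears in the run-scan article in this commit, whose description line spells it correctly. The sentence `You can specify -ThreatID to limit the output to only show the detections for a specific threat.` should show the parameter in context (for example `Get-MpThreatDetection -ThreatID <id>`) so readers do not have to guess whether it is a switch or takes a value. The lone `+` lines before "Use Configuration Manager to review scan results" and before "Related articles" look like stray content rather than blank lines and should be cleaned up.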
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
+
+ Title: Run and customize on-demand scans in Microsoft Defender AV
+description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
+keywords: scan, on-demand, dos, intune, instant scan
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 11/13/2020++
+ms.technology: mde
++
+# Configure and run on-demand Microsoft Defender Antivirus scans
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
+
+## Quick scan versus full scan
+
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+
+> [!IMPORTANT]
+> Microsoft Defender Antivirus runs in the context of the [LocalSystem](/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+
+In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans.
+
+> [!NOTE]
+> By default, quick scans run on mounted removable devices, such as USB drives.
+
+## Use Microsoft Endpoint Manager to run a scan
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. Choose **Endpoint security** > **Antivirus**.
+3. In the list of tabs, select **Windows 10 unhealthy endpoints**.
+4. From the list of actions provided, select **Quick Scan** or **Full Scan**.
+
+[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox)
+
+> [!TIP]
+> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers).
+
+## Use the mpcmdrun.exe command-line utility to run a scan
+
+Use the following `-scan` parameter:
+
+```console
+mpcmdrun.exe -scan -scantype 1
+```
+
+For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md).
+
+## Use Microsoft Intune to run a scan
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan.
+3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**.
+
+## Use the Windows Security app to run a scan
+
+See [Run a scan in the Windows Security app](microsoft-defender-security-center-antivirus.md) for instructions on running a scan on individual endpoints.
+
+## Use PowerShell cmdlets to run a scan
+
+Use the following cmdlet:
+
+```PowerShell
+Start-MpScan
+```
+
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
+
+## Use Windows Management Instruction (WMI) to run a scan
+
+Use the [**Start** method](/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class.
+
+For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+
+## Related articles
+
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
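Review bot: the command `mpcmdrun.exe -scan -scantype 1` under "Use the mpcmdrun.exe command-line utility to run a scan" is introduced only as `Use the following -scan parameter:` without saying which scan type the value `1` selects; since the section above contrasts quick and full scans, the sentence should name the scan type this command runs and what value selects the other, rather than deferring entirely to the linked article. In the IMPORTANT note, `Ensure that the device has permissions to the access network share.` has the words out of order (`to access the network share`). The lightbox image `[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ]` has `IMAGE` as its alt text, which is useless for screen readers; describe the screenshot as the other images in this commit do. `Use Windows Management Instruction (WMI) to run a scan` should be `Instrumentation`, and the sentence `For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs]` lacks a closing period.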
security Scheduled Catch Up Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+
+ Title: Schedule regular quick and full scans with Microsoft Defender Antivirus
+description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 11/02/2020++
+ms.technology: mde
++
+# Configure scheduled quick or full Microsoft Defender Antivirus scans
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
++
+> [!NOTE]
+> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
+
+In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
+
+You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
+
+This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10).
+
+## To configure the Group Policy settings described in this article
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Administrative templates**.
+
+5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration.
+
+7. Click **OK**, and repeat for any other settings.
+
+Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
+
+## Quick scan versus full scan and custom scan
+
+When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
+
+Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-microsoft-defender-antivirus.md).
+
+A custom scan allows you to specify the files and folders to scan, such as a USB drive.
+
+>[!NOTE]
+>By default, quick scans run on mounted removable devices, such as USB drives.
+
+## Set up scheduled scans
+
+Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
+
+>[!NOTE]
+>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
+
+### Use Group Policy to schedule scans
+
+|Location | Setting | Description | Default setting (if not configured) |
+|:|:|:|:|
+|Scan | Specify the scan type to use for a scheduled scan | Quick scan |
+|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
+|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
+|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
++
+### Use PowerShell cmdlets to schedule scans
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanParameters
+Set-MpPreference -ScanScheduleDay
+Set-MpPreference -ScanScheduleTime
+Set-MpPreference -RandomizeScheduleTaskTimes
+
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to schedule scans
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+ScanParameters
+ScanScheduleDay
+ScanScheduleTime
+RandomizeScheduleTaskTimes
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
++++
+## Start scheduled scans only when the endpoint is not in use
+
+You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
+
+> [!NOTE]
+> These scans will not honor the CPU throttling configuration and take full advantage of the resources available to complete the scan as fast as possible.
+
+### Use Group Policy to schedule scans
+
+|Location | Setting | Description | Default setting (if not configured) |
+|:|:|:|:|
+|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled |
+
+### Use PowerShell cmdlets
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanOnlyIfIdleEnabled
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI)
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+ScanOnlyIfIdleEnabled
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+
+<a id="remed"></a>
+## Configure when full scans should be run to complete remediation
+
+Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
+
+### Use Group Policy to schedule remediation-required scans
+
+| Location | Setting | Description | Default setting (if not configured) |
+|||||
+|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never |
+|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
+
+### Use PowerShell cmdlets
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -RemediationScheduleDay
+Set-MpPreference -RemediationScheduleTime
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI)
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+RemediationScheduleDay
+RemediationScheduleTime
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
++++
+## Set up daily quick scans
+
+You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
++
+### Use Group Policy to schedule daily scans
++
+|Location | Setting | Description | Default setting (if not configured) |
+|:|:|:|:|
+|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
+|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
+
+### Use PowerShell cmdlets to schedule daily scans
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanScheduleQuickScanTime
+```
+
+See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to schedule daily scans
+
+Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+
+```WMI
+ScanScheduleQuickScanTime
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
++
+## Enable scans after protection updates
+
+You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy.
+
+### Use Group Policy to schedule scans after protection updates
+
+|Location | Setting | Description | Default setting (if not configured)|
+|:|:|:|:|
+|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled |
+
+## See also
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
+- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
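Review bot: the first row of the "Use Group Policy to schedule scans" table, `|Scan | Specify the scan type to use for a scheduled scan | Quick scan |`, has three cells where the header has four, so "Quick scan" lands under Description and the Default column is empty; add a Description cell (for example "Specify whether the scheduled scan is a quick or full scan.") so the default reads in the right column. The delimiter rows `|:|:|:|:|` and `|||||` are also not valid Markdown table separators (each cell needs at least one hyphen, such as `|:--|:--|:--|:--|`), so these tables may not render as tables at all. Smaller points: the "To configure the Group Policy settings" list numbers its steps 1, 3, 4, 5, 6, 7 with no step 2; "configure schedules scans" should be "scheduled scans"; the four "Windows Management Instruction (WMI)" headings should read "Instrumentation"; and the daily quick scan section documents two Group Policy settings (interval and time of day) but only one cmdlet and one WMI property, `ScanScheduleQuickScanTime`, so the interval setting has no PowerShell or WMI counterpart on the page. The cmdlet blocks also show no argument values; stating the accepted values (as the table does for time, minutes after midnight) would make them usable as written.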
security Specify Cloud Protection Level Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
+
+ Title: Specify the cloud-delivered protection level for Microsoft Defender Antivirus
+description: Set your level of cloud-delivered protection for Microsoft Defender Antivirus.
+keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
++ Last updated : 10/26/2020+++
+ms.technology: mde
++
+# Specify the cloud-delivered protection level
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.
+
+> [!TIP]
+> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates.
+> Microsoft Intune and Microsoft Endpoint Manager are now part of [Microsoft Endpoint Manager](/mem/endpoint-manager-overview).
++
+## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Choose **Endpoint security** > **Antivirus**.
+
+3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).
+
+4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
+
+5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
+
+ 1. **High**: Applies a strong level of detection.
+ 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
+ 3. **Zero tolerance**: Blocks all unknown executables.
+
+6. Choose **Review + save**, and then choose **Save**.
+
+> [!TIP]
+> Need some help? See the following resources:
+> - [Configure Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
+> - [Add endpoint protection settings in Intune](/mem/intune/protect/endpoint-protection-configure)
+
+
+## Use Group Policy to specify the level of cloud-delivered protection
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
+
+2. Right-click the Group Policy Object you want to configure, and then click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**.
+
+4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**.
+
+5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+ - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **Moderate blocking level** provides moderate only for high confidence detections
+ - **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
+ - **High + blocking level** applies additional protection measures (might impact client performance and increase your chance of false positives).
+ - **Zero tolerance blocking level** blocks all unknown executables.
+
+ > [!WARNING]
+ > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
+
+6. Click **OK**.
+
+7. Deploy your updated Group Policy Object. See [Group Policy Management Console](/windows/win32/srvnodes/group-policy)
+
+> [!TIP]
+> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](/mem/intune/configuration/group-policy-analytics).
+
+## Related articles
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
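Review bot: the Endpoint Manager and Group Policy procedures disagree on the available levels: the Endpoint Manager list offers only High, High plus and Zero tolerance, while the Group Policy list adds Default blocking level and Moderate blocking level; either the Endpoint Manager list is incomplete or the difference should be called out, since an admin comparing the two will assume the levels map one-to-one. The Moderate entry itself is truncated: "Moderate blocking level provides moderate only for high confidence detections" is missing its noun (presumably "moderate detection" or "blocking") and a terminal period. The tip "Microsoft Intune and Microsoft Endpoint Manager are now part of Microsoft Endpoint Manager" is circular; the second name is presumably Microsoft Endpoint Configuration Manager. Also, step 3 of the Endpoint Manager procedure opens a parenthesis "(If you don't have one yet, ..." that is never closed, and step 7 "See [Group Policy Management Console](...)" lacks a period.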
security Troubleshoot Microsoft Defender Antivirus When Migrating https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating.md
+
+ Title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
+description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
+keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++ Last updated : 09/11/2018++
+ms.technology: mde
++
+# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
++
+You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
+
+## Review event logs
+
+Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
+
+Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
+
+From there, select **Open** underneath **Operational**.
+
+Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs.
+
+## Microsoft Defender Antivirus won't start
+
+This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
+
+### Associated event IDs
+
+ Event ID | Log name | Description | Source
+-|-|-|-
+15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center
+5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.<br /><br />**Old value:** Default\IsServiceRunning = 0x0<br />**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
+5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
+
+### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
+
+On a Windows 10 device, if you are not using Microsoft Defender for Endpoint, and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender for Endpoint with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
+
+> [!TIP]
+> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
+
+#### Use Services app to check if Microsoft Defender Antivirus is turned off
+
+To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
+
+Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
+
+While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual ΓÇö but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
+
+This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
+
+#### Generate a detailed report
+
+You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
+
+```powershell
+GPresult.exe /h gpresult.html
+```
+
+This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
+
+##### Group policy results
+
+##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM)
+
+Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
+
+Policy | Setting | Winning GPO
+-|-|-
+Turn off Windows Defender Antivirus | Enabled | Win10-Workstations
+
+###### If security settings are implemented via Group policy preference (GPP)
+
+Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
+
+DisableAntiSpyware | -
+-|-
+Winning GPO | Win10-Workstations
+Result: Success |
+**General** |
+Action | Update
+**Properties** |
+Hive | HKEY_LOCAL_MACHINE
+Key path | SOFTWARE\Policies\Microsoft\Windows Defender
+Value name | DisableAntiSpyware
+Value type | REG_DWORD
+Value data | 0x1 (1)
+
+###### If security settings are implemented via registry key
+
+The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:
+
+> Registry (regedit.exe)
+>
+> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
+> DisableAntiSpyware (dword) 1 (hex)
+
+###### If security settings are set in Windows or your Windows Server image
+
+Your imagining admin might have set the security policy, **[DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
+
+### Turn Microsoft Defender Antivirus back on
+
+Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
+
+> [!WARNING]
+> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
+
+Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview) is deployed.
+
+Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
+
+> [!IMPORTANT]
+> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
+
+### See also
+
+* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
+* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)
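Review bot: the sentence "Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**" gives the Event Viewer log path (the same one the "Review event logs" section uses), not a location in the Services app; the Services snap-in is a flat list, so this should just say to look for *Windows Defender Antivirus Service* in the list. There is also an encoding defect: "set to manual ΓÇö but" is a UTF-8 em dash read as CP437 and should be a plain dash or comma. Typos: "imagining admin" should be "imaging admin", and "though System center configuration manager" should be "through". The heading "If security settings are implemented via group policy (GPO) ..." is `#####` while its sibling cases ("via Group policy preference", "via registry key", "set in Windows ... image") are `######`, so the GPO case renders as a parent of the others rather than one case among four. Finally, the 5007 example in the event table shows IsServiceRunning going from 0x0 to 0x1, which reads as the service starting rather than stopping; worth confirming that this is the event text seen when Defender AV is turned off, since the section is about the service not starting.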
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
+
+ Title: Microsoft Defender AV event IDs and error codes
+description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
+keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++ Last updated : 09/11/2018++
+ms.technology: mde
++
+# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
+
+The tables list:
+
+- [Microsoft Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
+- [Microsoft Defender Antivirus client error codes](#error-codes)
+- [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
+
+> [!TIP]
+> You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
+>
+> - Cloud-delivered protection
+> - Fast learning (including Block at first sight)
+> - Potentially unwanted application blocking
+
+<a id="windows-defender-av-ids"></a>
+## Microsoft Defender Antivirus event IDs
+
+Microsoft Defender Antivirus records event IDs in the Windows event log.
+
+You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Microsoft Defender Antivirus client event IDs](troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+
+The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
+
+## To view a Microsoft Defender Antivirus event
+
+1. Open **Event Viewer**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+3. Double-click on **Operational**.
+4. In the details pane, view the list of individual events to find your event.
+5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
+
+<table>
+<tr>
+<th colspan="2" >Event ID: 1000</th>
+</tr>
+<tr>
+<td>
+Symbolic name:
+</td>
+<td>
+<b>MALWAREPROTECTION_SCAN_STARTED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>An antimalware scan started.
+</b>
+</td>
+</tr>
+<tr>
+<td >
+Description:
+</td>
+<td >
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>Scan Resources: &lt;Resources (such as files/directories/BHO) that were scanned.&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1001</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SCAN_COMPLETED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>An antimalware scan finished.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Scan Time: &lt;The duration of a scan.&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1002</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SCAN_CANCELLED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>An antimalware scan was stopped before it finished.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;&amp;lt;User&gt;</dt>
+<dt>Scan Time: &lt;The duration of a scan.&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1003</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SCAN_PAUSED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>An antimalware scan was paused.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1004</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SCAN_RESUMED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>An antimalware scan was resumed.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1005</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SCAN_FAILED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>An antimalware scan failed.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+<dl>
+<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
+<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+</ul>
+</dt>
+<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
+<li>Full scan</li>
+<li>Quick scan</li>
+<li>Customer scan</li>
+</ul>
+</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Microsoft Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
+To troubleshoot this event:
+<ol>
+<li>Run the scan again.</li>
+<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1006</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_MALWARE_DETECTED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine found malware or other potentially unwanted software.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>Status: &lt;Status&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1007</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_MALWARE_ACTION_TAKEN
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
+<dl>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Status: &lt;Status&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1008</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_MALWARE_ACTION_FAILED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
+<dl>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values. </dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Status: &lt;Status&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1009</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_QUARANTINE_RESTORE
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform restored an item from quarantine.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has restored an item from quarantine. For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1010</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform could not restore an item from quarantine.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values. </dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1011</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_QUARANTINE_DELETE</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform deleted an item from quarantine.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has deleted an item from quarantine.<br/>For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1012</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_QUARANTINE_DELETE_FAILED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform could not delete an item from quarantine.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to delete an item from quarantine.
+For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values. </dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1013</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_MALWARE_HISTORY_DELETE
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform deleted history of malware and other potentially unwanted software.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has removed history of malware and other potentially unwanted software.
+<dl>
+<dt>Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1014</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+The antimalware platform could not delete history of malware and other potentially unwanted software.
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
+<dl>
+<dt>Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values. </dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1015</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_BEHAVIOR_DETECTED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform detected suspicious behavior.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has detected a suspicious behavior.<br/>For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>Status: &lt;Status&gt;</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Signature ID: Enumeration matching severity.</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+<dt>Fidelity Label:</dt>
+<dt>Target File Name: &lt;File name&gt;
+Name of the file.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1116</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_STATE_MALWARE_DETECTED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform detected malware or other potentially unwanted software.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has detected malware or other potentially unwanted software.<br/>For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+No action is required. Microsoft Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Microsoft Defender Antivirus interface, click <b>Clean Computer</b>.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1117</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.<br/>For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Action Status: &lt;Description of additional actions&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+NOTE:
+Whenever Microsoft Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:<ul>
+<li>Default Internet Explorer or Microsoft Edge setting</li>
+<li>User Access Control settings</li>
+<li>Chrome settings</li>
+<li>Boot Control Data</li>
+<li>Regedit and Task Manager registry settings</li>
+<li>Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service</li>
+<li>Windows Operating System files</li></ul>
+The above context applies to the following client and server versions:
+<table>
+<tr>
+<th>Operating system</th>
+<th>Operating system version</th>
+</tr>
+<tr>
+<td>
+Client Operating System
+</td>
+<td>
+Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
+</td>
+</tr>
+<tr>
+<td>
+Server Operating System
+</td>
+<td>
+Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
+</td>
+</tr>
+</table>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+No action is necessary. Microsoft Defender Antivirus removed or quarantined a threat.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1118</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.<br/>For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Action Status: &lt;Description of additional actions&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+No action is necessary. Microsoft Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1119</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.<br/>For more information, see the following:
+<dl>
+<dt>Name: &lt;Threat name&gt;</dt>
+<dt>ID: &lt;Threat ID&gt;</dt>
+<dt>Severity: &lt;Severity&gt;, for example:<ul>
+<li>Low</li>
+<li>Moderate</li>
+<li>High</li>
+<li>Severe</li>
+</ul>
+</dt>
+<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
+<dt>Path: &lt;File path&gt;</dt>
+<dt>Detection Origin: &lt;Detection origin&gt;, for example:
+<ul>
+<li>Unknown</li>
+<li>Local computer</li>
+<li>Network share</li>
+<li>Internet</li>
+<li>Incoming traffic</li>
+<li>Outgoing traffic</li>
+</ul>
+</dt>
+<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
+<li>Heuristics</li>
+<li>Generic</li>
+<li>Concrete</li>
+<li>Dynamic signature</li>
+</ul>
+</dt>
+<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
+<li>User: user initiated</li>
+<li>System: system initiated</li>
+<li>Real-time: real-time component initiated</li>
+<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
+<li>NIS: Network inspection system</li>
+<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
+<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
+<li>Remote attestation</li>
+</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
+UAC</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Process Name: &lt;Process in the PID&gt;</dt>
+<dt>Action: &lt;Action&gt;, for example:<ul>
+<li>Clean: The resource was cleaned</li>
+<li>Quarantine: The resource was quarantined</li>
+<li>Remove: The resource was deleted</li>
+<li>Allow: The resource was allowed to execute/exist</li>
+<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
+<li>No action: No action</li>
+<li>Block: The resource was blocked from executing</li>
+</ul>
+</dt>
+<dt>Action Status: &lt;Description of additional actions&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+The Microsoft Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant <b>User action</b> steps below.
+<table>
+<tr>
+<th>Action</th>
+<th>User action</th>
+</tr>
+<tr>
+<td>
+<b>Remove</b>
+</td>
+<td>
+Update the definitions then verify that the removal was successful.
+</td>
+</tr>
+<tr>
+<td>
+<b>Clean</b>
+</td>
+<td>
+Update the definitions then verify that the remediation was successful.
+</td>
+</tr>
+<tr>
+<td>
+<b>Quarantine</b>
+</td>
+<td>
+Update the definitions and verify that the user has permission to access the necessary resources.
+</td>
+</tr>
+<tr>
+<td>
+<b>Allow</b>
+</td>
+<td>
+Verify that the user has permission to access the necessary resources.
+</td>
+</tr>
+</table>
+
+If this event persists:<ol>
+<li>Run the scan again.</li>
+<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1120</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_THREAT_HASH</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Microsoft Defender Antivirus has deduced the hashes for a threat resource.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus client is up and running in a healthy state.
+<dl>
+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
+<dt>Threat Resource Path: &lt;Path&gt;</dt>
+<dt>Hashes: &lt;Hashes&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td></td>
+<td >
+<div class="alert"><b>Note: This event will only be logged if the following policy is set: <b>ThreatFileHashLogging unsigned</b>.</div>
+<div> </div>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 1150</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SERVICE_HEALTHY</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus client is up and running in a healthy state.
+<dl>
+<dt>Platform Version: &lt;Current platform version&gt;</dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
+</td>
+</tr>
+
+<tr>
+<th colspan="2">Event ID: 1151</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SERVICE_HEALTH_REPORT</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Endpoint Protection client health report (time in UTC)
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Antivirus client health report.
+<dl>
+<dt>Platform Version: &lt;Current platform version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
+<dt>Network Realtime Inspection engine version: &lt;Network Realtime Inspection engine version&gt;</dt>
+<dt>Antivirus signature version: &lt;Antivirus signature version&gt;</dt>
+<dt>Antispyware signature version: &lt;Antispyware signature version&gt;</dt>
+<dt>Network Realtime Inspection signature version: &lt;Network Realtime Inspection signature version&gt;</dt>
+<dt>RTP state: &lt;Realtime protection state&gt; (Enabled or Disabled)</dt>
+<dt>OA state: &lt;On Access state&gt; (Enabled or Disabled)</dt>
+<dt>IOAV state: &lt;IE Downloads and Outlook Express Attachments state&gt; (Enabled or Disabled)</dt>
+<dt>BM state: &lt;Behavior Monitoring state&gt; (Enabled or Disabled)</dt>
+<dt>Antivirus signature age: &lt;Antivirus signature age&gt; (in days)</dt>
+<dt>Antispyware signature age: &lt;Antispyware signature age&gt; (in days)</dt>
+<dt>Last quick scan age: &lt;Last quick scan age&gt; (in days)</dt>
+<dt>Last full scan age: &lt;Last full scan age&gt; (in days)</dt>
+<dt>Antivirus signature creation time: ?&lt;Antivirus signature creation time&gt;</dt>
+<dt>Antispyware signature creation time: ?&lt;Antispyware signature creation time&gt;</dt>
+<dt>Last quick scan start time: ?&lt;Last quick scan start time&gt;</dt>
+<dt>Last quick scan end time: ?&lt;Last quick scan end time&gt;</dt>
+<dt>Last quick scan source: &lt;Last quick scan source&gt; (0 = scan didn&#39;t run, 1 = user initiated, 2 = system initiated)</dt>
+<dt>Last full scan start time: ?&lt;Last full scan start time&gt;</dt>
+<dt>Last full scan end time: ?&lt;Last full scan end time&gt;</dt>
+<dt>Last full scan source: &lt;Last full scan source&gt; (0 = scan didn&#39;t run, 1 = user initiated, 2 = system initiated)</dt>
+<dt>Product status: For internal troubleshooting
+</dl>
+</td>
+</tr>
+
+<tr>
+<th colspan="2">Event ID: 2000</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SIGNATURE_UPDATED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware definitions updated successfully.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Antivirus signature version has been updated.
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Update Type: &lt;Update type&gt;, either Full or Delta.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2001</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The security intelligence update failed.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to update signatures.
+<dl>
+<dt>New security intelligence version: &lt;New version number&gt;</dt>
+<dt>Previous security intelligence version: &lt;Previous version&gt;</dt>
+<dt>Update Source: &lt;Update source&gt;, for example:
+<ul>
+<li>Security intelligence update folder</li>
+<li>Internal security intelligence update server</li>
+<li>Microsoft Update Server</li>
+<li>File share</li>
+<li>Microsoft Malware Protection Center (MMPC)</li>
+</ul>
+</dt>
+<dt>Update Stage: &lt;Update stage&gt;, for example:
+<ul>
+<li>Search</li>
+<li>Download</li>
+<li>Install</li>
+</ul>
+</dt>
+<dt>Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Update Type: &lt;Update type&gt;, either Full or Delta.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+This error occurs when there is a problem updating definitions.
+To troubleshoot this event:
+<ol>
+<li><a href="manage-updates-baselines-microsoft-defender-antivirus.md" data-raw-source="[Update definitions](manage-updates-baselines-microsoft-defender-antivirus.md)">Update definitions</a> and force a rescan directly on the endpoint.</li>
+<li>Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2002</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_ENGINE_UPDATED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine updated successfully.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus engine version has been updated.
+<dl>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
+<dt>Engine Type: &lt;Engine type&gt;, either antimalware engine or Network Inspection System engine.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2003</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_ENGINE_UPDATE_FAILED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine update failed.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to update the engine.
+<dl>
+<dt>New Engine Version:</dt>
+<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
+<dt>Engine Type: &lt;Engine type&gt;, either antimalware engine or Network Inspection System engine.</dt>
+<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
+To troubleshoot this event:
+<ol>
+<li><a href="manage-updates-baselines-microsoft-defender-antivirus.md" data-raw-source="[Update definitions](manage-updates-baselines-microsoft-defender-antivirus.md)">Update definitions</a> and force a rescan directly on the endpoint.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2004</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SIGNATURE_REVERSION</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
+<dl>
+<dt>Signatures Attempted:</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Signature Version: &lt;Definition version&gt;</dt>
+<dt>Engine Version: &lt;Antimalware engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus will attempt to revert back to a known-good set of definitions.
+To troubleshoot this event:
+<ol>
+<li>Restart the computer and try again.</li>
+<li>Download the latest definitions from the <a href="https://aka.ms/wdsi">Microsoft Security Intelligence site</a>.
+Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
+</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2005</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus could not load antimalware engine because current platform version is not supported. Microsoft Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
+<dl>
+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2006</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The platform update failed.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to update the platform.
+<dl>
+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2007</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.
+<dl>
+<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2010</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine used the Dynamic Signature Service to get additional definitions.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus used <i>Dynamic Signature Service</i> to retrieve additional signatures to help protect your machine.
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
+<ul>
+<li>Version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+<li>Duration</li>
+</ul>
+</dt>
+<dt>Persistence Path: &lt;Path&gt;</dt>
+<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
+<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
+<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
+<ul>
+<li>VDM version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+</ul>
+</dt>
+<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2011</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The Dynamic Signature Service deleted the out-of-date dynamic definitions.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus used <i>Dynamic Signature Service</i> to discard obsolete signatures.
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
+<ul>
+<li>Version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+<li>Duration</li>
+</ul>
+</dt>
+<dt>Persistence Path: &lt;Path&gt;</dt>
+<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
+<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
+<dt>Removal Reason:</dt>
+<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
+<ul>
+<li>VDM version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+</ul>
+</dt>
+<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2012</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine encountered an error when trying to use the Dynamic Signature Service.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to use <i>Dynamic Signature Service</i>.
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
+<li>Antivirus</li>
+<li>Antispyware</li>
+<li>Antimalware</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
+<ul>
+<li>Version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+<li>Duration</li>
+</ul>
+</dt>
+<dt>Persistence Path: &lt;Path&gt;</dt>
+<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
+<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
+<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
+<ul>
+<li>VDM version</li>
+<li>Timestamp</li>
+<li>No limit</li>
+</ul>
+</dt>
+<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+Check your Internet connectivity settings.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2013</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The Dynamic Signature Service deleted all dynamic definitions.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus discarded all <i>Dynamic Signature Service</i> signatures.
+<dl>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2020</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine downloaded a clean file.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus downloaded a clean file.
+<dl>
+<dt>Filename: &lt;File name&gt;
+Name of the file.</dt>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2021</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine failed to download a clean file.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to download a clean file.
+<dl>
+<dt>Filename: &lt;File name&gt;
+Name of the file.</dt>
+<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
+<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+Check your Internet connectivity settings.
+The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2030</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine was downloaded and is configured to run offline on the next system restart.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2031</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine was unable to download and configure an offline scan.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has encountered an error trying to download and configure offline antivirus.
+<dl>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2040</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_OS_EXPIRING
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Antimalware support for this operating system version will soon end.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2041</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_OS_EOL
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 2042</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_PROTECTION_EOL
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 3002</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_RTP_FEATURE_FAILURE
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Real-time protection encountered an error and failed.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
+<dl>
+<dt>Feature: &lt;Feature&gt;, for example:
+<ul>
+<li>On Access</li>
+<li>Internet Explorer downloads and Microsoft Outlook Express attachments</li>
+<li>Behavior monitoring</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+<dt>Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+You should restart the system then run a full scan because it&#39;s possible the system was not protected for some time.
+The Microsoft Defender Antivirus client&#39;s real-time protection feature encountered an error because one of the services failed to start.
+If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 3007</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_RTP_FEATURE_RECOVERED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
+<dl>
+<dt>Feature: &lt;Feature&gt;, for example:
+<ul>
+<li>On Access</li>
+<li>IE downloads and Outlook Express attachments</li>
+<li>Behavior monitoring</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+The real-time protection feature has restarted. If this event happens again, contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5000</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_RTP_ENABLED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Real-time protection is enabled.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5001</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_RTP_DISABLED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Real-time protection is disabled.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5004</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The real-time protection configuration changed.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus real-time protection feature configuration has changed.
+<dl>
+<dt>Feature: &lt;Feature&gt;, for example:
+<ul>
+<li>On Access</li>
+<li>IE downloads and Outlook Express attachments</li>
+<li>Behavior monitoring</li>
+<li>Network Inspection System</li>
+</ul>
+</dt>
+<dt>Configuration: </dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5007</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_CONFIG_CHANGED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform configuration changed.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
+<dl>
+<dt>Old value: &lt;Old value number&gt;
+Old antivirus configuration value.</dt>
+<dt>New value: &lt;New value number&gt;
+New antivirus configuration value.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5008</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_ENGINE_FAILURE</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware engine encountered an error and failed.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus engine has been terminated due to an unexpected error.
+<dl>
+<dt>Failure Type: &lt;Failure type&gt;, for example:
+Crash
+or Hang</dt>
+<dt>Exception Code: &lt;Error code&gt;</dt>
+<dt>Resource: &lt;Resource&gt;</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+To troubleshoot this event:<ol>
+<li>Try to restart the service.<ul>
+<li>For antimalware, antivirus and spyware, at an elevated command prompt, type <b>net stop msmpsvc</b>, and then type <b>net start msmpsvc</b> to restart the antimalware engine.</li>
+<li>For the <i>Network Inspection System</i>, at an elevated command prompt, type <b>net start nissrv</b>, and then type <b>net start nissrv</b> to restart the <i>Network Inspection System</i> engine by using the NiSSRV.exe file.
+</li>
+</ul>
+</li>
+<li>If it fails in the same way, look up the error code by accessing the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support Site</a> and entering the error number in the <b>Search</b> box, and contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.</li>
+</ol>
+</td>
+</tr>
+<tr>
+<td>
+User action:
+</td>
+<td >
+The Microsoft Defender Antivirus client engine stopped due to an unexpected error.
+To troubleshoot this event:
+<ol>
+<li>Run the scan again.</li>
+<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
+<li>Contact <a href="https://go.microsoft.com/fwlink/?LinkId=215491">Microsoft Technical Support</a>.
+</li>
+</ol>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5009</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_ANTISPYWARE_ENABLED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Scanning for malware and other potentially unwanted software is enabled.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5010</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_ANTISPYWARE_DISABLED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Scanning for malware and other potentially unwanted software is disabled.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5011</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_ANTIVIRUS_ENABLED</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Scanning for viruses is enabled.</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus scanning for viruses has been enabled.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5012</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_ANTIVIRUS_DISABLED
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>Scanning for viruses is disabled.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus scanning for viruses is disabled.
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5100</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_EXPIRATION_WARNING_STATE
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform will expire soon.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
+<dl>
+<dt>Expiration Reason: The reason Microsoft Defender Antivirus will expire.</dt>
+<dt>Expiration Date: The date Microsoft Defender Antivirus will expire.</dt>
+</dl>
+</td>
+</tr>
+<tr>
+<th colspan="2">Event ID: 5101</th>
+</tr>
+<tr><td>
+Symbolic name:
+</td>
+<td >
+<b>MALWAREPROTECTION_DISABLED_EXPIRED_STATE
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Message:
+</td>
+<td >
+<b>The antimalware platform is expired.
+</b>
+</td>
+</tr>
+<tr>
+<td>
+Description:
+</td>
+<td >
+Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
+<dl>
+<dt>Expiration Reason:</dt>
+<dt>Expiration Date: </dt>
+<dt>Error Code: &lt;Error code&gt;
+Result code associated with threat status. Standard HRESULT values.</dt>
+<dt>Error Description: &lt;Error description&gt;
+Description of the error. </dt>
+</dl>
+</td>
+</tr>
+</table>
+
+<a id="error-codes"></a>
+## Microsoft Defender Antivirus client error codes
+If Microsoft Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
+This section provides the following information about Microsoft Defender Antivirus client errors.
+- The error code
+- The possible reason for the error
+- Advice on what to do now
+
+Use the information in these tables to help troubleshoot Microsoft Defender Antivirus error codes.
++
+<table>
+<tr>
+<th colspan="2">Error code: 0x80508007</th>
+</tr>
+<tr>
+<td>Message</td>
+<td>
+<b>ERR_MP_NO_MEMORY </b>
+</td>
+</tr>
+<tr>
+<td>
+Possible reason
+</td>
+<td>
+This error indicates that you might have run out of memory.
+</td>
+</tr>
+<tr>
+<td>Resolution</td>
+<td>
+<ol>
+<li>Check the available memory on your device.</li>
+<li>Close any unused applications that are running to free up memory on your device.</li>
+<li>Restart the device and run the scan again.
+</li>
+</ol>
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x8050800C</th>
+</tr><tr><td>Message</td>
+<td><b>ERR_MP_BAD_INPUT_DATA</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that there might be a problem with your security product.
+</td>
+</tr><tr><td>Resolution</td><td>
+<ol>
+<li>Update the definitions. Either:<ol>
+<li>Click the <b>Update definitions</b> button on the <b>Update</b> tab in Microsoft Defender Antivirus. <img src="images/defender-updatedefs2.png" alt="Update definitions in Microsoft Defender Antivirus"/>Or,
+</li>
+<li>Download the latest definitions from the <a href="https://aka.ms/wdsi">Microsoft Security Intelligence site</a>.
+Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
+</li>
+</ol>
+</li>
+<li>Run a full scan.
+</li>
+<li>Restart the device and try again.</li>
+</ol>
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508020</th>
+</tr><tr><td>Message</td>
+<td><b>ERR_MP_BAD_CONFIGURATION
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that there might be an engine configuration error; commonly, this is related to input
+data that does not allow the engine to function properly.
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x805080211
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERR_MP_QUARANTINE_FAILED
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that Microsoft Defender Antivirus failed to quarantine a threat.
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508022
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERR_MP_REBOOT_REQUIRED
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that a reboot is required to complete threat removal.
+</td>
+</tr>
+<tr>
+<th colspan="2">
+0x80508023
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERR_MP_THREAT_NOT_FOUND
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
+</tr><tr><td>Resolution
+</td>
+<td>
+Run the <a href="https://www.microsoft.com/security/scanner/default.aspx">Microsoft Safety Scanner</a> then update your security software and try again.
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508024 </th></tr>
+<tr>
+<td>Message</td>
+<td><b>ERR_MP_FULL_SCAN_REQUIRED
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that a full system scan might be required.
+</td></tr>
+<tr>
+<td>Resolution</td><td>
+Run a full system scan.
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508025
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERR_MP_MANUAL_STEPS_REQUIRED
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that manual steps are required to complete threat removal.
+</td></tr><tr><td>Resolution</td><td>
+Follow the manual remediation steps outlined in the <a href="https://www.microsoft.com/security/portal/threat/Threats.aspx">Microsoft Malware Protection Encyclopedia</a>. You can find a threat-specific link in the event history.<br/></td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508026
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERR_MP_REMOVE_NOT_SUPPORTED
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that removal inside the container type might not be not supported.
+</td></tr><tr><td>Resolution</td><td>
+Microsoft Defender Antivirus is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508027
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERR_MP_REMOVE_LOW_MEDIUM_DISABLED
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that removal of low and medium threats might be disabled.
+</td></tr><tr><td>Resolution</td><td>
+Check the detected threats and resolve them as required.
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508029
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERROR_MP_RESCAN_REQUIRED
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates a rescan of the threat is required.
+</td></tr><tr><td>Resolution</td><td>
+Run a full system scan.
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508030
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERROR_MP_CALLISTO_REQUIRED
+</b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that an offline scan is required.
+</td></tr><tr><td>Resolution</td><td>
+Run offline Microsoft Defender Antivirus. You can read about how to do this in the <a href="https://windows.microsoft.com/windows/what-is-windows-defender-offline">offline Microsoft Defender Antivirus article</a>.
+</td>
+</tr>
+<tr>
+<th colspan="2">Error code: 0x80508031
+</th>
+</tr><tr><td>Message</td>
+<td><b>ERROR_MP_PLATFORM_OUTDATED<br/></b>
+</td></tr><tr><td>Possible reason</td>
+<td>
+This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
+</td></tr><tr><td>Resolution</td><td>
+You can only use Microsoft Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.<br/></td>
+</tr>
+</table>
+
+<a id="internal-error-codes"></a>
+The following error codes are used during internal testing of Microsoft Defender Antivirus.
+
+If you see these errors, you can try to [update definitions](manage-updates-baselines-microsoft-defender-antivirus.md) and force a rescan directly on the endpoint.
++
+<table>
+<tr>
+<th colspan="3">Internal error codes</th>
+</tr>
+<tr>
+<th><b>Error code</b></th>
+<th>Message displayed</th>
+<th>Possible reason for error and resolution</th>
+</tr>
+<tr>
+<td>
+0x80501004
+</td>
+<td>
+<b>ERROR_MP_NO_INTERNET_CONN
+</b>
+</td>
+<td>
+Check your Internet connection, then run the scan again.
+</td>
+</tr>
+<tr>
+<td>
+0x80501000
+</td>
+<td>
+<b>ERROR_MP_UI_CONSOLIDATION_BAS</b>E
+</td>
+<td rowspan="34">
+This is an internal error. The cause is not clearly defined.
+</td>
+<td rowspan="36">
+
+</td>
+</tr>
+<tr>
+<td>
+0x80501001
+</td>
+<td>
+<b>ERROR_MP_ACTIONS_FAILED</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501002
+</td>
+<td>
+<b>ERROR_MP_NOENGINE</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501003
+</td>
+<td>
+<b>ERROR_MP_ACTIVE_THREATS</b>
+</td>
+</tr>
+<tr>
+<td>
+0x805011011
+</td>
+<td>
+<b>MP_ERROR_CODE_LUA_CANCELLED </b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501101
+</td>
+<td>
+<b>ERROR_LUA_CANCELLATION </b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501102
+</td>
+<td>
+<b>MP_ERROR_CODE_ALREADY_SHUTDOWN</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501103
+</td>
+<td>
+<b>MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING </b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501104
+</td>
+<td>
+<b>MP_ERROR_CODE_CANCELLED</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501105
+</td>
+<td>
+<b>MP_ERROR_CODE_NO_TARGETOS</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501106
+</td>
+<td>
+<b>MP_ERROR_CODE_BAD_REGEXP</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501107
+</td>
+<td>
+<b>MP_ERROR_TEST_INDUCED_ERROR</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80501108
+</td>
+<td>
+<b>MP_ERROR_SIG_BACKUP_DISABLED</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508001
+</td>
+<td>
+<b>ERR_MP_BAD_INIT_MODULES</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508002
+</td>
+<td>
+<b>ERR_MP_BAD_DATABASE</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508004
+</td>
+<td>
+<b>ERR_MP_BAD_UFS </b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050800C
+</td>
+<td>
+<b>ERR_MP_BAD_INPUT_DATA</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050800D
+</td>
+<td>
+<b>ERR_MP_BAD_GLOBAL_STORAGE</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050800E
+</td>
+<td>
+<b>ERR_MP_OBSOLETE</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050800F
+</td>
+<td>
+<b>ERR_MP_NOT_SUPPORTED</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050800F
+0x80508010
+</td>
+<td>
+<b>ERR_MP_NO_MORE_ITEMS </b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508011
+</td>
+<td>
+<b>ERR_MP_DUPLICATE_SCANID</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508012
+</td>
+<td>
+<b>ERR_MP_BAD_SCANID</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508013
+</td>
+<td>
+<b>ERR_MP_BAD_USERDB_VERSION</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508014
+</td>
+<td>
+<b>ERR_MP_RESTORE_FAILED</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508016
+</td>
+<td>
+<b>ERR_MP_BAD_ACTION</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80508019
+</td>
+<td>
+<b>ERR_MP_NOT_FOUND</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80509001
+</td>
+<td>
+<b>ERR_RELO_BAD_EHANDLE</b>
+</td>
+</tr>
+<tr>
+<td>
+0x80509003
+</td>
+<td>
+<b>ERR_RELO_KERNEL_NOT_LOADED</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050A001
+</td>
+<td>
+<b>ERR_MP_BADDB_OPEN</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050A002
+</td>
+<td>
+<b>ERR_MP_BADDB_HEADER</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050A003
+</td>
+<td>
+<b>ERR_MP_BADDB_OLDENGINE</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050A004
+</td>
+<td>
+<b>ERR_MP_BADDB_CONTENT </b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050A005
+</td>
+<td>
+<b>ERR_MP_BADDB_NOTSIGNED</b>
+</td>
+</tr>
+<tr>
+<td>
+0x8050801
+</td>
+<td>
+<b>ERR_MP_REMOVE_FAILED</b>
+</td>
+<td>
+This is an internal error. It might be triggered when malware removal is not successful.
+</td>
+</tr>
+<tr>
+<td>
+0x80508018
+</td>
+<td>
+<b>ERR_MP_SCAN_ABORTED
+</b>
+</td>
+<td>
+This is an internal error. It might have triggered when a scan fails to complete.
+</td>
+</tr>
+</table>
+
+## Related topics
+
+- [Report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
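Review bot: Several error codes in this table are malformed, and admins match these values literally against event log entries, so they need verifying against the source before this merges. `Error code: 0x805080211` (ERR_MP_QUARANTINE_FAILED) and `0x805011011` (MP_ERROR_CODE_LUA_CANCELLED) have nine hex digits, `0x8050801` (ERR_MP_REMOVE_FAILED) has only seven, and the ERR_MP_NO_MORE_ITEMS cell lists two codes, one of which (0x8050800F) already belongs to ERR_MP_NOT_SUPPORTED in the row above; keep exactly one eight-digit HRESULT per row. In the same hunk: the 0x80508023 header is missing the "Error code:" prefix and its "Possible reason" cell is never closed with a td end tag before the row ends; the closing bold tag in the ERROR_MP_UI_CONSOLIDATION_BASE cell sits one character early, leaving a stray "E" outside it; the 0x80501000 row adds a fourth, empty rowspan cell to a table declared with three columns; "might not be not supported" is a double negative; and "It might have triggered when a scan fails to complete" should read "It might be triggered".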
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
+
+ Title: Troubleshoot problems with reporting tools for Microsoft Defender AV
+description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++++
+ms.technology: mde
++
+# Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+> [!IMPORTANT]
+> On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+
+You can use Microsoft Defender Antivirus with Update Compliance. YouΓÇÖll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
+
+When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues.
+
+Typically, the most common indicators of a problem are:
+- You only see a small number or subset of all the devices you were expecting to see
+- You do not see any devices at all
+- The reports and information you do see is outdated (older than a few days)
+
+For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](troubleshoot-microsoft-defender-antivirus.md).
+
+There are three steps to troubleshooting these problems:
+
+1. Confirm that you have met all prerequisites
+2. Check your connectivity to the Windows Defender cloud-based service
+3. Submit support logs
+
+>[!IMPORTANT]
+>It typically takes 3 days for devices to start appearing in Update Compliance.
++
+## Confirm prerequisites
+
+In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Microsoft Defender Antivirus:
+
+>[!div class="checklist"]
+>- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](microsoft-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
+> - [Cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md).
+> - Endpoints can [connect to the Microsoft Defender AV cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
+> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
+> - It has been 3 days since all requirements have been met
+
+ΓÇ£You can use Microsoft Defender Antivirus with Update Compliance. YouΓÇÖll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
+
+If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
+
+> [!div class="nextstepaction"]
+> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data.md)
+
+## Related topics
+
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
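Review bot: The paragraph at the end of the prerequisites section is a verbatim duplicate of the licensing paragraph near the top of the article (`ΓÇ£You can use Microsoft Defender Antivirus with Update Compliance. YouΓÇÖll see status for E3, B, F1, VL, and Pro licenses...`), pasted with mojibake quotation marks and a bare URL in place of the link; drop it, and fix `YouΓÇÖll` to "You'll" in the copy that stays. The IMPORTANT note reads `On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed` in an article being updated in 2021; either switch to past tense and say the page is kept for reference, or remove the date. The intro also promises three troubleshooting steps (confirm prerequisites, check connectivity to the cloud service, submit support logs) but only the prerequisites get a section; connectivity is reduced to one checklist item and the support-log step is only the next-step link, so either add the missing sections or rewrite the list to match what follows.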
security Use Group Policy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
+
+ Title: Configure Microsoft Defender Antivirus with Group Policy
+description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint.
+keywords: group policy, GPO, configuration, settings
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+++ Last updated : 03/31/2021++
+ms.technology: mde
++
+# Use Group Policy settings to configure and manage Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can use [Group Policy](/windows/win32/srvnodes/group-policy) to configure and manage Microsoft Defender Antivirus on your endpoints.
+
+In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+2. Using the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**.
+
+5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+
+6. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
+
+The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
+
+| Location | Setting | Article |
+|:|:|:|
+| Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) |
+| Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) |
+| Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) |
+| Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) |
+| Exclusions | Extension Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) |
+| Exclusions | Path Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) |
+| Exclusions | Process Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) |
+| Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) |
+| MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) |
+| MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) |
+| MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) |
+| MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) |
+| MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md) |
+| Network inspection system | Specify additional definition sets for network traffic inspection | No longer relevant |
+| Network inspection system | Turn on definition retirement | No longer relevant |
+| Network inspection system | Turn on protocol recognition | No longer relevant |
+| Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection | Monitor file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection | Scan all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection | Turn off real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection | Turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection | Turn on raw volume write notifications | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+| Root | Turn off Microsoft Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
+| Root | Define addresses to bypass proxy server | No longer relevant |
+| Root | Define proxy autoconfig (.pac) for connecting to the network | No longer relevant |
+| Root | Define proxy server for connecting to the network | No longer relevant |
+| Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Root | Allow antimalware service to start up with normal priority | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10) |
+| Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) |
+| Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) |
+| Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) |
+| Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) |
+| Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) |
+| Scan | Create a system restore point | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Scan | Turn on removal of items from scan history folder | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Scan | Turn on heuristics | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md) |
+| Scan | Turn on e-mail scanning | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Turn on reparse point scanning | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Run full scan on mapped network drives | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Scan archive files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Scan network files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Scan packed executables | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Scan removable drives | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) |
+| Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Microsoft Defender Antivirus protection and security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Microsoft Defender Antivirus protection and security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) |
+| Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) |
+| Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
+| Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
++
+## Related articles
+
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
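Review bot: The table delimiter row `|:|:|:|` is not valid GFM (each delimiter cell needs at least one hyphen, for example `|:--|:--|:--|`), so the entire settings table will render as literal pipe-separated text; the `Reporting | Turn off enhanced notifications` and `Root | Turn off Microsoft Defender Antivirus` rows are also missing their trailing `|`. While in the table, the note on "Turn off Microsoft Defender Antivirus" should state what Enabled does (it turns Defender Antivirus off on the endpoint) rather than only what Not configured preserves, since an admin skimming for third-party compatibility could read "Not used" as harmless either way. Step 6, "Deploy the updated GPO as you normally do", links to the same generic Win32 Group Policy API page as the introduction rather than to deployment guidance; point it at the GPMC or Group Policy deployment docs, or drop the link.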
security Use Intune Config Manager Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus.md
+
+ Title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune
+description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
+keywords: scep, intune, endpoint protection, configuration
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 10/26/2018++
+ms.technology: mde
++
+# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
+
+1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**.
+
+2. Under **Manage**, choose **Antivirus**.
+
+3. Select your Microsoft Defender Antivirus policy.
+
+4. Under **Manage**, choose **Properties**.
+
+5. Next to **Configuration settings**, choose **Edit**.
+
+6. Expand the **Scan** section, and review or edit your scanning settings.
+
+7. Choose **Review + save**
+
+Need help? See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
++
+## Related articles
+
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
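Review bot: the title and description promise Configuration Manager coverage (`Configure Microsoft Defender Antivirus with Configuration Manager and Intune`, `Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection`), but the only procedure on the page is the seven-step Intune walkthrough in the Endpoint Manager admin center; either add the Configuration Manager steps or narrow the title and description to what the page actually covers. Two smaller points: the opening sentence `If you were using Microsoft Endpoint Manager or Microsoft Intune...` should read `If you are using`, since it describes the reader's current tooling, and step 7 `Choose **Review + save**` is missing its closing period, unlike steps 1 through 6. The `Last updated : 10/26/2018` field is also carried forward unchanged even though the page body is being rewritten; bump it.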
security Use Powershell Cmdlets Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus.md
+
+ Title: Use PowerShell cmdlets to configure and run Microsoft Defender AV
+description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus.
+keywords: scan, command line, mpcmdrun, defender
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 07/23/2020++
+ms.technology: mde
++
+# Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](/previous-versions/msdn10/mt173057(v=msdn.10)).
+
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](/powershell/module/defender) topic.
+
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
+
+> [!NOTE]
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](/configmgr), [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/101445).
+
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
+
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-microsoft-defender-antivirus.md).
+
+PowerShell is typically installed under the folder `%SystemRoot%\system32\WindowsPowerShell`.
+
+## Use Microsoft Defender Antivirus PowerShell cmdlets
+
+1. In the Windows search bar, type **powershell**.
+2. Select **Windows PowerShell** from the results to open the interface.
+3. Enter the PowerShell command and any parameters.
+
+> [!NOTE]
+> You may need to open PowerShell in administrator mode. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+
+To open online help for any of the cmdlets type the following:
+
+```PowerShell
+Get-Help <cmdlet> -Online
+```
+
+Omit the `-online` parameter to get locally cached help.
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus Cmdlets](/powershell/module/defender/?view=win10-ps)
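Review bot: the product name is inconsistent within the page: the first body sentence says `You can use PowerShell to perform various functions in Windows Defender`, while the title, headings and the rest of the page say `Microsoft Defender Antivirus`; use the current name throughout. The code block shows `Get-Help <cmdlet> -Online` but the sentence after it says to omit the `-online` parameter; PowerShell parameter names are case-insensitive, but the prose should match the casing shown in the example. `To open online help for any of the cmdlets type the following:` needs a comma after `cmdlets`, and the last Related topics link carries a hard-coded `?view=win10-ps` query that the earlier `Defender cmdlets` link to the same module does not, so the two links may resolve to different versions of the reference.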
security Use Wmi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus.md
+
+ Title: Configure Microsoft Defender Antivirus with WMI
+description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender for Endpoint.
+keywords: wmi, scripts, windows management instrumentation, configuration
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+++ Last updated : 09/03/2018++
+ms.technology: mde
++
+# Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
+
+Read more about WMI at the [Microsoft Developer Network System Administration library](/windows/win32/wmisdk/wmi-start-page).
+
+Microsoft Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md).
+
+The [MSDN Windows Defender WMIv2 Provider reference library](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) lists the available WMI classes for Microsoft Defender Antivirus, and includes example scripts.
+
+Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
+
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-microsoft-defender-antivirus.md).
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
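Review bot: the page tells readers that WMI changes `affect local settings on the endpoint` and can be overwritten by Group Policy, Configuration Manager or Intune, but unlike the companion PowerShell page it says nothing about the privilege level needed to make those changes; add a note parallel to the PowerShell page's `You may need to open PowerShell in administrator mode`, since modifying Defender settings through the WMIv2 provider requires an elevated (administrator) context. Wording nit in the first sentence: `retrieve, modify, and update settings` lists `modify` and `update` as if they were different operations; `retrieve and modify settings` says the same thing.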
security Why Use Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus.md
+
+ Title: Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint
+description: For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings.
+keywords: windows defender, antivirus, third party av
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: ITPro
++++++
+ms.technology: mde
++
+# Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)
+
+Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) (Microsoft Defender for Endpoint).
+
+Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations), you get better protection that's coordinated across products and services.
+
+## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint
+
+|# |Advantage |Why it matters |
+|--|--|--|
+|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
+|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics) and [Microsoft Secure Score for Devices](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
+|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/evaluate-mde).|
+|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. [Understand malware & other threats](/windows/security/threat-protection/intelligence/understanding-malware).|
+|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](/microsoft-365/security/defender-endpoint/network-protection).|
+|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](/microsoft-365/security/defender-endpoint/respond-file-alerts#stop-and-quarantine-files-in-your-network).|
+|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction).|
+|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response). (These signals are not available with non-Microsoft antivirus solutions.) |
+|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](/microsoft-365/compliance/offering-iso-27001). |
+|10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
+|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mde) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
++
+## Learn more
+
+[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
+
+[Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
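Review bot: row 9 of the advantages table says `Compliant with ISO 270001`, a typo for ISO 27001; the link text on the same row (`ISO/IEC 27001:2013`) already shows the correct number, so fix the row text to agree with it. In the introduction, `[Microsoft Defender for Endpoint](...) (Microsoft Defender for Endpoint)` repeats the product name in parentheses immediately after the link, a leftover from when the parenthetical held an abbreviation; drop the parenthetical. Capitalization in row 7 is inconsistent (`Attack Surface Reduction` as the advantage name, `Attack surface reduction` in the explanation, `attack surface reduction` in the link text), and the front-matter block arrives here as a bare `+++++` line where the other pages carry a `Last updated` date, so confirm the date field was not lost in this edit.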
security Anti Spoofing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-protection.md
Microsoft differentiates between two different types of spoofed messages:
- SFTY is the safety level of the message. 9 indicates phishing, .22 indicates cross-domain spoofing.
-For more information about the Category and composite authentication (compauth) values that are related to spoofing, see [Anti-spam message headers in Microsoft 365](anti-spam-message-headers.md).
+> [!NOTE]
+> If you've gotten a message like ***compauth=fail reason=###*** and need to know about composite authentication (compauth), and the values related to spoofing, see [*Anti-spam message headers in Microsoft 365*](anti-spam-message-headers.md). Or go directly to the [*reason*](anti-spam-message-headers.md) codes.
For more information about DMARC, see [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).
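Review bot: the new note links twice to the same target with no anchor: `[Anti-spam message headers in Microsoft 365](anti-spam-message-headers.md)` and `go directly to the [reason](anti-spam-message-headers.md) codes` both resolve to the top of the same article, so `go directly to` promises a deep link that is not there; add a heading fragment for the reason-code section or drop the second link. The replaced sentence also pointed readers to the `Category` header values related to spoofing, and the new note covers only `compauth`; keep the Category reference or confirm it is documented elsewhere. The italicized link text (`*Anti-spam message headers in Microsoft 365*`, `*reason*`) is an emphasis style the surrounding page does not use.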
security Exchange Online Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/exchange-online-protection-overview.md
The available EOP subscription plans are:
For information about requirements, important limits, and feature availability across all EOP subscription plans, see the [Exchange Online Protection service description](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description).
+> [!NOTE]
+> If you have an **Office 365 E3 subscription it includes EOP**. For steps to set up EOP security feature in your subscription, and information on the added security a Microsoft Defender for Office 365 subscription can give you, see [protect against threats](protect-against-threats.md). The recommended settings for EOP feature for setup can be found in the [Recommendations](best-practices-for-configuring-eop.md) article, where EOP settings are specifically called out.
+ ## Setting up EOP for on-premises email organizations Setting up EOP can be simple, especially in the case of a small organization with a handful of compliance rules. However, if you have a large organization with multiple domains, custom compliance rules, or hybrid mail flow, set up can take more planning and time.
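Review bot: the added line ` ## Setting up EOP for on-premises email organizations Setting up EOP can be simple, ...` runs the new heading and the first paragraph together on one line, with a leading space before `##`; as written the heading will not render and the paragraph text becomes part of it. Put `## Setting up EOP for on-premises email organizations` on its own line with a blank line before and after, and start `Setting up EOP can be simple` on the following line. In the note above it, the bold span `**Office 365 E3 subscription it includes EOP**` swallows half the clause; bold only `Office 365 E3` (or `includes EOP`) and add the missing comma: `If you have an Office 365 E3 subscription, it includes EOP`. `EOP security feature` and `the recommended settings for EOP feature` should both be plural (`features`).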
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
Threat protection features are included in *all* Microsoft or Office 365 subscri
|Anti-spam protection|[EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description)| |Zero-hour auto purge (for email)|[EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description)| |Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments)|[Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)|
-|Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams workloads|[Defender for Office 365](turn-on-mdo-for-spo-odb-and-teams.md)|
-|Advanced anti-phishing protection|[Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)|
+|Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams workloads|[Microsoft Defender for Office 365](turn-on-mdo-for-spo-odb-and-teams.md)|
+|Advanced anti-phishing protection|[Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)|
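Review bot: the cell `Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams workloads` reads as an instruction while every other cell in that column names a feature (`Anti-spam protection`, `Zero-hour auto purge`, `Advanced anti-phishing protection`); consider `Safe Attachments for SharePoint, OneDrive, and Microsoft Teams` for the feature name, keeping the link to the turn-on article. The full product name `Microsoft Defender for Office 365` in the two changed rows now matches the `Safe Links and Safe Attachments` row above them.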
### Roles and permissions
solutions Manage Creation Of Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-creation-of-groups.md
When you limit who can create a group, it affects all services that rely on grou
- Power BI (classic) - Project for the web / Roadmap
-The steps in this article won't prevent members of certain roles from creating Groups. Office 365 Global admins can create Groups via any means, such as the Microsoft 365 admin center, Planner, Teams, Exchange, and SharePoint Online. Other roles can create Groups via limited means, listed below.
+The steps in this article won't prevent members of certain roles from creating Groups. Office 365 Global admins can create Groups via the Microsoft 365 admin center, Planner, Exchange, and SharePoint Online. Other roles can create Groups via limited means, listed below.
- Exchange Administrator: Exchange Admin center, Azure AD - Partner Tier 1 Support: Microsoft 365 Admin center, Exchange Admin center, Azure AD
Try the same procedure again with a member of the group.
[Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy)
-[Azure Active Directory cmdlets for configuring group settings](/azure/active-directory/users-groups-roles/groups-settings-cmdlets)
+[Azure Active Directory cmdlets for configuring group settings](/azure/active-directory/users-groups-roles/groups-settings-cmdlets)
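Review bot: the rewritten sentence drops Teams from the list of places where Global admins can create Groups and removes the `via any means, such as` qualifier, so the text now reads as an exhaustive list (`the Microsoft 365 admin center, Planner, Exchange, and SharePoint Online`) that excludes Teams; if Global admins can still create Groups from Teams or any other surface, the old phrasing was more accurate, so confirm the intent of the removal before merging. The final removed/added pair `[Azure Active Directory cmdlets for configuring group settings](...)` is identical in both versions apart from trailing whitespace or line endings, which looks like an incidental whitespace change that should be dropped from the diff.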