This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Applies to:
Platforms
For more information, see Configure device restriction settings in Microsoft Intune and Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune.
For details on configuring Microsoft Configuration Manager (current branch), see How to create and deploy anti-malware policies: Scan settings.
Tip
Download the Group Policy Reference Spreadsheet, which lists the policy settings for computer and user configurations that are included in the Administrative template files delivered for Windows. Refer to the spreadsheet when you edit Group Policy Objects. Here are the most recent versions:
On your Group Policy management computer, open the Group Policy Management Console.
Right-click the Group Policy Object you want to configure, and then select Edit.
In the Group Policy Management Editor go to Computer configuration and select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus, and then select a location (refer to Settings and locations in this article).
Edit the policy object.
Select OK, and repeat for any other settings.
| Policy item and location | Default setting (if not configured) |
PowerShell Set-MpPreference parameter or WMI property for MSFT_MpPreference class |
|---|---|---|
| Email scanning Scan > Turn on e-mail scanning See Email scanning limitations (in this article) |
Disabled | -DisableEmailScanning |
| Script scanning | Enabled | This policy setting allows you to configure script scanning. If you enable or don't configure this setting, script scanning is enabled. See Defender/AllowScriptScanning |
| Scan reparse points Scan > Turn on reparse point scanning |
Disabled | Not available See Reparse points |
| Scan mapped network drives Scan > Run full scan on mapped network drives |
Disabled | -DisableScanningMappedNetworkDrivesForFullScan |
| Scan archive files (such as .zip or .rar files). Scan > Scan archive files |
Enabled | -DisableArchiveScanning The extensions exclusion list takes precedence over this setting. |
| Scan files on the network Scan > Scan network files |
Disabled | -DisableScanningNetworkFiles |
| Scan packed executables Scan > Scan packed executables |
Enabled | Not available Scan packed executables were removed from the following templates: - Administrative Templates (.admx) for Windows 11 2023 Update (23H2) - Administrative Templates (.admx) for Windows 11 2022 Update (22H2) - v3.0 - Administrative Templates (.admx) for Windows 11 2022 Update (22H2) - Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2) |
| Scan removable drives during full scans only Scan > Scan removable drives |
Disabled | -DisableRemovableDriveScanning |
| Specify the level of subfolders within an archive folder to scan Scan > Specify the maximum depth to scan archive files |
0 | Not available |
| Specify the maximum CPU load (as a percentage) during a scan. Scan > Specify the maximum percentage of CPU utilization during a scan |
50 | -ScanAvgCPULoadFactorThe maximum CPU load isn't a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manual scans ignore this setting and run without any CPU limits. |
| Specify the maximum size (in kilobytes) of archive files that should be scanned. Scan > Specify the maximum size of archive files to be scanned |
No limit | Not available The default value of 0 applies no limit |
| Configure low CPU priority for scheduled scans Scan > Configure low CPU priority for scheduled scans |
Disabled | Not available |
| Configure scanning of network files Scan > Configure scanning of network files |
Enabled | -DisableScanningNetworkFiles |
| CPU throttling type Scan > CPU throttling type |
Disabled | -ThrottleForScheduledScanOnly |
| Scan excluded files and directories during quick scan Scan > Scan excluded files and directories during quick scan |
Disabled | Not available |
Note
If real-time protection is turned on, files are scanned before they're accessed and executed. The scanning scope includes all files, such as files on mounted removable media, like USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan also includes network shares.
Tip
If you have a Network-Attached Storage (NAS) or Storage Area Network (SAN), you can use Internet Content Adaption Protocol (ICAP) scanning with the Microsoft Defender Antivirus engine. For more information, see Tech Community Blog: MetaDefender ICAP with Windows Defender Antivirus: World-class security for hybrid environments.
For more information on how to use PowerShell with Microsoft Defender Antivirus, see the following articles:
See Windows Defender WMIv2 APIs.
Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within email (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
DBXMBXMIMEPST files used by Outlook 2003 or older (where the archive type is set to nonunicode) are also scanned, but Microsoft Defender Antivirus can't remediate threats that are detected inside PST files.
If Microsoft Defender Antivirus detects a threat inside an email message, the following information is displayed to assist you in identifying the compromised email so you can remediate the threat manually:
On any OS, only the network drives that are mapped at system level, are scanned. User-level mapped network drives aren't scanned. User-level mapped network drives are those that a user maps in their session manually and using their own credentials.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Training
Learning path
SC-200: Mitigate threats using Microsoft Defender for Endpoint - Training
SC-200: Mitigate threats using Microsoft Defender for Endpoint
Certification
Microsoft 365 Certified: Endpoint Administrator Associate - Certifications
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.
Documentation
Understand when and how to use full scans with Microsoft Defender Antivirus.
Enable or disable users from locally changing settings in Microsoft Defender Antivirus.
Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans