When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. Remediation actions can include removing a file, sending it to quarantine, or allowing it to remain. This article includes information and links to resources about specifying what actions should be taken when threats are detected on devices. You can choose from several methods, such as:
Important
Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See Restore quarantined files in Microsoft Defender Antivirus. To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Microsoft Defender Antivirus scans.
Also see About regular quick and full scans with Microsoft Defender Antivirus for more remediation-related settings.
Prerequisites
Supported operating systems
- Windows
Configure remediation options using Intune
To configure remediation actions using a Microsoft Intune Endpoint Security Antivirus policy, see Create an endpoint security policy in the Intune documentation. When creating the policy, use these settings:
Policy type: Attack surface reduction
Platform: Windows
Profile: Microsoft Defender Antivirus
Configuration settings: In the Threat security default action section, configure the available settings:
- Remediation action for High severity threats
- Remediation action for Severe threats
- Remediation action for Low severity threats
- Remediation action for Moderate severity threats
with an available action value:
- Not configured (default)
- Clean
- Quarantine
- Remove
- Allow
- User defined
- Block
Warning
Allow doesn't remediate detected threats and suppresses ongoing detection events. Don't configure this action when tamper protection is enabled. Use Allow only in specialized environments (for example, industrial control systems or critical infrastructure) where:
- Automatic remediation isn't practical for operations.
- Other procedures exist to respond to detected threats.
- Compensating security controls are deployed.
Use standard remediation actions (Clean, Quarantine, Remove, or Block) in all other environments.
For more information about antivirus policies in Intune, see Antivirus policy for endpoint security in Intune.
Configure remediation options using Configuration Manager
If you're using Configuration Manager, see the following articles:
Configure remediation options using Group Policy
On your Group Policy management computer, open the Group Policy Management Console, and edit the Group Policy Object you want to configure.
In the Group Policy Management Editor, go to Computer configuration and then select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus.
Using the following table, edit the policy as needed.
| Location | Setting | Description | Default setting (if not configured) |
| --- | --- | --- | --- |
| Scan | Create a system restore point | A system restore point is created each day before cleaning or scanning is attempted. | Disabled |
| Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history. | 30 days |
| Root | Turn off routine remediation | Specify whether Microsoft Defender Antivirus automatically remediates threats, or whether to prompt the user. | Disabled. Threats are remediated automatically. |
| Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed. | 90 days |
| Threats | Specify threats upon which default action shouldn't be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored. | Not applicable |
| Threats | Specify threat alert levels at which default action shouldn't be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level: 1: Low, 2: Medium, 4: High, 5: Severe. For each level, specify one of these actions: 2: Quarantine, 3: Remove, 6: Ignore, 11: None. Ignore (6) and None (11) don't remediate detected threats. Ignore (6) suppresses ongoing detection events, while None (11) continues to generate alerts and Protection History entries. Don't configure either action when tamper protection is enabled. Use these actions only in specialized environments (for example, industrial control systems or critical infrastructure) where automatic remediation isn't practical for operations, other procedures exist to respond to detected threats, or compensating security controls are deployed. Use standard remediation actions (Quarantine (2) or Remove (3)) in all other environments. | Not applicable |
Select OK.
Configure remediation options using PowerShell or WMI
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these settings.
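The following is an added example, not code from the Microsoft Learn article: it sets the per-severity default actions and retention periods with Set-MpPreference, then audits the device with Get-MpPreference and the MSFT_MpPreference WMI class to flag any severity whose default action would leave a detection in place (the Allow and None cases the Warning above describes). The numeric-to-name mapping for the ThreatDefaultAction properties is taken from the Set-MpPreference cmdlet documentation and is an assumption to confirm with Get-Help Set-MpPreference on your build.

```powershell
# Added example (not from the Microsoft Learn page). Run in an elevated
# PowerShell session on a device running Microsoft Defender Antivirus.

# Default remediation action per severity. Accepted names for these
# parameters: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block.
Set-MpPreference -LowThreatDefaultAction      Quarantine `
                 -ModerateThreatDefaultAction Quarantine `
                 -HighThreatDefaultAction     Quarantine `
                 -SevereThreatDefaultAction   Remove

# Retention periods, matching the Group Policy defaults in the table above:
# quarantine purged after 90 days, scan history after 30 days.
Set-MpPreference -QuarantinePurgeItemsAfterDelay 90 -ScanPurgeItemsAfterDelay 30

function Get-MpSeverityDefaults {
    # Reads the four severity defaults and flags the non-remediating ones.
    # Get-MpPreference reports these as numbers; the mapping below is the
    # ThreatAction values documented for Set-MpPreference (assumption):
    # 0 = not configured, 1 Clean, 2 Quarantine, 3 Remove, 6 Allow,
    # 8 UserDefined, 9 NoAction, 10 Block.
    $names = @{ 0 = 'NotConfigured'; 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'
                6 = 'Allow'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }
    $prefs = Get-MpPreference
    foreach ($sev in 'Low', 'Moderate', 'High', 'Severe') {
        $value = [int]$prefs."${sev}ThreatDefaultAction"
        [pscustomobject]@{
            Severity       = $sev
            Action         = $names[$value]
            # Allow (6) and NoAction (9) leave the detected item on the device.
            NonRemediating = ($value -in 6, 9)
        }
    }
}

# Audit: any row with NonRemediating = True needs the compensating controls
# the Warning above lists, or should be changed back to Quarantine/Remove.
Get-MpSeverityDefaults | Format-Table -AutoSize

# The same settings are visible through the WMI class the article names,
# which is what a configuration-management agent would query.
Get-CimInstance -Namespace root/Microsoft/Windows/Defender -ClassName MSFT_MpPreference |
    Select-Object LowThreatDefaultAction, ModerateThreatDefaultAction,
                  HighThreatDefaultAction, SevereThreatDefaultAction,
                  QuarantinePurgeItemsAfterDelay, ScanPurgeItemsAfterDelay
```

If tamper protection is enabled on the device, Set-MpPreference changes to these values are blocked and the audit output will show the policy-enforced settings instead.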