Configure remediation for Microsoft Defender Antivirus detections

Applies to:


  • Windows

When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. Remediation actions can include removing a file, sending it to quarantine, or allowing it to remain. This article includes information and links to resources about specifying what actions should be taken when threats are detected on devices. You can choose from several methods, such as:


Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.

If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See Restore quarantined files in Microsoft Defender Antivirus. To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Microsoft Defender Antivirus scans.

Also see Schedule regular quick and full scans with Microsoft Defender Antivirus for more remediation-related settings.

Configure remediation options using Intune

  1. As a global or security administrator, go to the Intune admin center and sign in.

  2. Under Manage, choose Antivirus.

  3. Either create a new policy, or edit an existing policy using the following settings:

    • Platform: Windows 10, Windows 11, and Windows Server
    • Profile: Microsoft Defender Antivirus
  4. For configuration settings, expand Defender, scroll down to Allow On Access Protection. and set it to Allowed.

  5. Under Allow On Access Protection, select a remediation action for each level:

    • High severity threats
    • Severe threats
    • Moderate severity threats
    • Low severity threats
  6. Specify the device groups that should receive this policy (such as All Devices).

  7. Review your settings, and then choose Save.

For more information about antivirus policies in Intune, see Antivirus policy for endpoint security in Intune.

Configure remediation options using Configuration Manager

If you're using Configuration Manager, see the following articles:

Configure remediation options using Group Policy

  1. On your Group Policy management computer, open the Group Policy Management Console, and edit the Group Policy Object you want to configure.

  2. In the Group Policy Management Editor, go to Computer configuration and then select Administrative templates.

  3. Expand the tree to Windows components > Microsoft Defender Antivirus.

  4. Using the following table, edit the policy as needed.

    Setting Description Default setting (if not configured)
    Create a system restore point.
    A system restore point is created each day before cleaning or scanning is attempted. Disabled
    Turn on removal of items from scan history folder.
    Specify how many days items should be kept in the scan history. 30 days
    Turn off routine remediation.
    Specify whether Microsoft Defender Antivirus automatically remediates threats, or whether to prompt the user. Disabled. Threats are remediated automatically.
    Configure removal of items from Quarantine folder.
    Specify how many days items should be kept in quarantine before being removed. 90 days
    Specify threat alert levels at which default action shouldn't be taken when detected.
    Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored). Not applicable
    Specify threats upon which default action shouldn't be taken when detected.
    Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored. Not applicable
  5. Select OK.

Configure remediation options using PowerShell or WMI

You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these settings.

See also


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.