Protect Dev Drive using performance mode
- Microsoft Defender for Endpoint Plans 1 and 2
- Microsoft Defender for Business
- Microsoft Defender Antivirus
- Windows 11
What is performance mode
Performance mode is now available on Windows 11 as a new Microsoft Defender Antivirus capability. Performance mode reduces the performance impact of Microsoft Defender Antivirus scans for files stored on a designated Dev Drive. The goal of performance mode is to improve functional performance for developers who use Windows 11 devices.
It's important to note that performance mode can run only on Dev Drive. Additionally, real-time protection must be turned on for performance mode to function. Enabling this feature on a Dev Drive doesn't change standard real-time protection running on volumes with operating systems or other volumes formatted FAT32 or NTFS.
Dev Drive is a new form of storage volume available to improve performance for key developer workloads. It builds on ReFS technology to employ targeted file system optimizations and provide more control over storage volume settings and security, including trust designation, antivirus configuration, and administrative control over which filters are attached.
For more information about Dev Drive, see: Set up a Dev Drive on Windows 11.
Performance mode compared to real-time protection
By default, to give the best possible performance, creating a Dev Drive automatically grants trust in the new volume. A trusted Dev Drive volume causes real-time protection to run in a special asynchronous performance mode for that volume. Running performance mode provides a balance between threat protection and performance. The balance is achieved by deferring security scans until after the open file operation has completed, instead of performing the security scan synchronously while the file operation is being processed. This mode of performing security scans inherently provides faster performance, but with less protection. However, enabling performance mode provides significantly better protection than other performance tuning methods such as using folder exclusions, which block security scans altogether.
To enable performance mode, real-time protection must be turned on.
The following table summarizes performance mode synchronous and asynchronous scan behavior.
|Performance mode state||Scan type||Description||Summary|
|Not enabled (Off)||Synchronous||Opening a file initiates a real-time protection scan.||Open now, scan now.|
|Enabled (On)||Asynchronous||File open operations are scanned asynchronously.||Open now, scan later.|
An untrusted Dev Drive doesn't have the same benefits as a trusted Dev Drive. Security runs in synchronous, real-time protection mode when a Dev Drive is untrusted. Real-time protection scans can affect performance.
Microsoft Defender Antivirus requirements for performance mode
Review the requirements that are specific to Dev Drive. See Set up a Dev Drive on Windows 11.
Make sure Microsoft Defender Antivirus is up to date.
- Antimalware platform version:
- Antimalware security intelligence version:
- Real-time protection is turned on
Manage performance mode
Performance mode can only run on a trusted Dev Drive and is enabled by default when a new Dev Drive is created. For more information, see Understanding security risks and trust in relation to Dev Drive.
Enforce the Microsoft Defender Antivirus Performance Mode by using Intune, Group Policy, or PowerShell.
Intune
Enable performance mode status via the OMA-URI settings shown in the following table.
Group Policy
In GPMC.msc or GPedit.msc, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.
Double-click Configure performance mode status.
Select Apply, and then select OK.
PowerShell
Open PowerShell as an administrator on the device.
Type Set-MpPreference -PerformanceModeStatus Enabled, and then press Enter.
Verify performance mode is enabled
To verify that Dev Drive and Defender Performance Mode are enabled, follow these steps:
In the Windows Security app, go to Virus & threat protection settings > Manage settings, and verify that Dev Drive protection is enabled.
Select See volumes.
|Drive||Status|
|C:||Because the system drive (for example, C: or D:) is formatted with NTFS, it's not eligible for Defender Performance mode.|
|D:||Dev Drive is enabled but Defender Performance mode isn't enabled.|
|F:||Dev Drive is enabled, and Defender Performance mode is enabled.|
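The same checks can be scripted. The following read-only audit is an added example, not part of the original page or Microsoft's own code: it reports the prerequisites listed above, queries each ReFS volume for its Dev Drive and trust state, and flags folder exclusions that sit on those volumes. It assumes Get-MpPreference exposes the PerformanceModeStatus value written by Set-MpPreference (printed as returned) and uses fsutil devdrv query for the per-volume state.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the performance mode prerequisites.
# Assumption: Get-MpPreference exposes the PerformanceModeStatus value that
# Set-MpPreference -PerformanceModeStatus writes; it is printed as returned.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    PlatformVersion           = $status.AMProductVersion
    SecurityIntelligence      = $status.AntivirusSignatureVersion
    PerformanceModeStatus     = $pref.PerformanceModeStatus
} | Format-List

if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off, so performance mode cannot function.'
}

# Dev Drive builds on ReFS; NTFS and FAT32 volumes keep standard real-time protection.
$refs = @(Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystem -eq 'ReFS' })
if ($refs.Count -eq 0) {
    Write-Output 'No ReFS volume with a drive letter found; nothing is eligible.'
}
foreach ($vol in $refs) {
    $root = "$($vol.DriveLetter):"
    Write-Output "--- $root (ReFS) ---"
    # fsutil reports whether the volume is a Dev Drive and whether it is trusted.
    & fsutil.exe devdrv query $root
}

# Folder exclusions block scans altogether. Flag any that sit on a ReFS volume,
# where performance mode on a trusted Dev Drive is the better-protected option.
$letters = $refs | ForEach-Object { "$($_.DriveLetter):".ToUpper() }
$pref.ExclusionPath |
    Where-Object { $_ -and $_.Length -ge 2 -and ($letters -contains $_.Substring(0, 2).ToUpper()) } |
    ForEach-Object { Write-Warning "Folder exclusion on a ReFS volume: $_" }
```

An untrusted Dev Drive in the fsutil output means that volume is still scanned synchronously, whatever the PerformanceModeStatus setting says.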