Protect Dev Drive using performance mode

Applies to:

  • Microsoft Defender for Endpoint Plans 1 and 2
  • Microsoft Defender for Business
  • Microsoft Defender Antivirus

Platforms

  • Windows 11

What is performance mode

Performance mode is now available on Windows 11 as a new Microsoft Defender Antivirus capability. Performance mode reduces the performance impact of Microsoft Defender Antivirus scans for files stored on a designated Dev Drive. The goal of performance mode is to improve functional performance for developers who use Windows 11 devices.

It's important to note that performance mode can run only on Dev Drive. Additionally, real-time protection must be turned on for performance mode to function. Enabling this feature on a Dev Drive doesn't change standard real-time protection running on volumes with operating systems or other volumes formatted FAT32 or NTFS.

Dev Drive

Dev Drive is a new form of storage volume available to improve performance for key developer workloads. It builds on ReFS technology to employ targeted file system optimizations and provide more control over storage volume settings and security, including trust designation, antivirus configuration, and administrative control over which filters are attached.

For more information about Dev Drive, see: Set up a Dev Drive on Windows 11.

Performance mode compared to real-time protection

By default, to give the best possible performance, creating a Dev Drive automatically grants trust in the new volume. A trusted Dev Drive volume causes real-time protection to run in a special asynchronous performance mode for that volume. Running performance mode provides a balance between threat protection and performance. The balance is achieved by deferring security scans until after the open file operation has completed, instead of performing the security scan synchronously while the file operation is being processed. This mode of performing security scans inherently provides faster performance, but with less protection. However, enabling performance mode provides significantly better protection than other performance tuning methods such as using folder exclusions, which block security scans altogether.

Note

To enable performance mode, real-time protection must be turned on.

The following table summarizes performance mode synchronous and asynchronous scan behavior.

Performance mode state | Scan type | Description | Summary
Not enabled (Off) | Synchronous (Real-time protection) | Opening a file initiates a real-time protection scan. | Open now, scan now.
Enabled (On) | Asynchronous | File open operations are scanned asynchronously. | Open now, scan later.

An untrusted Dev Drive doesn't have the same benefits as a trusted Dev Drive. Security runs in synchronous, real-time protection mode when a Dev Drive is untrusted. Real-time protection scans can affect performance.

Microsoft Defender Antivirus requirements for performance mode

  1. Review the requirements that are specific to Dev Drive. See Set up a Dev Drive on Windows 11.

  2. Make sure Microsoft Defender Antivirus is up to date.

    • Antimalware platform version: 4.18.2303.8 (or later)
    • Antimalware security intelligence version: 1.385.1455.0 (or later)
    • Real-time protection is turned on
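
The three requirements above can be checked from PowerShell. This is an added example, not part of the original page: Test-PerformanceModeReadiness is a hypothetical helper, the property names are those returned by Get-MpComputerStatus, and the sample object is constructed so the block runs without touching a live Defender installation.

```powershell
function Test-PerformanceModeReadiness {
    # Hypothetical helper, not a Defender cmdlet. $Status is the output of
    # Get-MpComputerStatus, or any object exposing the same three properties.
    param(
        [Parameter(Mandatory)] $Status,
        [version] $MinPlatform     = '4.18.2303.8',    # from the list above
        [version] $MinIntelligence = '1.385.1455.0'    # from the list above
    )

    # Compare as [version], not as strings: a string comparison would rank
    # '1.99.5.0' above '1.385.1455.0' because '9' sorts after '3'.
    $platform     = [version]$Status.AMProductVersion
    $intelligence = [version]$Status.AntivirusSignatureVersion

    [pscustomobject]@{
        Check    = 'Antimalware platform version'
        Required = "$MinPlatform or later"
        Actual   = "$platform"
        Pass     = $platform -ge $MinPlatform
    }
    [pscustomobject]@{
        Check    = 'Security intelligence version'
        Required = "$MinIntelligence or later"
        Actual   = "$intelligence"
        Pass     = $intelligence -ge $MinIntelligence
    }
    [pscustomobject]@{
        Check    = 'Real-time protection'
        Required = 'True'
        Actual   = "$($Status.RealTimeProtectionEnabled)"
        Pass     = [bool]$Status.RealTimeProtectionEnabled
    }
}

# Constructed sample: current platform, stale security intelligence.
$sample = [pscustomobject]@{
    AMProductVersion          = '4.18.24090.11'
    AntivirusSignatureVersion = '1.99.5.0'
    RealTimeProtectionEnabled = $true
}
Test-PerformanceModeReadiness -Status $sample | Format-Table -AutoSize

# On a live device, pass the real status object instead:
# Test-PerformanceModeReadiness -Status (Get-MpComputerStatus)
```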

Manage performance mode

  1. Performance mode can only run on a trusted Dev Drive and is enabled by default when a new Dev Drive is created. For more information, see Understanding security risks and trust in relation to Dev Drive.

  2. Enforce the Microsoft Defender Antivirus Performance Mode by using Intune, Group Policy, or PowerShell.

Intune

Enable performance mode status via the OMA-URI settings shown in the following table.

Setting | Value
OMA-URI | ./Device/Vendor/MSFT/Defender/Configuration/PerformanceModeStatus
Data type | Integer
Value | 1

Group Policy

  1. In GPMC.msc or GPedit.msc, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.

  2. Double-click Configure performance mode status.

  3. Select Enabled.

  4. Select Apply, and then select OK.

PowerShell

  1. Open PowerShell as an administrator on the device.

  2. Type Set-MpPreference -PerformanceModeStatus Enabled, and then press Enter.

Verify performance mode is enabled

To verify that Dev Drive and Defender Performance Mode are enabled, follow these steps:

  1. In the Windows Security App, go to Virus & threat protection settings > Manage settings, and verify that Dev Drive protection is enabled.

  2. Select See volumes.

    Drive | Status
    C: | Since the system drive (for example, C: or D:) is formatted with NTFS, it's not eligible for Defender Performance mode.
    D: | Dev Drive is enabled but Defender Performance mode isn't enabled.
    F: | Dev Drive is enabled, and Defender Performance mode is enabled.

See also

Set up a Dev Drive on Windows 11
