Remove-MpPreference
Removes exclusions or default actions.
Syntax
Remove-MpPreference
[-ExclusionPath <String[]>]
[-ExclusionExtension <String[]>]
[-ExclusionProcess <String[]>]
[-ThreatIDDefaultAction_Ids <Int64[]>]
[-UnknownThreatDefaultAction]
[-LowThreatDefaultAction]
[-AttackSurfaceReductionOnlyExclusions <String>]
[-ModerateThreatDefaultAction]
[-HighThreatDefaultAction]
[-SevereThreatDefaultAction]
[-Force]
[-CimSession <CimSession[]>]
[-ThrottleLimit <Int32>]
[-AsJob]
[<CommonParameters>]
Description
The Remove-MpPreference cmdlet removes exclusions for file name extensions, paths, and processes, or default actions for high, moderate, and low threats. If you attempt to remove an exclusion that is not in the list, this cmdlet reports the error.
Examples
Example 1: Remove a folder from the exclusion list
PS C:\> Remove-MpPreference -ExclusionPath "C:\Temp"
This command removes the folder C:\Temp from the exclusion list.
Example 2:
PS C:\> Remove-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Windows\App.exe"
This command will exclude only that specific file app.exe in that specific folder.
Parameters
-AsJob
Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.
The cmdlet immediately returns an object that represents the job and then displays the command prompt.
You can continue to work in the session while the job completes.
To manage the job, use the *-Job
cmdlets.
To get the job results, use the Receive-Job cmdlet.
For more information about Windows PowerShell background jobs, see about_Jobs.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AttackSurfaceReductionOnlyExclusions
Exclude files and paths from Attack Surface Reduction (ASR) rules. Specify the folders or files and resources that should be excluded from ASR rules. Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder.
For more information about excluding files and folders from ASR rules.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CimSession
Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.
Type: | CimSession[] |
Aliases: | Session |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExclusionExtension
Specifies an array of file name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning. This cmdlet removes the exclusions that you specify.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExclusionPath
Specifies an array of file paths to exclude from scheduled and real-time scanning. This cmdlet removes the exclusions that you specify.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExclusionProcess
Specifies an array of processes, as paths to process images. This cmdlet removes exclusions of files opened by the processes that you specify.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HighThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the high threat alert level.
Type: | SwitchParameter |
Aliases: | htdefac |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LowThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the low threat alert level.
Type: | SwitchParameter |
Aliases: | ltdefac |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ModerateThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the moderate threat alert level.
Type: | SwitchParameter |
Aliases: | mtdefac |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SevereThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the severe threat alert level.
Type: | SwitchParameter |
Aliases: | stdefac |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ThreatIDDefaultAction_Ids
Specifies an array of threat IDs. This cmdlet removes the default actions for the threat IDs that you specify.
Type: | Int64[] |
Aliases: | tiddefaci |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ThrottleLimit
Specifies the maximum number of concurrent operations that can be established to run the cmdlet.
If this parameter is omitted or a value of 0
is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer.
The throttle limit applies only to the current cmdlet, not to the session or to the computer.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UnknownThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the unknown threat alert level.
Type: | SwitchParameter |
Aliases: | unktdefac |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Related Links
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for