Remove-MpPreference
Removes exclusions or default actions.
Syntax
Remove-MpPreference
[-ExclusionPath <String[]>]
[-ExclusionExtension <String[]>]
[-ExclusionProcess <String[]>]
[-ExclusionIpAddress <String[]>]
[-RealTimeScanDirection]
[-QuarantinePurgeItemsAfterDelay]
[-RemediationScheduleDay]
[-RemediationScheduleTime]
[-ReportingAdditionalActionTimeOut]
[-ReportingCriticalFailureTimeOut]
[-ReportingNonCriticalTimeOut]
[-ScanAvgCPULoadFactor]
[-CheckForSignaturesBeforeRunningScan]
[-ScanPurgeItemsAfterDelay]
[-ScanOnlyIfIdleEnabled]
[-ScanParameters]
[-ScanScheduleDay]
[-ScanScheduleQuickScanTime]
[-ScanScheduleTime]
[-SignatureFirstAuGracePeriod]
[-SignatureAuGracePeriod]
[-SignatureDefinitionUpdateFileSharesSources]
[-SignatureDisableUpdateOnStartupWithoutEngine]
[-SignatureFallbackOrder]
[-SharedSignaturesPath]
[-SignatureScheduleDay]
[-SignatureScheduleTime]
[-SignatureUpdateCatchupInterval]
[-SignatureUpdateInterval]
[-SignatureBlobUpdateInterval]
[-SignatureBlobFileSharesSources]
[-MeteredConnectionUpdates]
[-AllowNetworkProtectionOnWinServer]
[-DisableDatagramProcessing]
[-DisableCpuThrottleOnIdleScans]
[-MAPSReporting]
[-SubmitSamplesConsent]
[-DisableAutoExclusions]
[-DisablePrivacyMode]
[-RandomizeScheduleTaskTimes]
[-SchedulerRandomizationTime]
[-DisableBehaviorMonitoring]
[-DisableIntrusionPreventionSystem]
[-DisableIOAVProtection]
[-DisableRealtimeMonitoring]
[-DisableScriptScanning]
[-DisableArchiveScanning]
[-DisableCatchupFullScan]
[-DisableCatchupQuickScan]
[-DisableEmailScanning]
[-DisableRemovableDriveScanning]
[-DisableRestorePoint]
[-DisableScanningMappedNetworkDrivesForFullScan]
[-DisableScanningNetworkFiles]
[-UILockdown]
[-ThreatIDDefaultAction_Ids <Int64[]>]
[-ThreatIDDefaultAction_Actions <ThreatAction[]>]
[-UnknownThreatDefaultAction]
[-LowThreatDefaultAction]
[-ModerateThreatDefaultAction]
[-HighThreatDefaultAction]
[-SevereThreatDefaultAction]
[-DisableBlockAtFirstSeen]
[-PUAProtection]
[-CloudBlockLevel]
[-CloudExtendedTimeout]
[-EnableNetworkProtection]
[-EnableControlledFolderAccess]
[-AttackSurfaceReductionOnlyExclusions <String[]>]
[-ControlledFolderAccessAllowedApplications <String[]>]
[-ControlledFolderAccessProtectedFolders <String[]>]
[-AttackSurfaceReductionRules_Ids <String[]>]
[-AttackSurfaceReductionRules_Actions <ASRRuleActionType[]>]
[-EnableLowCpuPriority]
[-EnableFileHashComputation]
[-EnableFullScanOnBatteryPower]
[-ProxyPacUrl]
[-ProxyServer]
[-ProxyBypass]
[-ForceUseProxyOnly]
[-DisableTlsParsing]
[-DisableHttpParsing]
[-DisableDnsParsing]
[-DisableDnsOverTcpParsing]
[-DisableSshParsing]
[-PlatformUpdatesChannel]
[-EngineUpdatesChannel]
[-SignaturesUpdatesChannel]
[-DisableGradualRelease]
[-AllowNetworkProtectionDownLevel]
[-AllowDatagramProcessingOnWinServer]
[-EnableDnsSinkhole]
[-DisableInboundConnectionFiltering]
[-DisableRdpParsing]
[-Force]
[-CimSession <CimSession[]>]
[-ThrottleLimit <Int32>]
[-AsJob]
[<CommonParameters>] Description
The Remove-MpPreference cmdlet removes exclusions for file name extensions, paths, and processes, or default actions for high, moderate, and low threats. If you attempt to remove an exclusion that is not in the list, this cmdlet reports the error.
Examples
Example 1: Remove a folder from the exclusion list
Remove-MpPreference -ExclusionPath "C:\Temp"This command removes the folder C:\Temp from the exclusion list.
Example 2: Exclude a specific file
Remove-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Windows\App.exe"This command will exclude only that specific file app.exe in that specific folder.
Parameters
-AllowDatagramProcessingOnWinServer
Indicates that the cmdlet removes whether to disable inspection of UDP connections on Windows Server.
| Type: | SwitchParameter |
| Aliases: | adpows |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AllowNetworkProtectionDownLevel
Indicates that the cmdlet removes whether to allow network protection to be set to Enabled or Audit Mode on Windows versions before 1709.
| Type: | SwitchParameter |
| Aliases: | anpdl |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AllowNetworkProtectionOnWinServer
Indicates that the cmdlet removes whether to allow network protection to be set to Enabled or Audit Mode for Windows Server.
| Type: | SwitchParameter |
| Aliases: | anpws |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AsJob
Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.
The cmdlet immediately returns an object that represents the job and then displays the command prompt.
You can continue to work in the session while the job completes.
To manage the job, use the *-Job cmdlets.
To get the job results, use the Receive-Job cmdlet.
For more information about Windows PowerShell background jobs, see about_Jobs.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AttackSurfaceReductionOnlyExclusions
Specifies the files and paths to exclude from Attack Surface Reduction (ASR) rules. Specify the folders or files and resources that should be excluded from ASR rules. Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder.
For more information about excluding files and folders from ASR rules.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AttackSurfaceReductionRules_Actions
Specifies the states of attack surface reduction rules specified by using the AttackSurfaceReductionRules_Ids parameter. If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.
| Type: | ASRRuleActionType[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AttackSurfaceReductionRules_Ids
Specifies the states of attack surface reduction rules specified by using the AttackSurfaceReductionRules_Ids parameter. If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CheckForSignaturesBeforeRunningScan
Indicates that the cmdlet removes whether to check for new virus and spyware definitions before Windows Defender runs a scan.
| Type: | SwitchParameter |
| Aliases: | csbr |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CimSession
Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.
| Type: | CimSession[] |
| Aliases: | Session |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CloudBlockLevel
Specifies a cloud block level. This value determines how aggressive Microsoft Defender Antivirus is in blocking and scanning suspicious files.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CloudExtendedTimeout
Specifies the amount of extended time to block a suspicious file and scan it in the cloud. Standard time is 10 seconds. Extend by up to 50 seconds.
| Type: | SwitchParameter |
| Aliases: | cloudextimeout |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ControlledFolderAccessAllowedApplications
Specifies applications that can make changes in controlled folders.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ControlledFolderAccessProtectedFolders
Specifies more folders to protect.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableArchiveScanning
Indicates that the cmdlet removes whether to scan archive files, such as .zip and .cab files, for malicious and unwanted software.
| Type: | SwitchParameter |
| Aliases: | darchsc |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableAutoExclusions
Indicates that the cmdlet removes whether to disable the Automatic Exclusions feature for the server.
| Type: | SwitchParameter |
| Aliases: | dae |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableBehaviorMonitoring
Indicates that the cmdlet removes whether to enable behavior monitoring.
| Type: | SwitchParameter |
| Aliases: | dbm |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableBlockAtFirstSeen
Indicates that the cmdlet removes whether to enable block at first seen.
| Type: | SwitchParameter |
| Aliases: | dbaf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableCatchupFullScan
Indicates that the cmdlet removes whether Windows Defender runs catch-up scans for scheduled full scans.
| Type: | SwitchParameter |
| Aliases: | dcfsc |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableCatchupQuickScan
Indicates that the cmdlet removes whether Windows Defender runs catch-up scans for scheduled quick scans.
| Type: | SwitchParameter |
| Aliases: | dcqsc |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableCpuThrottleOnIdleScans
Indicates that the cmdlet removes whether the CPU will be throttled for scheduled scans while the device is idle.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableDatagramProcessing
Indicates that the cmdlet removes whether to disable inspection of UDP connections.
| Type: | SwitchParameter |
| Aliases: | ddtgp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableDnsOverTcpParsing
Indicates that the cmdlet removes whether to disable inspection of DNS traffic that occurs over a TCP channel.
| Type: | SwitchParameter |
| Aliases: | ddnstcpp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableDnsParsing
Indicates that the cmdlet removes whether to disable inspection of DNS traffic that occurs over a UDP channel.
| Type: | SwitchParameter |
| Aliases: | ddnsp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableEmailScanning
Indicates that the cmdlet removes whether Windows Defender parses the mailbox and mail files, according to their specific format, in order to analyze mail bodies and attachments.
| Type: | SwitchParameter |
| Aliases: | demsc |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableGradualRelease
Indicates that the cmdlet removes whether to disable gradual rollout of monthly and daily Windows Defender updates. If you enable this option, devices are offered all updates after the gradual release cycle finishes. Consider this option for datacenter computers that only receive limited updates.
This setting applies to both monthly and daily updates. It overrides any previously configured channel selections for platform and engine updates.
If you disable or do not configure this policy, the device remains in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. The device stays up to date automatically during the gradual release cycle, which is suitable for most devices.
This policy is available starting with platform version 4.18.2106.5 and later.
| Type: | SwitchParameter |
| Aliases: | dgr |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableHttpParsing
Indicates that the cmdlet removes whether disable inspection of HTTP traffic.
If EnableNetworkProtection has the value Enabled, HTTP connections to malicious websites can be blocked.
| Type: | SwitchParameter |
| Aliases: | dhttpp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableInboundConnectionFiltering
Indicates that the cmdlet removes whether to inspect only outbound connections. By default, Network Protection inspects both inbound and outbound connections.
| Type: | SwitchParameter |
| Aliases: | dicf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableIntrusionPreventionSystem
Indicates that the cmdlet removes whether to configure network protection against exploitation of known vulnerabilities.
| Type: | SwitchParameter |
| Aliases: | dips |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableIOAVProtection
Indicates that the cmdlet removes whether Windows Defender scans all downloaded files and attachments.
| Type: | SwitchParameter |
| Aliases: | dioavp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisablePrivacyMode
Indicates that the cmdlet removes whether to disable privacy mode.
| Type: | SwitchParameter |
| Aliases: | dpm |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableRdpParsing
Indicates that the cmdlet removes whether to inspect only outbound connections. By default, Network Protection inspects both inbound and outbound connections.
| Type: | SwitchParameter |
| Aliases: | drdpp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableRealtimeMonitoring
Indicates that the cmdlet removes whether to use real-time protection.
| Type: | SwitchParameter |
| Aliases: | drtm |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableRemovableDriveScanning
Indicates that the cmdlet removes whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan.
| Type: | SwitchParameter |
| Aliases: | drdsc |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableRestorePoint
Indicates that the cmdlet removes whether to disable scanning of restore points.
| Type: | SwitchParameter |
| Aliases: | drp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableScanningMappedNetworkDrivesForFullScan
Indicates that the cmdlet removes whether to scan mapped network drives.
If you specify a value of $False or do not specify a value, Windows Defender scans mapped network drives.
| Type: | SwitchParameter |
| Aliases: | dsmndfsc |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableScanningNetworkFiles
Indicates that the cmdlet removes whether to scan for network files.
| Type: | SwitchParameter |
| Aliases: | dsnf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableScriptScanning
Indicates that the cmdlet removes whether to disable the scanning of scripts during malware scans. If you specify a value of $False or do not specify a value, Windows Defender does not scan scripts.
| Type: | SwitchParameter |
| Aliases: | dscrptsc |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableSshParsing
Indicates that the cmdlet removes whether to disable inspection of SSH traffic. By default, Network Protection inspects SSH traffic.
| Type: | SwitchParameter |
| Aliases: | dsshp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisableTlsParsing
Indicates that the cmdlet removes whether to disable inspection of TLS traffic, also known as HTTPS. By default, Network Protection inspects TLS traffic.
| Type: | SwitchParameter |
| Aliases: | dtlsp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EnableControlledFolderAccess
Indicates that the cmdlet removes the state for the controlled folder access feature. Valid values are Disabled, Enabled, and Audit Mode.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EnableDnsSinkhole
Indicates that the cmdlet removes whether to examine DNS traffic to detect and sinkhole DNS exfiltration attempts and other DNS based malicious attacks.
| Type: | SwitchParameter |
| Aliases: | ednss |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EnableFileHashComputation
Indicates that the cmdlet removes whether to enable file hash computation. When this feature is enabled, Windows Defender computes hashes for files it scans.
| Type: | SwitchParameter |
| Aliases: | efhc |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EnableFullScanOnBatteryPower
Indicates that the cmdlet removes whether Windows Defender does a full scan while on battery power.
| Type: | SwitchParameter |
| Aliases: | efsobp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EnableLowCpuPriority
Indicates that the cmdlet removes whether Windows Defender uses low CPU priority for scheduled scans.
| Type: | SwitchParameter |
| Aliases: | elcp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EnableNetworkProtection
Specifies how the Network Protection Service handles web-based malicious threats, including phishing and malware. Possible values are Disabled, Enabled, and AuditMode.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EngineUpdatesChannel
Specifies when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
Valid values are:
- NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
- Beta. Devices are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. This value is for use in manual test environments only and a limited number of devices.
- Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
- Preview. Devices are offered updates earliest during the monthly gradual release cycle. This value is suggested for pre-production or validation environments.
- Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.
| Type: | SwitchParameter |
| Aliases: | erelr |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ExclusionExtension
Specifies an array of file name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning. This cmdlet removes the exclusions that you specify.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ExclusionIpAddress
Specifies an array of IP addresses to exclude from scheduled and real-time scanning.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ExclusionPath
Specifies an array of file paths to exclude from scheduled and real-time scanning. This cmdlet removes the exclusions that you specify.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ExclusionProcess
Specifies an array of processes, as paths to process images. This cmdlet removes exclusions of files opened by the processes that you specify.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ForceUseProxyOnly
Removes whether to force the device to use only the proxy.
| Type: | SwitchParameter |
| Aliases: | fupo |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-HighThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the high threat alert level.
| Type: | SwitchParameter |
| Aliases: | htdefac |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-LowThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the low threat alert level.
| Type: | SwitchParameter |
| Aliases: | ltdefac |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MAPSReporting
Indicates that the cmdlet removes membership in Microsoft Active Protection Service.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MeteredConnectionUpdates
Indicates that the cmdlet removes whether to update managed devices to update through metered connections. Data charges may apply.
| Type: | SwitchParameter |
| Aliases: | mcupd |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ModerateThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the moderate threat alert level.
| Type: | SwitchParameter |
| Aliases: | mtdefac |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PlatformUpdatesChannel
Specifies when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
Valid values are:
- NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
- Beta. Devices are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. This value is for use in manual test environments only and a limited number of devices.
- Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
- Preview. Devices are offered updates earliest during the monthly gradual release cycle. This value is suggested for pre-production or validation environments.
- Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.
| Type: | SwitchParameter |
| Aliases: | prelr |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProxyBypass
Specifies proxy bypasses.
| Type: | SwitchParameter |
| Aliases: | proxbps |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProxyPacUrl
Specifies the Privilege Attribute Certificate (PAC) proxy.
| Type: | SwitchParameter |
| Aliases: | ppurl |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProxyServer
Specifies the proxy server.
| Type: | SwitchParameter |
| Aliases: | proxsrv |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PUAProtection
Specifies the level of detection for potentially unwanted applications. When potentially unwanted software is downloaded or attempts to install itself on your computer, you are warned.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-QuarantinePurgeItemsAfterDelay
Indicates that the cmdlet removes specified number of days to keep items in the Quarantine folder.
| Type: | SwitchParameter |
| Aliases: | qpiad |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RandomizeScheduleTaskTimes
Indicates that the cmdlet removes whether to select a random time for the scheduled start and scheduled update for definitions.
| Type: | SwitchParameter |
| Aliases: | rstt |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RealTimeScanDirection
Indicates that the cmdlet removes specified scanning configuration for incoming and outgoing files on NTFS volumes.
| Type: | SwitchParameter |
| Aliases: | rtsd |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RemediationScheduleDay
Indicates that the cmdlet removes specified day of the week on which to perform a scheduled full scan in order to complete remediation.
| Type: | SwitchParameter |
| Aliases: | rsd |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RemediationScheduleTime
Indicates that the cmdlet removes specified time of day, as the number of minutes after midnight, to perform a scheduled scan.
| Type: | SwitchParameter |
| Aliases: | rst |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ReportingAdditionalActionTimeOut
Indicates that the cmdlet removes specified number of minutes before a detection in the additional action state changes to the cleared state.
| Type: | SwitchParameter |
| Aliases: | raat |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ReportingCriticalFailureTimeOut
Indicates that the cmdlet removes specified the number of minutes before a detection in the critically failed state changes to either the additional action state or the cleared state.
| Type: | SwitchParameter |
| Aliases: | rcto |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ReportingNonCriticalTimeOut
Indicates that the cmdlet removes specified number of minutes before a detection in the non-critically failed state changes to the cleared state.
| Type: | SwitchParameter |
| Aliases: | rncto |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanAvgCPULoadFactor
Indicates that the cmdlet removes specified maximum percentage CPU usage for a scan.
| Type: | SwitchParameter |
| Aliases: | saclf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanOnlyIfIdleEnabled
Indicates that the cmdlet removes whether to start scheduled scans only when the computer is not in use.
| Type: | SwitchParameter |
| Aliases: | soiie |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanParameters
Indicates that the cmdlet removes specified scan type to use during a scheduled scan.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanPurgeItemsAfterDelay
Indicates that the cmdlet removes specified number of days to keep items in the scan history folder.
| Type: | SwitchParameter |
| Aliases: | spiad |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanScheduleDay
Indicates that the cmdlet removes specified the day of the week on which to perform a scheduled scan.
| Type: | SwitchParameter |
| Aliases: | scsd |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanScheduleQuickScanTime
Indicates that the cmdlet removes specified time of day, as the number of minutes after midnight, to perform a scheduled quick scan.
| Type: | SwitchParameter |
| Aliases: | scsqst |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ScanScheduleTime
Indicates that the cmdlet removes specified time of day, as the number of minutes after midnight, to perform a scheduled scan.
| Type: | SwitchParameter |
| Aliases: | scst |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SchedulerRandomizationTime
Specifies the randomization time for the scheduler.
| Type: | SwitchParameter |
| Aliases: | srt |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SevereThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the severe threat alert level.
| Type: | SwitchParameter |
| Aliases: | stdefac |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SharedSignaturesPath
Specifies the shared signatures path.
| Type: | SwitchParameter |
| Aliases: | ssp, SecurityIntelligenceLocation, ssl |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureAuGracePeriod
Indicates that the cmdlet removes specified grace period, in minutes, for the definition.
| Type: | SwitchParameter |
| Aliases: | sigagp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureBlobFileSharesSources
Specifies the file shares sources for signatures.
| Type: | SwitchParameter |
| Aliases: | sigbfs |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureBlobUpdateInterval
Indicates that the cmdlet removes the signature update interval.
| Type: | SwitchParameter |
| Aliases: | sigbui |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureDefinitionUpdateFileSharesSources
Indicates that the cmdlet removes specified file-share sources for definition updates.
| Type: | SwitchParameter |
| Aliases: | sigdufss |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureDisableUpdateOnStartupWithoutEngine
Indicates that the cmdlet removes whether to initiate definition updates even if no antimalware engine is present.
| Type: | SwitchParameter |
| Aliases: | sigduoswo |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureFallbackOrder
Indicates that the cmdlet removes specified order in which to contact different definition update sources.
| Type: | SwitchParameter |
| Aliases: | sfo |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureFirstAuGracePeriod
Indicates that the cmdlet removes specified grace period, in minutes, for the definition.
| Type: | SwitchParameter |
| Aliases: | sigfagp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureScheduleDay
Indicates that the cmdlet removes specified day of the week on which to check for definition updates.
| Type: | SwitchParameter |
| Aliases: | sigsd |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureScheduleTime
Indicates that the cmdlet removes specified time of day, as the number of minutes after midnight, to check for definition updates.
| Type: | SwitchParameter |
| Aliases: | sigst |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignaturesUpdatesChannel
Specifies when devices receive daily Microsoft Defender definition updates during the monthly gradual rollout.
Valid values are:
- NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
- Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
- Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.
This parameter name will be updated to DefinitionUpdatesChannel in a future release.
| Type: | SwitchParameter |
| Aliases: | srelr |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureUpdateCatchupInterval
Indicates that the cmdlet removes specified number of days after which Windows Defender requires a catch-up definition update.
| Type: | SwitchParameter |
| Aliases: | siguci |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignatureUpdateInterval
Indicates that the cmdlet removes specified interval at which to check for definition updates.
| Type: | SwitchParameter |
| Aliases: | sigui |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SubmitSamplesConsent
Indicates that the cmdlet removes how Windows Defender checks for user consent for certain samples.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ThreatIDDefaultAction_Actions
Specifies an array of the actions to take for the IDs specified by using the ThreatIDDefaultAction_Ids parameter. The acceptable values for this parameter are:
- 1: Clean
- 2: Quarantine
- 3: Remove
- 6: Allow
- 8: UserDefined
- 9: NoAction
- 10: Block
Note
A value of 0 (NULL) applies an action based on the Security Intelligence Update (SIU). This is the default value.
| Type: | ThreatAction[] |
| Aliases: | tiddefaca |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ThreatIDDefaultAction_Ids
Specifies an array of threat IDs. This cmdlet removes the default actions for the threat IDs that you specify.
| Type: | Int64[] |
| Aliases: | tiddefaci |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ThrottleLimit
Specifies the maximum number of concurrent operations that can be established to run the cmdlet.
If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer.
The throttle limit applies only to the current cmdlet, not to the session or to the computer.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-UILockdown
Indicates that the cmdlet removes whether to disable UI lockdown mode.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-UnknownThreatDefaultAction
Indicates that this cmdlet removes the automatic remediation action specified for the unknown threat alert level.
| Type: | SwitchParameter |
| Aliases: | unktdefac |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Related Links
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for