The Set-MpPreference cmdlet configures preferences for Windows Defender scans and updates.
You can modify exclusion file name extensions, paths, or processes, and specify the default action for high, moderate, and low threat levels.
REMEDIATION VALUES
The following table provides remediation action values for detected threats at low, medium, high, and severe alert levels.
Value
Action
1
Clean the detected threat.
2
Quarantine the detected threat.
3
Remove the detected threat.
6
Allow the detected threat.
8
Allow the user to determine the action to take with the detected threat.
9
Don’t take any action.
10
Block the detected threat.
0
(NULL)
Apply action based on the Security Intelligence Update (SIU). This value is the default value.
Examples
Example 1: Schedule to check for definition updates everyday
This command configures preferences to check for definition updates 120 minutes after midnight on days when it’s scheduled to check.
Parameters
-AllowSwitchToAsyncInspection
Specifies whether to enable a performance optimization that allows synchronously inspected network flows to switch to async inspection once they have been checked and validated.
Parameter properties
Type:
Boolean
Default value:
Enabled
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-AsJob
Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.
The cmdlet immediately returns an object that represents the job and then displays the command prompt.
You can continue to work in the session while the job completes.
To manage the job, use the *-Job cmdlets.
To get the job results, use the Receive-Job cmdlet.
For more information about Windows PowerShell background jobs, see about_Jobs.
Parameter properties
Type:
SwitchParameter
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-CheckForSignaturesBeforeRunningScan
Indicates whether to check for new virus and spyware definitions before Windows Defender runs a scan.
If you specify a value of $True, Windows Defender checks for new definitions.
If you specify $False or don’t specify a value, the scan begins with existing definitions.
This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or on scans started from the command line using "mpcmdrun -Scan".
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
csbr
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-CimSession
Runs the cmdlet in a remote session or on a remote computer.
The default is the current session on the local computer.
Parameter properties
Type:
CimSession[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
Session
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-CloudBlockLevel
Configure this policy to specify the level of cloud protection to your endpoint.
Default (0): provides strong detection without increasing risk of detecting legitimate files
Moderate (1): provides moderate detection only for high confidence detections
High (2): applies a strong level of detection while optimizing client performance
HighPlus (4): applies extra protection measures (might affect client performance and increase your chance of false positives)
ZeroTolerance (6): blocks all unknown executables
Parameter properties
Type:
CloudBlockLevelType
Default value:
None
Accepted values:
Default|Moderate|High|HighPlus|ZeroTolerance
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DefinitionUpdatesChannel
Enable this policy to specify when devices receive daily Microsoft Defender security intelligence (definition/signature) updates during the daily gradual rollout.
Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or don’t configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
Supported OS versions: Windows 10
Note: This policy is available starting with platform version 4.18.2106.5 and later
Parameter properties
Type:
UpdatesChannelType
Default value:
None
Accepted values:
Staged|Broad|Not Configured
Supports wildcards:
False
DontShow:
False
Aliases:
suc
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableArchiveScanning
Indicates whether to scan archive files, such as .zip and .cab files, for malicious and unwanted software.
If you specify a value of $False or don’t specify a value, Windows Defender scans archive files.
However, archives are always scanned during directed scans.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
darchsc
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableAutoExclusions
Indicates whether to disable the Automatic Exclusions feature for the server.
If you specify a value of $False or don’t specify a value, Windows Defender enables the Automatic Exclusions feature for the server.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dae
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableBehaviorMonitoring
Indicates whether to enable behavior monitoring.
If you specify a value of $False or don’t specify a value, Windows Defender enables behavior monitoring.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dbm
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableBlockAtFirstSeen
Indicates whether to enable block at first seen.
If you specify a value of $False or don’t specify a value, Windows Defender enables block at first seen.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dbaf
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableCacheMaintenance
Defines whether the cache maintenance idle task will perform the cache maintenance or not. Allowed values are 1 - cache maintenance is disabled, and 0 - cache maintenance is enabled (default).
Parameter properties
Type:
Boolean
Default value:
0
Supports wildcards:
False
DontShow:
False
Aliases:
dcm
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableCatchupFullScan
Indicates whether Windows Defender runs catch-up scans for scheduled full scans.
A computer can miss a scheduled scan, usually because the computer is turned off at the scheduled time.
If you specify a value of $False, after the computer misses two scheduled full scans, Windows Defender runs a catch-up scan the next time someone signs in the computer. If you specify a value of $True, the computer doesn’t run catch-up scans for scheduled full scans.
Parameter properties
Type:
Boolean
Default value:
True
Supports wildcards:
False
DontShow:
False
Aliases:
dcfsc
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableCatchupQuickScan
Indicates whether Windows Defender runs catch-up scans for scheduled quick scans.
A computer can miss a scheduled scan, usually because the computer is off at the scheduled time.
If you specify a value of $False, after the computer misses two scheduled quick scans, Windows Defender runs a catch-up scan the next time someone signs in the computer. If you specify a value of $True, the computer doesn’t run catch-up scans for scheduled quick scans.
Parameter properties
Type:
Boolean
Default value:
True
Supports wildcards:
False
DontShow:
False
Aliases:
dcqsc
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableCpuThrottleOnIdleScans
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This parameter is enabled by default, thus ensuring that the CPU won’t be throttled for scheduled scans performed when the device is idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag doesn’t have any impact and normal throttling will occur.
Parameter properties
Type:
Boolean
Default value:
True
Supports wildcards:
False
DontShow:
False
Aliases:
None
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableEmailScanning
Indicates whether Windows Defender parses the mailbox and mail files, according to their specific format, in order to analyze mail bodies and attachments.
Windows Defender supports several formats, including .pst, .dbx, .mbx, .mime, and .binhex.
If you specify a value of $False or don’t specify a value, Windows Defender performs email scanning. If you specify a value of $True, Windows Defender doesn’t perform email scanning.
This configuration isn’t applicable to modern email clients.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
demsc
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableGradualRelease
Enable this policy to disable gradual rollout of monthly and daily Defender updates.
Devices will be offered all Defender updates after the gradual release cycle completes. Best for datacenter machines that only receive limited updates.
Note: This setting applies to both monthly and daily Defender updates and will override any previously configured channel selections for platform and engine updates.
If you disable or don’t configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
Supported OS versions: Windows 10
Note: This policy is available starting with platform version 4.18.2106.5 and later
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dgr
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableIntrusionPreventionSystem
This parameter was deprecated and its use has no impact.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dips
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableIOAVProtection
Indicates whether Windows Defender scans all downloaded files and attachments.
If you specify a value of $False or don’t specify a value, scanning downloaded files and attachments is enabled.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dioavp
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisablePrivacyMode
Indicates whether to disable privacy mode.
Privacy mode prevents users, other than administrators, from displaying threat history.
If you specify a value of $False or don’t specify a value, privacy mode is enabled.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dpm
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableRealtimeMonitoring
Indicates whether to use real-time protection.
If you specify a value of $False or don’t specify a value, Windows Defender uses real-time protection.
We recommend that you enable Windows Defender to use real-time protection.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
drtm
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableRemovableDriveScanning
Indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan.
If you specify a value of $False or don’t specify a value, Windows Defender scans removable drives during any type of scan. If you specify a value of $True, Windows Defender doesn’t scan removable drives during a full scan. Windows Defender can still scan removable drives during quick scans or custom scans.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
drdsc
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableRestorePoint
Indicates whether to disable scanning of restore points.
If you specify a value of $False or don’t specify a value, Windows Defender restore point is enabled.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
drp, dsnf
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableScanningMappedNetworkDrivesForFullScan
Indicates whether to scan mapped network drives. If you specify a value of $False or don’t specify a value, Windows Defender scans mapped network drives. If you specify a value of $True, Windows Defender doesn’t scan mapped network drives.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dsmndfsc
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableScanningNetworkFiles
Indicates whether to scan for network files. If you specify a value of $False or don’t specify a value, Windows Defender scans network files. If you specify a value of $True, Windows Defender doesn’t scan network files. We don’t recommend scanning network files.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dsnf
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-DisableScriptScanning
Specifies whether to disable the scanning of scripts during malware scans.
If you specify a value of $False or don’t specify a value, Windows Defender doesn’t scan scripts.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
dscrptsc
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EngineUpdatesChannel
Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
Critical- Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
If you disable or don’t configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
Supported OS versions: Windows 10
Note: This policy is available starting with platform version 4.18.2106.5 and later
Parameter properties
Type:
UpdatesChannelType
Default value:
None
Accepted values:
Beta|Preview|Staged|Broad|Delayed|NotConfigured
Supports wildcards:
False
DontShow:
False
Aliases:
euc
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ExclusionExtension
Specifies an array of file name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning.
Parameter properties
Type:
String[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ExclusionPath
Specifies an array of file paths to exclude from scheduled and real-time scanning.
You can specify a folder to exclude all the files under the folder.
Parameter properties
Type:
String[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ExclusionProcess
Specifies an array of processes, as paths to process images.
This cmdlet excludes any files opened by the processes that you specify from scheduled and real-time scanning.
Specifying this parameter excludes files opened by executable programs only.
The cmdlet doesn’t exclude the processes themselves.
To exclude a process, specify it by using the ExclusionPath parameter.
Parameter properties
Type:
String[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Force
Forces the command to run without asking for user confirmation.
Parameter properties
Type:
SwitchParameter
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-HighThreatDefaultAction
Specifies which automatic remediation action to take for a high-level threat.
The acceptable values for this parameter are:
Specifies the type of membership in Microsoft Active Protection Service.
Microsoft Active Protection Service is an online community that helps you choose how to respond to potential threats.
The community also helps prevent the spread of new malicious software.
The acceptable values for this parameter are:
0: Disabled - Send no information to Microsoft. This value is the default value.
1: Basic membership. - Send basic information to Microsoft about detected software, including where the software came from, the actions that you apply or that apply automatically, and whether the actions succeeded.
2: Advanced membership. - In addition to basic information, send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it affects your computer.
If you join this community, you can choose to automatically send basic or additional information about detected software.
Additional information helps Microsoft create new definitions.
In some instances, personal information might unintentionally be sent to Microsoft.
However, Microsoft won’t use this information to identify you or contact you.
Parameter properties
Type:
MAPSReportingType
Default value:
None
Accepted values:
Disabled, Basic, Advanced
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ModerateThreatDefaultAction
Specifies which automatic remediation action to take for a moderate level threat.
The acceptable values for this parameter are:
This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during Out of Box experience (OOBE).
Valid values are:
True - If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
False (Default) - If you either disable or don't configure this setting, real-time protection and Security Intelligence Updates during OOBE aren't enabled.
Parameter properties
Type:
Boolean
Default value:
False
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-PlatformUpdatesChannel
Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
Critical- Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
If you disable or don’t configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
Supported OS versions: Windows 10
Note: This policy is available starting with platform version 4.18.2106.5 and later
Parameter properties
Type:
UpdatesChannelType
Default value:
None
Accepted values:
Beta|Preview|Staged|Broad|Delayed|NotConfigured
Supports wildcards:
False
DontShow:
False
Aliases:
puc
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-PUAProtection
The Set-MpPreference cmdlet configures preferences for Windows Defender scans and updates.
You can modify exclusion file name extensions, paths, or processes, and specify the default action for high, moderate, and low threat levels.
REMEDIATION VALUES
The following table provides remediation action values for detected threats at low, medium, high, and severe alert levels.
Value
Action
1
Clean the detected threat.
2
Quarantine the detected threat.
3
Remove the detected threat.
6
Allow the detected threat.
8
Allow the user to determine the action to take with the detected threat.
9
Don’t take any action.
10
Block the detected threat.
0
(NULL)
Apply action based on the Security Intelligence Update (SIU). This value is the default value.
Parameter properties
Type:
PUAProtectionType
Default value:
None
Accepted values:
Disabled, Enabled, AuditMode
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-QuarantinePurgeItemsAfterDelay
Specifies the number of days to keep items in the Quarantine folder.
If you specify a value of zero or don’t specify a value for this parameter, items stay in the Quarantine folder indefinitely.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
qpiad
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RandomizeScheduleTaskTimes
Indicates whether to select a random time for the scheduled start and scheduled update for definitions.
If you specify a value of $True or don’t specify a value, scheduled tasks begin within 30 minutes, before or after, the scheduled time.
If you randomize the start times, it can distribute the impact of scanning.
For example, if several virtual machines share the same host, randomized start times prevents all the hosts from starting the scheduled tasks at the same time.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
rstt
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RealTimeScanDirection
Specifies scanning configuration for incoming and outgoing files on NTFS volumes.
The acceptable values for this parameter are:
0: Scan both incoming and outgoing files.
This is the default.
1: Scan incoming files only.
2: Scan outgoing files only.
Specify a value for this parameter to enhance performance on servers that have a large number of file transfers, but need scanning for either incoming or outgoing files.
Evaluate this configuration based on the server role.
For non-NTFS volumes, Windows Defender performs full monitoring of file and program activity.
Parameter properties
Type:
ScanDirection
Default value:
None
Accepted values:
Both, Incoming, Outcoming
Supports wildcards:
False
DontShow:
False
Aliases:
rtsd
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RemediationScheduleDay
Specifies the day of the week on which to perform a scheduled full scan in order to complete remediation.
Alternatively, specify everyday for this full scan or never.
The acceptable values for this parameter are:
0: Everyday
1: Sunday
2: Monday
3: Tuesday
4: Wednesday
5: Thursday
6: Friday
7: Saturday
8: Never
The default value is 8, never.
If you specify a value of 8 or don’t specify a value, Windows Defender performs a scheduled full scan to complete remediation by using a default frequency.
Parameter properties
Type:
Day
Default value:
None
Accepted values:
Everyday, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Never
Supports wildcards:
False
DontShow:
False
Aliases:
rsd
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RemediationScheduleTime
Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan.
The time refers to the local time on the computer.
If you don’t specify a value for this parameter, a scheduled scan runs at the default time of two hours after midnight.
Parameter properties
Type:
DateTime
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
rst
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ReportingAdditionalActionTimeOut
Specifies the number of minutes before a detection in the additional action state changes to the cleared state.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
raat
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ReportingCriticalFailureTimeOut
Specifies the number of minutes before a detection in the critically failed state changes to either the additional action state or the cleared state.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
rcto
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ReportingNonCriticalTimeOut
Specifies the number of minutes before a detection in the non-critically failed state changes to the cleared state.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
rncto
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ScanAvgCPULoadFactor
Specifies the maximum percentage CPU usage for a scan.
The acceptable values for this parameter are: integers from 5 through 100, and the value 0, which disables CPU throttling.
Windows Defender doesn’t exceed the percentage of CPU usage that you specify.
The default value is 50.
Note: This limit isn’t a hard limit but rather guidance for the scanning engine to not exceed this maximum on average.
Note: Manually run scans will ignore this setting and run without any CPU limits. If ScanOnlyIfIdleEnabled (instructing the product to scan only when the computer is not in use) and DisableCpuThrottleOnIdleScans (instructing the product to disable CPU throttling on idle scans) are both enabled, then the value of ScanAvgCPULoadFactor is ignored.
Parameter properties
Type:
Byte
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
saclf
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ScanOnlyIfIdleEnabled
Indicates whether to start scheduled scans only when the computer isn’t in use.
If you specify a value of $True or don’t specify a value, Windows Defender runs schedules scans when the computer is on, but not in use.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
soiie
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ScanParameters
Specifies the scan type to use during a scheduled scan.
The acceptable values for this parameter are:
1: Quick scan
2: Full scan
If you don’t specify this parameter, Windows Defender uses the default value of quick scan.
Parameter properties
Type:
ScanType
Default value:
None
Accepted values:
QuickScan, FullScan
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ScanPurgeItemsAfterDelay
Specifies the number of days to keep items in the scan history folder.
After this time, Windows Defender removes the items.
If you specify a value of zero, Windows Defender doesn’t remove items.
If you don’t specify a value, Windows Defender removes items from the scan history folder after the default length of time, which is 15 days.
Parameter properties
Type:
UInt32
Default value:
15
Supports wildcards:
False
DontShow:
False
Aliases:
spiad
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ScanScheduleDay
Specifies the day of the week on which to perform a scheduled scan.
Alternatively, specify everyday for a scheduled scan or never.
The acceptable values for this parameter are:
0: Everyday
1: Sunday
2: Monday
3: Tuesday
4: Wednesday
5: Thursday
6: Friday
7: Saturday
8: Never
The default value is 8, never.
If you specify a value of 8 or don’t specify a value, Windows Defender doesn’t perform scheduled scans.
Parameter properties
Type:
Day
Default value:
None
Accepted values:
Everyday, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Never
Supports wildcards:
False
DontShow:
False
Aliases:
scsd
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ScanScheduleOffset
Configures the number of minutes after midnight to perform a scheduled scan. The time on the endpoint is used to determine the local time. If you enable this setting, a scheduled scan will run at the time specified. If you disable or don’t enable this setting, a scheduled scan runs at the default time of two hours (120 minutes) after midnight.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
scso
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ScanScheduleQuickScanTime
Specifies the time of day, as the number of minutes after midnight, to perform a scheduled quick scan.
The time refers to the local time on the computer.
If you don’t specify a value for this parameter, a scheduled quick scan runs at the time specified by the ScanScheduleOffset parameter.
That parameter has a default time of two hours after midnight.
Parameter properties
Type:
DateTime
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
scsqst
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ScanScheduleTime
Specifies the time of day to run a scheduled scan. The time refers to the local time on the computer. Specify the number of minutes after midnight (for example, enter 60 for 1 a.m.). This parameter has a default time of two hours after midnight (2 a.m.).
Parameter properties
Type:
DateTime
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
scsqst
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ServiceHealthReportInterval
This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints. These are for Microsoft Defender Antivirus events 1150 and 1151. For more information, see Microsoft Defender Antivirus event IDs.
If you don’t configure this setting, the default value will be applied. The default value is set at 60 minutes (one hour).
If you configure this setting to 0, no service health reports will be sent.
The maximum value allowed to be set is 14400 minutes (10 days).
Parameter properties
Type:
UInt32
Default value:
60
Accepted values:
0-14400
Supports wildcards:
False
DontShow:
False
Aliases:
shri
Parameter sets
(All)
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SevereThreatDefaultAction
Specifies which automatic remediation action to take for a severe level threat.
The acceptable values for this parameter are:
Specifies a grace period, in minutes, for the definition.
If a definition successfully updates within this period, Windows Defender abandons any service initiated updates.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
sigagp
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureDefinitionUpdateFileSharesSources
Specifies file-share sources for definition updates.
Specify sources as a bracketed sequence of Universal Naming Convention (UNC) locations, separated by the pipeline symbol; for example, { \\\\Server01\Share01 | \\\\Server02\Share02 | \\\\Server03\Share03}.
If you specify a value for this parameter, Windows Defender attempts to connect to the shares in the order that you specify.
After Windows Defender updates a definition, it stops attempting to connect to shares on the list.
If you don’t specify a value for this parameter, the list is empty.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
sigdufss
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureDisableUpdateOnStartupWithoutEngine
Indicates whether to initiate definition updates even if no antimalware engine is present.
If you specify a value of $True or don’t specify a value, Windows Defender doesn’t initiate definition updates on startup.
If you specify a value of $False, and if no antimalware engine is present, Windows Defender initiates definition updates on startup.
Parameter properties
Type:
Boolean
Default value:
False
Supports wildcards:
False
DontShow:
False
Aliases:
sigduoswo
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureFallbackOrder
Specifies the order in which to contact different definition update sources.
Specify the types of update sources in the order in which you want Windows Defender to contact them, enclosed in braces and separated by the pipeline symbol; for example, { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }.
The values that you can specify in the string are:
InternalDefinitionUpdateServer
MicrosoftUpdateServer
MMPC
FileShares
MMPC refers to Microsoft Malware Protection Center.
If you specify a value for this parameter, Windows Defender contacts the definition update sources in the specified order.
After Windows Defender downloads definition updates from a source, it stops attempting to connect to other sources.
If you don’t specify a value for this parameter, Windows Defender contacts sources in the default order of { MicrosoftUpdateServer | MMPC }.
Parameter properties
Type:
String
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
sfo
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureFirstAuGracePeriod
Specifies a grace period, in minutes, for the definition.
If a definition successfully updates within this period, Windows Defender abandons any service initiated updates.
This parameter overrides the value of the CheckForSignaturesBeforeRunningScan parameter.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
sigfagp
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureScheduleDay
Specifies the day of the week on which to check for definition updates.
Alternatively, specify everyday for a scheduled scan or never.
The acceptable values for this parameter are:
0: Everyday
1: Sunday
2: Monday
3: Tuesday
4: Wednesday
5: Thursday
6: Friday
7: Saturday
8: Never
The default value is 8, never.
If you specify a value of 8 or don’t specify a value, Windows Defender checks for definition updates by using a default frequency.
Parameter properties
Type:
Day
Default value:
None
Accepted values:
Everyday, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Never
Supports wildcards:
False
DontShow:
False
Aliases:
sigsd
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureScheduleTime
Specifies the time of day, as the number of minutes after midnight, to check for definition updates.
The time refers to the local time on the computer.
If you don’t specify a value for this parameter, Windows Defender checks for definition updates at the default time of 15 minutes before the scheduled scan time.
Parameter properties
Type:
DateTime
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
sigst
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureUpdateCatchupInterval
Specifies the number of days after which Windows Defender requires a catch-up definition update.
If you don’t specify a value for this parameter, Windows Defender requires a catch-up definition update after the default value of one day.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
siguci
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SignatureUpdateInterval
Specifies the interval, in hours, at which to check for definition updates.
The acceptable values for this parameter are: integers from 1 through 24.
If you don’t specify a value for this parameter, Windows Defender checks at the default interval.
You can use this parameter instead of the SignatureScheduleDay parameter and SignatureScheduleTime parameter.
Parameter properties
Type:
UInt32
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
sigui
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-SubmitSamplesConsent
Specifies how Windows Defender checks for user consent for certain samples.
If consent has previously been granted, Windows Defender submits the samples.
Otherwise, if the MAPSReporting parameter doesn’t have a value of Disabled, Windows Defender prompts the user for consent.
The acceptable values for this parameter are:
Specifies an array of the actions to take for the IDs specified by using the ThreatIDDefaultAction_Ids parameter.
The acceptable values for this parameter are:
1: Clean
2: Quarantine
3: Remove
6: Allow
8: UserDefined
9: NoAction
10: Block
Note
A value of 0 (NULL) applies an action based on the Security Intelligence Update (SIU). This is the default value.
Specifies an array of threat IDs.
This cmdlet modifies the default action for the threat IDs that you specify.
Parameter properties
Type:
Int64[]
Default value:
None
Supports wildcards:
False
DontShow:
False
Aliases:
tiddefaci
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ThrottleLimit
Specifies the maximum number of concurrent operations that can be established to run the cmdlet.
If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer.
The throttle limit applies only to the current cmdlet, not to the session or to the computer.
Parameter properties
Type:
Int32
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-UILockdown
Indicates whether to disable UI lockdown mode.
If you specify a value of $True, Windows Defender disables UI lockdown mode.
If you specify $False or don’t specify a value, UI lockdown mode is enabled.
Parameter properties
Type:
Boolean
Default value:
None
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-UnknownThreatDefaultAction
Specifies which automatic remediation action to take for an unknown level threat.
The acceptable values for this parameter are:
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.