Defender CSP

Note

ControlPolicyConflict (MDMWinsOverGP) is not applicable to the Defender CSP. If using MDM, remove your current Defender group policy settings to avoid conflicts with your MDM settings.

The following list shows the Defender configuration service provider nodes:

Configuration

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Defender/Configuration

An interior node to group Windows Defender configuration information.

Description framework properties:

Property name Property value
Format node
Access Type Get

Configuration/AllowDatagramProcessingOnWinServer

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/AllowDatagramProcessingOnWinServer

This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Datagram processing on Windows Server is enabled.
0 (Default) Datagram processing on Windows Server is disabled.

Configuration/AllowNetworkProtectionDownLevel

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionDownLevel

This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Network protection will be enabled downlevel.
0 (Default) Network protection will be disabled downlevel.

Configuration/AllowNetworkProtectionOnWinServer

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionOnWinServer

This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
1 (Default) Allow.
0 Disallow.

Configuration/AllowSwitchToAsyncInspection

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Defender/Configuration/AllowSwitchToAsyncInspection

Control whether network protection can improve performance by switching from real-time inspection to asynchronous inspection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Allow switching to asynchronous inspection.
0 (Default) Don’t allow asynchronous inspection.

Configuration/ArchiveMaxDepth

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/ArchiveMaxDepth

Specify the maximum folder depth to extract from archive files for scanning. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted up to the deepest folder for scanning.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-4294967295]
Default Value 0

Configuration/ArchiveMaxSize

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/ArchiveMaxSize

Specify the maximum size, in KB, of archive files to be extracted and scanned. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted and scanned regardless of size.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-4294967295]
Default Value 0

Configuration/ASROnlyPerRuleExclusions

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Defender/Configuration/ASROnlyPerRuleExclusions

Apply ASR only per rule exclusions.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Configuration/BehavioralNetworkBlocks

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks

Description framework properties:

Property name Property value
Format node
Access Type Get

Configuration/BehavioralNetworkBlocks/BruteForceProtection

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection

Description framework properties:

Property name Property value
Format node
Access Type Get
Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionAggressiveness
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionAggressiveness

Set the criteria for when Brute-Force Protection blocks IP addresses.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Low: Only IP addresses that are 100% confidence malicious (default).
1 Medium: Use cloud aggregation to block IP addresses that are over 99% likely malicious.
2 High: Block IP addresses identified using client intelligence and context to block IP addresses that are over 90% likely malicious.
Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionConfiguredState
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionConfiguredState

Brute-Force Protection in Microsoft Defender Antivirus detects and blocks attempts to forcibly sign in and initiate sessions.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not configured: Apply defaults set by the antivirus engine and platform.
1 Block: Prevent suspicious and malicious behaviors.
2 Audit: Generate EDR detections without blocking.
4 Off: Feature is disabled with no performance impact.
Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionExclusions
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionExclusions

Specify IP addresses, subnets, or workstation names to exclude from being blocked by Brute-Force Protection. Note that attackers can spoof excluded addresses and names to bypass protection.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: |)
Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionMaxBlockTime
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionMaxBlockTime

Set the maximum time an IP address is blocked by Brute-Force Protection. After this time, blocked IP addresses will be able to sign-in and initiate sessions. If set to 0, internal feature logic will determine blocking time.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-4294967295]
Default Value 0
Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins

Description framework properties:

Property name Property value
Format node
Access Type Get
Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionLocalNetworkBlocking
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionLocalNetworkBlocking

Extend brute-force protection coverage in Microsoft Defender Antivirus to block local network addresses.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Brute-force protection won't block local network addresses.
1 Brute-force protection will block local network addresses.
Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionSkipLearningPeriod
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionPlugins/BruteForceProtectionSkipLearningPeriod

Skip the 2-week initial learning period, so brute-force protection in Microsoft Defender Antivirus can start blocking immediately.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Brute-force protection blocks threats only after completing a 2-week learning period.
1 Brute-force protection starts blocking threats immediately.

Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection

Description framework properties:

Property name Property value
Format node
Access Type Get
Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionAggressiveness
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionAggressiveness

Set the criteria for when Remote Encryption Protection blocks IP addresses.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Low: Block only when confidence level is 100% (Default).
1 Medium: Use cloud aggregation and block when confidence level is above 99%.
2 High: Use cloud intel and context, and block when confidence level is above 90%.
Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionConfiguredState
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionConfiguredState

Remote Encryption Protection in Microsoft Defender Antivirus detects and blocks attempts to replace local files with encrypted versions from another device.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not configured: Apply defaults set for the antivirus engine and platform.
1 Block: Prevent suspicious and malicious behaviors.
2 Audit: Generate EDR detections without blocking.
4 Off: Feature is off with no performance impact.
Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionExclusions
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionExclusions

Specify IP addresses, subnets, or workstation names to exclude from being blocked by Remote Encryption Protection. Note that attackers can spoof excluded addresses and names to bypass protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: |)
Default Value 0
Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionMaxBlockTime
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionMaxBlockTime

Set the maximum time an IP address is blocked by Remote Encryption Protection. After this time, blocked IP addresses will be able to reinitiate connections. If set to 0, internal feature logic will determine blocking time.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-4294967295]
Default Value 0

Configuration/DataDuplicationDirectory

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationDirectory

Define data duplication directory for device control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Configuration/DataDuplicationLocalRetentionPeriod

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationLocalRetentionPeriod

Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [1-120]
Default Value 60

Configuration/DataDuplicationMaximumQuota

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationMaximumQuota

Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum. The valid interval is [5-5000] MB. By default, the maximum quota will be 500 MB.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [5-5000]
Default Value 500

Configuration/DataDuplicationRemoteLocation

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation

Define data duplication remote location for Device Control. When configuring this setting, ensure that Device Control is Enabled and that the provided path is a remote path the user can access.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Configuration/DaysUntilAggressiveCatchupQuickScan

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DaysUntilAggressiveCatchupQuickScan

Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [7-60]
Default Value 30

Configuration/DefaultEnforcement

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DefaultEnforcement

Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
1 (Default) Default Allow Enforcement.
2 Default Deny Enforcement.

Configuration/DeviceControl

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DeviceControl

Description framework properties:

Property name Property value
Format node
Access Type Get

Configuration/DeviceControl/PolicyGroups

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups

Description framework properties:

Property name Property value
Format node
Access Type Get
Configuration/DeviceControl/PolicyGroups/{GroupId}
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId}

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get, Replace
Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData

For more information, see Microsoft Defender for Endpoint Device Control Removable Storage Access Control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Configuration/DeviceControl/PolicyRules

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules

Description framework properties:

Property name Property value
Format node
Access Type Get
Configuration/DeviceControl/PolicyRules/{RuleId}
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId}

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get, Replace
Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData

For more information, see Microsoft Defender for Endpoint Device Control Removable Storage Access Control.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Configuration/DeviceControlEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

Control Device Control feature.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Device Control is enabled.
0 (Default) Device Control is disabled.

Configuration/DisableCacheMaintenance

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableCacheMaintenance

Defines whether the cache maintenance idle task will perform the cache maintenance or not.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Cache maintenance is disabled.
0 (Default) Cache maintenance is enabled (default).

Configuration/DisableCoreServiceECSIntegration

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableCoreServiceECSIntegration

Turn off ECS integration for Defender core service.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0x0

Allowed values:

Flag Description
0x0 (Default) The Defender core service will use the Experimentation and Configuration Service (ECS) to rapidly deliver critical, org-specific fixes.
0x1 The Defender core service stops using the Experimentation and Configuration Service (ECS). Fixes will continue to be delivered through security intelligence updates.

Configuration/DisableCoreServiceTelemetry

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableCoreServiceTelemetry

Turn off OneDsCollector telemetry for Defender core service.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0x0

Allowed values:

Flag Description
0x0 (Default) The Defender core service will use the OneDsCollector framework to rapidly collect telemetry.
0x1 The Defender core service stops using the OneDsCollector framework to rapidly collect telemetry, impacting Microsoft's ability to quickly recognize and address poor performance, false positives, and other problems.

Configuration/DisableCpuThrottleOnIdleScans

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableCpuThrottleOnIdleScans

Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
1 (Default) Disable CPU Throttle on idle scans.
0 Enable CPU Throttle on idle scans.

Configuration/DisableDatagramProcessing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableDatagramProcessing

Control whether network protection inspects User Datagram Protocol (UDP) traffic.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 UDP inspection is off.
0 (Default) UDP inspection is on.

Configuration/DisableDnsOverTcpParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableDnsOverTcpParsing

This setting disables DNS over TCP Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 DNS over TCP parsing is disabled.
0 (Default) DNS over TCP parsing is enabled.

Configuration/DisableDnsParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableDnsParsing

This setting disables DNS Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 DNS parsing is disabled.
0 (Default) DNS parsing is enabled.

Configuration/DisableFtpParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableFtpParsing

This setting disables FTP Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 FTP parsing is disabled.
0 (Default) FTP parsing is enabled.

Configuration/DisableGradualRelease

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableGradualRelease

Enable this policy to disable gradual rollout of Defender updates.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Gradual release is disabled.
0 (Default) Gradual release is enabled.

Configuration/DisableHttpParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableHttpParsing

This setting disables HTTP Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 HTTP parsing is disabled.
0 (Default) HTTP parsing is enabled.

Configuration/DisableInboundConnectionFiltering

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableInboundConnectionFiltering

This setting disables Inbound connection filtering for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Inbound connection filtering is disabled.
0 (Default) Inbound connection filtering is enabled.

Configuration/DisableLocalAdminMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableLocalAdminMerge

When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Yes.
0 (Default) No.

Configuration/DisableNetworkProtectionPerfTelemetry

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableNetworkProtectionPerfTelemetry

This setting disables the gathering and send of performance telemetry from Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Network protection telemetry is disabled.
0 (Default) Network protection telemetry is enabled.

Configuration/DisableQuicParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableQuicParsing

This setting disables QUIC Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 QUIC parsing is disabled.
0 (Default) QUIC parsing is enabled.

Configuration/DisableRdpParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableRdpParsing

This setting disables RDP Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 RDP Parsing is disabled.
0 (Default) RDP Parsing is enabled.

Configuration/DisableSmtpParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableSmtpParsing

This setting disables SMTP Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 SMTP parsing is disabled.
0 (Default) SMTP parsing is enabled.

Configuration/DisableSshParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableSshParsing

This setting disables SSH Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 SSH parsing is disabled.
0 (Default) SSH parsing is enabled.

Configuration/DisableTlsParsing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/DisableTlsParsing

This setting disables TLS Parsing for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 TLS parsing is disabled.
0 (Default) TLS parsing is enabled.

Configuration/EnableConvertWarnToBlock

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Defender/Configuration/EnableConvertWarnToBlock

This setting controls whether network protection blocks network traffic instead of displaying a warning.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Warn verdicts are converted to block.
0 (Default) Warn verdicts aren't converted to block.

Configuration/EnableDnsSinkhole

Note

This policy is deprecated and may be removed in a future release.

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/EnableDnsSinkhole

This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 DNS Sinkhole is disabled.
1 (Default) DNS Sinkhole is enabled.

Configuration/EnableFileHashComputation

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Defender/Configuration/EnableFileHashComputation

Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disable.
1 Enable.

Configuration/EnableUdpReceiveOffload

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/EnableUdpReceiveOffload

This setting enables Udp Receive Offload Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Udp Receive Offload is disabled.
1 Udp Receive Offload is enabled.

Configuration/EnableUdpSegmentationOffload

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/EnableUdpSegmentationOffload

This setting enables Udp Segmentation Offload Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Udp Segmentation Offload is disabled.
1 Udp Segmentation Offload is enabled.

Configuration/EngineUpdatesChannel

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/EngineUpdatesChannel

Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
2 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
3 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
4 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
5 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
6 Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

Configuration/ExcludedIpAddresses

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses

Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$|^(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}$|^(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}$|^(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}$|^(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}$|^(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}$|^[0-9a-fA-F]{1,4}(?::[0-9a-fA-F]{1,4}){1,6}$|^::1$|^::$

Configuration/HideExclusionsFromLocalAdmins

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalAdmins

This policy setting controls whether or not exclusions are visible to local admins. To control local users exclusions visibility use HideExclusionsFromLocalUsers. If HideExclusionsFromLocalAdmins is set then HideExclusionsFromLocalUsers will be implicitly set.

Note

Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in Get-MpPreference.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
0 (Default) If you disable or don't configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.

Configuration/HideExclusionsFromLocalUsers

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalUsers

This policy setting controls whether or not exclusions are visible to local users. If HideExclusionsFromLocalAdmins is set then this policy will be implicitly set.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
0 (Default) If you disable or don't configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.

Configuration/IntelTDTEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 [10.0.19041] and later
./Device/Vendor/MSFT/Defender/Configuration/IntelTDTEnabled

This policy setting configures the Intel TDT integration level for Intel TDT-capable devices.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) If you don't configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat.
1 If you configure this setting to enabled, Intel TDT integration will turn on.
2 If you configure this setting to disabled, Intel TDT integration will turn off.

Configuration/MeteredConnectionUpdates

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/MeteredConnectionUpdates

Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Allowed.
0 (Default) Not Allowed.

Configuration/NetworkProtectionReputationMode

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/NetworkProtectionReputationMode

This sets the reputation mode engine for Network Protection.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Use standard reputation engine.
1 Use ESP reputation engine.

Configuration/OobeEnableRtpAndSigUpdate

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate

This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience).

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
0 (Default) If you either disable or don't configure this setting, real-time protection and Security Intelligence Updates during OOBE isn't enabled.

Configuration/PassiveRemediation

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation

Setting to control automatic remediation for Sense scans.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0x0

Allowed values:

Flag Description
0x0 (Default) Passive Remediation is turned off (default).
0x1 PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation.
0x2 PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit.
0x4 PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation.

Configuration/PerformanceModeStatus

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Defender/Configuration/PerformanceModeStatus

This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Performance mode is enabled (default).
1 Performance mode is disabled.

Configuration/PlatformUpdatesChannel

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel

Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
2 Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
3 Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
4 Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
5 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
6 Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

Configuration/QuickScanIncludeExclusions

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/QuickScanIncludeExclusions

This setting allows you to scan excluded files and directories during quick scans.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) If you set this setting to 0 or don't configure it, exclusions aren't scanned during quick scans.
1 If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan.

Configuration/RandomizeScheduleTaskTimes

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/RandomizeScheduleTaskTimes

In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. This can be useful in virtual machines or VDI deployments.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
1 (Default) Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime.
0 Scheduled tasks won't be randomized.

Configuration/ScanOnlyIfIdleEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/ScanOnlyIfIdleEnabled

In Microsoft Defender Antivirus, this setting will run scheduled scans only if the system is idle.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
1 (Default) Runs scheduled scans only if the system is idle.
0 Runs scheduled scans regardless of whether the system is idle.

Configuration/SchedulerRandomizationTime

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/SchedulerRandomizationTime

This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [1-23]
Default Value 4

Configuration/ScheduleSecurityIntelligenceUpdateDay

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/ScheduleSecurityIntelligenceUpdateDay

This setting allows you to specify the day of the week on which to check for security intelligence updates. By default, this setting is configured to never check for security intelligence updates.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 8

Allowed values:

Value Description
0 Daily.
1 Sunday.
2 Monday.
3 Tuesday.
4 Wednesday.
5 Thursday.
6 Friday.
7 Saturday.
8 (Default) Never.

Configuration/ScheduleSecurityIntelligenceUpdateTime

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/ScheduleSecurityIntelligenceUpdateTime

This setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 is equivalent to 02:00 AM. By default, this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-1439]
Default Value 105

Configuration/SecuredDevicesConfiguration

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration

Defines which device's primary ids should be secured by Defender Device Control. The primary id values should be pipe (|) separated. Example: RemovableMediaDevices|CdRomDevices. If this configuration isn't set the default value will be applied, meaning all supported devices will be secured. Currently supported primary ids are: RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
RemovableMediaDevices RemovableMediaDevices.
CdRomDevices CdRomDevices.
WpdDevices WpdDevices.
PrinterDevices PrinterDevices.

Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly

This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It's used together with the shared security intelligence location (SecurityIntelligenceLocation).

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time.
0 (Default) If you either disable or don't configure this setting, updates occur whenever a new security intelligence update is detected at the location that's specified by SecurityIntelligenceLocation.

Configuration/SecurityIntelligenceUpdatesChannel

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceUpdatesChannel

Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment.
4 Current Channel (Staged): Same as Current Channel (Broad).
5 Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production.

Configuration/SupportLogLocation

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/SupportLogLocation

The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.

Intune Support Log Location setting UI supports three states:

  • Not configured (default) - Doesn't have any impact on the default state of the device.
  • 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
  • 0 - Disabled. Turns off the Support log location feature.

When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.

More details:

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Configuration/TamperProtection

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Defender/Configuration/TamperProtection

Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob.

Note

Changes to this setting are not applied when tamper protection is enabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Default Value 0

Configuration/ThrottleForScheduledScanOnly

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Defender/Configuration/ThrottleForScheduledScanOnly

A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
1 (Default) If you enable this setting, CPU throttling will apply only to scheduled scans.
0 If you disable this setting, CPU throttling will apply to scheduled and custom scans.

Detections

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections

An interior node to group all threats detected by Windows Defender.

Description framework properties:

Property name Property value
Format node
Access Type Get

Detections/{ThreatId}

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}

The ID of a threat that has been detected by Windows Defender.

Description framework properties:

Property name Property value
Format node
Access Type Get
Dynamic Node Naming ClientInventory

Detections/{ThreatId}/Category

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Category

Threat category ID. Supported values:

| Value | Description |.

|:--|:--|.

| 0 | Invalid |.

| 1 | Adware |.

| 2 | Spyware |.

| 3 | Password stealer |.

| 4 | Trojan downloader |.

| 5 | Worm |.

| 6 | Backdoor |.

| 7 | Remote access Trojan |.

| 8 | Trojan |.

| 9 | Email flooder |.

| 10 | Keylogger |.

| 11 | Dialer |.

| 12 | Monitoring software |.

| 13 | Browser modifier |.

| 14 | Cookie |.

| 15 | Browser plugin |.

| 16 | AOL exploit |.

| 17 | Nuker |.

| 18 | Security disabler |.

| 19 | Joke program |.

| 20 | Hostile ActiveX control |.

| 21 | Software bundler |.

| 22 | Stealth modifier |.

| 23 | Settings modifier |.

| 24 | Toolbar |.

| 25 | Remote control software |.

| 26 | Trojan FTP |.

| 27 | Potential unwanted software |.

| 28 | ICQ exploit |.

| 29 | Trojan telnet |.

| 30 | Exploit |.

| 31 | File sharing program |.

| 32 | Malware creation tool |.

| 33 | Remote control software |.

| 34 | Tool |.

| 36 | Trojan denial of service |.

| 37 | Trojan dropper |.

| 38 | Trojan mass mailer |.

| 39 | Trojan monitoring software |.

| 40 | Trojan proxy server |.

| 42 | Virus |.

| 43 | Known |.

| 44 | Unknown |.

| 45 | SPP |.

| 46 | Behavior |.

| 47 | Vulnerability |.

| 48 | Policy |.

| 49 | EUS (Enterprise Unwanted Software) |.

| 50 | Ransomware |.

| 51 | ASR Rule |

Description framework properties:

Property name Property value
Format int
Access Type Get

Detections/{ThreatId}/CurrentStatus

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/CurrentStatus

Information about the current status of the threat. The following list shows the supported values:

| Value | Description |.

|:--|:--|.

| 0 | Active |.

| 1 | Action failed |.

| 2 | Manual steps required |.

| 3 | Full scan required |.

| 4 | Reboot required |.

| 5 | Remediated with noncritical failures |.

| 6 | Quarantined |.

| 7 | Removed |.

| 8 | Cleaned |.

| 9 | Allowed |.

| 10 | No Status ( Cleared) |

Description framework properties:

Property name Property value
Format int
Access Type Get

Detections/{ThreatId}/ExecutionStatus

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/ExecutionStatus

Information about the execution status of the threat.

Description framework properties:

Property name Property value
Format int
Access Type Get

Detections/{ThreatId}/InitialDetectionTime

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/InitialDetectionTime

The first time this particular threat was detected.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Detections/{ThreatId}/LastThreatStatusChangeTime

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/LastThreatStatusChangeTime

The last time this particular threat was changed.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Detections/{ThreatId}/Name

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Name

The name of the specific threat.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Detections/{ThreatId}/NumberOfDetections

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/NumberOfDetections

Number of times this threat has been detected on a particular client.

Description framework properties:

Property name Property value
Format int
Access Type Get

Detections/{ThreatId}/Severity

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Severity

Threat severity ID. The following list shows the supported values:

| Value | Description |.

|:--|:--|.

| 0 | Unknown |.

| 1 | Low |.

| 2 | Moderate |.

| 4 | High |.

| 5 | Severe |

Description framework properties:

Property name Property value
Format int
Access Type Get

Detections/{ThreatId}/URL

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/URL

URL link for additional threat information.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health

An interior node to group information about Windows Defender health status.

Description framework properties:

Property name Property value
Format node
Access Type Get

Health/ComputerState

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/ComputerState

Provide the current state of the device. The following list shows the supported values:

| Value | Description |.

|:--|:--|.

| 0 | Clean |.

| 1 | Pending full scan |.

| 2 | Pending reboot |.

| 4 | Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) |.

| 8 | Pending offline scan |.

| 16 | Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) |

Description framework properties:

Property name Property value
Format int
Access Type Get

Health/DefenderEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/DefenderEnabled

Indicates whether the Windows Defender service is running.

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/DefenderVersion

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/DefenderVersion

Version number of Windows Defender on the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health/DeviceControl

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/DeviceControl

An interior node to group information about Device Cotrol health status.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health/DeviceControl/State

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Health/DeviceControl/State

Provide the current state of the Device Control.

Description framework properties:

Property name Property value
Format int
Access Type Get

Health/EngineVersion

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/EngineVersion

Version number of the current Windows Defender engine on the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health/FullScanOverdue

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/FullScanOverdue

Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and catchup Full scans are disabled (default).

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/FullScanRequired

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/FullScanRequired

Indicates whether a Windows Defender full scan is required.

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/FullScanSigVersion

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/FullScanSigVersion

Signature version used for the last full scan of the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health/FullScanTime

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/FullScanTime

Time of the last Windows Defender full scan of the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health/IsVirtualMachine

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Defender/Health/IsVirtualMachine

Indicates whether the device is a virtual machine.

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/NisEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/NisEnabled

Indicates whether network protection is running.

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/ProductStatus

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Defender/Health/ProductStatus

Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values:

| Value | Description |.

|:--|:--|.

| 0 | No status |.

| 1 (1 << 0) | Service not running |.

| 2 (1 << 1) | Service started without any malware protection engine |.

| 4 (1 << 2) | Pending full scan due to threat action |.

| 8 (1 << 3) | Pending reboot due to threat action |.

| 16 (1 << 4) | ending manual steps due to threat action |.

| 32 (1 << 5) | AV signatures out of date |.

| 64 (1 << 6) | AS signatures out of date |.

| 128 (1 << 7) | No quick scan has happened for a specified period |.

| 256 (1 << 8) | No full scan has happened for a specified period |.

| 512 (1 << 9) | System initiated scan in progress |.

| 1024 (1 << 10) | System initiated clean in progress |.

| 2048 (1 << 11) | There are samples pending submission |.

| 4096 (1 << 12) | Product running in evaluation mode |.

| 8192 (1 << 13) | Product running in non-genuine Windows mode |.

| 16384 (1 << 14) | Product expired |.

| 32768 (1 << 15) | Off-line scan required |.

| 65536 (1 << 16) | Service is shutting down as part of system shutdown |.

| 131072 (1 << 17) | Threat remediation failed critically |.

| 262144 (1 << 18) | Threat remediation failed non-critically |.

| 524288 (1 << 19) | No status flags set (well initialized state) |.

| 1048576 (1 << 20) | Platform is out of date |.

| 2097152 (1 << 21) | Platform update is in progress |.

| 4194304 (1 << 22) | Platform is about to be outdated |.

| 8388608 (1 << 23) | Signature or platform end of life is past or is impending |.

| 16777216 (1 << 24) | Windows SMode signatures still in use on non-Win10S install |

Description framework properties:

Property name Property value
Format int
Access Type Get

Example:

<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Get>
      <CmdID>1</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/Defender/Health/ProductStatus</LocURI>
          </Target>
        </Item>
    </Get>
    <Final/>
  </SyncBody>
</SyncML>

Health/QuickScanOverdue

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/QuickScanOverdue

Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and catchup Quick scans are disabled (default).

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/QuickScanSigVersion

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/QuickScanSigVersion

Signature version used for the last quick scan of the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health/QuickScanTime

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/QuickScanTime

Time of the last Windows Defender quick scan of the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health/RebootRequired

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/RebootRequired

Indicates whether a device reboot is needed.

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/RtpEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/RtpEnabled

Indicates whether real-time protection is running.

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/SignatureOutOfDate

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/SignatureOutOfDate

Indicates whether the Windows Defender signature is outdated.

Description framework properties:

Property name Property value
Format bool
Access Type Get

Health/SignatureVersion

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Health/SignatureVersion

Version number of the current Windows Defender signatures on the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

Health/TamperProtectionEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Defender/Health/TamperProtectionEnabled

Indicates whether the Windows Defender tamper protection feature is enabled.

Description framework properties:

Property name Property value
Format bool
Access Type Get

OfflineScan

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Defender/OfflineScan

OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Exec, Get
Reboot Behavior ServerInitiated

RollbackEngine

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Defender/RollbackEngine

RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Exec, Get
Reboot Behavior ServerInitiated

RollbackPlatform

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Defender/RollbackPlatform

RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Exec, Get
Reboot Behavior ServerInitiated

Scan

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/Scan

Node that can be used to start a Windows Defender scan on a device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Exec, Get

Allowed values:

Value Description
1 Quick scan.
2 Full scan.

UpdateSignature

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1511 [10.0.10586] and later
./Device/Vendor/MSFT/Defender/UpdateSignature

Node that can be used to perform signature updates for Windows Defender.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Exec, Get

Configuration service provider reference