MSFT_MpPreference class
Windows Defender Preferences Class
The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.
Syntax
class MSFT_MpPreference
{
string ComputerID = msft_mppreference.xml;
boolean DisableAutoExclusions = FALSE;
string ExclusionPath[];
string ExclusionExtension[];
string ExclusionProcess[];
uint32 QuarantinePurgeItemsAfterDelay;
uint8 RealTimeScanDirection = 0;
uint8 RemediationScheduleDay;
DateTime RemediationScheduleTime;
uint32 ReportingAdditionalActionTimeOut;
uint32 ReportingCriticalFailureTimeOut;
uint32 ReportingNonCriticalTimeOut;
uint8 ScanAvgCPULoadFactor;
boolean CheckForSignaturesBeforeRunningScan;
uint32 ScanPurgeItemsAfterDelay;
boolean ScanOnlyIfIdleEnabled;
uint8 ScanParameters;
uint8 ScanScheduleDay;
DateTime ScanScheduleQuickScanTime;
DateTime ScanScheduleTime;
uint32 SignatureFirstAuGracePeriod;
uint32 SignatureAuGracePeriod;
string SignatureDefinitionUpdateFileSharesSources;
boolean SignatureDisableUpdateOnStartupWithoutEngine;
string SignatureFallbackOrder;
uint8 SignatureScheduleDay;
DateTime SignatureScheduleTime;
uint32 SignatureUpdateCatchupInterval;
uint32 SignatureUpdateInterval;
uint8 MAPSReporting;
uint8 SubmitSamplesConsent;
boolean DisablePrivacyMode;
boolean RandomizeScheduleTaskTimes;
boolean DisableBehaviorMonitoring;
boolean DisableIntrusionPreventionSystem;
boolean DisableIOAVProtection;
boolean DisableRealtimeMonitoring;
boolean DisableScriptScanning;
boolean DisableArchiveScanning;
boolean DisableCatchupFullScan;
boolean DisableCatchupQuickScan;
boolean DisableEmailScanning;
boolean DisableRemovableDriveScanning;
boolean DisableRestorePoint;
boolean DisableScanningMappedNetworkDrivesForFullScan;
boolean DisableScanningNetworkFiles;
boolean UILockdown;
sint64 ThreatIDDefaultAction_Ids[];
uint8 ThreatIDDefaultAction_Actions[];
uint8 UnknownThreatDefaultAction;
uint8 LowThreatDefaultAction;
uint8 ModerateThreatDefaultAction;
uint8 HighThreatDefaultAction;
uint8 SevereThreatDefaultAction;
};
Members
The MSFT_MpPreference class has these types of members:
Methods
The MSFT_MpPreference class has these methods.
| Method | Description |
|---|---|
| Add | TBD |
| Remove | TBD |
| Set | TBD |
Properties
The MSFT_MpPreference class has these properties.
-
CheckForSignaturesBeforeRunningScan
-
-
Data type: boolean
-
Access type: Read-only
When set, Windows Defender will check for new signatures before running a scan. If new signatures are found they will be downloaded and installed before the scan begins. If no new signatures are found, the scan will start based on the existing signatures.
-
-
ComputerID
-
-
Data type: string
-
Access type: Read-only
Computer ID created by MAPS
-
-
DisableArchiveScanning
-
-
Data type: boolean
-
Access type: Read-only
Disable archive scanning.
-
-
DisableAutoExclusions
-
-
Data type: boolean
-
Access type: Read-only
Beginning in Windows 10: Allows an administrator to specify if the Automatic Exclusions feature for Server SKUs should be turned off.
-
-
DisableBehaviorMonitoring
-
-
Data type: boolean
-
Access type: Read-only
Disable behavior monitoring.
-
-
DisableCatchupFullScan
-
-
Data type: boolean
-
Access type: Read-only
Disable catch-up full scan. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-
-
DisableCatchupQuickScan
-
-
Data type: boolean
-
Access type: Read-only
Disable catch-up quick scan. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-
-
DisableEmailScanning
-
-
Data type: boolean
-
Access type: Read-only
Disable email scanning.
-
-
DisableIntrusionPreventionSystem
-
-
Data type: boolean
-
Access type: Read-only
Disable intrusion prevention system.
-
-
DisableIOAVProtection
-
-
Data type: boolean
-
Access type: Read-only
Disable IOAV protection.
-
-
DisablePrivacyMode
-
-
Data type: boolean
-
Access type: Read-only
Disable the privacy mode.
-
-
DisableRealtimeMonitoring
-
-
Data type: boolean
-
Access type: Read-only
Disable real-time monitoring.
-
-
DisableRemovableDriveScanning
-
-
Data type: boolean
-
Access type: Read-only
Disable removable drive scanning.
-
-
DisableRestorePoint
-
-
Data type: boolean
-
Access type: Read-only
Disables restore point.
-
-
DisableScanningMappedNetworkDrivesForFullScan
-
-
Data type: boolean
-
Access type: Read-only
Disable running full scan on mapped network drives.
-
-
DisableScanningNetworkFiles
-
-
Data type: boolean
-
Access type: Read-only
Disables scanning network files.
-
-
DisableScriptScanning
-
-
Data type: boolean
-
Access type: Read-only
Disable script scanning.
-
-
ExclusionExtension
-
-
Data type: string array
-
Access type: Read-only
Allows an administrator to explicitly disable a scan from checking any of the extensions listed.
-
-
ExclusionPath
-
-
Data type: string array
-
Access type: Read-only
Allows an administrator to explicitly disable a scan from checking any of the paths listed.
-
-
ExclusionProcess
-
-
Data type: string array
-
Access type: Read-only
Allows an administrator to explicitly disable a scan from checking any of the processes listed.
-
-
HighThreatDefaultAction
-
-
Data type: uint8
-
Access type: Read-only
Default action for high severity threats.
-
Clean (1)
-
Quarantine (2)
-
Remove (3)
-
Allow (6)
-
UserDefined (8)
-
NoAction (9)
-
Block (10)
-
-
LowThreatDefaultAction
-
-
Data type: uint8
-
Access type: Read-only
Default action for low severity threats.
-
Clean (1)
-
Quarantine (2)
-
Remove (3)
-
Allow (6)
-
UserDefined (8)
-
NoAction (9)
-
Block (10)
-
-
MAPSReporting
-
-
Data type: uint8
-
Access type: Read-only
Join Microsoft MAPS.
-
Disabled (0)
-
Basic (1)
-
Advanced (2)
-
-
ModerateThreatDefaultAction
-
-
Data type: uint8
-
Access type: Read-only
Default action for moderate severity threats.
-
Clean (1)
-
Quarantine (2)
-
Remove (3)
-
Allow (6)
-
UserDefined (8)
-
NoAction (9)
-
Block (10)
-
-
QuarantinePurgeItemsAfterDelay
-
-
Data type: uint32
-
Access type: Read-only
Indicates how many days items should kept in Quarantine folder before being removed.
-
-
RandomizeScheduleTaskTimes
-
-
Data type: boolean
-
Access type: Read-only
This setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.
-
-
RealTimeScanDirection
-
-
Data type: uint8
-
Access type: Read-only
Real-time scan direction - Enumeration
-
Both (0)
-
Incoming (1)
-
Outcoming (2)
-
-
RemediationScheduleDay
-
-
Data type: uint8
-
Access type: Read-only
Indicates what day of the week to perform the scheduled full scan to complete remediation.
-
Every Day (0)
-
Sunday (1)
-
Monday (2)
-
Tuesday (3)
-
Wednesday (4)
-
Thursday (5)
-
Friday (6)
-
Saturday (7)
-
Never (8)
-
-
RemediationScheduleTime
-
-
Data type: DateTime
-
Access type: Read-only
Indicates what time to perform the scheduled full scan to complete remediation.
-
-
ReportingAdditionalActionTimeOut
-
-
Data type: uint32
-
Access type: Read-only
Configure timeout for detections requiring additional action.
-
-
ReportingCriticalFailureTimeOut
-
-
Data type: uint32
-
Access type: Read-only
Time in minutes for a detection in the 'critically failed' state to move to either 'additional action' or 'cleared' state.
-
-
ReportingNonCriticalTimeOut
-
-
Data type: uint32
-
Access type: Read-only
Time in minutes for a detection in the 'failed' state to move to the 'cleared' state.
-
-
ScanAvgCPULoadFactor
-
-
Data type: uint8
-
Access type: Read-only
Specify the maximum percentage of CPU utilization during a scan. This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization.
-
-
ScanOnlyIfIdleEnabled
-
-
Data type: boolean
-
Access type: Read-only
Run scheduled scans only if system is idle.
-
-
ScanParameters
-
-
Data type: uint8
-
Access type: Read-only
Specify the scan type to use for a scheduled scan.
-
Quick Scan (1)
-
Full Scan (2)
-
-
ScanPurgeItemsAfterDelay
-
-
Data type: uint32
-
Access type: Read-only
Turn on removal of items from scan history folder. This setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed.
-
-
ScanScheduleDay
-
-
Data type: uint8
-
Access type: Read-only
Specify the day of the week to run a scheduled scan.
-
Every Day (0)
-
Sunday (1)
-
Monday (2)
-
Tuesday (3)
-
Wednesday (4)
-
Thursday (5)
-
Friday (6)
-
Saturday (7)
-
Never (8)
-
-
ScanScheduleQuickScanTime
-
-
Data type: DateTime
-
Access type: Read-only
Specify the time of day to run a scheduled quick scan.
-
-
ScanScheduleTime
-
-
Data type: DateTime
-
Access type: Read-only
Specify the time of day to run a scheduled scan.
-
-
SevereThreatDefaultAction
-
-
Data type: uint8
-
Access type: Read-only
Default action for severe severity threats.
-
Clean (1)
-
Quarantine (2)
-
Remove (3)
-
Allow (6)
-
UserDefined (8)
-
NoAction (9)
-
Block (10)
-
-
SignatureAuGracePeriod
-
-
Data type: uint32
-
Access type: Read-only
Overrides CheckForSignatureBeforeRunningScan. Aborts any service-initiated update if signature was updated successfully within this amount of time. Time in minutes.
-
-
SignatureDefinitionUpdateFileSharesSources
-
-
Data type: string
-
Access type: Read-only
Defines the file shares for downloading definition updates. setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: {\\unc1 | \\unc2 }. The list is empty by default.
-
-
SignatureDisableUpdateOnStartupWithoutEngine
-
-
Data type: boolean
-
Access type: Read-only
When set to true, AM Service will not initiate definition update on start-up, regardless of whether an Engine is present or not.
-
-
SignatureFallbackOrder
-
-
Data type: string
-
Access type: Read-only
Define the order of sources for downloading definition updates. This setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: 'InternalDefinitionUpdateServer' 'MicrosoftUpdateServer' 'MMPC' 'FileShares'
-
-
SignatureFirstAuGracePeriod
-
-
Data type: uint32
-
Access type: Read-only
Aborts any service-initiated update immediately after first install by the configured amount of time.
-
-
SignatureScheduleDay
-
-
Data type: uint8
-
Access type: Read-only
Indicates the day of the week in which signature updates occur. If set to zero (0x0) then signature update occurs daily.
-
Every Day (0)
-
Sunday (1)
-
Monday (2)
-
Tuesday (3)
-
Wednesday (4)
-
Thursday (5)
-
Friday (6)
-
Saturday (7)
-
Never (8)
-
-
SignatureScheduleTime
-
-
Data type: DateTime
-
Access type: Read-only
Specifies the time at which signature update check happens. By default the signatures are checked before the scheduled scan.
-
-
SignatureUpdateCatchupInterval
-
-
Data type: uint32
-
Access type: Read-only
Defines the number of days after which a catch-up signature is warranted. Works with SignatureUpdateLastChecked. 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc.
-
-
SignatureUpdateInterval
-
-
Data type: uint32
-
Access type: Read-only
The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
-
-
SubmitSamplesConsent
-
-
Data type: uint8
-
Access type: Read-only
Beginning in Windows 10: For certain samples the service checks for user consent. If the required consent has already been granted, the service submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent when opt-in for MAPS telemetry is set (MAPSReporting != 0).
-
Always Prompt (0)
-
Send safe samples automatically (1)
-
Never send (2)
-
Send all samples automatically (3)
-
-
ThreatIDDefaultAction_Actions
-
-
Data type: uint8 array
-
Access type: Read-only
Default actions for threats upon which default action should not be taken when detected. The actions need to be in the same order as their respective Ids specified in the ThreatIDDefaultAction_Ids property.
-
Clean (1)
-
Quarantine (2)
-
Remove (3)
-
Allow (6)
-
UserDefined (8)
-
NoAction (9)
-
Block (10)
-
-
ThreatIDDefaultAction_Ids
-
-
Data type: sint64 array
-
Access type: Read-only
The Ids of threats upon which default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids
-
-
UILockdown
-
-
Data type: boolean
-
Access type: Read-only
Enable UI Lockdown mode.
-
-
UnknownThreatDefaultAction
-
-
Data type: uint8
-
Access type: Read-only
Default action for unknown threats.
-
Clean (1)
-
Quarantine (2)
-
Remove (3)
-
Allow (6)
-
UserDefined (8)
-
NoAction (9)
-
Block (10)
-
Requirements
| Minimum supported client |
Windows 8.1 [desktop apps only] |
| Minimum supported server |
Windows Server 2012 R2 [desktop apps only] |
| Namespace |
Root\Microsoft\Windows\Defender |
| MOF |
|
| DLL |
|