Protect Dev Drive using performance mode
Applies to:
- Microsoft Defender for Endpoint Plans 1 and 2
- Microsoft Defender for Business
- Microsoft Defender Antivirus
Platforms
- Windows 11
Tip
As a companion to this article, see our Microsoft Defender for Endpoint setup guide to review best practices and learn about essential tools such as attack surface reduction and next-generation protection. For a customized experience based on your environment, you can access the Defender for Endpoint automated setup guide in the Microsoft 365 admin center.
What is performance mode
Performance mode is now available on Windows 11 as a new Microsoft Defender Antivirus capability. Performance mode reduces the performance impact of Microsoft Defender Antivirus scans for files stored on a designated Dev Drive. The goal of performance mode is to improve functional performance for developers who use Windows 11 devices.
It's important to note that performance mode can run only on Dev Drive. Additionally, real-time protection must be turned on for performance mode to function. Enabling this feature on a Dev Drive doesn't change standard real-time protection running on volumes with operating systems or other volumes formatted as FAT32 or NTFS.
Microsoft Defender Antivirus requirements for performance mode
Review the requirements that are specific to Dev Drive. See Set up a Dev Drive on Windows 11.
Make sure Microsoft Defender Antivirus is up to date.
- Microsoft Defender Antivirus needs to be the primary antivirus/antimalware solution
- Real-time protection is turned on
- Antimalware platform version: 4.18.2303.8 (or later)
- Antimalware security intelligence version: 1.385.1455.0 (or later)
Dev Drive
Dev Drive is a new form of storage volume available to improve performance for key developer workloads. It builds on ReFS technology to employ targeted file system optimizations and provide more control over storage volume settings and security, including trust designation, antivirus configuration, and administrative control over which filters are attached.
For more information about Dev Drive, see: Set up a Dev Drive on Windows 11.
Performance mode compared to real-time protection
By default, to give the best possible performance, creating a Dev Drive automatically grants trust in the new volume. A trusted Dev Drive volume causes real-time protection to run in a special asynchronous performance mode for that volume. Running performance mode provides a balance between threat protection and performance. The balance is achieved by deferring security scans until after the open file operation has completed, instead of performing the security scan synchronously while the file operation is being processed. This mode of performing security scans inherently provides faster performance, but with less protection. However, enabling performance mode provides significantly better protection than other performance tuning methods, such as using folder exclusions, which block security scans altogether.
Note
Using performance mode doesn't apply to high CPU or high memory usage scenarios with Microsoft Defender Antivirus services (MsMpEng.exe, WinDefend, or Antimalware Service Executable). If you're troubleshooting high CPU usage, instead use the Microsoft Defender Antivirus Performance Analyzer to narrow down to the hot processes/paths and add them to the exclusions. Tip: Use Contextual exclusions to target real-time protection (RTP).
The following table summarizes performance mode synchronous and asynchronous scan behavior.
Performance mode state | Scan type | Description | Summary |
---|---|---|---|
Not enabled (Off) | Synchronous (Real-time protection) | Opening a file initiates a real-time protection scan. | Open now, scan now. |
Enabled (On) | Asynchronous | File open operations are scanned asynchronously. | Open now, scan later. |
An untrusted Dev Drive doesn't have the same benefits as a trusted Dev Drive. Security runs in synchronous, real-time protection mode when a Dev Drive is untrusted. Real-time protection scans can affect performance.
Manage performance mode
Performance mode can only run on a trusted Dev Drive and is enabled by default when a new Dev Drive is created. For more information, see Understanding security risks and trust in relation to Dev Drive.
Enforce the Microsoft Defender Antivirus Performance Mode by using Intune, Group Policy, or PowerShell.
Intune
Enable performance mode status via the OMA-URI settings shown in the following table.
Setting | Value |
---|---|
OMA-URI: | ./Device/Vendor/MSFT/Defender/Configuration/PerformanceModeStatus |
Data type | Integer |
Value | 0 |
0 = Enable (default)
1 = Disable
Group Policy
Using your Group Policy Management Console or Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.
Double-click Configure performance mode status.
Select Enabled.
Select Apply, and then select OK.
Note
The updated Group Policy template Configure performance mode status, located under Real-Time Protection, is only available after you install the Windows 11 2024 Update (24H2).
PowerShell
Open PowerShell as an administrator on the device.
Type the following command, and then press Enter:
Set-MpPreference -PerformanceModeStatus Enabled
Verify performance mode is enabled
To verify that Dev Drive and Defender Performance Mode are enabled, follow these steps:
In the Windows Security app, go to Virus & threat protection settings > Manage settings, and verify that Dev Drive protection is enabled.
Select See volumes.
Drive | Status |
---|---|
C: | Since the system drive (for example, C: or D:) is formatted with NTFS, it's not eligible for Defender Performance mode. |
D: | Dev Drive is enabled but Defender Performance mode isn't enabled. |
F: | Dev Drive is enabled, and Defender Performance mode is enabled. |
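The same verification can be scripted for fleet checks. The following is an added example, not part of the original article or Microsoft's own tooling: it tests the requirements listed earlier (primary antivirus, real-time protection, minimum platform and security intelligence versions) and reports the configured performance mode setting. It assumes that Get-MpPreference exposes PerformanceModeStatus using the same 0/1 values as the OMA-URI table, and that an AMRunningMode of Normal means Microsoft Defender Antivirus is the primary antivirus.

```powershell
# Added example (not Microsoft's code): audit the performance mode prerequisites from this page.
# Run in an elevated PowerShell session on the Windows 11 device.

# Minimum versions as stated in the requirements section of this page.
$minPlatform = [version]'4.18.2303.8'
$minIntel    = [version]'1.385.1455.0'

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Each entry is a requirement name mapped to a pass/fail result.
$checks = [ordered]@{
    'Defender is primary antivirus (AMRunningMode = Normal)' = ($status.AMRunningMode -eq 'Normal')
    'Real-time protection is turned on'                      = [bool]$status.RealTimeProtectionEnabled
    "Antimalware platform version >= $minPlatform"           = ([version]$status.AMProductVersion -ge $minPlatform)
    "Security intelligence version >= $minIntel"             = ([version]$status.AntivirusSignatureVersion -ge $minIntel)
}

# Assumption: the preference is reported as 0 (enabled, default) or 1 (disabled),
# matching the OMA-URI values; a string form is tolerated as well.
$raw = $pref.PerformanceModeStatus
$mode = if ($null -eq $raw)                    { 'Unknown (property not exposed on this platform version)' }
        elseif ("$raw" -in @('0', 'Enabled'))  { 'Enabled' }
        elseif ("$raw" -in @('1', 'Disabled')) { 'Disabled' }
        else                                   { "Unrecognized value: $raw" }

# Emit one object per requirement so the output can be piped or exported.
$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Requirement = $name; Passed = $checks[$name] }
}
$results | Format-Table -AutoSize
"Configured PerformanceModeStatus: $mode"

# Performance mode only functions when every prerequisite passes and the setting is enabled.
# Per-volume trust is not covered here; confirm it under See volumes in Windows Security.
$ready = (-not ($results.Passed -contains $false)) -and ($mode -eq 'Enabled')
"Prerequisites met and setting enabled: $ready"
if (-not $ready) { exit 1 }
```

A nonzero exit code lets a management tool flag devices where a Dev Drive would fall back to synchronous real-time protection scanning.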
See also
Set up a Dev Drive on Windows 11