MSFT_MpPreference class
Windows Defender Preferences Class
The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.
Syntax
class MSFT_MpPreference
{
string ComputerID = msft_mppreference.xml;
boolean DisableAutoExclusions = FALSE;
string ExclusionPath[];
string ExclusionExtension[];
string ExclusionProcess[];
uint32 QuarantinePurgeItemsAfterDelay;
uint8 RealTimeScanDirection = 0;
uint8 RemediationScheduleDay;
DateTime RemediationScheduleTime;
uint32 ReportingAdditionalActionTimeOut;
uint32 ReportingCriticalFailureTimeOut;
uint32 ReportingNonCriticalTimeOut;
uint8 ScanAvgCPULoadFactor;
boolean CheckForSignaturesBeforeRunningScan;
uint32 ScanPurgeItemsAfterDelay;
boolean ScanOnlyIfIdleEnabled;
uint8 ScanParameters;
uint8 ScanScheduleDay;
DateTime ScanScheduleQuickScanTime;
DateTime ScanScheduleTime;
uint32 SignatureFirstAuGracePeriod;
uint32 SignatureAuGracePeriod;
string SignatureDefinitionUpdateFileSharesSources;
boolean SignatureDisableUpdateOnStartupWithoutEngine;
string SignatureFallbackOrder;
uint8 SignatureScheduleDay;
DateTime SignatureScheduleTime;
uint32 SignatureUpdateCatchupInterval;
uint32 SignatureUpdateInterval;
uint8 MAPSReporting;
uint8 SubmitSamplesConsent;
boolean DisablePrivacyMode;
boolean RandomizeScheduleTaskTimes;
boolean DisableBehaviorMonitoring;
boolean DisableIntrusionPreventionSystem;
boolean DisableIOAVProtection;
boolean DisableRealtimeMonitoring;
boolean DisableScriptScanning;
boolean DisableArchiveScanning;
boolean DisableCatchupFullScan;
boolean DisableCatchupQuickScan;
boolean DisableEmailScanning;
boolean DisableRemovableDriveScanning;
boolean DisableRestorePoint;
boolean DisableScanningMappedNetworkDrivesForFullScan;
boolean DisableScanningNetworkFiles;
boolean UILockdown;
sint64 ThreatIDDefaultAction_Ids[];
uint8 ThreatIDDefaultAction_Actions[];
uint8 UnknownThreatDefaultAction;
uint8 LowThreatDefaultAction;
uint8 ModerateThreatDefaultAction;
uint8 HighThreatDefaultAction;
uint8 SevereThreatDefaultAction;
};
Members
The MSFT_MpPreference class has these types of members:
- Methods
- Properties
Methods
The MSFT_MpPreference class has these methods.
| Method | Description |
|---|---|
| Add | TBD |
| Remove | TBD |
| Set | TBD |
Properties
The MSFT_MpPreference class has these properties.
CheckForSignaturesBeforeRunningScan
Data type: boolean
Access type: Read-only
When set, Windows Defender will check for new signatures before running a scan. If new signatures are found they will be downloaded and installed before the scan begins. If no new signatures are found, the scan will start based on the existing signatures.
ComputerID
Data type: string
Access type: Read-only
Computer ID created by MAPS
DisableArchiveScanning
Data type: boolean
Access type: Read-only
Disable archive scanning.
DisableAutoExclusions
Data type: boolean
Access type: Read-only
Beginning in Windows 10: Allows an administrator to specify if the Automatic Exclusions feature for Server SKUs should be turned off.
DisableBehaviorMonitoring
Data type: boolean
Access type: Read-only
Disable behavior monitoring.
DisableCatchupFullScan
Data type: boolean
Access type: Read-only
Disable catch-up full scan. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
DisableCatchupQuickScan
Data type: boolean
Access type: Read-only
Disable catch-up quick scan. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
DisableEmailScanning
Data type: boolean
Access type: Read-only
Disable email scanning.
DisableIntrusionPreventionSystem
Data type: boolean
Access type: Read-only
Disable intrusion prevention system.
DisableIOAVProtection
Data type: boolean
Access type: Read-only
Disable IOAV protection.
DisablePrivacyMode
Data type: boolean
Access type: Read-only
Disable the privacy mode.
DisableRealtimeMonitoring
Data type: boolean
Access type: Read-only
Disable real-time monitoring.
DisableRemovableDriveScanning
Data type: boolean
Access type: Read-only
Disable removable drive scanning.
DisableRestorePoint
Data type: boolean
Access type: Read-only
Disables restore point.
DisableScanningMappedNetworkDrivesForFullScan
Data type: boolean
Access type: Read-only
Disable running full scan on mapped network drives.
DisableScanningNetworkFiles
Data type: boolean
Access type: Read-only
Disables scanning network files.
DisableScriptScanning
Data type: boolean
Access type: Read-only
Disable script scanning.
ExclusionExtension
Data type: string array
Access type: Read-only
Allows an administrator to explicitly disable a scan from checking any of the extensions listed.
ExclusionPath
Data type: string array
Access type: Read-only
Allows an administrator to explicitly disable a scan from checking any of the paths listed.
ExclusionProcess
Data type: string array
Access type: Read-only
Allows an administrator to explicitly disable a scan from checking any of the processes listed.
HighThreatDefaultAction
Data type: uint8
Access type: Read-only
Default action for high severity threats.
Clean (1)
Quarantine (2)
Remove (3)
Allow (6)
UserDefined (8)
NoAction (9)
Block (10)
LowThreatDefaultAction
Data type: uint8
Access type: Read-only
Default action for low severity threats.
Clean (1)
Quarantine (2)
Remove (3)
Allow (6)
UserDefined (8)
NoAction (9)
Block (10)
MAPSReporting
Data type: uint8
Access type: Read-only
Join Microsoft MAPS.
Disabled (0)
Basic (1)
Advanced (2)
ModerateThreatDefaultAction
Data type: uint8
Access type: Read-only
Default action for moderate severity threats.
Clean (1)
Quarantine (2)
Remove (3)
Allow (6)
UserDefined (8)
NoAction (9)
Block (10)
QuarantinePurgeItemsAfterDelay
Data type: uint32
Access type: Read-only
Indicates how many days items should kept in Quarantine folder before being removed.
RandomizeScheduleTaskTimes
Data type: boolean
Access type: Read-only
This setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.
RealTimeScanDirection
Data type: uint8
Access type: Read-only
Real-time scan direction - Enumeration
Both (0)
Incoming (1)
Outcoming (2)
RemediationScheduleDay
Data type: uint8
Access type: Read-only
Indicates what day of the week to perform the scheduled full scan to complete remediation.
Every Day (0)
Sunday (1)
Monday (2)
Tuesday (3)
Wednesday (4)
Thursday (5)
Friday (6)
Saturday (7)
Never (8)
RemediationScheduleTime
Data type: DateTime
Access type: Read-only
Indicates what time to perform the scheduled full scan to complete remediation.
ReportingAdditionalActionTimeOut
Data type: uint32
Access type: Read-only
Configure timeout for detections requiring additional action.
ReportingCriticalFailureTimeOut
Data type: uint32
Access type: Read-only
Time in minutes for a detection in the 'critically failed' state to move to either 'additional action' or 'cleared' state.
ReportingNonCriticalTimeOut
Data type: uint32
Access type: Read-only
Time in minutes for a detection in the 'failed' state to move to the 'cleared' state.
ScanAvgCPULoadFactor
Data type: uint8
Access type: Read-only
Specify the maximum percentage of CPU utilization during a scan. This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization.
ScanOnlyIfIdleEnabled
Data type: boolean
Access type: Read-only
Run scheduled scans only if system is idle.
ScanParameters
Data type: uint8
Access type: Read-only
Specify the scan type to use for a scheduled scan.
Quick Scan (1)
Full Scan (2)
ScanPurgeItemsAfterDelay
Data type: uint32
Access type: Read-only
Turn on removal of items from scan history folder. This setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed.
ScanScheduleDay
Data type: uint8
Access type: Read-only
Specify the day of the week to run a scheduled scan.
Every Day (0)
Sunday (1)
Monday (2)
Tuesday (3)
Wednesday (4)
Thursday (5)
Friday (6)
Saturday (7)
Never (8)
ScanScheduleQuickScanTime
Data type: DateTime
Access type: Read-only
Specify the time of day to run a scheduled quick scan.
ScanScheduleTime
Data type: DateTime
Access type: Read-only
Specify the time of day to run a scheduled scan.
SevereThreatDefaultAction
Data type: uint8
Access type: Read-only
Default action for severe severity threats.
Clean (1)
Quarantine (2)
Remove (3)
Allow (6)
UserDefined (8)
NoAction (9)
Block (10)
SignatureAuGracePeriod
Data type: uint32
Access type: Read-only
Overrides CheckForSignatureBeforeRunningScan. Aborts any service-initiated update if signature was updated successfully within this amount of time. Time in minutes.
SignatureDefinitionUpdateFileSharesSources
Data type: string
Access type: Read-only
Defines the file shares for downloading definition updates. setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: {\\unc1 | \\unc2 }. The list is empty by default.
SignatureDisableUpdateOnStartupWithoutEngine
Data type: boolean
Access type: Read-only
When set to true, AM Service will not initiate definition update on start-up, regardless of whether an Engine is present or not.
SignatureFallbackOrder
Data type: string
Access type: Read-only
Define the order of sources for downloading definition updates. This setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: 'InternalDefinitionUpdateServer' 'MicrosoftUpdateServer' 'MMPC' 'FileShares'
SignatureFirstAuGracePeriod
Data type: uint32
Access type: Read-only
Aborts any service-initiated update immediately after first install by the configured amount of time.
SignatureScheduleDay
Data type: uint8
Access type: Read-only
Indicates the day of the week in which signature updates occur. If set to zero (0x0) then signature update occurs daily.
Every Day (0)
Sunday (1)
Monday (2)
Tuesday (3)
Wednesday (4)
Thursday (5)
Friday (6)
Saturday (7)
Never (8)
SignatureScheduleTime
Data type: DateTime
Access type: Read-only
Specifies the time at which signature update check happens. By default the signatures are checked before the scheduled scan.
SignatureUpdateCatchupInterval
Data type: uint32
Access type: Read-only
Defines the number of days after which a catch-up signature is warranted. Works with SignatureUpdateLastChecked. 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc.
SignatureUpdateInterval
Data type: uint32
Access type: Read-only
The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
SubmitSamplesConsent
Data type: uint8
Access type: Read-only
Beginning in Windows 10: For certain samples the service checks for user consent. If the required consent has already been granted, the service submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent when opt-in for MAPS telemetry is set (MAPSReporting != 0).
Always Prompt (0)
Send safe samples automatically (1)
Never send (2)
Send all samples automatically (3)
ThreatIDDefaultAction_Actions
Data type: uint8 array
Access type: Read-only
Default actions for threats upon which default action should not be taken when detected. The actions need to be in the same order as their respective Ids specified in the ThreatIDDefaultAction_Ids property.
Clean (1)
Quarantine (2)
Remove (3)
Allow (6)
UserDefined (8)
NoAction (9)
Block (10)
ThreatIDDefaultAction_Ids
Data type: sint64 array
Access type: Read-only
The Ids of threats upon which default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids
UILockdown
Data type: boolean
Access type: Read-only
Enable UI Lockdown mode.
UnknownThreatDefaultAction
Data type: uint8
Access type: Read-only
Default action for unknown threats.
Clean (1)
Quarantine (2)
Remove (3)
Allow (6)
UserDefined (8)
NoAction (9)
Block (10)
Requirements
Minimum supported client |
Windows 8.1 [desktop apps only] |
Minimum supported server |
Windows Server 2012 R2 [desktop apps only] |
Namespace |
Root\Microsoft\Windows\Defender |
MOF |
ProtectionManagement.mof |
DLL |
ProtectionManagement.dll |