Set-MpPreference

Configures preferences for Windows Defender scans and updates.

Syntax

Default (Default)

Set-MpPreference
    [-ExclusionPath <String[]>]
    [-ExclusionExtension <String[]>]
    [-ExclusionProcess <String[]>]
    [-ExclusionIpAddress <String[]>]
    [-RealTimeScanDirection <ScanDirection>]
    [-IntelTDTEnabled <UInt32>]
    [-QuarantinePurgeItemsAfterDelay <UInt32>]
    [-RemediationScheduleDay <Day>]
    [-RemediationScheduleTime <DateTime>]
    [-ReportingAdditionalActionTimeOut <UInt32>]
    [-ReportingCriticalFailureTimeOut <UInt32>]
    [-ReportingNonCriticalTimeOut <UInt32>]
    [-ScanAvgCPULoadFactor <Byte>]
    [-CheckForSignaturesBeforeRunningScan <Boolean>]
    [-ScanPurgeItemsAfterDelay <UInt32>]
    [-ScanOnlyIfIdleEnabled <Boolean>]
    [-ScanParameters <ScanType>]
    [-ScanScheduleDay <Day>]
    [-ScanScheduleQuickScanTime <DateTime>]
    [-ScanScheduleOffset <UInt32>]
    [-ScanScheduleTime <HH:MM:SS>]
    [-SignatureFirstAuGracePeriod <UInt32>]
    [-SignatureAuGracePeriod <UInt32>]
    [-SignatureDefinitionUpdateFileSharesSources <String>]
    [-SignatureDisableUpdateOnStartupWithoutEngine <Boolean>]
    [-SignatureFallbackOrder <String>]
    [-SharedSignaturesPath <String>]
    [-SignatureScheduleDay <Day>]
    [-SignatureScheduleTime <DateTime>]
    [-SignatureUpdateCatchupInterval <UInt32>]
    [-SignatureUpdateInterval <UInt32>]
    [-SignatureBlobUpdateInterval <UInt32>]
    [-SignatureBlobFileSharesSources <String>]
    [-MeteredConnectionUpdates <Boolean>]
    [-AllowNetworkProtectionOnWinServer <Boolean>]
    [-DisableDatagramProcessing <Boolean>]
    [-DisableCpuThrottleOnIdleScans <Boolean>]
    [-MAPSReporting <MAPSReportingType>]
    [-SubmitSamplesConsent <SubmitSamplesConsentType>]
    [-DisableAutoExclusions <Boolean>]
    [-DisablePrivacyMode <Boolean>]
    [-RandomizeScheduleTaskTimes <Boolean>]
    [-SchedulerRandomizationTime <UInt32>]
    [-DisableBehaviorMonitoring <Boolean>]
    [-DisableRealtimeMonitoring <Boolean>]
    [-DisableScriptScanning <Boolean>]
    [-DisableArchiveScanning <Boolean>]
    [-DisableCacheMaintenance <UInt32>]
    [-DisableCatchupFullScan <Boolean>]
    [-DisableCatchupQuickScan <Boolean>]
    [-DisableEmailScanning <Boolean>]
    [-DisableRemovableDriveScanning <Boolean>]
    [-DisableRestorePoint <Boolean>]
    [-DisableScanningMappedNetworkDrivesForFullScan <Boolean>]
    [-DisableScanningNetworkFiles <Boolean>]
    [-DisableIOAVProtection <Boolean>]
    [-AllowSwitchToAsyncInspection <Boolean>]
    [-UILockdown <Boolean>]
    [-ThreatIDDefaultAction_Ids <Int64[]>]
    [-ThreatIDDefaultAction_Actions <ThreatAction[]>]
    [-UnknownThreatDefaultAction <ThreatAction>]
    [-LowThreatDefaultAction <ThreatAction>]
    [-ModerateThreatDefaultAction <ThreatAction>]
    [-HighThreatDefaultAction <ThreatAction>]
    [-SevereThreatDefaultAction <ThreatAction>]
    [-Force]
    [-DisableBlockAtFirstSeen <Boolean>]
    [-PUAProtection <PUAProtectionType>]
    [-ThrottleLimit <Int32>]
    [-AsJob]
    [-DisableGradualRelease <Boolean>]
    [-DefinitionUpdatesChannel <UpdatesChannelType>]
    [-EngineUpdatesChannel <UpdatesChannelType>]
    -<CloudBlockLevelType>][-ServiceHealthReportInterval <UInt32>
    [-CloudBlockLevel <CloudBlockLevelType>]
    [-CloudExtendedTimeout <UInt32>]
    [-EnableNetworkProtection <ASRRuleActionType>]
    [-EnableControlledFolderAccess <ControlledFolderAccessType>]
    [-AttackSurfaceReductionOnlyExclusions <String[]>]
    [-ControlledFolderAccessAllowedApplications <String[]>]
    [-ControlledFolderAccessProtectedFolders <String[]>]
    [-AttackSurfaceReductionRules_Ids <String[]>]
    [-AttackSurfaceReductionRules_Actions <ASRRuleActionType[]>]
    [-EnableLowCpuPriority <Boolean>]
    [-EnableFileHashComputation <Boolean>]
    [-EnableFullScanOnBatteryPower <Boolean>]
    [-ProxyPacUrl <String>]
    [-ProxyServer <String>]
    [-ProxyBypass <String[]>]
    [-ForceUseProxyOnly <Boolean>]
    [-OobeEnableRtpAndSigUpdate <Boolean>]
    [-DisableTlsParsing <Boolean>]
    [-DisableHttpParsing <Boolean>]
    [-DisableDnsParsing <Boolean>]
    [-DisableFtpParsing <Boolean>]
    [-DisableSmtpParsing <Boolean>]
    [-DisableDnsOverTcpParsing <Boolean>]
    [-DisableSshParsing <Boolean>]
    [-DisableNetworkProtectionPerfTelemetry <Boolean>]
    [-PlatformUpdatesChannel <UpdatesChannelType>]
    [-EngineUpdatesChannel <UpdatesChannelType>]
    [-SignaturesUpdatesChannel <UpdatesChannelType>]
    [-DisableGradualRelease <Boolean>]
    [-AllowNetworkProtectionDownLevel <Boolean>]
    [-AllowDatagramProcessingOnWinServer <Boolean>]
    [-EnableDnsSinkhole <Boolean>]
    [-DisableInboundConnectionFiltering <Boolean>]
    [-DisableRdpParsing <Boolean>]
    [-CimSession <CimSession[]>]
    [-ThrottleLimit <Int32>]
    [-AsJob]
    [<CommonParameters>]

Description

The Set-MpPreference cmdlet configures preferences for Windows Defender scans and updates. You can modify exclusion file name extensions, paths, or processes, and specify the default action for high, moderate, and low threat levels.

REMEDIATION VALUES

The following table provides remediation action values for detected threats at low, medium, high, and severe alert levels.

Value Action
1 Clean the detected threat.
2 Quarantine the detected threat.
3 Remove the detected threat.
6 Allow the detected threat.
8 Allow the user to determine the action to take with the detected threat.
9 Don't take any action.
10 Block the detected threat.
0 (NULL) Apply action based on the Security Intelligence Update (SIU). This is the default value.

Examples

Example 1: Schedule to check for definition updates everyday

PS C:\> Set-MpPreference -SignatureScheduleDay Everyday

This command configures preferences to check for definition updates every day.

Example 2: Schedule a time of day to check for definition updates

PS C:\> Set-MpPreference -SignatureScheduleTime 02:00:00

This command configures preferences to check for definition updates 120 minutes after midnight on days when it's scheduled to check.

Parameters

-AllowDatagramProcessingOnWinServer

Specifies whether to disable inspection of UDP connections on Windows Server.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:adpows

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AllowNetworkProtectionDownLevel

Specifies whether to allow network protection to be set to Enabled or Audit Mode on Windows versions before 1709.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:anpdl

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AllowNetworkProtectionOnWinServer

Specifies whether to allow network protection to be set to Enabled or Audit Mode for Windows Server.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:anpws

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AllowSwitchToAsyncInspection

Specifies whether to enable a performance optimization that allows synchronously inspected network flows to switch to async inspection once they have been checked and validated.

Parameter properties

Type:Boolean
Default value:Enabled
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AsJob

Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.

The cmdlet immediately returns an object that represents the job and then displays the command prompt. You can continue to work in the session while the job completes. To manage the job, use the *-Job cmdlets. To get the job results, use the Receive-Job cmdlet.

For more information about Windows PowerShell background jobs, see about_Jobs.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AttackSurfaceReductionOnlyExclusions

Specifies the files and paths to exclude from Attack Surface Reduction (ASR) rules. Specify the folders or files and resources that should be excluded from ASR rules. Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder.

For more information about excluding files and folders from ASR rules.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AttackSurfaceReductionRules_Actions

Specifies the states of attack surface reduction rules specified by using the AttackSurfaceReductionRules_Ids parameter. If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.

Parameter properties

Type:

ASRRuleActionType[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AttackSurfaceReductionRules_Ids

Specifies the states of attack surface reduction rules specified by using the AttackSurfaceReductionRules_Ids parameter. If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-CheckForSignaturesBeforeRunningScan

Indicates whether to check for new virus and spyware definitions before Windows Defender runs a scan. If you specify a value of $True, Windows Defender checks for new definitions. If you specify $False or don't specify a value, the scan begins with existing definitions. This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or on scans started from the command line using "mpcmdrun -Scan".

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:csbr

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-CimSession

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Parameter properties

Type:

CimSession[]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:Session

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-CloudBlockLevel

Specifies a cloud block level. This value determines how aggressive Microsoft Defender Antivirus is in blocking and scanning suspicious files.

Parameter properties

Type:CloudBlockLevelType
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-CloudExtendedTimeout

Specifies the amount of extended time to block a suspicious file and scan it in the cloud. Standard time is 10 seconds. Extend by up to 50 seconds.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cloudextimeout

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ControlledFolderAccessAllowedApplications

Specifies applications that can make changes in controlled folders.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ControlledFolderAccessProtectedFolders

Specifies more folders to protect.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableArchiveScanning

Indicates whether to scan archive files, such as .zip and .cab files, for malicious and unwanted software. If you specify a value of $False or do not specify a value, Windows Defender scans archive files.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:darchsc

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableAutoExclusions

Indicates whether to disable the Automatic Exclusions feature for the server. If you specify a value of $False or do not specify a value, Windows Defender enables the Automatic Exclusions feature for the server.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dae

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableBehaviorMonitoring

Indicates whether to enable behavior monitoring. If you specify a value of $False or do not specify a value, Windows Defender enables behavior monitoring.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dbm

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableBlockAtFirstSeen

Indicates whether to enable block at first seen. If you specify a value of $False or do not specify a value, Windows Defender enables block at first seen.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dbaf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableCacheMaintenance

Defines whether the cache maintenance idle task will perform the cache maintenance or not. Allowed values are 1 - cache maintenance is disabled, and 0 - cache maintenance is enabled (default).

Parameter properties

Type:Boolean
Default value:0
Supports wildcards:False
DontShow:False
Aliases:dcm

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableCatchupFullScan

Indicates whether Windows Defender runs catch-up scans for scheduled full scans. A computer can miss a scheduled scan, usually because the computer is turned off at the scheduled time. If you specify a value of $False, after the computer misses two scheduled full scans, Windows Defender runs a catch-up scan the next time someone logs on to the computer. If you specify a value of $True, the computer does not run catch-up scans for scheduled full scans.

Parameter properties

Type:Boolean
Default value:0
Supports wildcards:False
DontShow:False
Aliases:dcfsc

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableCatchupQuickScan

Indicates whether Windows Defender runs catch-up scans for scheduled quick scans. A computer can miss a scheduled scan, usually because the computer is off at the scheduled time. If you specify a value of $False, after the computer misses two scheduled quick scans, Windows Defender runs a catch-up scan the next time someone logs onto the computer. If you specify a value of $True, the computer does not run catch-up scans for scheduled quick scans.

Parameter properties

Type:Boolean
Default value:True
Supports wildcards:False
DontShow:False
Aliases:dcqsc

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableCpuThrottleOnIdleScans

Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This parameter is enabled by default, thus ensuring that the CPU won't be throttled for scheduled scans performed when the device is idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag does not have any impact and normal throttling will occur.

Parameter properties

Type:Boolean
Default value:True
Supports wildcards:False
DontShow:False
Aliases:None

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableDatagramProcessing

Specifies whether to disable inspection of UDP connections.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:ddtgp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableDnsOverTcpParsing

Specifies whether to disable inspection of DNS traffic that occurs over a TCP channel.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:ddnstcpp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableDnsParsing

Specifies whether to disable inspection of DNS traffic that occurs over a UDP channel. Network protection inspects DNS traffic that occurs over a TCP channel to provide metadata for anti-malware behavior monitoring or to allow for DNS sink holing if the "-EnableDnsSinkhole" configuration is set. This can be disabled by setting this value to "$true".

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:ddnsp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableEmailScanning

Indicates whether Windows Defender parses the mailbox and mail files, according to their specific format, in order to analyze mail bodies and attachments. Windows Defender supports several formats, including .pst, .dbx, .mbx, .mime, and .binhex. If you specify a value of $False or do not specify a value, Windows Defender performs email scanning. If you specify a value of $True, Windows Defender does not perform email scanning.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:demsc

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableFtpParsing

Specifies whether to disable FTP parsing for network protection.

Parameter properties

Type:Boolean
Default value:0
Supports wildcards:False
DontShow:False
Aliases:dfp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableGradualRelease

Specifies whether to disable gradual rollout of monthly and daily Windows Defender updates. If you enable this option, devices are offered all updates after the gradual release cycle finishes. Consider this option for datacenter computers that only receive limited updates.

This setting applies to both monthly and daily updates. It overrides configured channel selections for platform and engine updates.

If you disable or do not configure this policy, the device remains in Current Channel (Default) unless specified otherwise in specific channels. The device stays up to date automatically during the gradual release cycle, which is suitable for most devices.

This policy is available starting with platform version 4.18.2106.5 and later.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dgr

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableHttpParsing

Specifies whether disable inspection of HTTP traffic. If EnableNetworkProtection has the value Enabled, HTTP connections to malicious websites can be blocked.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dhttpp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableInboundConnectionFiltering

Specifies whether to inspect only outbound connections. By default, Network Protection inspects both inbound and outbound connections.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dicf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableIOAVProtection

Indicates whether Windows Defender scans all downloaded files and attachments. If you specify a value of $False or do not specify a value, scanning downloaded files and attachments is enabled.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dioavp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableNetworkProtectionPerfTelemetry

This setting disables the gathering and sending of performance telemetry from network protection. The accepted values are 0 and 1.

  • 1- Network protection telemetry is disabled.
  • 0 (Default) - Network protection telemetry is enabled.

Parameter properties

Type:Boolean
Default value:0
Supports wildcards:False
DontShow:False
Aliases:dnpp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisablePrivacyMode

This is a legacy setting that does not have any affect on current platforms. The intent of this parameter was to disable privacy mode, which prevented users, other than administrators, from displaying threat history. When this parameter was in use, if you specified a value of $False or did not specify a value, privacy mode was enabled.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dpm

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableRdpParsing

This setting controls whether to parse RDP traffic to look for malicious attacks using the RDP protocol.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:drdpp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableRealtimeMonitoring

Indicates whether to use real-time protection. If you specify a value of $False or do not specify a value, Windows Defender uses real-time protection. We recommend that you enable Windows Defender to use real-time protection.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:drtm

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableRemovableDriveScanning

Indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan. If you specify a value of $False or do not specify a value, Windows Defender scans removable drives during any type of scan. If you specify a value of $True, Windows Defender does not scan removable drives during a full scan. Windows Defender can still scan removable drives during quick scans or custom scans.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:drdsc

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableRestorePoint

Indicates whether to disable scanning of restore points. If you specify a value of $False or do not specify a value, Windows Defender restore point is enabled.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:drp, dsnf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableScanningMappedNetworkDrivesForFullScan

Indicates whether to scan mapped network drives. If you specify a value of $False or do not specify a value, Windows Defender scans mapped network drives. If you specify a value of $True, Windows Defender does not scan mapped network drives.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dsmndfsc

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableScanningNetworkFiles

Indicates whether to scan for network files. If you specify a value of $False or do not specify a value, Windows Defender scans network files. If you specify a value of $True, Windows Defender does not scan network files.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dsnf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableScriptScanning

Specifies whether to disable the scanning of scripts during malware scans. If you specify a value of $False or do not specify a value, Windows Defender does not scan scripts.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dscrptsc

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableSmtpParsing

This setting disables SMTP parsing for network protection. The accepted values are 0 and 1.

  • 1 - SMTP parsing is disabled.
  • 0 (Default) - SMTP parsing is enabled.

Parameter properties

Type:Boolean
Default value:0
Supports wildcards:False
DontShow:False
Aliases:dsp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableSshParsing

Specifies whether to disable inspection of SSH traffic. By default, Network Protection inspects SSH traffic.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dsshp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableTlsParsing

Specifies whether to disable inspection of TLS traffic. Network protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to behavior monitoring. TLS connections to malicious websites can also be blocked if "-EnableNetworkProtection" is set to enabled. HTTP inspection can be disabled by setting this value to "$true". By default, network protection inspects TLS traffic.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:dtlsp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnableControlledFolderAccess

Specifies the state for the controlled folder access feature. Valid values are Disabled, Enabled, and Audit Mode.

Parameter properties

Type:ControlledFolderAccessType
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnableDnsSinkhole

Specifies whether to examine DNS traffic to detect and sinkhole DNS exfiltration attempts and other DNS based malicious attacks. Network protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts, and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:ednss

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnableFileHashComputation

Specifies whether to enable file hash computation. When this feature is enabled, Windows Defender computes hashes for files it scans.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:efhc

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnableFullScanOnBatteryPower

Specifies whether Windows Defender does a full scan while on battery power.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:efsobp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnableLowCpuPriority

Specifies whether Windows Defender uses low CPU priority for scheduled scans.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:elcp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnableNetworkProtection

Specifies how the network protection service handles web-based malicious threats, including phishing and malware. Possible values are Disabled, Enabled, and AuditMode.

Parameter properties

Type:ASRRuleActionType
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EngineUpdatesChannel

Specifies when devices receive Microsoft Defender engine updates during the monthly gradual rollout.

Valid values are:

  • NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
  • Beta. Devices are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. This value is for use in manual test environments only and a limited number of devices.
  • Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
  • Preview. Devices are offered updates earliest during the monthly gradual release cycle. This value is suggested for pre-production or validation environments.
  • Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.

Parameter properties

Type:UpdatesChannelType
Default value:None
Supports wildcards:False
DontShow:False
Aliases:erelr

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ExclusionExtension

Specifies an array of file name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ExclusionIpAddress

Specifies an array of IP addresses to exclude from scheduled and real-time scanning.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ExclusionPath

Specifies an array of file paths to exclude from scheduled and real-time scanning. You can specify a folder to exclude all the files under the folder.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ExclusionProcess

Specifies an array of processes, as paths to process images. This cmdlet excludes any files opened by the processes that you specify from scheduled and real-time scanning. Specifying this parameter excludes files opened by executable programs only. The cmdlet does not exclude the processes themselves. To exclude a process, specify it by using the ExclusionPath parameter.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Force

Forces the command to run without asking for user confirmation.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ForceUseProxyOnly

Specifies whether to force the device to use only the proxy.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:fupo

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-HighThreatDefaultAction

Specifies which automatic remediation action to take for a high level threat. The acceptable values for this parameter are:

  • Quarantine
  • Remove
  • Ignore

Parameter properties

Type:ThreatAction
Default value:None
Accepted values:Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block
Supports wildcards:False
DontShow:False
Aliases:htdefac

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-IntelTDTEnabled

This policy setting configures the Intel TDT integration level for Intel TDT-capable devices. The acceptable values for this parameter are:

  • 0 (Default) - If you don't configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat.
  • 1 - If you configure this setting to enabled, Intel TDT integration will turn on.
  • 2 - If you configure this setting to disabled, Intel TDT integration will turn off.

Parameter properties

Type:UInt32
Default value:0
Accepted values:0, 1 and 2
Supports wildcards:False
DontShow:False
Aliases:itdte

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-LowThreatDefaultAction

Specifies which automatic remediation action to take for a low level threat. The acceptable values for this parameter are:

  • Quarantine
  • Remove
  • Ignore

Parameter properties

Type:ThreatAction
Default value:None
Accepted values:Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block
Supports wildcards:False
DontShow:False
Aliases:ltdefac

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-MAPSReporting

Specifies the type of membership in Microsoft Active Protection Service. Microsoft Active Protection Service is an online community that helps you choose how to respond to potential threats. The community also helps prevent the spread of new malicious software. The acceptable values for this parameter are:

  • 0: Disabled. Send no information to Microsoft. This is the default value.
  • 1: Basic membership. Send basic information to Microsoft about detected software, including where the software came from, the actions that you apply or that apply automatically, and whether the actions succeeded.
  • 2: Advanced membership. In addition to basic information, send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it affects your computer.

If you join this community, you can choose to automatically send basic or additional information about detected software. Additional information helps Microsoft create new definitions. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.

Parameter properties

Type:MAPSReportingType
Default value:None
Accepted values:Disabled, Basic, Advanced
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-MeteredConnectionUpdates

Specifies whether to update managed devices to update through metered connections. Data charges may apply.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:mcupd

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ModerateThreatDefaultAction

Specifies which automatic remediation action to take for a moderate level threat. The acceptable values for this parameter are:

  • Quarantine
  • Remove
  • Ignore

Parameter properties

Type:ThreatAction
Default value:None
Accepted values:Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block
Supports wildcards:False
DontShow:False
Aliases:mtdefac

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-OobeEnableRtpAndSigUpdate

This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during Out of Box experience (OOBE).

Valid values are:

  • True - If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
  • False (Default) - If you either disable or don't configure this setting, real-time protection and Security Intelligence Updates during OOBE aren't enabled.

Parameter properties

Type:Boolean
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PlatformUpdatesChannel

Specifies when devices receive Microsoft Defender platform updates during the monthly gradual rollout.

Valid values are:

  • NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
  • Beta. Devices are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. This value is for use in manual test environments only and a limited number of devices.
  • Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
  • Preview. Devices are offered updates earliest during the monthly gradual release cycle. This value is suggested for pre-production or validation environments.
  • Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.

Parameter properties

Type:UpdatesChannelType
Default value:None
Supports wildcards:False
DontShow:False
Aliases:prelr

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ProxyBypass

Specifies proxy bypasses.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:proxbps

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ProxyPacUrl

Specifies the Privilege Attribute Certificate (PAC) proxy.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:ppurl

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ProxyServer

Specifies the proxy server.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:proxsrv

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PUAProtection

Specifies the level of detection for potentially unwanted applications. When potentially unwanted software is downloaded or attempts to install itself on your computer, you are warned.

Parameter properties

Type:PUAProtectionType
Default value:None
Accepted values:Disabled, Enabled, AuditMode
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-QuarantinePurgeItemsAfterDelay

Specifies the number of days to keep items in the Quarantine folder. If you specify a value of zero or do not specify a value for this parameter, items stay in the Quarantine folder indefinitely.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:qpiad

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RandomizeScheduleTaskTimes

Indicates whether to select a random time for the scheduled start and scheduled update for definitions. If you specify a value of $True or do not specify a value, scheduled tasks begin within 30 minutes, before or after, the scheduled time. If you randomize the start times, it can distribute the impact of scanning. For example, if several virtual machines share the same host, randomized start times prevents all the hosts from starting the scheduled tasks at the same time.

If this setting and the SchedulerRandomizationTime setting are both set to Not Configured then the system will use the default behavior of RandomizeScheduleTaskTimes, which is a 30-minute window.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:rstt

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RealTimeScanDirection

Specifies scanning configuration for incoming and outgoing files on NTFS volumes. The acceptable values for this parameter are:

  • 0: Scan both incoming and outgoing files. This is the default.
  • 1: Scan incoming files only.
  • 2: Scan outgoing files only.

Specify a value for this parameter to enhance performance on servers which have a large number of file transfers, but need scanning for either incoming or outgoing files. Evaluate this configuration based on the server role. For non-NTFS volumes, Windows Defender performs full monitoring of file and program activity.

Parameter properties

Type:ScanDirection
Default value:None
Accepted values:Both, Incoming, Outcoming
Supports wildcards:False
DontShow:False
Aliases:rtsd

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RemediationScheduleDay

Specifies the day of the week on which to perform a scheduled full scan in order to complete remediation. Alternatively, specify everyday for this full scan or never. The acceptable values for this parameter are:

  • 0: Everyday
  • 1: Sunday
  • 2: Monday
  • 3: Tuesday
  • 4: Wednesday
  • 5: Thursday
  • 6: Friday
  • 7: Saturday
  • 8: Never

The default value is 8, never. If you specify a value of 8 or do not specify a value, Windows Defender performs a scheduled full scan to complete remediation by using a default frequency.

Parameter properties

Type:Day
Default value:None
Accepted values:Everyday, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Never
Supports wildcards:False
DontShow:False
Aliases:rsd

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RemediationScheduleTime

Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan. The time refers to the local time on the computer. If you do not specify a value for this parameter, a scheduled scan runs at the default time of two hours after midnight.

Parameter properties

Type:DateTime
Default value:None
Supports wildcards:False
DontShow:False
Aliases:rst

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ReportingAdditionalActionTimeOut

Specifies the number of minutes before a detection in the additional action state changes to the cleared state.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:raat

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ReportingCriticalFailureTimeOut

Specifies the number of minutes before a detection in the critically failed state changes to either the additional action state or the cleared state.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:rcto

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ReportingNonCriticalTimeOut

Specifies the number of minutes before a detection in the non-critically failed state changes to the cleared state.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:rncto

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScanAvgCPULoadFactor

Specifies the maximum percentage CPU usage for a scan. The acceptable values for this parameter are: integers from 5 through 100, and the value 0, which disables CPU throttling. Windows Defender does not exceed the percentage of CPU usage that you specify. The default value is 50.

Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. If ScanOnlyIfIdleEnabled (instructing the product to scan only when the computer is not in use) and DisableCpuThrottleOnIdleScans (instructing the product to disable CPU throttling on idle scans) are both enabled, then the value of ScanAvgCPULoadFactor is ignored.

Parameter properties

Type:Byte
Default value:None
Supports wildcards:False
DontShow:False
Aliases:saclf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScanOnlyIfIdleEnabled

Indicates whether to start scheduled scans only when the computer is not in use. If you specify a value of $True or do not specify a value, Windows Defender runs schedules scans when the computer is on, but not in use.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False
Aliases:soiie

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScanParameters

Specifies the scan type to use during a scheduled scan. The acceptable values for this parameter are:

  • 1: Quick scan
  • 2: Full scan

If you do not specify this parameter, Windows Defender uses the default value of quick scan.

Parameter properties

Type:ScanType
Default value:None
Accepted values:QuickScan, FullScan
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScanPurgeItemsAfterDelay

Specifies the number of days to keep items in the scan history folder. After this time, Windows Defender removes the items. If you specify a value of zero, Windows Defender does not remove items. If you do not specify a value, Windows Defender removes items from the scan history folder after the default length of time, which is 15 days.

Parameter properties

Type:UInt32
Default value:15
Supports wildcards:False
DontShow:False
Aliases:spiad

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScanScheduleDay

Specifies the day of the week on which to perform a scheduled scan. Alternatively, specify everyday for a scheduled scan or never. The acceptable values for this parameter are:

  • 0: Everyday
  • 1: Sunday
  • 2: Monday
  • 3: Tuesday
  • 4: Wednesday
  • 5: Thursday
  • 6: Friday
  • 7: Saturday
  • 8: Never

The default value is 8, never. If you specify a value of 8 or do not specify a value, Windows Defender does not perform scheduled scans.

Parameter properties

Type:Day
Default value:None
Accepted values:Everyday, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Never
Supports wildcards:False
DontShow:False
Aliases:scsd

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScanScheduleOffset

Configures the number of minutes after midnight to perform a scheduled scan. The time on the endpoint is used to determine the local time. If you enable this setting, a scheduled scan will run at the time specified. If you disable or don’t enable this setting, a scheduled scan runs at the default time of two hours (120 minutes) after midnight.

Tip

We recommend using the ScanScheduleOffset parameter instead of the ScanScheduleTime parameter because it's a more intuitive way to set the time for the Weekly Scheduled Scan. If both ScanScheduleOffset and ScanScheduleTime are set, whichever configuration was edited more recently is used to determine the time to execute the scan.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:scso

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScanScheduleQuickScanTime

Specifies the time of day, as the number of minutes after midnight, to perform a daily scheduled quick scan. The time refers to the local time on the computer. If you do not specify a value for this parameter, a scheduled quick scan runs at the time specified by the ScanScheduleOffset parameter. That parameter has a default time of two hours after midnight.

Parameter properties

Type:DateTime
Default value:None
Supports wildcards:False
DontShow:False
Aliases:scsqst

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ScanScheduleTime

Specifies the time of day to run a scheduled scan. The time refers to the local time on the computer. Specify the number of minutes after midnight (for example, enter 60 for 1 a.m.). This parameter has a default time of two hours after midnight (2 a.m.).

Parameter properties

Type:DateTime
Default value:None
Supports wildcards:False
DontShow:False
Aliases:scsqst

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SchedulerRandomizationTime

Specifies the randomization time for the scheduler.

If you disable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 4 hours after the specified start time. If you enable this setting, you must pick a randomization window in hours. The possible randomization window interval is between 1 and 23 hours.

If this setting and the RandomizeScheduleTaskTimes setting are both set to Not Configured then the system will use the default behavior of RandomizeScheduleTaskTimes, which is a 30-minute window.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:srt

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ServiceHealthReportInterval

This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints. These are for Microsoft Defender Antivirus events 1150 and 1151. For more information, see Microsoft Defender Antivirus event IDs.

If you do not configure this setting, the default value will be applied. The default value is set at 60 minutes (one hour). If you configure this setting to 0, no service health reports will be sent. The maximum value allowed to be set is 14400 minutes (ten days).

Parameter properties

Type:UInt32
Default value:60
Accepted values:0-14400
Supports wildcards:False
DontShow:False
Aliases:shri

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SevereThreatDefaultAction

Specifies which automatic remediation action to take for a severe level threat. The acceptable values for this parameter are:

  • Quarantine
  • Remove
  • Ignore

Parameter properties

Type:ThreatAction
Default value:None
Accepted values:Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block
Supports wildcards:False
DontShow:False
Aliases:stdefac

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SharedSignaturesPath

Specifies the shared signatures path.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:ssp, SecurityIntelligenceLocation, ssl

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureAuGracePeriod

Specifies a grace period, in minutes, for the definition. If a definition successfully updates within this period, Windows Defender abandons any service initiated updates.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:sigagp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureBlobFileSharesSources

Specifies the file shares sources for signatures.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:sigbfs

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureBlobUpdateInterval

Specifies the signature update interval.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:sigbui

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureDefinitionUpdateFileSharesSources

Specifies file-share sources for definition updates. Specify sources as a bracketed sequence of Universal Naming Convention (UNC) locations, separated by the pipeline symbol; for example, { \\Server01\Share01 | \\Server02\Share02 | \\Server03\Share03}. If you specify a value for this parameter, Windows Defender attempts to connect to the shares in the order that you specify. After Windows Defender updates a definition, it stops attempting to connect to shares on the list. If you do not specify a value for this parameter, the list is empty.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:sigdufss

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureDisableUpdateOnStartupWithoutEngine

Indicates whether to initiate definition updates even if no antimalware engine is present. If you specify a value of $True or do not specify a value, Windows Defender does not initiate definition updates on startup. If you specify a value of $False, and if no antimalware engine is present, Windows Defender initiates definition updates on startup.

Parameter properties

Type:Boolean
Default value:False
Supports wildcards:False
DontShow:False
Aliases:sigduoswo

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureFallbackOrder

Specifies the order in which to contact different definition update sources. Specify the types of update sources in the order in which you want Windows Defender to contact them, enclosed in braces and separated by the pipeline symbol; for example, { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }. The values that you can specify in the string are:

  • InternalDefinitionUpdateServer
  • MicrosoftUpdateServer
  • MMPC
  • FileShares

MMPC refers to Microsoft Malware Protection Center.

If you specify a value for this parameter, Windows Defender contacts the definition update sources in the specified order. After Windows Defender downloads definition updates from a source, it stops attempting to connect to other sources. If you do not specify a value for this parameter, Windows Defender contacts sources in the default order of { MicrosoftUpdateServer | MMPC }.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:sfo

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureFirstAuGracePeriod

Specifies a grace period, in minutes, for the definition. If a definition successfully updates within this period, Windows Defender abandons any service initiated updates. This parameter overrides the value of the CheckForSignaturesBeforeRunningScan parameter.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:sigfagp

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureScheduleDay

Specifies the day of the week on which to check for definition updates. Alternatively, specify everyday for a scheduled scan or never. The acceptable values for this parameter are:

  • 0: Everyday
  • 1: Sunday
  • 2: Monday
  • 3: Tuesday
  • 4: Wednesday
  • 5: Thursday
  • 6: Friday
  • 7: Saturday
  • 8: Never

The default value is 8, never. If you specify a value of 8 or do not specify a value, Windows Defender checks for definition updates by using a default frequency.

Parameter properties

Type:Day
Default value:None
Accepted values:Everyday, Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Never
Supports wildcards:False
DontShow:False
Aliases:sigsd

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureScheduleTime

Specifies the time of day, as the number of minutes after midnight, to check for definition updates. The time refers to the local time on the computer. If you do not specify a value for this parameter, Windows Defender checks for definition updates at the default time of 15 minutes before the scheduled scan time.

Parameter properties

Type:DateTime
Default value:None
Supports wildcards:False
DontShow:False
Aliases:sigst

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignaturesUpdatesChannel

Specifies when devices receive daily Microsoft Defender definition updates during the monthly gradual rollout.

Valid values are:

  • NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
  • Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
  • Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.

This parameter name will be updated to DefinitionUpdatesChannel in a future release.

Parameter properties

Type:UpdatesChannelType
Default value:None
Supports wildcards:False
DontShow:False
Aliases:srelr

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureUpdateCatchupInterval

Specifies the number of days after which Windows Defender requires a catch-up definition update. If you do not specify a value for this parameter, Windows Defender requires a catch-up definition update after the default value of one day.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:siguci

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignatureUpdateInterval

Specifies the interval, in hours, at which to check for definition updates. The acceptable values for this parameter are: integers from 1 through 24. If you do not specify a value for this parameter, Windows Defender checks at the default interval. You can use this parameter instead of the SignatureScheduleDay parameter and SignatureScheduleTime parameter.

Parameter properties

Type:UInt32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:sigui

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SubmitSamplesConsent

Specifies how Windows Defender checks for user consent for certain samples. If consent has previously been granted, Windows Defender submits the samples. Otherwise, if the MAPSReporting parameter does not have a value of Disabled, Windows Defender prompts the user for consent. The acceptable values for this parameter are:

  • 0: Always prompt
  • 1: Send safe samples automatically
  • 2: Never send
  • 3: Send all samples automatically

Parameter properties

Type:SubmitSamplesConsentType
Default value:None
Accepted values:AlwaysPrompt, SendSafeSamples, NeverSend, SendAllSamples
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ThreatIDDefaultAction_Actions

Specifies an array of the actions to take for the IDs specified by using the ThreatIDDefaultAction_Ids parameter. The acceptable values for this parameter are:

  • 1: Clean
  • 2: Quarantine
  • 3: Remove
  • 6: Allow
  • 8: UserDefined
  • 9: NoAction
  • 10: Block

Note

A value of 0 (NULL) applies an action based on the Security Intelligence Update (SIU). This is the default value.

Parameter properties

Type:

ThreatAction[]

Default value:None
Accepted values:Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block
Supports wildcards:False
DontShow:False
Aliases:tiddefaca

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ThreatIDDefaultAction_Ids

Specifies an array of threat IDs. This cmdlet modifies the default action for the threat IDs that you specify.

Parameter properties

Type:

Int64[]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:tiddefaci

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ThrottleForScheduledScanOnly

A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. The acceptable values for this parameter are:

  • 1 (Default) - If you enable this setting, CPU throttling will apply only to scheduled scans.
  • 0 - If you disable this setting, CPU throttling will apply to scheduled and custom scans.

Parameter properties

Type:Boolean
Default value:1
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ThrottleLimit

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Parameter properties

Type:Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-UILockdown

Indicates whether to disable UI lockdown mode. If you specify a value of $True, Windows Defender disables UI lockdown mode. If you specify $False or do not specify a value, UI lockdown mode is enabled.

Parameter properties

Type:Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-UnknownThreatDefaultAction

Specifies which automatic remediation action to take for an unknown level threat. The acceptable values for this parameter are:

  • Quarantine
  • Remove
  • Ignore

Parameter properties

Type:ThreatAction
Default value:None
Accepted values:Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block
Supports wildcards:False
DontShow:False
Aliases:unktdefac

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.