Use Group Policy settings to configure and manage Microsoft Defender Antivirus
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
Platforms
- Windows
We recommend using Microsoft Intune to manage Microsoft Defender Antivirus settings for your organization. However, you can use Group Policy to configure and manage some settings for Microsoft Defender Antivirus.
Important
If tamper protection is enabled in your organization, any changes made to tamper-protected settings are ignored. In addition, you can't turn off tamper protection by using Group Policy.
If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. After troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
Configure Microsoft Defender Antivirus using Group Policy
In general, you can use the following procedure to configure or change some settings for Microsoft Defender Antivirus.
On your Group Policy management machine, open the Group Policy Management Console. Right-click the Group Policy Object (GPO) you want to configure and select Edit.
Using the Group Policy Management Editor, go to Computer configuration.
Select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus.
Expand the section (referred to as Location in the table in this article) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
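After the GPO applies, a practitioner usually wants to confirm on an endpoint that the values the GPO wrote to the policy hive match what the engine is actually enforcing, and to see where tamper protection caused a change to be ignored. The following PowerShell check is an added example, not code from the Microsoft Learn page; it assumes the policy keys and value names under `HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender` are the ones the Defender ADMX writes, and that it runs in an elevated session on a managed Windows device.

```powershell
# Added example (not from the page): compare Defender Antivirus values a GPO
# wrote to the policy hive with what Get-MpPreference reports, and flag a
# mismatch as expected when tamper protection is on. Run elevated.
# Assumption: key/value names below are those written by the Defender ADMX.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Location (as in the table) -> policy value name -> effective engine value.
$checks = @(
    @{ Location = 'Real-time protection'; Key = 'Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Effective = [int]$pref.DisableRealtimeMonitoring },
    @{ Location = 'Real-time protection'; Key = 'Real-Time Protection'; Name = 'DisableBehaviorMonitoring'; Effective = [int]$pref.DisableBehaviorMonitoring },
    @{ Location = 'Real-time protection'; Key = 'Real-Time Protection'; Name = 'DisableIOAVProtection';     Effective = [int]$pref.DisableIOAVProtection },
    @{ Location = 'MAPS';                 Key = 'Spynet';               Name = 'SpynetReporting';           Effective = [int]$pref.MAPSReporting },
    @{ Location = 'MAPS';                 Key = 'Spynet';               Name = 'SubmitSamplesConsent';      Effective = [int]$pref.SubmitSamplesConsent },
    @{ Location = 'MpEngine';             Key = 'MpEngine';             Name = 'MpCloudBlockLevel';         Effective = [int]$pref.CloudBlockLevel }
)

$report = foreach ($c in $checks) {
    # A missing value means the GPO left this setting "Not configured".
    $item = Get-ItemProperty -Path (Join-Path $policyRoot $c.Key) -Name $c.Name -ErrorAction SilentlyContinue
    $policyValue = if ($null -ne $item) { [int]$item.($c.Name) } else { $null }
    [pscustomobject]@{
        Location  = $c.Location
        Setting   = $c.Name
        Policy    = $policyValue
        Effective = $c.Effective
        State     = if ($null -eq $policyValue) { 'NotConfigured' }
                    elseif ($policyValue -eq $c.Effective) { 'Applied' }
                    elseif ($status.IsTamperProtected) { 'IgnoredByTamperProtection' }
                    else { 'Mismatch' }
    }
}
$report | Format-Table -AutoSize

# Path exclusions are stored as value *names* under Exclusions\Paths. Show what
# the GPO pushed next to what the engine enforces (local admin merge may add more).
$exclKey = Join-Path $policyRoot 'Exclusions\Paths'
$policyExclusions = if (Test-Path $exclKey) { (Get-Item $exclKey).GetValueNames() } else { @() }
[pscustomobject]@{
    PolicyExclusions    = ($policyExclusions -join '; ')
    EffectiveExclusions = ($pref.ExclusionPath -join '; ')
    TamperProtected     = $status.IsTamperProtected
    RealTimeProtection  = $status.RealTimeProtectionEnabled
} | Format-List
```

Any row reported as Mismatch with tamper protection off, or any effective exclusion that is not in the policy list, is worth investigating before assuming the GPO is in control of the device.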
Group Policy settings and resources
The following table lists commonly used Group Policy settings that are available in Windows 10.
Tip
For the most current settings, get the latest ADMX files in your central store to access the correct policy options. See How to create and manage the Central Store for Group Policy Administrative Templates in Windows and download the latest files.
Location | Setting | Article |
---|---|---|
Client interface | Enable headless UI mode | Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface |
Client interface | Display more text to clients when they need to perform an action | Configure the notifications that appear on endpoints |
Client interface | Suppress all notifications | Configure the notifications that appear on endpoints |
Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints |
Exclusions | Extension Exclusions | Configure and validate exclusions in Microsoft Defender Antivirus scans |
Exclusions | IP Address Exclusions | Add exclusions |
Exclusions | Path Exclusions | Configure and validate exclusions in Microsoft Defender Antivirus scans |
Exclusions | Process Exclusions | Configure and validate exclusions in Microsoft Defender Antivirus scans |
Exclusions | Turn off Auto Exclusions | Configure and validate exclusions in Microsoft Defender Antivirus scans |
Features | Device Control | Deploy and manage device control in Microsoft Defender for Endpoint using Group Policy |
Features | Enable EDR in Block Mode | EDR in block mode: Group Policy |
MAPS | Configure the "Block at First Sight" feature | Enable block at first sight |
MAPS | Join Microsoft MAPS | Enable cloud-delivered protection |
MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection |
MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings |
MpEngine | Configure extended cloud check | Configure the cloud block time-out period |
MpEngine | Disable gradual rollout of Microsoft Defender updates | Configure updates: Group Policy |
MpEngine | Enable file hash computation feature | Create indicators for files |
MpEngine | Select cloud protection level | Specify the cloud-delivered protection level |
Network inspection system | Convert warn verdict to block | Network protection: Warn experience |
Network inspection system | Specify more definition sets for network traffic inspection | Not used (deprecated) |
Network inspection system | Turn on asynchronous inspection | Optimizing network protection performance |
Network inspection system | Turn on definition retirement | Not used (deprecated) |
Network inspection system | Turn on protocol recognition | Not used (deprecated) |
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings |
Quarantine | Configure removal of items from Quarantine folder | Configure remediation for Microsoft Defender Antivirus scans |
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings |
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings |
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings |
Real-time protection | Configure local setting override to turn on behavior monitoring | Prevent or allow users to locally modify policy settings |
Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings |
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Real-time protection | Configure performance mode status | Performance mode: Group Policy |
Real-time protection | Configure real-time protection and Security Intelligence Updates during OOBE | Enable and configure Microsoft Defender Antivirus always-on protection |
Real-time protection | Monitor file and program activity on your computer | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Real-time protection | Scan all downloaded files and attachments | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Real-time protection | Turn off real-time protection | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Real-time protection | Turn on behavior monitoring | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Real-time protection | Turn on raw volume write notifications | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings |
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Microsoft Defender Antivirus scans |
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Configure scheduled Microsoft Defender Antivirus scans |
Reporting | Configure time interval for service health reports | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Configure time out for detections in critically failed state | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Configure time out for detections in noncritical failed state | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Configure time out for detections in recently remediated state | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Configure time out for detections in requiring additional action | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Configure Watson events | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Configure whether to report Dynamic Signature dropped events | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Configure Windows software trace preprocessor components | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Configure WPP tracing level | Configure Microsoft Defender Antivirus notifications that appear on endpoints |
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints |
Root | Turn off Microsoft Defender Antivirus | Not used. If you're using or planning to use a non-Microsoft antivirus product, see Microsoft Defender Antivirus compatibility with other security products. |
Root | Define addresses to bypass proxy server | Configure device proxy and Internet connectivity settings |
Root | Define proxy autoconfig (.pac) for connecting to the network | Configure device proxy and Internet connectivity settings |
Root | Define proxy server for connecting to the network | Configure device proxy and Internet connectivity settings |
Root | Define the directory path to copy support log files | Configure device proxy and Internet connectivity settings |
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings |
Root | Allow anti-malware service to start up with normal priority | Configure remediation for Microsoft Defender Antivirus scans |
Root | Allow anti-malware service to remain running always | Configure remediation for Microsoft Defender Antivirus scans |
Root | Turn off routine remediation | Configure remediation for Microsoft Defender Antivirus scans |
Root | Randomize scheduled task times | Configure scheduled scans for Microsoft Defender Antivirus |
Root | Select the channel for Microsoft Defender daily security intelligence updates | Update channels for security intelligence updates |
Root | Select the channel for Microsoft Defender monthly engine updates | Update channels for monthly updates |
Root | Select the channel for Microsoft Defender monthly platform updates | Update channels for monthly updates |
Scan | Allow users to pause scan | Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface (Not supported on Windows 10 or newer, and Windows Server 2016 and newer) |
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates |
Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date |
Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date |
Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date |
Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings |
Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings |
Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings |
Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings |
Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings |
Scan | Configure low CPU priority for scheduled scans | Configure Microsoft Defender Antivirus scanning options |
Scan | Configure scanning of network files | Configure Microsoft Defender Antivirus scanning options |
Scan | CPU throttling type | Configure Microsoft Defender Antivirus scanning options |
Scan | Create a system restore point | Configure remediation for Microsoft Defender Antivirus scans |
Scan | Turn on removal of items from scan history folder | Configure remediation for Microsoft Defender Antivirus scans |
Scan | Turn on heuristics | Enable and configure Microsoft Defender Antivirus always-on protection and monitoring |
Scan | Turn on e-mail scanning | Configure scanning options in Microsoft Defender Antivirus |
Scan | Turn on reparse point scanning | Configure scanning options in Microsoft Defender Antivirus |
Scan | Run full scan on mapped network drives | Configure scanning options in Microsoft Defender Antivirus |
Scan | Scan archive files | Configure scanning options in Microsoft Defender Antivirus |
Scan | Scan excluded files and directories during quick scan | Configure scanning options: Settings and locations |
Scan | Scan packed executables | Configure scanning options in Microsoft Defender Antivirus |
Scan | Scan scripts | Configure scanning options in Microsoft Defender Antivirus. Also see Defender/AllowScriptScanning. |
Scan | Scan removable drives | Configure scanning options in Microsoft Defender Antivirus |
Scan | Specify the maximum depth to scan archive files | Configure scanning options in Microsoft Defender Antivirus |
Scan | Specify the maximum percentage of CPU utilization during a scan | Configure scanning options in Microsoft Defender Antivirus |
Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Microsoft Defender Antivirus |
Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Microsoft Defender Antivirus |
Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Microsoft Defender Antivirus |
Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Microsoft Defender Antivirus |
Scan | Specify the time for a daily quick scan | Configure scheduled scans for Microsoft Defender Antivirus |
Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Microsoft Defender Antivirus |
Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Microsoft Defender Antivirus |
Scan | Trigger a quick scan after X days without any scans | Configure scanning options: Settings and locations |
Security intelligence updates | Allow security intelligence updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs) |
Security intelligence updates | Allow security intelligence updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs) |
Security intelligence updates | Allow Microsoft Defender Antivirus to update and communicate over a metered connection | Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date |
Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | Manage event-based forced updates |
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | Manage event-based forced updates |
Security intelligence updates | Check for the latest virus and spyware security intelligence on startup | Manage event-based forced updates |
Security intelligence updates | Define file shares for downloading security intelligence updates | Manage Microsoft Defender Antivirus protection and security intelligence updates |
Security intelligence updates | Define security intelligence location for VDI clients | Configure Microsoft Defender Antivirus on a remote desktop or VDI: Group Policy |
Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | Manage updates for endpoints that are out of date |
Security intelligence updates | Define the number of days before spyware security intelligence are considered out of date | Manage updates for endpoints that are out of date |
Security intelligence updates | Define the number of days before virus security intelligence are considered out of date | Manage updates for endpoints that are out of date |
Security intelligence updates | Define the order of sources for downloading security intelligence updates | Manage Microsoft Defender Antivirus protection and security intelligence updates |
Security intelligence updates | Initiate security intelligence update on startup | Manage event-based forced updates |
Security intelligence updates | Specify the day of the week to check for security intelligence updates | Manage when protection updates should be downloaded and applied |
Security intelligence updates | Specify the interval to check for security intelligence updates | Manage when protection updates should be downloaded and applied |
Security intelligence updates | Specify the time to check for security intelligence updates | Manage when protection updates should be downloaded and applied |
Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Microsoft Defender Antivirus |
Threats | Specify threat alert levels at which default action shouldn't be taken when detected | Configure remediation for Microsoft Defender Antivirus scans |
Threats | Specify threats upon which default action shouldn't be taken when detected | Configure remediation for Microsoft Defender Antivirus scans |
Tip
Instead of using "Run full scan on mapped network drives", if you have a Network-Attached Storage (NAS) or Storage Area Network (SAN), you can use Internet Content Adaptation Protocol (ICAP) scanning with the Microsoft Defender Antivirus engine. For more information, see Tech Community Blog: MetaDefender ICAP with Windows Defender Antivirus: World-class security for hybrid environments.
Tip
Performance tip: Due to a variety of factors (examples listed below), Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:
- Top paths that impact scan time
- Top files that impact scan time
- Top processes that impact scan time
- Top file extensions that impact scan time
- Combinations, for example:
  - top files per extension
  - top paths per extension
  - top processes per path
  - top scans per file
  - top scans per file per process
You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See: Performance analyzer for Microsoft Defender Antivirus.
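The recording-then-report workflow for the Performance analyzer, as an added example that is not from the page or the product documentation. It assumes the `New-MpPerformanceRecording` and `Get-MpPerformanceReport` cmdlets are present (Windows 10 with a current Defender platform), that the session is elevated, and that the `.etl` path is a placeholder you choose; the `-Top*Per*` parameter names mirror the combinations listed above.

```powershell
# Added example (not from the page): record Defender Antivirus scan activity,
# then ask the report for the top contributors and combinations named above.
# Assumption: $recording is a placeholder path; run in an elevated session.
$recording = 'C:\Temp\DefenderPerf.etl'

# Capture 120 seconds of scan activity. Reproduce the slow workload (build,
# backup, file copy) while the recording runs so the report reflects it.
New-MpPerformanceRecording -RecordTo $recording -Seconds 120

# High-level view first: how many scans, total time, and where it went.
Get-MpPerformanceReport -Path $recording -Overview

# Single dimensions: paths, files, processes and extensions by scan time.
Get-MpPerformanceReport -Path $recording -TopPaths 10
Get-MpPerformanceReport -Path $recording -TopFiles 10
Get-MpPerformanceReport -Path $recording -TopProcesses 10
Get-MpPerformanceReport -Path $recording -TopExtensions 10

# Combinations from the tip: which files/paths per extension, which processes
# per path, and the individual scans (with durations) behind a hot file.
Get-MpPerformanceReport -Path $recording -TopExtensions 5 -TopFilesPerExtension 5
Get-MpPerformanceReport -Path $recording -TopExtensions 5 -TopPathsPerExtension 5
Get-MpPerformanceReport -Path $recording -TopPaths 5 -TopProcessesPerPath 5
Get-MpPerformanceReport -Path $recording -TopFiles 5 -TopScansPerFile 3
Get-MpPerformanceReport -Path $recording -TopFiles 5 -TopScansPerFilePerProcess 3

# Focus on the expensive scans only (assumption: -MinDuration accepts a
# duration such as 100ms) before deciding whether any exclusion is justified.
Get-MpPerformanceReport -Path $recording -TopScans 20 -MinDuration 100ms
```

Treat the output as input to a review: an exclusion for a hot path removes scanning from that path entirely, so confirm the process and file types involved before adding one through the Exclusions policies in the table.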
See also
- Performance analyzer for Microsoft Defender Antivirus
- Reference topics for management and configuration tools
- Microsoft Defender Antivirus in Windows 10
- Set preferences for Microsoft Defender for Endpoint on macOS
- Set preferences for Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.