Add-MpPreference
Modifies settings for Windows Defender.
Syntax
Add-MpPreference
[-ExclusionPath <String[]>]
[-ExclusionExtension <String[]>][-ExclusionProcess <String[]>]
[-ExclusionIpAddress <String[]>][-ThreatIDDefaultAction_Ids <Int64[]>]
[-ThreatIDDefaultAction_Actions <ThreatAction[]>][-AttackSurfaceReductionOnlyExclusions <String[]>][-ControlledFolderAccessAllowedApplications <String[]>][-ControlledFolderAccessProtectedFolders <String[]>]
[-AttackSurfaceReductionRules_Ids <String[]>][-AttackSurfaceReductionRules_Actions <ASRRuleActionType[]>]
[-Force]
[-CimSession <CimSession[]>][-ThrottleLimit <Int32>]
[-AsJob]
[<CommonParameters>]
Description
The Add-MpPreference
cmdlet modifies settings for Windows Defender. Use this cmdlet to add
exclusions for file name extensions, paths, and processes, and to add default actions for high,
moderate, and low threats.
Examples
Example 1: Add a folder to the exclusion list
Add-MpPreference -ExclusionPath 'C:\Temp'
This command adds the folder C:\Temp to the exclusion list. The command disables Windows Defender scheduled and real-time scanning for files in this folder.
Example 2: Allow an application to access folders
Add-MpPreference -ControlledFolderAccessAllowedApplications 'c:\apps\test.exe'
This command allows the specified application to make changes in controlled folders.
Parameters
-AsJob
Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.
The cmdlet immediately returns an object that represents the job and then displays the command
prompt. You can continue to work in the session while the job completes. To manage the job, use the
*-Job
cmdlets. To get the job results, use the
Receive-Job cmdlet.
For more information about Windows PowerShell background jobs, see about_Jobs.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AttackSurfaceReductionOnlyExclusions
Specifies the files and paths to exclude from attack surface reduction (ASR) rules. Specifies the
folders or files and resources that should be excluded from ASR rules. Enter a folder path or a
fully qualified resource name. For example, C:\Windows
excludes all files in that directory.
C:\Windows\App.exe
excludes only that specific file in that specific folder.
See the ASR rules topic for more information about excluding files and folders from ASR rules.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AttackSurfaceReductionRules_Actions
Specifies the states of attack surface reduction rules specified by using the AttackSurfaceReductionRules_Ids parameter. If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.
Type: | ASRRuleActionType[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AttackSurfaceReductionRules_Ids
Specifies the IDs of attack surface reduction rules. Use the AttackSurfaceReductionRules_Actions parameter to specify the state for each rule. If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CimSession
Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.
Type: | CimSession[] |
Aliases: | Session |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ControlledFolderAccessAllowedApplications
Specifies applications that can make changes in controlled folders.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ControlledFolderAccessProtectedFolders
Specifies more folders to protect.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExclusionExtension
Specifies an array of file name extensions, such as obj
or lib
, to exclude from scheduled, custom,
and real-time scanning. This cmdlet adds these file name extensions to the exclusions.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExclusionIpAddress
Specifies an array of IP addresses to exclude from scheduled and real-time scanning.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExclusionPath
Specifies an array of file paths to exclude from scheduled and real-time scanning. You can specify a folder to exclude all the files under the folder.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExclusionProcess
Specifies an array of processes, as paths to process images. This cmdlet excludes any files opened by the processes that you specify from scheduled and real-time scanning. Specifying this parameter excludes files opened by executable programs only. The cmdlet does not exclude the processes themselves. To exclude a process, specify it by using the ExclusionPath parameter.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ThreatIDDefaultAction_Actions
Specifies an array of the actions to take for the IDs specified by using the ThreatIDDefaultAction_Ids parameter. The acceptable values for this parameter are:
1
: Clean2
: Quarantine3
: Remove6
: Allow8
: UserDefined9
: NoAction10
: Block
Type: | ThreatAction[] |
Aliases: | tiddefaca |
Accepted values: | Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ThreatIDDefaultAction_Ids
Specifies an array of threat IDs. This cmdlet adds the default action for the threat IDs that you specify.
Type: | Int64[] |
Aliases: | tiddefaci |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ThrottleLimit
Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If
this parameter is omitted or a value of 0
is entered, then Windows PowerShell® calculates an
optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the
computer. The throttle limit applies only to the current cmdlet, not to the session or to the
computer.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |