Set-MpPreference

Configure preferences for Windows Defender scans and updates.

Syntax
      Set-MpPreference [-CheckForSignaturesBeforeRunningScan Boolean] [-CimSession CimSession[]] 
         [-DisableArchiveScanning Boolean] [-DisableAutoExclusions Boolean]
            [-DisableBehaviorMonitoring Boolean] [-DisableCatchupFullScan Boolean]
               [-DisableCatchupQuickScan Boolean] [-DisableEmailScanning Boolean] 
                  [-DisableIntrusionPreventionSystem Boolean] [-DisableIOAVProtection Boolean]
                     [-DisablePrivacyMode Boolean] [-DisableRealtimeMonitoring Boolean]
                        [-DisableRemovableDriveScanning Boolean] [-DisableRestorePoint Boolean] 
                           [-DisableScanningMappedNetworkDrivesForFullScan Boolean] [-DisableScanningNetworkFiles Boolean] 
                              [-DisableScriptScanning Boolean] [-ExclusionExtension String[]]
                                 [-ExclusionPath String[]] [-ExclusionProcess String[]] [-Force]
                                    [-HighThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
         [-LowThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}] 
            [-MAPSReporting {Disabled | Basic | Advanced}]
               [-ModerateThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
                  [-QuarantinePurgeItemsAfterDelay UInt32] [-RandomizeScheduleTaskTimes Boolean]
                     [-RealTimeScanDirection {Both | Incoming | Outcoming}]
                        [-RemediationScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
                           [-RemediationScheduleTime DateTime] [-ReportingAdditionalActionTimeOut UInt32]
                              [-ReportingCriticalFailureTimeOut UInt32] [-ReportingNonCriticalTimeOut UInt32]
                                 [-ScanAvgCPULoadFactor Byte] [-ScanOnlyIfIdleEnabled Boolean] 
                                    [-ScanParameters {QuickScan | FullScan}] [-ScanPurgeItemsAfterDelay UInt32]
         [-ScanScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
            [-ScanScheduleQuickScanTime DateTime] [-ScanScheduleTime DateTime]
               [-SevereThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
                  [-SignatureAuGracePeriod UInt32] [-SignatureDefinitionUpdateFileSharesSources String] 
                     [-SignatureDisableUpdateOnStartupWithoutEngine Boolean] [-SignatureFallbackOrder String] 
                        [-SignatureFirstAuGracePeriod UInt32]
                           [-SignatureScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
                              [-SignatureScheduleTime DateTime] [-SignatureUpdateCatchupInterval UInt32]
                                 [-SignatureUpdateInterval UInt32] [-SubmitSamplesConsent {None | Always | Never}] 
                                    [-ThreatIDDefaultAction_Actions ThreatAction[]] [-ThreatIDDefaultAction_Ids Int64[]]
         [-ThrottleLimit Int32] [-UILockdown Boolean]
            [-UnknownThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}] 
               [CommonParameters]

Key
   -CheckForSignaturesBeforeRunningScan [Boolean]
        Indicates whether to check for new virus and spyware definitions before Windows Defender runs a scan. If you 
        specify a value of $True, Windows Defender checks for new definitions. If you specify $False or do not specify 
        a value, the scan begins with existing definitions. This value applies to scheduled scans and to scans that 
        you start from the command line, but it does not affect scans that you start from the user interface.
        
    -CimSession [CimSession[]]
        Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such 
        as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local 
        computer.
        
    -DisableArchiveScanning [Boolean]
        Indicates whether to scan archive files, such as .zip and .cab files, for malicious and unwanted software. If 
        you specify a value of $True or do not specify a value, Windows Defender scans archive files.
        
    -DisableAutoExclusions [Boolean]
        Indicates whether to disable the Automatic Exclusions feature for the server.
        
    -DisableBehaviorMonitoring [Boolean]
        Indicates whether to enable behavior monitoring. If you specify a value of $True or do not specify a value, 
        Windows Defender enables behavior monitoring.
        
    -DisableCatchupFullScan [Boolean]
        Indicates whether Windows Defender runs catch-up scans for scheduled full scans. A computer can miss a 
        scheduled scan, usually because the computer is turned off at the scheduled time. If you specify a value of 
        $True, after the computer misses two scheduled full scans, Windows Defender runs a catch-up scan the next time 
        someone logs on to the computer. If you specify a value of $False or do not specify a value, the computer does 
        not run catch-up scans for scheduled full scans.
        
    -DisableCatchupQuickScan [Boolean]
        Indicates whether Windows Defender runs catch-up scans for scheduled quick scans. A computer can miss a 
        scheduled scan, usually because the computer is off at the scheduled time. If you specify a value of $True, 
        after the computer misses two scheduled quick scans, Windows Defender runs a catch-up scan the next time 
        someone logs onto the computer. If you specify a value of $False or do not specify a value, the computer does 
        not run catch-up scans for scheduled quick scans.
        
    -DisableEmailScanning [Boolean]
        Indicates whether Windows Defender parses the mailbox and mail files, according to their specific format, in 
        order to analyze mail bodies and attachments. Windows Defender supports several formats, including .pst, .dbx, 
        .mbx, .mime, and .binhex. If you specify a value of $True, Windows Defender performs email scanning. If you 
        specify a value of $False or do not specify a value, Windows Defender does not perform email scanning.
        
    -DisableIntrusionPreventionSystem [Boolean]
        Indicates whether to configure network protection against exploitation of known vulnerabilities. If you 
        specify a value of $True or do not specify a value, network protection is enabled.
        
    -DisableIOAVProtection [Boolean]
        Indicates whether Windows Defender scans all downloaded files and attachments. If you specify a value of $True 
        or do not specify a value, scanning downloaded files and attachments is enabled.
        
    -DisablePrivacyMode [Boolean]
        Indicates whether to disable privacy mode. Privacy mode prevents users, other than administrators, from 
        displaying threat history.
        
    -DisableRealtimeMonitoring [Boolean]
        Indicates whether to use real-time protection. If you specify a value of $True or do not specify a value, 
        Windows Defender uses real-time protection. We recommend that you enable Windows Defender to use real-time 
        protection.
        
    -DisableRemovableDriveScanning [Boolean]
        Indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, 
        during a full scan. If you specify a value of $True, Windows Defender scans removable drives during any type 
        of scan. If you specify a value of $False or do not specify a value, Windows Defender does not scan removable 
        drives during a full scan. Windows Defender can still scan removable drives during quick scans or custom scans.
        
    -DisableRestorePoint [Boolean]
        Indicates whether to disable scanning of restore points.
        
    -DisableScanningMappedNetworkDrivesForFullScan [Boolean]
        Indicates whether to scan mapped network drives. If you specify a value of $True, Windows Defender scans 
        mapped network drives. If you specify a value of $False or do not specify a value, Windows Defender does not 
        scan mapped network drives.
        
    -DisableScanningNetworkFiles [Boolean]
        Indicates whether to scan for network files. If you specify a value of $True, Windows Defender scans network 
        files. If you specify a value of $False or do not specify a value, Windows Defender does not scan network 
        files. We do not recommend that you scan network files.
        
    -DisableScriptScanning [Boolean]
        Specifies whether to disable the scanning of scripts during malware scans.
        
    -ExclusionExtension [String[]]
        Specifies an array of file name extensions, such as obj or lib, to exclude from scheduled, custom, and 
        real-time scanning.
        
    -ExclusionPath [String[]]
        Specifies an array of file paths to exclude from scheduled and real-time scanning. You can specify a folder to 
        exclude all the files under the folder.
        
    -ExclusionProcess [String[]]
        Specifies an array of processes, as paths to process images. This cmdlet excludes any files opened by the 
        processes that you specify from scheduled and real-time scanning. Specifying this parameter excludes files 
        opened by executable programs only. The cmdlet does not exclude the processes themselves. To exclude a 
        process, specify it by using the ExclusionPath parameter.
        
    -Force
        Forces the command to run without asking for user confirmation.
        
    -HighThreatDefaultAction [ThreatAction]
        Specifies which automatic remediation action to take for a high level threat. The acceptable values for this 
        parameter are:
        
        -- Quarantine 
        -- Remove 
        -- Ignore
        
    -LowThreatDefaultAction [ThreatAction]
        Specifies which automatic remediation action to take for a low level threat. The acceptable values for this 
        parameter are:
        
        -- Quarantine 
        -- Remove 
        -- Ignore
        
    -MAPSReporting [MAPSReportingType]
        Specifies the type of membership in Microsoft Active Protection Service. Microsoft Active Protection Service 
        is an online community that helps you choose how to respond to potential threats. The community also helps 
        prevent the spread of new malicious software. The acceptable values for this parameter are:
        
        -- 0: Disabled. Send no information to Microsoft. This is the default value. 
        -- 1: Basic membership. Send basic information to Microsoft about detected software, including where the 
        software came from, the actions that you apply or that apply automatically, and whether the actions succeeded. 
        -- 2: Advanced membership. In addition to basic information, send more information to Microsoft about 
        malicious software, spyware, and potentially unwanted software, including the location of the software, file 
        names, how the software operates, and how it affects your computer.
        
        If you join this community, you can choose to automatically send basic or additional information about 
        detected software. Additional information helps Microsoft create new definitions. In some instances, personal 
        information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to 
        identify you or contact you.
        
    -ModerateThreatDefaultAction [ThreatAction]
        Specifies which automatic remediation action to take for a moderate level threat. The acceptable values for 
        this parameter are:
        
        -- Quarantine 
        -- Remove 
        -- Ignore
        
    -QuarantinePurgeItemsAfterDelay [UInt32]
        Specifies the number of days to keep items in the Quarantine folder. If you specify a value of zero or do not 
        specify a value for this parameter, items stay in the Quarantine folder indefinitely.
        
    -RandomizeScheduleTaskTimes [Boolean]
        Indicates whether to select a random time for the scheduled start and scheduled update for definitions. If you 
        specify a value of $True or do not specify a value, scheduled tasks begin within 30 minutes, before or after, 
        the scheduled time. If you randomize the start times, it can distribute the impact of scanning. For example, 
        if several virtual machines share the same host, randomized start times prevents all the hosts from starting 
        the scheduled tasks at the same time.
        
    -RealTimeScanDirection [ScanDirection]
        Specifies scanning configuration for incoming and outgoing files on NTFS volumes. The acceptable values for 
        this parameter are:
        
        -- 0: Scan both incoming and outgoing files. This is the default. 
        -- 1: Scan incoming files only. 
        -- 2: Scan outgoing files only. 
        
        Specify a value for this parameter to enhance performance on servers which have a large number of file 
        transfers, but need scanning for either incoming or outgoing files. Evaluate this configuration based on the 
        server role. For non-NTFS volumes, Windows Defender performs full monitoring of file and program activity.
        
    -RemediationScheduleDay [Day]
        Specifies the day of the week on which to perform a scheduled full scan in order to complete remediation. 
        Alternatively, specify everyday for this full scan or never. The acceptable values for this parameter are:
        
        -- 0: Everyday
        -- 1: Sunday
        -- 2: Monday
        -- 3: Tuesday 
        -- 4: Wednesday
        -- 5: Thursday 
        -- 6: Friday
        -- 7: Saturday
        -- 8: Never 
        
        The default value is 8, never. If you specify a value of 8 or do not specify a value, Windows Defender 
        performs a scheduled full scan to complete remediation by using a default frequency.
        
    -RemediationScheduleTime [DateTime]
        Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan. The time 
        refers to the local time on the computer. If you do not specify a value for this parameter, a scheduled scan 
        runs at the default time of two hours after midnight.
        
    -ReportingAdditionalActionTimeOut [UInt32]
        Specifies the number of minutes before a detection in the additional action state changes to the cleared state.
        
    -ReportingCriticalFailureTimeOut [UInt32]
        Specifies the number of minutes before a detection in the critically failed state changes to either the 
        additional action state or the cleared state.
        
    -ReportingNonCriticalTimeOut [UInt32]
        Specifies the number of minutes before a detection in the non-critically failed state changes to the cleared 
        state.
        
    -ScanAvgCPULoadFactor [Byte]
        Specifies the maximum percentage CPU usage for a scan. The acceptable values for this parameter are: integers 
        from 5 through 100, and the value 0, which disables CPU throttling. Windows Defender does not exceed the 
        percentage of CPU usage that you specify. The default value is 50.
        
    -ScanOnlyIfIdleEnabled [Boolean]
        Indicates whether to start scheduled scans only when the computer is not in use. If you specify a value of 
        $True or do not specify a value, Windows Defender runs schedules scans when the computer is on, but not in use.
        
    -ScanParameters [ScanType]
        Specifies the scan type to use during a scheduled scan. The acceptable values for this parameter are:
        
        -- 1: Quick scan
         -- 2: Full scan 
        
        If you do not specify this parameter, Windows Defender uses the default value of quick scan.
        
    -ScanPurgeItemsAfterDelay [UInt32]
        Specifies the number of days to keep items in the scan history folder. After this time, Windows Defender 
        removes the items. If you specify a value of zero, Windows Defender does not remove items. If you do not 
        specify a value, Windows Defender removes items from the scan history folder after the default length of time, 
        which is 30 days.
        
    -ScanScheduleDay [Day]
        Specifies the day of the week on which to perform a scheduled scan. Alternatively, specify everyday for a 
        scheduled scan or never. The acceptable values for this parameter are:
        
        -- 0: Everyday 
        -- 1: Sunday 
        -- 2: Monday 
        -- 3: Tuesday 
        -- 4: Wednesday 
        -- 5: Thursday 
        -- 6: Friday 
        -- 7: Saturday 
        -- 8: Never
        
        The default value is 8, never. If you specify a value of 8 or do not specify a value, Windows Defender does 
        not perform scheduled scans.
        
    -ScanScheduleQuickScanTime [DateTime]
        Specifies the time of day, as the number of minutes after midnight, to perform a scheduled quick scan. The 
        time refers to the local time on the computer. If you do not specify a value for this parameter, a scheduled 
        quick scan runs at the time specified by the ScanScheduleTime parameter. That parameter has a default time of 
        two hours after midnight.
        
    -ScanScheduleTime [DateTime]
        Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan. The time 
        refers to the local time on the computer. If you do not specify a value for this parameter, a scheduled scan 
        runs at a default time of two hours after midnight.
        
    -SevereThreatDefaultAction [ThreatAction]
        Specifies which automatic remediation action to take for a severe level threat. The acceptable values for this 
        parameter are:
        
        -- Quarantine 
        -- Remove 
        -- Ignore
        
    -SignatureAuGracePeriod [UInt32]
        Specifies a grace period, in minutes, for the definition. If a definition successfully updates within this 
        period, Windows Defender abandons any service initiated updates.
        
    -SignatureDefinitionUpdateFileSharesSources [String]
        Specifies file-share sources for definition updates. Specify sources as a bracketed sequence of Universal 
        Naming Convention (UNC) locations, separated by the pipeline symbol; for example, { \\Server01\Share01 | 
        \\Server02\Share02 | \\Server03\Share03}. If you specify a value for this parameter, Windows Defender attempts 
        to connect to the shares in the order that you specify. After Windows Defender updates a definition, it stops 
        attempting to connect to shares on the list. If you do not specify a value for this parameter, the list is 
        empty.
        
    -SignatureDisableUpdateOnStartupWithoutEngine [Boolean]
        Indicates whether to initiate definition updates even if no antimalware engine is present. If you specify a 
        value of $True or do not specify a value, Windows Defender initiates definition updates on startup. If you 
        specify a value of $False, and if no antimalware engine is present, Windows Defender does not initiate 
        definition updates on startup.
        
    -SignatureFallbackOrder [String]
        Specifies the order in which to contact different definition update sources. Specify the types of update 
        sources in the order in which you want Windows Defender to contact them, enclosed in braces and separated by 
        the pipeline symbol; for example, { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }. The 
        values that you can specify in the string are:
        
        -- InternalDefinitionUpdateServer
        -- MicrosoftUpdateServer
        -- MMPC
        -- FileShares
        
        MMPC refers to Microsoft Malware Protection Center.
        
        If you specify a value for this parameter, Windows Defender contacts the definition update sources in the 
        specified order. After Windows Defender downloads definition updates from a source, it stops attempting to 
        connect to other sources. If you do not specify a value for this parameter, Windows Defender contacts sources 
        in the default order of { MicrosoftUpdateServer | MMPC }.
        
    -SignatureFirstAuGracePeriod [UInt32]
        Specifies a grace period, in minutes, for the definition. If a definition successfully updates within this 
        period, Windows Defender abandons any service initiated updates. This parameter overrides the value of the 
        CheckForSignaturesBeforeRunningScan parameter.
        
    -SignatureScheduleDay [Day]
        Specifies the day of the week on which to check for definition updates. Alternatively, specify everyday for a 
        scheduled scan or never. The acceptable values for this parameter are:
        
        -- 0: Everyday 
        -- 1: Sunday 
        -- 2: Monday 
        -- 3: Tuesday 
        -- 4: Wednesday 
        -- 5: Thursday 
        -- 6: Friday 
        -- 7: Saturday 
        -- 8: Never 
        
        The default value is 8, never. If you specify a value of 8 or do not specify a value, Windows Defender checks 
        for definition updates by using a default frequency.
        
    -SignatureScheduleTime [DateTime]
        Specifies the time of day, as the number of minutes after midnight, to check for definition updates. The time 
        refers to the local time on the computer. If you do not specify a value for this parameter, Windows Defender 
        checks for definition updates at the default time of 15 minutes before the scheduled scan time.
        
    -SignatureUpdateCatchupInterval [UInt32]
        Specifies the number of days after which Windows Defender requires a catch-up definition update. If you do not 
        specify a value for this parameter, Windows Defender requires a catch-up definition update after the default 
        value of one day.
        
    -SignatureUpdateInterval [UInt32]
        Specifies the interval, in hours, at which to check for definition updates. The acceptable values for this 
        parameter are: integers from 1 through 24. If you do not specify a value for this parameter, Windows Defender 
        checks at the default interval. You can use this parameter instead of the SignatureScheduleDay parameter and 
        SignatureScheduleTime parameter.
        
    -SubmitSamplesConsent [SubmitSamplesConsentType]
        Specifies how Windows Defender checks for user consent for certain samples. If consent has previously been 
        granted, Windows Defender submits the samples. Otherwise, if the MAPSReporting parameter does not have a value 
        of Disabled, Windows Defender prompts the user for consent. The acceptable values for this parameter are:
        
        --0: Always prompt
        --1: Send safe samples automatically 
        --2: Never send
        --3: Send all samples automatically
        
    -ThreatIDDefaultAction_Actions [ThreatAction]
        Specifies an array of the actions to take for the IDs specified by using the ThreatIDDefaultAction_Ids 
        parameter. The acceptable values for this parameter are:
        
        -- 1: Clean 
        -- 2: Quarantine 
        -- 3: Remove 
        -- 4: Allow 
        -- 8: UserDefined 
        -- 9: NoAction 
        -- 10: Block
        
    -ThreatIDDefaultAction_Ids [int64]
        Specifies an array of threat IDs. This cmdlet modifies the default action for the threat IDs that you specify.
        
    -ThrottleLimit [int32]
        Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this 
        parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit 
        for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies 
        only to the current cmdlet, not to the session or to the computer.
        
    -UILockdown [Boolean]
        Indicates whether to disable UI lockdown mode. If you specify a value of $True, Windows Defender disables UI 
        lockdown mode. If you specify $False or do not specify a value, UI lockdown mode is enabled.
        
    -UnknownThreatDefaultAction [ThreatAction]
        Specifies which automatic remediation action to take for an unknown level threat. The acceptable values for 
        this parameter are:
        
        -- Quarantine 
        -- Remove 
        -- Ignore

Set-MpPreference configures preferences for Windows Defender scans and updates. You can modify exclusion file name extensions, paths, or processes, and specify the default action for high, moderate, and low threat levels.

Examples

Enable Windows Defender PUA protection:

PS C:\> Set-MpPreference -PUAProtection Enabled

Disable Windows Defender PUA protection:

PS C:\> Set-MpPreference -PUAProtection Disabled

Set a schedule to check for definition updates everyday:

PS C:\> Set-MpPreference -SignatureScheduleDay Everyday

Schedule the time of day for definition updates to 120 minutes after midnight:

PS C:\> Set-MpPreference -SignatureScheduleTime 120

“There can be no defence like elaborate courtesy” ~ E. V. Lucas

Related PowerShell Cmdlets

Add-MpPreference
Get-MpComputerStatus
Get-MpPreference
Get-MpThreat
Get-MpThreatCatalog
Get-MpThreatDetection


 
Copyright © 1999-2024 SS64.com
Some rights reserved