Microsoft Defender for Endpoint

Manages the preferences of the antivirus component of Microsoft Defender for Endpoint.

Configure the cloud-driven protection features of Microsoft Defender for Endpoint.

Manage the preferences for the user interface.

Manage the preferences of the endpoint detection and response (EDR) component.

Tamper protection helps prevent unauthorized removal of Microsoft Defender for Endpoint.

Device control can be used to customize the URL target for notifications raised by device control, and allow or block removable devices.

—

—

—

—

Determines whether behavior monitoring and blocking capability is enabled on the device or not.

Enforcement level of antivirus engine. On-demand: Files are scanned only on demand; Passive: Same as on-demand, but also security intelligence updates are enabled, and the status menu icon is hidden; Real-time: Scan files as they are accessed.

Depends on: antivirusEngine.behaviorMonitoring ∈ [enabled]

When this feature is enabled, Defender for Endpoint will compute hashes for files it scans.

Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting will trigger an antivirus scan on the running processes of the device.

If true, Defender will unpack archives and scan files inside them. Otherwise archive content will be skipped, that will improve scanning performance.

The number of threads used to perform the scan.

Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only). This setting can be used to restrict local users from defining their own exclusions.

Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.

List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.

Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface. Use unique values.

The threatTypeSettings preference in the antivirus engine is used to control how certain threat types are handled by the product.

Specify the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (merge) or only administrator-defined settings (admin_only). This setting can be used to restrict local users from defining their own settings for different threat types.

The number of days (1-180) that results are retained in the scan history on the device.

The maximum number of entries to keep in the scan history.

Locates and stops malware from installing or running on your device. You can turn off this setting for a short time before it turns back on automatically.

Whether the antivirus engine runs in passive mode or not.

—

Specify content excluded from being scanned by type.

Path to exclude, wildcards are supported

Directory if selected, or file if not selected

Specify content excluded from being scanned by file extension.

Process name, either or full path or file name, wildcards supported

—

—

—

Type of the threat for which the behavior is configured.

Action to take when coming across a threat of the type specified in the preceding section.

Provides increased, faster protection with access to the latest protection data in the cloud. Works best with automatic sample submission turned on

We encourage you to share your diagnostic and usage data with us to help improve Microsoft products and services.

Determines how aggressive Defender for Endpoint will be in blocking and scanning suspicious files.

Determines whether suspicious samples are sent to Microsoft.

Determines whether security intelligence updates are installed automatically:

Sends sample files to Microsoft to help protect device users and your organization from potential threats

Whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.

Specify whether users can submit feedback to Microsoft by going to Help > Send Feedback.

Specify whether users can sign into the consumer version of Microsoft Defender

—

—

—

Specifies the type of tag

Specifies the value of tag

Specifies if tamper protection is disabled, in audit mode, or enforced

Defines process that can interfere with Defender without considering it tampering

—

Full and exact path to the process binary

Code signature TeamIdentifier

Code signature Identifier

Command line arguments

—

Configure the URL that is opened when end users click the notification shown when a device control policy is enforced.

Restrict access to removable media.

JSON string representing the device control policy

Set the removable media enforcement level.

The default permission level for devices that do not match anything else in the policy.

Restrict removable media by vendor.

—

—

—

—

—

—

—

—

—

—

—

—

—

—

Whether data loss prevention enforcement is enabled on the machine.

Schedule scans with Microsoft Defender for Endpoint.

Specifies if network protection is disabled, in audit mode, or enforced

—

—

—

The signing id of the application to exclude from data loss prevention.

—

The name of a DLP feature to enable or disable.

Enable a feature up to a deployment ring (default production), or force disable a feature for all rings.

Limit enabling the feature to a specific deployment ring.

Check for definitions update before initiating a scheduled scan

Check for definitions update before initiating a scheduled scan

Should exclusions be ignored during a scheduled scan

Should scheduled scan be run with low priority. (Scan might take longer to complete).

Run scheduled scan when the device is idle. Only applicable for weekly full scans.

Should scheduled scan be run with low priority. (Scan might take longer to complete).

Specifies the type of scan to perform.