diff --git a/Removable Storage Access Control Samples/WindowsDefender.adml b/Removable Storage Access Control Samples/WindowsDefender.adml
index cade25a..7299ffc 100644
--- a/Removable Storage Access Control Samples/WindowsDefender.adml
+++ b/Removable Storage Access Control Samples/WindowsDefender.adml
@@ -1,1338 +1,1298 @@
-
-enter display name here
-enter description here
-
-
- Microsoft Defender Antivirus
- Endpoint Protection
- Exclusions
- Features
- Device Control
- Microsoft Defender Exploit Guard
- Attack Surface Reduction
- Controlled Folder Access
- Network Protection
- Network Inspection System
- Exclusions
- Quarantine
- Real-time Protection
- Remediation
- Reporting
- Scan
- Security Intelligence Updates
- MAPS
- Threats
- Client Interface
- MpEngine
- Allow antimalware service to startup with normal priority
- This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance.
-
- If you enable or do not configure this setting, the antimalware service will load as a normal priority task.
-
- If you disable this setting, the antimalware service will load as a low priority task.
-
- Allows Microsoft Defender Antivirus to update and communicate over a metered connection.
-
- Disabled (Default):
- Updates and communications are not allowed over metered connections.
-
- Enabled:
- Allow managed devices to update through metered connections. Data charges may apply.
- Control whether or not exclusions are visible to Local Admins.
-
- This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled.
- Disabled(Default):
- If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App or via PowerShell.
-
- Enabled:
- If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
- Note: Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in Get-MpPreference.
- This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.
-
- Disabled (Default):
- If Not Configured or Disabled, network protection is not allowed to be configured into block or audit mode on Windows Server.
-
- Enabled:
- If Enabled, administrators can control whether Network Protection is allowed to be configured into block or audit mode on Windows Server.
- Note, that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false, EnableNetworkProtection will be ignored, otherwise network protection will start on Windows Server depending on the value of EnableNetworkProtection.
- This setting controls datagram processing for network protection.
-
- Enabled (Default):
- If Not Configured or Disabled, datagram processing will be enabled for network protection.
-
- Enabled:
- If Enabled, datagram processing will be disabled for network protection.
- Turn off Auto Exclusions
-
- Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.
-
- Disabled (Default):
- Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance.
-
- Enabled:
- Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios.
-
- Not configured:
- Same as Disabled.
-
- Turn off Endpoint Protection
- This policy setting turns off Endpoint Protection.
-
- If you enable this policy setting, Endpoint Protection does not run, and computers are not scanned for malware or other potentially unwanted software.
-
- If you disable or do not configure this policy setting, by default Endpoint Protection runs and computers are scanned for malware and other potentially unwanted software.
-
- Turn off Microsoft Defender Antivirus
- This policy setting turns off Microsoft Defender Antivirus.
-
- If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software.
-
- If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product.
-
- If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software.
-
- Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured.
- Configure local administrator merge behavior for lists
- This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions.
-
- If you disable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings.
-
- If you enable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.
- Turn off routine remediation
-
- This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action.
-
- If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat.
-
- If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.
-
- This policy setting allows you to configure whether Endpoint Protection automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action.
-
- If you enable this policy setting, Endpoint Protection does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat.
-
- If you disable or do not configure this policy setting, Endpoint Protection automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.
-
- Define addresses to bypass proxy server
- This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL.
-
- If you enable this setting, the proxy server will be bypassed for the specified addresses.
-
- If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses.
- Define proxy auto-config (.pac) for connecting to the network
- This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order):
- 1. Proxy server (if specified)
- 2. Proxy .pac URL (if specified)
- 3. None
- 4. Internet Explorer proxy settings
- 5. Autodetect
-
- If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above.
-
- If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above.
- Define proxy server for connecting to the network
- This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order):
- 1. Proxy server (if specified)
- 2. Proxy .pac URL (if specified)
- 3. None
- 4. Internet Explorer proxy settings
- 5. Autodetect
-
- If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://.
-
- If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above.
-
- Randomize scheduled task times
- This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours.
-
- If you disable or do not configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours.
- Configure scheduled task times randomization window
- This policy setting allows you to configure scheduled scan start time and the scheduled security intelligence update start time window in hours.
-
- If you disable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 4 hours after the specified start time.
- If you enable this setting, you must pick a randomization window in hours. The possible randomization window interval is between 1 and 23 hours.
- Allow antimalware service to remain running always
- This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled.
-
- If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled.
-
- If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped.
- Configure detection for potentially unwanted applications
-
- Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer.
-
- Enabled:
- Specify the mode in the Options section:
- -Block: Potentially unwanted software will be blocked.
- -Audit Mode: Potentially unwanted software will not be blocked, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs.
-
- Disabled:
- Potentially unwanted software will not be blocked.
-
- Not configured:
- Same as Disabled.
-
- Define the directory path to copy support log files
- This policy setting allows you to configure the directory path where the support log files would be copied to. The value of this setting should be a valid directory path.
-
- If you enable this setting, the support log files will be copied to the specified support log location path.
-
- If you disable or do not configure this setting, the support logs files will not be copied to any location.
- Extension Exclusions
- This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.
- Path Exclusions
- This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0.
- Process Exclusions
- This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.
- Ip Address Exclusions
- Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
- Turn on protocol recognition
- This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities.
-
- If you enable or do not configure this setting, protocol recognition will be enabled.
-
- If you disable this setting, protocol recognition will be disabled.
- Turn on definition retirement
- This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocal are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance.
-
- If you enable or do not configure this setting, definition retirement will be enabled.
-
- If you disable this setting, definition retirement will be disabled.
- Specify additional definition sets for network traffic inspection
- This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0.
- Configure local setting override for the removal of items from Quarantine folder
- This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure removal of items from Quarantine folder
- This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
-
- If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
-
- If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
-
- Turn on script scanning
- This policy setting allows you to configure script scanning.
-
- If you enable or do not configure this setting, script scanning will be enabled.
-
- If you disable this setting, script scanning will be disabled.
-
- Turn on behavior monitoring
- This policy setting allows you to configure behavior monitoring.
-
- If you enable or do not configure this setting, behavior monitoring will be enabled.
-
- If you disable this setting, behavior monitoring will be disabled.
- Scan all downloaded files and attachments
- This policy setting allows you to configure scanning for all downloaded files and attachments.
-
- If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.
-
- If you disable this setting, scanning for all downloaded files and attachments will be disabled.
- Monitor file and program activity on your computer
- This policy setting allows you to configure monitoring for file and program activity.
-
- If you enable or do not configure this setting, monitoring for file and program activity will be enabled.
-
- If you disable this setting, monitoring for file and program activity will be disabled.
- Turn on raw volume write notifications
- This policy setting controls whether raw volume write notifications are sent to behavior monitoring.
-
- If you enable or do not configure this setting, raw write notifications will be enabled.
-
- If you disable this setting, raw write notifications be disabled.
- Turn off real-time protection
- This policy turns off real-time protection in Microsoft Defender Antivirus.
-
- Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections.
-
- If you enable this policy setting, real-time protection is turned off.
-
- If you either disable or do not configure this policy setting, real-time protection is turned on.
-
- This policy setting turns off real-time protection prompts for known malware detection.
-
- Endpoint Protection alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer.
-
- If you enable this policy setting, Endpoint Protection will not prompt users to take actions on malware detections.
-
- If you disable or do not configure this policy setting, Endpoint Protection will prompt users to take actions on malware detections.
-
- Turn on process scanning whenever real-time protection is enabled
- This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off.
-
- If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on.
-
- If you disable this setting, a process scan will not be initiated when real-time protection is turned on.
- Define the maximum size of downloaded files and attachments to be scanned
- This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned.
-
- If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned.
-
- If you disable or do not configure this setting, a default size will be applied.
- Configure local setting override for turn on behavior monitoring
- This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure local setting override for monitoring file and program activity on your computer
- This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure local setting override for scanning all downloaded files and attachments
- This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure local setting override to turn on real-time protection
- This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure local setting override for monitoring for incoming and outgoing file activity
- This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure monitoring for incoming and outgoing file and program activity
- This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role.
-
- Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.
-
- The options for this setting are mutually exclusive:
- 0 = Scan incoming and outgoing files (default)
- 1 = Scan incoming files only
- 2 = Scan outgoing files only
-
- Any other value, or if the value does not exist, resolves to the default (0).
-
- If you enable this setting, the specified type of monitoring will be enabled.
-
- If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.
- bi-directional (full on-access)
- scan only incoming (disable on-open)
- scan only outgoing (disable on-close)
- Configure local setting override for the time of day to run a scheduled full scan to complete remediation
- This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Specify the day of the week to run a scheduled full scan to complete remediation
- This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all.
-
- This setting can be configured with the following ordinal number values:
- (0x0) Every Day
- (0x1) Sunday
- (0x2) Monday
- (0x3) Tuesday
- (0x4) Wednesday
- (0x5) Thursday
- (0x6) Friday
- (0x7) Saturday
- (0x8) Never (default)
-
- If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified.
-
- If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency.
- Never
- Every Day
- Sunday
- Monday
- Tuesday
- Wednesday
- Thursday
- Friday
- Saturday
- Specify the time of day to run a scheduled full scan to complete remediation
- This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing.
-
- If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified.
-
- If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time.
- Configure time out for detections requiring additional action
- This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state.
- Configure time out for detections in critically failed state
- This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state.
- Configure Watson events
- This policy setting allows you to configure whether or not Watson events are sent.
-
- If you enable or do not configure this setting, Watson events will be sent.
-
- If you disable this setting, Watson events will not be sent.
- Configure time out for detections in non-critical failed state
- This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state.
- Configure time out for detections in recently remediated state
- This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.
- Configure Windows software trace preprocessor components
- This policy configures Windows software trace preprocessor (WPP Software Tracing) components.
- Configure WPP tracing level
- This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing).
- Tracing levels are defined as:
- 1 - Error
- 2 - Warning
- 3 - Info
- 4 - Debug
- Turn off enhanced notifications
-
- Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients.
-
- If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients.
-
- If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients.
-
- Configure time interval for service health reports
- This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints.
-
- If you disable or do not configure this setting, the default value will be applied. The default value is set at 60 minutes (1 hour).
-
- If you configure this setting to 0, no service health reports will be sent.
-
- The maximum value allowed to be set is 14400 minutes (10 days).
- Configure whether to report Dynamic Signature dropped events
- This policy setting configures whether to report Dynamic Signature dropped events.
-
- If you do not configure this setting, the default value will be applied. The default value is set to disabled (such events are not reported).
- If you configure this setting to enabled, Dynamic Signature dropped events will be reported.
- If you configure this setting to disabled, Dynamic Signature dropped events will not be reported.
- Allow users to pause scan
- This policy setting allows you to manage whether or not end users can pause a scan in progress.
-
- If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan.
-
- If you disable this setting, users will not be able to pause scans.
- Specify the maximum depth to scan archive files
- This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
-
- If you enable this setting, archive files will be scanned to the directory depth level specified.
-
- If you disable or do not configure this setting, archive files will be scanned to the default directory depth level.
- Specify the maximum size of archive files to be scanned
- This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
-
- If you enable this setting, archive files less than or equal to the size specified will be scanned.
-
- If you disable or do not configure this setting, archive files will be scanned according to the default value.
- Specify the maximum percentage of CPU utilization during a scan
- This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50.
-
- If you enable this setting, CPU utilization will not exceed the percentage specified.
-
- If you disable or do not configure this setting, CPU utilization will not exceed the default value.
- Check for the latest virus and spyware security intelligence before running a scheduled scan
- This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan.
-
- This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or to the ones started from the command line using "mpcmdrun -Scan".
-
- If you enable this setting, a check for new security intelligence will occur before running a scan.
-
- If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence.
- Scan archive files
- This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
-
- If you enable or do not configure this setting, archive files will be scanned.
-
- If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans.
- Turn on catch-up full scan
- This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-
- If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
-
- If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
- CPU throttling type
- This policy setting determines whether the maximum percentage CPU utilization permitted during a scan applies only to scheduled scans, or to both scheduled and custom scans (but not real-time protection). The maximum CPU utilization limit is also referred to as CPU throttling, or a CPU usage limit.
-
- The default value for this policy setting is True, which means CPU throttling is applied only to scheduled scans.
-
- If you either enable or do not configure this setting, CPU throttling will apply only to scheduled scans.
-
- If you disable this setting, CPU throttling will apply to scheduled and custom scans.
- Turn on catch-up quick scan
- This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-
- If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
-
- If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
- Turn on e-mail scanning
- This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients.
-
- If you enable this setting, e-mail scanning will be enabled.
-
- If you disable or do not configure this setting, e-mail scanning will be disabled.
- Turn on heuristics
- This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics.
-
- If you enable or do not configure this setting, heuristics will be enabled.
-
- If you disable this setting, heuristics will be disabled.
- Scan removable drives
- This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
-
- If you enable this setting, removable drives will be scanned during any type of scan.
-
- If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
- Turn on reparse point scanning
- This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality.
-
- If you enable this setting, reparse point scanning will be enabled.
-
- If you disable or do not configure this setting, reparse point scanning will be disabled.
- Create a system restore point
- This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning.
-
- If you enable this setting, a system restore point will be created.
-
- If you disable or do not configure this setting, a system restore point will not be created.
- Run full scan on mapped network drives
- This policy setting allows you to configure scanning mapped network drives.
-
- If you enable this setting, mapped network drives will be scanned.
-
- If you disable or do not configure this setting, mapped network drives will not be scanned.
- Scan network files
- This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
-
- If you enable this setting, network files will be scanned.
-
- If you disable or do not configure this setting, network files will not be scanned.
- Configure local setting override for maximum percentage of CPU utilization
- This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure local setting override for the scan type to use for a scheduled scan
- This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure local setting override for schedule scan day
- This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure local setting override for scheduled quick scan time
- This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Configure local setting override for scheduled scan time
- This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Turn on removal of items from scan history folder
- This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days.
-
- If you enable this setting, items will be removed from the scan history folder after the number of days specified.
-
- If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days.
- Specify the interval to run quick scans per day
- This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0.
-
- If you enable this setting, a quick scan will run at the interval specified.
-
- If you disable or do not configure this setting, quick scan controlled by this config will not be run.
- Start the scheduled scan only when computer is on but not in use
- This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use.
-
- If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use.
-
- If you disable this setting, scheduled scans will run at the scheduled time.
- Specify the scan type to use for a scheduled scan
- This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are:
- 1 = Quick Scan (default)
- 2 = Full Scan
-
- If you enable this setting, the scan type will be set to the specified value.
-
- If you disable or do not configure this setting, the default scan type will used.
- Quick scan
- Full system scan
- Specify the day of the week to run a scheduled scan
- This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.
-
- This setting can be configured with the following ordinal number values:
- (0x0) Every Day
- (0x1) Sunday
- (0x2) Monday
- (0x3) Tuesday
- (0x4) Wednesday
- (0x5) Thursday
- (0x6) Friday
- (0x7) Saturday
- (0x8) Never (default)
-
- If you enable this setting, a scheduled scan will run at the frequency specified.
-
- If you disable or do not configure this setting, a scheduled scan will run at a default frequency.
- Never
- Every Day
- Sunday
- Monday
- Tuesday
- Wednesday
- Thursday
- Friday
- Saturday
- Specify the time for a daily quick scan
- This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing.
-
- If you enable this setting, a daily quick scan will run at the time of day specified.
-
- If you disable or do not configure this setting, daily quick scan controlled by this config will not be run.
- Specify the time of day to run a scheduled scan
- This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
-
- If you enable this setting, a scheduled scan will run at the time of day specified.
-
- If you disable or do not configure this setting, a scheduled scan will run at a default time.
- Define the number of days after which a catch-up scan is forced
-
- This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans.
-
- If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans.
-
- If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans.
- Configure low CPU priority for scheduled scans
-
- This policy setting allows you to enable or disable low CPU priority for scheduled scans.
-
- If you enable this setting, low CPU priority will be used during scheduled scans.
-
- If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
-
- Define the number of days before spyware security intelligence is considered out of date
- This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days.
-
- If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update.
-
- If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.
- Define the number of days before virus security intelligence is considered out of date
- This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days.
-
- If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update.
-
- If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update.
- Define file shares for downloading security intelligence updates
- This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.
-
- If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
-
- If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
- Define security intelligence location for VDI clients.
- This policy setting allows you to define the security intelligence location for VDI-configured computers.
-
- If you disable or do not configure this setting, security intelligence will be referred from the default local source.
- Turn on scan after security intelligence update
- This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred.
-
- If you enable or do not configure this setting, a scan will start following a security intelligence update.
-
- If you disable this setting, a scan will not start following a security intelligence update.
- Allow security intelligence updates when running on battery power
- This policy setting allows you to configure security intelligence updates when the computer is running on battery power.
-
- If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state.
-
- If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power.
- Initiate security intelligence update on startup
- This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present.
-
- If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present.
-
- If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present.
- Define the order of sources for downloading security intelligence updates
- This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”
-
- For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
-
- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
-
- If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order.
- Allow security intelligence updates from Microsoft Update
- This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update.
-
- If you enable this setting, security intelligence updates will be downloaded from Microsoft Update.
-
- If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source.
- Allow real-time security intelligence updates based on reports to Microsoft MAPS
- This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work.
-
- If you enable or do not configure this setting, real-time security intelligence updates will be enabled.
-
- If you disable this setting, real-time security intelligence updates will disabled.
- Specify the day of the week to check for security intelligence updates
- This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all.
-
- This setting can be configured with the following ordinal number values:
- (0x0) Every Day (default)
- (0x1) Sunday
- (0x2) Monday
- (0x3) Tuesday
- (0x4) Wednesday
- (0x5) Thursday
- (0x6) Friday
- (0x7) Saturday
- (0x8) Never
-
- If you enable this setting, the check for security intelligence updates will occur at the frequency specified.
-
- If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency.
- Never
- Every Day
- Sunday
- Monday
- Tuesday
- Wednesday
- Thursday
- Friday
- Saturday
- Specify the time to check for security intelligence updates
- This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring.
-
- If you enable this setting, the check for security intelligence updates will occur at the time of day specified.
-
- If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time.
- Allow notifications to disable security intelligence based reports to Microsoft MAPS
- This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work.
-
- If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence.
-
- If you disable this setting, the antimalware service will not receive notifications to disable security intelligence.
- Define the number of days after which a catch-up security intelligence update is required
- This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day.
-
- If you enable this setting, a catch-up security intelligence update will occur after the specified number of days.
-
- If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days.
- Specify the interval for expiry notification
-
- This policy setting allows you to specify an interval(in days) for expiry notification.
- If a signature expiry or platform expiry is impending, this value tells how soon AM UI will notify customers.
-
- Value should be greater than zero for the policy to be active.
-
- Specify the interval to check for security intelligence updates
- This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
-
- If you enable this setting, checks for security intelligence updates will occur at the interval specified.
-
- If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval.
- Check for the latest virus and spyware security intelligence on startup
- This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup.
-
- If you enable this setting, a check for new security intelligence will occur after service startup.
-
- If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup.
- Configure the 'Block at First Sight' feature
- This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
- Enabled – The Block at First Sight setting is turned on.
- Disabled – The Block at First Sight setting is turned off.
-
- This feature requires these Group Policy settings to be set as follows:
- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function.
- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function.
- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature will not function.
- Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function.
- Configure local setting override for reporting to Microsoft MAPS
- This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy.
-
- If you enable this setting, the local preference setting will take priority over Group Policy.
-
- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
- Send file samples when further analysis is required
-
- This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set.
-
- Possible options are:
- (0x0) Always prompt
- (0x1) Send safe samples automatically
- (0x2) Never send
- (0x3) Send all samples automatically
-
-
- Always prompt
- Send safe samples
- Never send
- Send all samples
-
- Join Microsoft MAPS
- This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
-
- You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.
-
- Possible options are:
- (0x0) Disabled (default)
- (0x1) Basic membership
- (0x2) Advanced membership
-
- Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful.
-
- Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.
-
- If you enable this setting, you will join Microsoft MAPS with the membership specified.
-
- If you disable or do not configure this setting, you will not join Microsoft MAPS.
-
- In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership.
- Disabled
- Basic MAPS
- Advanced MAPS
- Specify threats upon which default action should not be taken when detected
- This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken.
-
- Valid remediation action values are:
- 2 = Quarantine
- 3 = Remove
- 6 = Ignore
- Specify threat alert levels at which default action should not be taken when detected
- This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level.Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken.
-
- Valid threat alert levels are:
- 1 = Low
- 2 = Medium
- 4 = High
- 5 = Severe
-
- Valid remediation action values are:
- 2 = Quarantine
- 3 = Remove
- 6 = Ignore
- Enable headless UI mode
-
- This policy setting allows you to configure whether or not to display AM UI to the users.
- If you enable this setting AM UI won't be available to users.
-
- Suppresses reboot notifications
-
- This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode).
-
- If you enable this setting AM UI won't show reboot notifications.
-
- Suppress all notifications
- Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients.
- If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients.
-
- If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients.
-
- Select cloud protection level
-
- This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files.
-
- If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
-
- For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site.
-
- Note: This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
-
- Possible options are:
- (0x0) Default Microsoft Defender Antivirus blocking level
- (0x1) Moderate Microsoft Defender Antivirus blocking level, delivers verdict only for high confidence detections
- (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
- (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
- (0x6) Zero tolerance blocking level – block all unknown executables
-
- Default blocking level
- Moderate blocking level
- High blocking level
- High+ blocking level
- Zero tolerance blocking level
- Configure extended cloud check
-
- This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe.
-
- The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
-
- For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
-
- Note: This feature depends on three other MAPS settings - "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required" all need to be enabled.
-
- Enable file hash computation feature
-
- Enable or disable file hash computation feature.
-
- Enabled:
- When this feature is enabled Microsoft Defender will compute hash value for files it scans.
-
- Disabled:
- File hash value is not computed
-
- Not configured:
- Same as Disabled.
-
- Prevent users and apps from accessing dangerous websites
-
- Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
-
- Enabled:
- Specify the mode in the Options section:
- -Block: Users and applications will not be able to access dangerous domains
- -Audit Mode: Users and applications can connect to dangerous domains, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs.
-
- Disabled:
- Users and applications will not be blocked from connecting to dangerous domains.
-
- Not configured:
- Same as Disabled.
-
- Exclude files and paths from Attack Surface Reduction Rules
-
- Exclude files and paths from Attack Surface Reduction (ASR) rules.
-
- Enabled:
- Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
- Enter each rule on a new line as a name-value pair:
- - Name column: Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder
- - Value column: Enter ""0"" for each item
-
- Disabled:
- No exclusions will be applied to the ASR rules.
-
- Not configured:
- Same as Disabled.
-
- You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting.
-
- Configure Attack Surface Reduction rules
-
- Set the state for each Attack Surface Reduction (ASR) rule.
-
- After enabling this setting, you can set each rule to the following in the Options section:
- - Block: the rule will be applied
- - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
- - Off: the rule will not be applied
- - Not Configured: the rule is enabled with default values
- - Warn: the rule will be applied and the end-user will have the option to bypass the block
-
- Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured.
-
- Enabled:
- Specify the state for each ASR rule under the Options section for this setting.
- Enter each rule on a new line as a name-value pair:
- - Name column: Enter a valid ASR rule ID
- - Value column: Enter the status ID that relates to state you want to specify for the associated rule
-
- The following status IDs are permitted under the value column:
- - 1 (Block)
- - 0 (Off)
- - 2 (Audit)
- - 5 (Not Configured)
- - 6 (Warn)
-
-
- Example:
- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0
- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1
- xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2
-
- Disabled:
- No ASR rules will be configured.
-
- Not configured:
- Same as Disabled.
-
- You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting.
-
- Configure Controlled folder access
-
- Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
- - Modify or delete files in protected folders, such as the Documents folder
- - Write to disk sectors
-
- You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders.
-
- Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
- Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting.
-
- Block:
- The following will be blocked:
- - Attempts by untrusted apps to modify or delete files in protected folders
- - Attempts by untrusted apps to write to disk sectors
- The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
-
-
- Disabled:
- The following will not be blocked and will be allowed to run:
- - Attempts by untrusted apps to modify or delete files in protected folders
- - Attempts by untrusted apps to write to disk sectors
- These attempts will not be recorded in the Windows event log.
-
-
- Audit Mode:
- The following will not be blocked and will be allowed to run:
- - Attempts by untrusted apps to modify or delete files in protected folders
- - Attempts by untrusted apps to write to disk sectors
- The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.
-
-
- Block disk modification only:
- The following will be blocked:
- - Attempts by untrusted apps to write to disk sectors
- The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
-
- The following will not be blocked and will be allowed to run:
- - Attempts by untrusted apps to modify or delete files in protected folders
- These attempts will not be recorded in the Windows event log.
-
-
- Audit disk modification only:
- The following will not be blocked and will be allowed to run:
- - Attempts by untrusted apps to write to disk sectors
- - Attempts by untrusted apps to modify or delete files in protected folders
- Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124).
- Attempts to modify or delete files in protected folders will not be recorded.
-
- Not configured:
- Same as Disabled.
-
- Disable (Default)
- Block
- Audit Mode
- Block disk modification only
- Audit disk modification only
- Configure allowed applications
-
- Add additional applications that should be considered "trusted" by controlled folder access.
-
- These applications are allowed to modify or delete files in controlled folder access folders.
-
- Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications.
-
- Enabled:
- Specify additional allowed applications in the Options section..
-
- Disabled:
- No additional applications will be added to the trusted list.
-
- Not configured:
- Same as Disabled.
-
- You can enable controlled folder access in the Configure controlled folder access GP setting.
-
- Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting.
-
- Configure protected folders
-
- Specify additional folders that should be guarded by the Controlled folder access feature.
-
- Files in these folders cannot be modified or deleted by untrusted applications.
-
- Default system folders are automatically protected. You can configure this setting to add additional folders.
- The list of default system folders that are protected is shown in Windows Security.
-
- Enabled:
- Specify additional folders that should be protected in the Options section.
-
- Disabled:
- No additional folders will be protected.
-
- Not configured:
- Same as Disabled.
-
- You can enable controlled folder access in the Configure controlled folder access GP setting.
-
- Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
-
- Define device control policy groups
-
- Please follow the device control policy groups xml schema to fill out the policy groups data.
- Alternatively you could use a file path containing the XML groups data.
-
- Define device control policy rules
-
- Please follow the device control policy rules xml schema to fill out the policy rules data.
- Alternatively you could use a file path containing the XML rules data.
-
- Select the channel for Microsoft Defender monthly platform updates
- Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
-
- Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
- Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
- Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
- Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
- Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
-
- If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
-
- Select the channel for Microsoft Defender monthly engine updates
- Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
-
- Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
- Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
- Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
- Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
- Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
-
- If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
-
- Select the channel for Microsoft Defender daily security intelligence updates
- Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.
-
- Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
- Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
- Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
-
- If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
-
- Beta Channel
- Current Channel (Preview)
- Current Channel (Staged)
- Current Channel (Broad)
- Critical - Time delay
- Disable gradual rollout of Microsoft Defender updates.
- Enable this policy to disable gradual rollout of Defender updates.
-
- Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates.
-
- Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates.
-
- If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
- Select Device Control Default Enforcement Policy
-
- Default Allow: Choosing this default enforcement, will Allow any operations to occur on the attached devices if no policy rules are found to match.
- Default Deny: Choosing this default enforcement, will Deny any operations to occur on the attached devices if no policy rules are found to match.
-
- Default Enforcement will establish what decision should be made during the Device Control access checks when none of the policy rules match.
-
- Default Allow
- Default Deny
- Define Device Control evidence data remote location
-
- Define evidence file remote location, where Device Control service will move evidence data captured.
-
- Device Control
-
- Enable or Disable Defender Device Control on this machine.
- Note: You must be enrolled as E3 or E5 in order for Device Control to be enabled.
-
- Intel TDT Integration Level
- This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices.
-
- If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft.
-
- If you configure this setting to disabled, Intel TDT integration will be turned off.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Extension Exclusions
-
-
- Path Exclusions
-
-
- Process Exclusions
-
-
- IP Address Exclusions
-
-
- Specify additional definition sets for network traffic inspection
-
-
- Configure removal of items from Quarantine folder
-
-
- Define the maximum size of downloaded files and attachments to be scanned
-
-
- Configure monitoring for incoming and outgoing file and program activity
-
-
- Specify the day of the week to run a scheduled full scan to complete remediation
-
-
- Specify the time of day to run a scheduled full scan to complete remediation
-
-
- Define the number of scheduled scans that can be missed after which a catch-up scan is forced
-
-
- Configure time out for detections requiring additional action
-
-
- Configure time out for detections in critically failed state
-
-
- Configure time out for detections in non-critical failed state
-
-
- Configure time out for detections in recently remediated state
-
-
- Configure Windows software trace preprocessor components
-
-
- Configure WPP tracing level
-
-
- Configure time interval for service health reports
-
-
- Specify the maximum depth to scan archive files
-
-
- Specify the maximum size of archive files to be scanned
-
-
- Specify the maximum percentage of CPU utilization during a scan
-
-
- Turn on removal of items from scan history folder
-
-
- Specify the interval to run quick scans per day
-
-
- Specify the scan type to use for a scheduled scan
-
-
- Specify the day of the week to run a scheduled scan
-
-
- Specify the time for a daily quick scan
-
-
- Specify the time of day to run a scheduled scan
-
-
- Define the number of days before spyware security intelligence is considered out of date
-
-
- Define the number of days before virus security intelligence is considered out of date
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Specify the day of the week to check for security intelligence updates
-
-
- Specify the time to check for security intelligence updates
-
-
- Define the number of days after which a catch-up security intelligence update is required
-
-
- Specify the interval to check for security intelligence updates
-
-
- Join Microsoft MAPS
-
-
- Send file samples when further analysis is required
-
-
- Specify threats upon which default action should not be taken when detected
-
-
- Specify threat alert levels at which default action should not be taken when detected
-
-
- Specify the interval for expiry notification
-
-
- Select cloud blocking level
-
-
- Specify the extended cloud check time in seconds
-
-
- Configure the guard my folders feature
-
-
- Exclusions from ASR rules:
-
-
- Set the state for each ASR rule:
-
-
- Enter the applications that should be trusted:
-
-
- Enter the folders that should be guarded:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Specify scheduler randomization window in hours.
-
-
- Select the channel for Microsoft Defender monthly platform updates:
-
-
- Select the channel for Microsoft Defender monthly engine updates:
-
-
- Select the channel for Microsoft Defender daily security intelligence updates:
-
-
- Select Device Control Default Enforcement Policy
-
-
-
-
-
-
-
-
-
+
+enter display name here
+enter description here
+
+
+ Microsoft Defender Antivirus
+ Endpoint Protection
+ Exclusions
+ Features
+ Device Control
+ Microsoft Defender Exploit Guard
+ Attack Surface Reduction
+ Controlled Folder Access
+ Network Protection
+ Network Inspection System
+ Exclusions
+ Quarantine
+ Real-time Protection
+ Remediation
+ Reporting
+ Scan
+ Security Intelligence Updates
+ MAPS
+ Threats
+ Client Interface
+ MpEngine
+ Allow antimalware service to startup with normal priority
+ This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance.
+
+ If you enable or do not configure this setting, the antimalware service will load as a normal priority task.
+
+ If you disable this setting, the antimalware service will load as a low priority task.
+ Allows Microsoft Defender Antivirus to update and communicate over a metered connection.
+
+ Disabled (Default):
+ Updates and communications are not allowed over metered connections.
+
+ Enabled:
+ Allow managed devices to update through metered connections. Data charges may apply.
+ Control whether or not exclusions are visible to Local Admins.
+
+ This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled.
+ Disabled(Default):
+ If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App or via PowerShell.
+
+ Enabled:
+ If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
+ Note: Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in Get-MpPreference.
+ This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.
+
+ Disabled (Default):
+ If Not Configured or Disabled, network protection is not allowed to be configured into block or audit mode on Windows Server.
+
+ Enabled:
+ If Enabled, administrators can control whether Network Protection is allowed to be configured into block or audit mode on Windows Server.
+ Note, that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false, EnableNetworkProtection will be ignored, otherwise network protection will start on Windows Server depending on the value of EnableNetworkProtection.
+ This setting controls datagram processing for network protection.
+
+ Enabled (Default):
+ If Not Configured or Disabled, datagram processing will be enabled for network protection.
+
+ Enabled:
+ If Enabled, datagram processing will be disabled for network protection.
+ Turn off Auto Exclusions
+
+ Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.
+
+ Disabled (Default):
+ Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance.
+
+ Enabled:
+ Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios.
+
+ Not configured:
+ Same as Disabled.
+
+ Turn off Endpoint Protection
+ This policy setting turns off Endpoint Protection.
+
+ If you enable this policy setting, Endpoint Protection does not run, and computers are not scanned for malware or other potentially unwanted software.
+
+ If you disable or do not configure this policy setting, by default Endpoint Protection runs and computers are scanned for malware and other potentially unwanted software.
+
+ Turn off Microsoft Defender Antivirus
+ This policy setting turns off Microsoft Defender Antivirus.
+
+ If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software.
+
+ If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product.
+
+ If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software.
+
+ Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured.
+ Configure local administrator merge behavior for lists
+ This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions.
+
+ If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings.
+
+ If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.
+ Turn off routine remediation
+
+ This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action.
+
+ If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat.
+
+ If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.
+
+ This policy setting allows you to configure whether Endpoint Protection automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action.
+
+ If you enable this policy setting, Endpoint Protection does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat.
+
+ If you disable or do not configure this policy setting, Endpoint Protection automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.
+
+ Define addresses to bypass proxy server
+ This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL.
+
+ If you enable this setting, the proxy server will be bypassed for the specified addresses.
+
+ If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses.
+ Define proxy auto-config (.pac) for connecting to the network
+ This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order):
+ 1. Proxy server (if specified)
+ 2. Proxy .pac URL (if specified)
+ 3. None
+ 4. Internet Explorer proxy settings
+ 5. Autodetect
+
+ If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above.
+
+ If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above.
+ Define proxy server for connecting to the network
+ This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order):
+ 1. Proxy server (if specified)
+ 2. Proxy .pac URL (if specified)
+ 3. None
+ 4. Internet Explorer proxy settings
+ 5. Autodetect
+
+ If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://.
+
+ If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above.
+
+ Randomize scheduled task times
+ This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.
+
+ If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time.
+
+ If you disable this setting, scheduled tasks will begin at the specified start time.
+ Allow antimalware service to remain running always
+ This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled.
+
+ If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled.
+
+ If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped.
+ Configure detection for potentially unwanted applications
+
+ Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer.
+
+ Enabled:
+ Specify the mode in the Options section:
+ -Block: Potentially unwanted software will be blocked.
+ -Audit Mode: Potentially unwanted software will not be blocked, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs.
+
+ Disabled:
+ Potentially unwanted software will not be blocked.
+
+ Not configured:
+ Same as Disabled.
+
+ Extension Exclusions
+ This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.
+ Path Exclusions
+ This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0.
+ Process Exclusions
+ This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.
+ Ip Address Exclusions
+ Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
+ Turn on protocol recognition
+ This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities.
+
+ If you enable or do not configure this setting, protocol recognition will be enabled.
+
+ If you disable this setting, protocol recognition will be disabled.
+ Turn on definition retirement
+ This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocal are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance.
+
+ If you enable or do not configure this setting, definition retirement will be enabled.
+
+ If you disable this setting, definition retirement will be disabled.
+ Specify additional definition sets for network traffic inspection
+ This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0.
+ Configure local setting override for the removal of items from Quarantine folder
+ This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure removal of items from Quarantine folder
+ This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
+
+ If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
+
+ If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
+
+ Turn on script scanning
+ This policy setting allows you to configure script scanning.
+
+ If you enable or do not configure this setting, script scanning will be enabled.
+
+ If you disable this setting, script scanning will be disabled.
+ Turn on behavior monitoring
+ This policy setting allows you to configure behavior monitoring.
+
+ If you enable or do not configure this setting, behavior monitoring will be enabled.
+
+ If you disable this setting, behavior monitoring will be disabled.
+ Scan all downloaded files and attachments
+ This policy setting allows you to configure scanning for all downloaded files and attachments.
+
+ If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.
+
+ If you disable this setting, scanning for all downloaded files and attachments will be disabled.
+ Monitor file and program activity on your computer
+ This policy setting allows you to configure monitoring for file and program activity.
+
+ If you enable or do not configure this setting, monitoring for file and program activity will be enabled.
+
+ If you disable this setting, monitoring for file and program activity will be disabled.
+ Turn on raw volume write notifications
+ This policy setting controls whether raw volume write notifications are sent to behavior monitoring.
+
+ If you enable or do not configure this setting, raw write notifications will be enabled.
+
+ If you disable this setting, raw write notifications be disabled.
+ Turn off real-time protection
+ This policy setting turns off real-time protection prompts for known malware detection.
+
+ Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer.
+
+ If you enable this policy setting, Microsoft Defender Antivirus will not prompt users to take actions on malware detections.
+
+ If you disable or do not configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections.
+
+ This policy setting turns off real-time protection prompts for known malware detection.
+
+ Endpoint Protection alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer.
+
+ If you enable this policy setting, Endpoint Protection will not prompt users to take actions on malware detections.
+
+ If you disable or do not configure this policy setting, Endpoint Protection will prompt users to take actions on malware detections.
+
+ Turn on process scanning whenever real-time protection is enabled
+ This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off.
+
+ If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on.
+
+ If you disable this setting, a process scan will not be initiated when real-time protection is turned on.
+ Define the maximum size of downloaded files and attachments to be scanned
+ This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned.
+
+ If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned.
+
+ If you disable or do not configure this setting, a default size will be applied.
+ Configure local setting override for turn on behavior monitoring
+ This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure local setting override for monitoring file and program activity on your computer
+ This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure local setting override for scanning all downloaded files and attachments
+ This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure local setting override to turn on real-time protection
+ This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure local setting override for monitoring for incoming and outgoing file activity
+ This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure monitoring for incoming and outgoing file and program activity
+ This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role.
+
+ Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.
+
+ The options for this setting are mutually exclusive:
+ 0 = Scan incoming and outgoing files (default)
+ 1 = Scan incoming files only
+ 2 = Scan outgoing files only
+
+ Any other value, or if the value does not exist, resolves to the default (0).
+
+ If you enable this setting, the specified type of monitoring will be enabled.
+
+ If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.
+ bi-directional (full on-access)
+ scan only incoming (disable on-open)
+ scan only outgoing (disable on-close)
+ Configure local setting override for the time of day to run a scheduled full scan to complete remediation
+ This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Specify the day of the week to run a scheduled full scan to complete remediation
+ This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all.
+
+ This setting can be configured with the following ordinal number values:
+ (0x0) Every Day
+ (0x1) Sunday
+ (0x2) Monday
+ (0x3) Tuesday
+ (0x4) Wednesday
+ (0x5) Thursday
+ (0x6) Friday
+ (0x7) Saturday
+ (0x8) Never (default)
+
+ If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified.
+
+ If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency.
+ Never
+ Every Day
+ Sunday
+ Monday
+ Tuesday
+ Wednesday
+ Thursday
+ Friday
+ Saturday
+ Specify the time of day to run a scheduled full scan to complete remediation
+ This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing.
+
+ If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified.
+
+ If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time.
+ Configure time out for detections requiring additional action
+ This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state.
+ Configure time out for detections in critically failed state
+ This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state.
+ Configure Watson events
+ This policy setting allows you to configure whether or not Watson events are sent.
+
+ If you enable or do not configure this setting, Watson events will be sent.
+
+ If you disable this setting, Watson events will not be sent.
+ Configure time out for detections in non-critical failed state
+ This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state.
+ Configure time out for detections in recently remediated state
+ This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.
+ Configure Windows software trace preprocessor components
+ This policy configures Windows software trace preprocessor (WPP Software Tracing) components.
+ Configure WPP tracing level
+ This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing).
+ Tracing levels are defined as:
+ 1 - Error
+ 2 - Warning
+ 3 - Info
+ 4 - Debug
+ Turn off enhanced notifications
+
+ Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients.
+
+ If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients.
+
+ If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients.
+
+ Configure time interval for service health reports
+ This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints.
+
+ If you disable or do not configure this setting, the default value will be applied. The default value is set at 60 minutes (1 hour).
+
+ If you configure this setting to 0, no service health reports will be sent.
+
+ The maximum value allowed to be set is 14400 minutes (10 days).
+ Configure whether to report Dynamic Signature dropped events
+ This policy setting configures whether to report Dynamic Signature dropped events.
+
+ If you do not configure this setting, the default value will be applied. The default value is set to disabled (such events are not reported).
+ If you configure this setting to enabled, Dynamic Signature dropped events will be reported.
+ If you configure this setting to disabled, Dynamic Signature dropped events will not be reported.
+ Allow users to pause scan
+ This policy setting allows you to manage whether or not end users can pause a scan in progress.
+
+ If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan.
+
+ If you disable this setting, users will not be able to pause scans.
+ Specify the maximum depth to scan archive files
+ This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
+
+ If you enable this setting, archive files will be scanned to the directory depth level specified.
+
+ If you disable or do not configure this setting, archive files will be scanned to the default directory depth level.
+ Specify the maximum size of archive files to be scanned
+ This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
+
+ If you enable this setting, archive files less than or equal to the size specified will be scanned.
+
+ If you disable or do not configure this setting, archive files will be scanned according to the default value.
+ Specify the maximum percentage of CPU utilization during a scan
+ This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50.
+
+ If you enable this setting, CPU utilization will not exceed the percentage specified.
+
+ If you disable or do not configure this setting, CPU utilization will not exceed the default value.
+ Check for the latest virus and spyware security intelligence before running a scheduled scan
+ This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan.
+
+ This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
+
+ If you enable this setting, a check for new security intelligence will occur before running a scan.
+
+ If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence.
+ Scan archive files
+ This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
+
+ If you enable or do not configure this setting, archive files will be scanned.
+
+ If you disable this setting, archive files will not be scanned.
+ CPU throttling type
+ This policy setting determines whether the maximum percentage CPU utilization permitted during a scan applies only to scheduled scans, or to both scheduled and custom scans (but not real-time protection). The maximum CPU utilization limit is also referred to as CPU throttling, or a CPU usage limit.
+
+ The default value for this policy setting is True, which means CPU throttling is applied only to scheduled scans.
+
+ If you either enable or do not configure this setting, CPU throttling will apply only to scheduled scans.
+
+ If you disable this setting, CPU throttling will apply to scheduled and custom scans.
+ Scan removable drives
+ This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
+
+ If you enable this setting, removable drives will be scanned during any type of scan.
+
+ If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
+ Turn on reparse point scanning
+ This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality.
+
+ If you enable this setting, reparse point scanning will be enabled.
+
+ If you disable or do not configure this setting, reparse point scanning will be disabled.
+ Create a system restore point
+ This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning.
+
+ If you enable this setting, a system restore point will be created.
+
+ If you disable or do not configure this setting, a system restore point will not be created.
+ Run full scan on mapped network drives
+ This policy setting allows you to configure scanning mapped network drives.
+
+ If you enable this setting, mapped network drives will be scanned.
+
+ If you disable or do not configure this setting, mapped network drives will not be scanned.
+ Scan network files
+ This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
+
+ If you enable this setting, network files will be scanned.
+
+ If you disable or do not configure this setting, network files will not be scanned.
+ Configure local setting override for maximum percentage of CPU utilization
+ This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure local setting override for the scan type to use for a scheduled scan
+ This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure local setting override for schedule scan day
+ This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure local setting override for scheduled quick scan time
+ This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Configure local setting override for scheduled scan time
+ This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Turn on removal of items from scan history folder
+ This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days.
+
+ If you enable this setting, items will be removed from the scan history folder after the number of days specified.
+
+ If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days.
+ Specify the interval to run quick scans per day
+ This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0.
+
+ If you enable this setting, a quick scan will run at the interval specified.
+
+ If you disable or do not configure this setting, a quick scan will run at a default time.
+ Start the scheduled scan only when computer is on but not in use
+ This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use.
+
+ If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use.
+
+ If you disable this setting, scheduled scans will run at the scheduled time.
+ Specify the scan type to use for a scheduled scan
+ This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are:
+ 1 = Quick Scan (default)
+ 2 = Full Scan
+
+ If you enable this setting, the scan type will be set to the specified value.
+
+ If you disable or do not configure this setting, the default scan type will used.
+ Quick scan
+ Full system scan
+ Specify the day of the week to run a scheduled scan
+ This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.
+
+ This setting can be configured with the following ordinal number values:
+ (0x0) Every Day
+ (0x1) Sunday
+ (0x2) Monday
+ (0x3) Tuesday
+ (0x4) Wednesday
+ (0x5) Thursday
+ (0x6) Friday
+ (0x7) Saturday
+ (0x8) Never (default)
+
+ If you enable this setting, a scheduled scan will run at the frequency specified.
+
+ If you disable or do not configure this setting, a scheduled scan will run at a default frequency.
+ Never
+ Every Day
+ Sunday
+ Monday
+ Tuesday
+ Wednesday
+ Thursday
+ Friday
+ Saturday
+ Specify the time for a daily quick scan
+ This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
+
+ If you enable this setting, a daily quick scan will run at the time of day specified.
+
+ If you disable or do not configure this setting, a daily quick scan will run at a default time.
+ Specify the time of day to run a scheduled scan
+ This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
+
+ If you enable this setting, a scheduled scan will run at the time of day specified.
+
+ If you disable or do not configure this setting, a scheduled scan will run at a default time.
+ Define the number of days after which a catch-up scan is forced
+
+ This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans.
+
+ If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans.
+
+ If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans.
+ Configure low CPU priority for scheduled scans
+
+ This policy setting allows you to enable or disable low CPU priority for scheduled scans.
+
+ If you enable this setting, low CPU priority will be used during scheduled scans.
+
+ If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
+
+ Define the number of days before spyware security intelligence is considered out of date
+ This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
+
+ If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update.
+
+ If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.
+ Define the number of days before virus security intelligence is considered out of date
+ This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
+
+ If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update.
+
+ If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update.
+ Define file shares for downloading security intelligence updates
+ This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.
+
+ If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+
+ If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
+ Define security intelligence location for VDI clients.
+ This policy setting allows you to define the security intelligence location for VDI-configured computers.
+
+ If you disable or do not configure this setting, security intelligence will be referred from the default local source.
+ Turn on scan after security intelligence update
+ This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred.
+
+ If you enable or do not configure this setting, a scan will start following a security intelligence update.
+
+ If you disable this setting, a scan will not start following a security intelligence update.
+ Allow security intelligence updates when running on battery power
+ This policy setting allows you to configure security intelligence updates when the computer is running on battery power.
+
+ If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state.
+
+ If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power.
+ Initiate security intelligence update on startup
+ This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present.
+
+ If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present.
+
+ If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present.
+ Define the order of sources for downloading security intelligence updates
+ This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”
+
+ For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
+
+ If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+
+ If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order.
+ Allow security intelligence updates from Microsoft Update
+ This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update.
+
+ If you enable this setting, security intelligence updates will be downloaded from Microsoft Update.
+
+ If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source.
+ Allow real-time security intelligence updates based on reports to Microsoft MAPS
+ This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work.
+
+ If you enable or do not configure this setting, real-time security intelligence updates will be enabled.
+
+ If you disable this setting, real-time security intelligence updates will disabled.
+ Specify the day of the week to check for security intelligence updates
+ This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all.
+
+ This setting can be configured with the following ordinal number values:
+ (0x0) Every Day (default)
+ (0x1) Sunday
+ (0x2) Monday
+ (0x3) Tuesday
+ (0x4) Wednesday
+ (0x5) Thursday
+ (0x6) Friday
+ (0x7) Saturday
+ (0x8) Never
+
+ If you enable this setting, the check for security intelligence updates will occur at the frequency specified.
+
+ If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency.
+ Never
+ Every Day
+ Sunday
+ Monday
+ Tuesday
+ Wednesday
+ Thursday
+ Friday
+ Saturday
+ Specify the time to check for security intelligence updates
+ This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring.
+
+ If you enable this setting, the check for security intelligence updates will occur at the time of day specified.
+
+ If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time.
+ Allow notifications to disable security intelligence based reports to Microsoft MAPS
+ This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work.
+
+ If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence.
+
+ If you disable this setting, the antimalware service will not receive notifications to disable security intelligence.
+ Define the number of days after which a catch-up security intelligence update is required
+ This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day.
+
+ If you enable this setting, a catch-up security intelligence update will occur after the specified number of days.
+
+ If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days.
+ Specify the interval for expiry notification
+
+ This policy setting allows you to specify an interval(in days) for expiry notification.
+ If a signature expiry or platform expiry is impending, this value tells how soon AM UI will notify customers.
+
+ Value should be greater than zero for the policy to be active.
+
+ Specify the interval to check for security intelligence updates
+ This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
+
+ If you enable this setting, checks for security intelligence updates will occur at the interval specified.
+
+ If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval.
+ Check for the latest virus and spyware security intelligence on startup
+ This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup.
+
+ If you enable this setting, a check for new security intelligence will occur after service startup.
+
+ If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup.
+ Configure the 'Block at First Sight' feature
+ This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
+ Enabled – The Block at First Sight setting is turned on.
+ Disabled – The Block at First Sight setting is turned off.
+
+ This feature requires these Group Policy settings to be set as follows:
+ MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function.
+ MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function.
+ Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature will not function.
+ Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function.
+ Configure local setting override for reporting to Microsoft MAPS
+ This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy.
+
+ If you enable this setting, the local preference setting will take priority over Group Policy.
+
+ If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+ Send file samples when further analysis is required
+
+ This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set.
+
+ Possible options are:
+ (0x0) Always prompt
+ (0x1) Send safe samples automatically
+ (0x2) Never send
+ (0x3) Send all samples automatically
+
+
+ Always prompt
+ Send safe samples
+ Never send
+ Send all samples
+
+ Join Microsoft MAPS
+ This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
+
+ You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.
+
+ Possible options are:
+ (0x0) Disabled (default)
+ (0x1) Basic membership
+ (0x2) Advanced membership
+
+ Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful.
+
+ Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.
+
+ If you enable this setting, you will join Microsoft MAPS with the membership specified.
+
+ If you disable or do not configure this setting, you will not join Microsoft MAPS.
+
+ In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership.
+ Disabled
+ Basic MAPS
+ Advanced MAPS
+ Specify threats upon which default action should not be taken when detected
+ This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken.
+
+ Valid remediation action values are:
+ 2 = Quarantine
+ 3 = Remove
+ 6 = Ignore
+ Specify threat alert levels at which default action should not be taken when detected
+ This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level.Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken.
+
+ Valid threat alert levels are:
+ 1 = Low
+ 2 = Medium
+ 4 = High
+ 5 = Severe
+
+ Valid remediation action values are:
+ 2 = Quarantine
+ 3 = Remove
+ 6 = Ignore
+ Enable headless UI mode
+
+ This policy setting allows you to configure whether or not to display AM UI to the users.
+ If you enable this setting AM UI won't be available to users.
+
+ Suppresses reboot notifications
+
+ This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode).
+
+ If you enable this setting AM UI won't show reboot notifications.
+
+ Suppress all notifications
+ Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients.
+ If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients.
+
+ If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients.
+
+ Display additional text to clients when they need to perform an action
+ This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
+
+ If you enable this setting, the additional text specified will be displayed.
+
+ If you disable or do not configure this setting, there will be no additional text displayed.
+ Select cloud protection level
+
+ This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files.
+
+ If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
+
+ For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site.
+
+ Note: This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
+
+ Possible options are:
+ (0x0) Default Microsoft Defender Antivirus blocking level
+ (0x1) Moderate Microsoft Defender Antivirus blocking level, delivers verdict only for high confidence detections
+ (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
+ (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
+ (0x6) Zero tolerance blocking level – block all unknown executables
+
+ Default blocking level
+ Moderate blocking level
+ High blocking level
+ High+ blocking level
+ Zero tolerance blocking level
+ Configure extended cloud check
+
+ This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe.
+
+ The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
+
+ For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
+
+ Note: This feature depends on three other MAPS settings - "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required" all need to be enabled.
+
+ Enable file hash computation feature
+
+ Enable or disable file hash computation feature.
+
+ Enabled:
+ When this feature is enabled Microsoft Defender will compute hash value for files it scans.
+
+ Disabled:
+ File hash value is not computed
+
+ Not configured:
+ Same as Disabled.
+
+ Prevent users and apps from accessing dangerous websites
+
+ Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
+
+ Enabled:
+ Specify the mode in the Options section:
+ -Block: Users and applications will not be able to access dangerous domains
+ -Audit Mode: Users and applications can connect to dangerous domains, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs.
+
+ Disabled:
+ Users and applications will not be blocked from connecting to dangerous domains.
+
+ Not configured:
+ Same as Disabled.
+
+ Exclude files and paths from Attack Surface Reduction Rules
+
+ Exclude files and paths from Attack Surface Reduction (ASR) rules.
+
+ Enabled:
+ Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
+ Enter each rule on a new line as a name-value pair:
+ - Name column: Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder
+ - Value column: Enter ""0"" for each item
+
+ Disabled:
+ No exclusions will be applied to the ASR rules.
+
+ Not configured:
+ Same as Disabled.
+
+ You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting.
+
+ Configure Attack Surface Reduction rules
+
+ Set the state for each Attack Surface Reduction (ASR) rule.
+
+ After enabling this setting, you can set each rule to the following in the Options section:
+ - Block: the rule will be applied
+ - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
+ - Off: the rule will not be applied
+
+ Enabled:
+ Specify the state for each ASR rule under the Options section for this setting.
+ Enter each rule on a new line as a name-value pair:
+ - Name column: Enter a valid ASR rule ID
+ - Value column: Enter the status ID that relates to state you want to specify for the associated rule
+
+ The following status IDs are permitted under the value column:
+ - 1 (Block)
+ - 0 (Off)
+ - 2 (Audit)
+
+ Example:
+ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0
+ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1
+ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2
+
+ Disabled:
+ No ASR rules will be configured.
+
+ Not configured:
+ Same as Disabled.
+
+ You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting.
+
+ Configure Controlled folder access
+
+ Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
+ - Modify or delete files in protected folders, such as the Documents folder
+ - Write to disk sectors
+
+ You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders.
+
+ Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
+ Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting.
+
+ Block:
+ The following will be blocked:
+ - Attempts by untrusted apps to modify or delete files in protected folders
+ - Attempts by untrusted apps to write to disk sectors
+ The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
+
+
+ Disabled:
+ The following will not be blocked and will be allowed to run:
+ - Attempts by untrusted apps to modify or delete files in protected folders
+ - Attempts by untrusted apps to write to disk sectors
+ These attempts will not be recorded in the Windows event log.
+
+
+ Audit Mode:
+ The following will not be blocked and will be allowed to run:
+ - Attempts by untrusted apps to modify or delete files in protected folders
+ - Attempts by untrusted apps to write to disk sectors
+ The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.
+
+
+ Block disk modification only:
+ The following will be blocked:
+ - Attempts by untrusted apps to write to disk sectors
+ The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
+
+ The following will not be blocked and will be allowed to run:
+ - Attempts by untrusted apps to modify or delete files in protected folders
+ These attempts will not be recorded in the Windows event log.
+
+
+ Audit disk modification only:
+ The following will not be blocked and will be allowed to run:
+ - Attempts by untrusted apps to write to disk sectors
+ - Attempts by untrusted apps to modify or delete files in protected folders
+ Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124).
+ Attempts to modify or delete files in protected folders will not be recorded.
+
+ Not configured:
+ Same as Disabled.
+
+ Disable (Default)
+ Block
+ Audit Mode
+ Block disk modification only
+ Audit disk modification only
+ Configure allowed applications
+
+ Add additional applications that should be considered "trusted" by controlled folder access.
+
+ These applications are allowed to modify or delete files in controlled folder access folders.
+
+ Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications.
+
+ Enabled:
+ Specify additional allowed applications in the Options section..
+
+ Disabled:
+ No additional applications will be added to the trusted list.
+
+ Not configured:
+ Same as Disabled.
+
+ You can enable controlled folder access in the Configure controlled folder access GP setting.
+
+ Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting.
+
+ Configure protected folders
+
+ Specify additional folders that should be guarded by the Controlled folder access feature.
+
+ Files in these folders cannot be modified or deleted by untrusted applications.
+
+ Default system folders are automatically protected. You can configure this setting to add additional folders.
+ The list of default system folders that are protected is shown in Windows Security.
+
+ Enabled:
+ Specify additional folders that should be protected in the Options section.
+
+ Disabled:
+ No additional folders will be protected.
+
+ Not configured:
+ Same as Disabled.
+
+ You can enable controlled folder access in the Configure controlled folder access GP setting.
+
+ Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
+
+ Define device control policy groups
+
+ Please follow the device control policy groups xml schema to fill out the policy groups data.
+ Alternatively you could use a file path containing the XML groups data.
+
+ Define device control policy rules
+
+ Please follow the device control policy rules xml schema to fill out the policy rules data.
+ Alternatively you could use a file path containing the XML rules data.
+
+ Select the channel for Microsoft Defender monthly platform updates
+ Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
+
+ Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
+ Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
+ Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
+ Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+ Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
+
+ If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
+
+ Select the channel for Microsoft Defender monthly engine updates
+ Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
+
+ Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
+ Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
+ Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
+ Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+ Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
+
+ If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
+
+ Select the channel for Microsoft Defender daily security intelligence updates
+ Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.
+
+ Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
+ Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+ Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.
+
+ If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
+
+ Beta Channel
+ Current Channel (Preview)
+ Current Channel (Staged)
+ Current Channel (Broad)
+ Critical - Time delay
+ Disable gradual rollout of Microsoft Defender updates.
+ Enable this policy to disable gradual rollout of Defender updates.
+
+ Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates.
+
+ Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates.
+
+ If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
+ Select Device Control Default Enforcement Policy
+
+ Default Allow: Choosing this default enforcement, will Allow any operations to occur on the attached devices if no policy rules are found to match.
+ Default Deny: Choosing this default enforcement, will Deny any operations to occur on the attached devices if no policy rules are found to match.
+
+ Default Enforcement will establish what decision should be made during the Device Control access checks when none of the policy rules match.
+
+ Default Allow
+ Default Deny
+ Define Device Control evidence data remote location
+
+ Define evidence file remote location, where Device Control service will move evidence data captured.
+
+ Device Control
+
+ Enable or Disable Defender Device Control on this machine.
+ Note: You must be enrolled as E3 or E5 in order for Device Control to be enabled.
+
+ Intel TDT Integration Level
+ This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices.
+
+ If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft.
+
+ If you configure this setting to disabled, Intel TDT integration will be turned off.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Extension Exclusions
+
+
+ Path Exclusions
+
+
+ Process Exclusions
+
+
+ IP Address Exclusions
+
+
+ Specify additional definition sets for network traffic inspection
+
+
+ Configure removal of items from Quarantine folder
+
+
+ Define the maximum size of downloaded files and attachments to be scanned
+
+
+ Configure monitoring for incoming and outgoing file and program activity
+
+
+ Specify the day of the week to run a scheduled full scan to complete remediation
+
+
+ Specify the time of day to run a scheduled full scan to complete remediation
+
+
+ Define the number of scheduled scans that can be missed after which a catch-up scan is forced
+
+
+ Configure time out for detections requiring additional action
+
+
+ Configure time out for detections in critically failed state
+
+
+ Configure time out for detections in non-critical failed state
+
+
+ Configure time out for detections in recently remediated state
+
+
+ Configure Windows software trace preprocessor components
+
+
+ Configure WPP tracing level
+
+
+ Configure time interval for service health reports
+
+
+ Specify the maximum depth to scan archive files
+
+
+ Specify the maximum size of archive files to be scanned
+
+
+ Specify the maximum percentage of CPU utilization during a scan
+
+
+ Turn on removal of items from scan history folder
+
+
+ Specify the interval to run quick scans per day
+
+
+ Specify the scan type to use for a scheduled scan
+
+
+ Specify the day of the week to run a scheduled scan
+
+
+ Specify the time for a daily quick scan
+
+
+ Specify the time of day to run a scheduled scan
+
+
+ Define the number of days before spyware security intelligence is considered out of date
+
+
+ Define the number of days before virus security intelligence is considered out of date
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specify the day of the week to check for security intelligence updates
+
+
+ Specify the time to check for security intelligence updates
+
+
+ Define the number of days after which a catch-up security intelligence update is required
+
+
+ Specify the interval to check for security intelligence updates
+
+
+ Join Microsoft MAPS
+
+
+ Send file samples when further analysis is required
+
+
+ Specify threats upon which default action should not be taken when detected
+
+
+ Specify threat alert levels at which default action should not be taken when detected
+
+
+
+
+
+
+
+ Specify the interval for expiry notification
+
+
+ Select cloud blocking level
+
+
+ Specify the extended cloud check time in seconds
+
+
+ Configure the guard my folders feature
+
+
+ Exclusions from ASR rules:
+
+
+ Set the state for each ASR rule:
+
+
+ Enter the applications that should be trusted:
+
+
+ Enter the folders that should be guarded:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Select the channel for Microsoft Defender monthly platform updates:
+
+
+ Select the channel for Microsoft Defender monthly engine updates:
+
+
+ Select the channel for Microsoft Defender daily security intelligence updates:
+
+
+ Select Device Control Default Enforcement Policy
+
+
+
+
+
+
+
+
+
diff --git a/Removable Storage Access Control Samples/WindowsDefender.admx b/Removable Storage Access Control Samples/WindowsDefender.admx
index f864620..1e11f1d 100644
--- a/Removable Storage Access Control Samples/WindowsDefender.admx
+++ b/Removable Storage Access Control Samples/WindowsDefender.admx
@@ -1,1521 +1,1473 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- "
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ "
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+