Windows Defender Manager Default Configuration - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="describes-windows-defender-configuration-options-and-recommended-defaults">Describes Windows Defender configuration options and recommended defaults</h2> <table cellpadding="4"><tbody><tr><td> <p><strong>Category</strong></p> </td> <td> <p><strong>Default Value</strong></p> </td> <td> <p><strong>Description</strong></p> </td> </tr><tr><td> <p><strong>General</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Enable Windows Defender</p> </td> <td> <p>No</p> </td> <td> <p>The master switch for enabling Windows Defender on a device.</p> <p>The default value is set to No which will allow you to switch Defender on when you are ready.</p> </td> </tr><tr><td> <p> </p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p><strong>General Notifications and UI</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Disable Security Center Notifications</p> </td> <td> <p>Yes</p> </td> <td> <p>Disables notifications from being displayed in Security Center</p> </td> </tr><tr><td> <p>Disable Windows Defender UI</p> </td> <td> <p>Yes</p> </td> <td> <p>Prevents any Defender configuration UI from being displayed</p> </td> </tr><tr><td> <p>Disable Windows Defender Notifications</p> </td> <td> <p>Yes</p> </td> <td> <p>Prevents popup notifications in the task bar or system tray</p> </td> </tr><tr><td> <p> </p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p><strong>General Signatures</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Update Signatures Every (hours)</p> </td> <td> <p>1</p> </td> <td> <p>Check for new AV/AS signatures every 1 hour</p> </td> </tr><tr><td> <p>Check for Signature Update Before Running Scan</p> </td> <td> <p>Yes</p> </td> <td> <p>Check for new AV/AS signatures before a scheduled scan</p> </td> </tr><tr><td> <p> </p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p><strong>Real-time 
Protection</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Real-time Monitoring</p> </td> <td> <p>On</p> </td> <td> <p>Enable the real-time monitoring component</p> </td> </tr><tr><td> <p>Behavioral Monitoring</p> </td> <td> <p>On</p> </td> <td> <p>Enable the behavioral monitoring component</p> </td> </tr><tr><td> <p>Scan All Downloaded Files and Attachments</p> </td> <td> <p>On</p> </td> <td> <p>Scan all files downloaded via IE/Edge browsers</p> </td> </tr><tr><td> <p>Script Scanning</p> </td> <td> <p>On</p> </td> <td> <p>Scan scripts for malicious content before execution</p> </td> </tr><tr><td> <p>NTFS File Direction Scanning</p> </td> <td> <p>Both</p> </td> <td> <p>Scan files that are both being written to disk and sent over the network / internet</p> </td> </tr><tr><td> <p> </p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p><strong>Cloud Protection</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Block At First Sight</p> </td> <td> <p>On</p> </td> <td> <p>Block executable content that has not been seen before by the Microsoft Cloud.</p> </td> </tr><tr><td> <p>Reporting Level</p> </td> <td> <p>Advanced</p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Automatic Sample Submission</p> </td> <td> <p>Send All Samples Automatically</p> </td> <td> <p>Automatically send suspicious executable content files to the Microsoft Cloud for further analysis</p> </td> </tr><tr><td> <p>PUA Protection</p> </td> <td> <p>Audit</p> </td> <td> <p>Enable reporting but take no action on potentially unwanted software</p> </td> </tr><tr><td> <p> </p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p><strong>Scans</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Only Scan When Idle</p> </td> <td> <p>Yes</p> </td> <td> <p>Only begin a scan when the system is idle</p> </td> </tr><tr><td> <p>Email Scanning</p> </td> <td> <p>On</p> </td> <td> <p>Parses the mailbox and mail files, 
according to their specific format, in order to</p> <p>analyze mail bodies and attachments. Windows Defender supports several formats, including .pst, .dbx, .mbx, .mime, and .binhex</p> </td> </tr><tr><td> <p>Perform Catchup Quick Scans</p> </td> <td> <p>On</p> </td> <td> <p>Configures whether Windows Defender runs catch-up scans for scheduled quick scans.</p> <p>A computer can miss a scheduled scan, usually because the computer is off at the scheduled time. </p> </td> </tr><tr><td> <p>Perform Catchup Full Scans</p> </td> <td> <p>Off</p> </td> <td> <p>Configures whether Windows Defender runs catch-up scans for scheduled full scans.</p> <p>A computer can miss a scheduled scan, usually because the computer is off at the scheduled time. </p> </td> </tr><tr><td> <p>Scan Removable Drives</p> </td> <td> <p>On</p> </td> <td> <p>Configures whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan.</p> </td> </tr><tr><td> <p>Scan Restore Points</p> </td> <td> <p>On</p> </td> <td> <p>Configures whether to enable scanning of restore points</p> </td> </tr><tr><td> <p>Scan Mapped Network Drives for Full Scan</p> </td> <td> <p>Off</p> </td> <td> <p>Configures whether to scan mapped network drives during a full scan</p> </td> </tr><tr><td> <p>Scan Network Files</p> </td> <td> <p>Off</p> </td> <td> <p>Configures whether to scan for network files</p> </td> </tr><tr><td> <p>Remove Quarantine Items After (Days)</p> </td> <td> <p>7</p> </td> <td> <p>Specifies the number of days to keep items in the Quarantine folder. If you specify a value of zero, items stay in the Quarantine folder indefinitely</p> </td> </tr><tr><td> <p>Scheduled Scan Type</p> </td> <td> <p>Quick Scan</p> </td> <td> <p>Specifies the scan type used for scheduled scans</p> </td> </tr><tr><td> <p>Scheduled Scan Day of Week</p> </td> <td> <p>Everyday</p> </td> <td> <p>Specifies the day of the week on which to perform a scheduled scan. 
Alternatively, specify Everyday for a scheduled scan or Never.</p> </td> </tr><tr><td> <p>Scheduled Scan Time of Day</p> </td> <td> <p>0</p> </td> <td> <p>Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan. The time refers to the local time on the computer.</p> </td> </tr><tr><td> <p>Randomize Scheduled Scan Times</p> </td> <td> <p>No</p> </td> <td> <p>Configures whether to select a random time for the scheduled start and scheduled update for definitions.</p> <p>If you specify a value of Enabled, scheduled tasks begin within 30 minutes, before or after, the scheduled time</p> </td> </tr><tr><td> <p> </p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p><strong>Threat Actions</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Unknown Threat Default Action</p> </td> <td> <p>Quarantine</p> </td> <td> <p>Specifies which automatic remediation action to take for an Unknown level threat.</p> </td> </tr><tr><td> <p>Low Threat Default Action</p> </td> <td> <p>Quarantine</p> </td> <td> <p>Specifies which automatic remediation action to take for a Low level threat.</p> </td> </tr><tr><td> <p>Moderate Threat Default Action</p> </td> <td> <p>Quarantine</p> </td> <td> <p>Specifies which automatic remediation action to take for a Moderate level threat.</p> </td> </tr><tr><td> <p>High Threat Default Action</p> </td> <td> <p>Quarantine</p> </td> <td> <p>Specifies which automatic remediation action to take for a High level threat.</p> </td> </tr><tr><td> <p>Severe Threat Default Action</p> </td> <td> <p>Clean</p> </td> <td> <p>Specifies which automatic remediation action to take for a Severe level threat.</p> </td> </tr><tr><td> <p> </p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p><strong>Advanced</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Block Executable Content From Email and Webmail</p> </td> <td> <p>Disabled</p> </td> <td> <p><a 
href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Office Applications from Creating Child Processes</p> </td> <td> <p>Disabled</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Office Applications From Creating Executable Content</p> </td> <td> <p>Audit</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Office Applications From Injecting Into Other Processes</p> </td> <td> <p>Disabled</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Prevent JavaScript and VBScript From Launching Executables</p> </td> <td> <p>Disabled</p> </td> <td> <p><a 
href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Execution of Potentially Obfuscated Scripts</p> </td> <td> <p>Audit</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Win32 Imports From Macro Code in Office Applications</p> </td> <td> <p>Audit</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Executables From Running Unless They Meet Prevalence, Age or Trusted List Criteria</p> </td> <td> <p>Disabled</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Credential Stealing From the Windows Local Security Authority Subsystem (lsass.exe)</p> </td> <td> <p>Disabled</p> </td> <td> <p><a 
href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Process Creation Originating From PsExec and WMI commands</p> </td> <td> <p>Audit</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Untrusted and Unsigned Processes That Run From USB</p> </td> <td> <p>Enabled</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Use Advanced Protection Against Ransomware</p> </td> <td> <p>Audit</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Only Office Communications Applications From Creating Child Processes</p> </td> <td> <p>Disabled</p> </td> <td> <p><a 
href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Block Adobe Reader From Creating Child Processes</p> </td> <td> <p>Disabled</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Network Protection</p> </td> <td> <p>Audit</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p>Folder Access</p> </td> <td> <p>Disabled</p> </td> <td> <p><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F2928012.hs-sites.com%2Fknowledge%2Fmicrosoft-defender-atp-attack-surface-reduction%3F__hstc%3D90024708.a594749fef5a925ba2b71f7d0bf8d2bf.1613084591507.1613093579987.1613138855270.3%26__hssc%3D90024708.7.1613138855270%26__hsfp%3D1812308554" rel="noopener nofollow">Details</a></p> </td> </tr><tr><td> <p> </p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p><strong>Exclusions</strong></p> </td> <td> <p> </p> </td> <td> <p> </p> </td> </tr><tr><td> <p>Process Exclusions</p> </td> <td> <p>None</p> </td> <td> <p>Process names to exclude any files opened by the processes that you specify from scheduled and real-time scanning. 
</p> </td> </tr><tr><td> <p>Path Exclusions</p> </td> <td> <p>None</p> </td> <td> <p>File paths to exclude from scheduled and real-time scanning. You can specify a folder to exclude all the files under the folder</p> </td> </tr><tr><td> <p>Extension Exclusions</p> </td> <td> <p>None</p> </td> <td> <p>File name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning.</p> </td> </tr></tbody></table> </article> </main>
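<p>An added example, not part of the original Kaseya page: a PowerShell drift check that compares an endpoint's live Defender preferences with the defaults in the table above. The mapping from table rows to <code>Get-MpPreference</code> property names and numeric values is this example's assumption, and <code>Test-DefenderBaseline</code> is a hypothetical function name.</p>

```powershell
# Added example (not Kaseya's code). Run elevated: exclusion lists can be hidden from non-administrators.
# Assumption: each table row maps to the Get-MpPreference property noted beside it.
$Baseline = [ordered]@{
    SignatureUpdateInterval             = 1       # Update Signatures Every (hours): 1
    CheckForSignaturesBeforeRunningScan = $true   # Check for Signature Update Before Running Scan: Yes
    DisableRealtimeMonitoring           = $false  # Real-time Monitoring: On
    DisableBehaviorMonitoring           = $false  # Behavioral Monitoring: On
    DisableIOAVProtection               = $false  # Scan All Downloaded Files and Attachments: On
    DisableScriptScanning               = $false  # Script Scanning: On
    RealTimeScanDirection               = 0       # NTFS File Direction Scanning: Both
    DisableBlockAtFirstSeen             = $false  # Block At First Sight: On
    MAPSReporting                       = 2       # Reporting Level: Advanced
    SubmitSamplesConsent                = 3       # Send All Samples Automatically
    PUAProtection                       = 2       # PUA Protection: Audit
    ScanOnlyIfIdleEnabled               = $true   # Only Scan When Idle: Yes
    DisableEmailScanning                = $false  # Email Scanning: On
    DisableCatchupQuickScan             = $false  # Perform Catchup Quick Scans: On
    DisableCatchupFullScan              = $true   # Perform Catchup Full Scans: Off
    DisableRemovableDriveScanning       = $false  # Scan Removable Drives: On
    DisableRestorePoint                 = $false  # Scan Restore Points: On
    DisableScanningMappedNetworkDrivesForFullScan = $true  # Mapped Network Drives: Off
    DisableScanningNetworkFiles         = $true   # Scan Network Files: Off
    QuarantinePurgeItemsAfterDelay      = 7       # Remove Quarantine Items After (Days): 7
    ScanParameters                      = 1       # Scheduled Scan Type: Quick Scan
    ScanScheduleDay                     = 0       # Scheduled Scan Day of Week: Everyday
    RandomizeScheduleTaskTimes          = $false  # Randomize Scheduled Scan Times: No
    EnableNetworkProtection             = 2       # Network Protection: Audit
    EnableControlledFolderAccess        = 0       # Folder Access: Disabled
}

function Test-DefenderBaseline {   # hypothetical helper name
    param($Prefs = (Get-MpPreference))
    # Report every mapped setting whose live value differs from the table default.
    foreach ($name in $Baseline.Keys) {
        if ($Prefs.$name -ne $Baseline[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $Baseline[$name]; Actual = $Prefs.$name }
        }
    }
    # The table's default for all three exclusion lists is None, so any entry is drift.
    foreach ($name in 'ExclusionProcess', 'ExclusionPath', 'ExclusionExtension') {
        if ($Prefs.$name) {
            [pscustomobject]@{ Setting = $name; Expected = 'None'; Actual = $Prefs.$name -join '; ' }
        }
    }
}

Test-DefenderBaseline | Format-Table -AutoSize
```

<p>No output means the endpoint matches every mapped default.</p>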